Game of Memory – Auscert2016 CTF

Shearwater Solutions recently hosted a 48-hour Capture the Flag contest for AusCERT2016. Here’s a very quick and dirty write-up of how I solved the “Game of Memory” challenges for the SecTalksBNE team.

The description for the challenge was:

The 1337 and 100 work for the same company; they sit across from each other on the same network. 100 is working on building a challenge for the Shearwater’s AusCert CTF.

1337 wasn’t allowed to be part of the build team. Being spiteful, they decide to sabotage the build team. 100 needs the proof that 1337 sabotaged the team, can you help find the proof?

We were provided with the following file for the challenge:

In total there were 5 flags for this challenge, and each flag was worth 100 points.

Challenge 1:

What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID?

The flag must be submitted in the following format: [pid][time][ppid]

Let’s check what type of file we are dealing with:

A Windows crash dump. Which version of Windows?

Ok. Version 6.1.7600.16385, which we know is Windows 7. We also know it’s 64-bit based on the file query above.

As soon as you are challenged with a memory dump, or get questions such as “What is the malicious process PID?”, you can be sure that the tool of choice for memory forensics is most likely going to be Volatility. Let’s find our answer to challenge 1 by running the pstree plugin.

What we are looking for is any odd or obviously malicious process, which in a process tree usually means an unusual parent/child pairing. In our case the final entry, a cmd.exe whose parent process is rundll32.exe, is definitely suspicious: rundll32.exe exists to load a DLL and call one of its exports, and has no normal reason to spawn a command shell.

Our flag is: [3268][2016-05-11 03:27:48 UTC+0000][3248]
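The pstree listing itself isn’t reproduced above, so here is an added example (my own illustration, not part of the original write-up and not Volatility code) that does the same triage on a constructed sample of Volatility 2 pstree output: it parses each line into a process record, flags command shells whose parent is on a short list of processes that should never spawn one, and prints the answer in the [pid][time][ppid] format the challenge asks for. The sample lines, the list of suspicious parents and the address values are all made up; only the cmd.exe/rundll32.exe PIDs and timestamp reuse the values from the write-up.

```python
import re
from dataclasses import dataclass

# Constructed sample of Volatility 2 `pstree` output (not the real dump's output).
# The cmd.exe / rundll32.exe entries reuse the PIDs and time from the write-up;
# everything else is invented filler so the parser has a realistic tree to walk.
SAMPLE_PSTREE = """\
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8000ca8b30:wininit.exe                        384    324      3     77 2016-05-11 03:19:50 UTC+0000
. 0xfffffa8001a2b060:services.exe                      480    384      9    218 2016-05-11 03:19:51 UTC+0000
.. 0xfffffa8001b76b30:svchost.exe                      764    480     13    386 2016-05-11 03:19:52 UTC+0000
 0xfffffa8001c01060:explorer.exe                      1432   1400     25    812 2016-05-11 03:20:05 UTC+0000
. 0xfffffa8001d4e330:rundll32.exe                     3248   1432      3     71 2016-05-11 03:27:41 UTC+0000
.. 0xfffffa8001d9a7c0:cmd.exe                         3268   3248      1     22 2016-05-11 03:27:48 UTC+0000
"""

# One pstree row: optional depth dots, kernel object address, name, counters, start time.
LINE_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s*$"
)


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    start: str


def parse_pstree(text):
    """Return {pid: Proc} for every process row; banner/header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = Proc(m["name"].lower(), int(m["pid"]), int(m["ppid"]), m["time"])
        procs[p.pid] = p
    return procs


# Assumption: a starting list of parents that have no business launching a shell.
# rundll32.exe only loads a DLL and calls an export; Office binaries are the usual
# macro-dropper case. Tune this to the environment you are investigating.
SUSPICIOUS_PARENTS = {"rundll32.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def find_suspicious(procs):
    """Shells whose parent is still in the tree and is on the suspicious list."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.name in SHELLS and parent is not None and parent.name in SUSPICIOUS_PARENTS:
            hits.append(p)
    return hits


def flag_for(p):
    """Format one hit in the challenge's [pid][time][ppid] layout."""
    return f"[{p.pid}][{p.start}][{p.ppid}]"


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    for p in find_suspicious(procs):
        parent = procs[p.ppid]
        print(f"{p.name} ({p.pid}) spawned by {parent.name} ({p.ppid}) -> {flag_for(p)}")
```

The parent lookup only works when the parent is still present in the tree; a shell whose parent has already exited shows up with a PPID that resolves to nothing, which is itself worth a second look rather than something to silently skip.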

Challenge 2:

What permission level was achieved by the attacker?

The flag must be submitted in the following format: [Authenticated Users]

We can use the getsids plugin to help us solve this one.

Our flag is: [Local System]

Challenge 3:

What is the attacker’s IP and port, the PID of the process attached to the connection and is the connection still open?

The flag must be submitted in the following format: [IP:PORT][PID][N]

Using the netscan plugin and grepping its output for the parent PID (3248, the rundll32.exe process) will show us the connection to the attacker’s IP, and the State column tells us whether it is still open.

Our flag is: [192.168.136.134:41367][3248][N]
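As an added example that is not part of the original write-up, the script below does the netscan step on a constructed sample of Volatility 2 netscan output: it parses the rows (including UDP rows, which have no State column), filters to the PID of interest, picks the non-listening TCP connection as the attacker endpoint, and derives the Y/N “still open” answer from the State column. Only the rundll32.exe row reuses the PID and addresses from the write-up; the other rows, offsets and owners are invented.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of Volatility 2 `netscan` output (not the real dump's output).
# The rundll32.exe row reuses the PID and addresses from the write-up; the rest is filler.
SAMPLE_NETSCAN = """\
Volatility Foundation Volatility Framework 2.5
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6a3b20         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        764      svchost.exe    2016-05-11 03:19:52 UTC+0000
0x7d52e440         UDPv4    0.0.0.0:5355                   *:*                                   1084     svchost.exe    2016-05-11 03:20:01 UTC+0000
0x7d4c8010         TCPv4    192.168.136.135:49171          192.168.136.134:41367 CLOSED          3248     rundll32.exe   2016-05-11 03:27:40 UTC+0000
0x7d4d1c90         TCPv4    192.168.136.135:49160          192.168.136.1:445    ESTABLISHED      4        System         2016-05-11 03:19:49 UTC+0000
"""

# One netscan row. The State group is optional because UDP endpoints have no state.
NET_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s*$"
)


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: Optional[str]
    pid: int
    owner: str


def parse_netscan(text):
    """Return a list of Conn records; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        conns.append(Conn(m["proto"], m["local"], m["foreign"], m["state"],
                          int(m["pid"]), m["owner"]))
    return conns


def connections_for(conns, pid):
    """The equivalent of grepping the netscan output for one PID."""
    return [c for c in conns if c.pid == pid]


def attacker_flag(conns, pid):
    """Build [IP:PORT][PID][Y|N] from the PID's outbound/inbound TCP connections.

    Listening sockets are ignored (they have no peer). The connection counts as
    still open only if its state is ESTABLISHED; netscan pool-scans for socket
    objects, so freed/CLOSED entries are expected and must not be read as live.
    Returns None when the PID has no peer connection at all.
    """
    remote = [c for c in connections_for(conns, pid)
              if c.proto.startswith("TCP") and c.state != "LISTENING"]
    if not remote:
        return None
    peer = remote[0]
    still_open = "Y" if any(c.state == "ESTABLISHED" for c in remote) else "N"
    return f"[{peer.foreign}][{pid}][{still_open}]"


if __name__ == "__main__":
    conns = parse_netscan(SAMPLE_NETSCAN)
    for c in connections_for(conns, 3248):
        print(c)
    print(attacker_flag(conns, 3248))
```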

Challenge 4:

What file was modified?

The answer must be submitted in the following format: [C:\flag.txt]

Our first step here is to dump the malicious process’s executable into a local tmp directory, using the procdump plugin.

Now let’s run strings on the dumped executable to see if we can find the path of the modified file.

Our flag is: [C:\Users\vagrant\Documents\vault\6.txt]
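Plain strings only pulls out ASCII by default, and Windows binaries and process memory keep a lot of their paths as UTF-16LE (what GNU strings calls -e l), so a path can be missed if you only run the default. As an added example that is not part of the original write-up, the script below is a small strings-style extractor that handles both encodings and keeps only Windows file paths, run over a constructed byte blob that stands in for the dumped executable. The blob, its “troll” string and the UTF-16 path are invented; only the 6.txt path reuses the answer from the write-up.

```python
import re

# Constructed stand-in for a procdump'd executable: a fake DOS stub, a decoy
# flag-looking string, an ASCII path, a UTF-16LE path and some binary noise.
# Only the 6.txt path is taken from the write-up; everything else is made up.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + b"flag{not_this_one}" + b"\x00" * 4
    + rb"C:\Users\vagrant\Documents\vault\6.txt" + b"\x00" * 4
    + "C:\\Windows\\System32\\rundll32.exe".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(0x80, 0xA0))
)

MIN_LEN = 4  # same default run length as `strings`

# Runs of printable ASCII, and runs of printable ASCII interleaved with NULs (UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# A drive-letter path: components may not contain NTFS-reserved characters.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\x00-\x1f\\/:*?"<>|]+\\)*[^\x00-\x1f\\/:*?"<>|]+')


def extract_strings(data):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_paths(data):
    """Return [(offset, encoding, path)] for every Windows path found in either encoding."""
    found = []
    for off, enc, text in extract_strings(data):
        for pm in WIN_PATH.finditer(text):
            found.append((off, enc, pm.group()))
    return found


if __name__ == "__main__":
    for off, enc, path in find_paths(SAMPLE_BLOB):
        print(f"{off:#010x} {enc:8} {path}")
```

Because the path regex allows spaces (they are legal in Windows paths), a path that is immediately followed by other text in the same string run will be captured together with that text; in a real dump you would still eyeball the hits, exactly as the write-up does with strings.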

Challenge 5:

What is the attackers flag?

The answer must be submitted in the following format: flag{example_flag}

For this challenge we will use the mftparser plugin.

Once the parser is complete, we open the output file in vi and search for our 6.txt file. Because the file is tiny, its contents live resident inside its MFT entry, so the parser output includes the data itself and not just the filename.

Our flag is: flag{N3Xt_t1m3_l3t_1337_BU1lD}

Note: It was also possible to solve this challenge by simply running strings and looking for flags. Even though there are a number of troll flags in the memory dump, you could have guessed this flag based on the storyline about 1337 not being allowed to be part of the build team.

GAME OVER!

If you haven’t used Volatility before, or if anything above is new for you, I hope this quick write-up helps you out.

Cheers to Shearwater for an enjoyable CTF.

Until next time, tight lines and happy hacking!