Game of Memory – Auscert2016 CTF
Shearwater Solutions recently hosted a 48-hr Capture the Flag contest for AusCERT2016. Here’s a very quick and dirty write-up of how I solved the “Game of Memory” challenges for the SecTalksBNE team.
The description for the challenge was:
The 1337 and 100 work for the same company; they sit across from each other on the same network. 100 is working on building a challenge for Shearwater’s AusCert CTF.
1337 wasn’t allowed to be part of the build team. Being spiteful, they decide to sabotage the build team. 100 needs proof that 1337 sabotaged the team. Can you help find the proof?
We were provided with the following file for the challenge:
```
-rw-r--r-- 1 root root 4294975488 May 11 13:30 memory_1.dmp
```
In total there were 5 flags for this challenge, and each flag was worth 100 points.
Challenge 1:
What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID?
The flag must be submitted in the following format: [pid][time][ppid]
Let’s check what type of file we are dealing with:
```
# file memory_1.dmp
memory_1.dmp: MS Windows 64bit crash dump, full dump, 1048576 pages
```
A 64-bit Windows full crash dump. As a sanity check on the file: 1048576 pages of 4 KiB is exactly 4 GiB, and the 8192 extra bytes in the file size above are the crash-dump header. Which version of Windows?
```
# strings -d memory_1.dmp | grep Version= | more -5
NetFx-ASPNET_WEBADMIN_LOCRES_RES, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=b03f5f7f11d50a3a, ProcessorArchitecture=x86
Microsoft-Windows-SmartCardKsp, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=x86, versionScope=NonSxS
Microsoft-Windows-International-Keyboard-KBDFI1, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS
Microsoft-Windows-MSXML30, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=wow64, versionScope=NonSxS
Microsoft-Windows-MSXML60, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=wow64, versionScope=NonSxS
```
Ok. Version 6.1.7600.16385: 6.1 is the Windows 7 / Server 2008 R2 kernel, and build 7600 is the RTM release with no service pack, so the Volatility profile we want is Win7SP0x64 (x64 from the file output above). If the version strings were ambiguous, Volatility’s imageinfo or kdbgscan plugins would suggest the profile directly.
As soon as you are handed a memory dump, or asked for something like “the malicious process PID”, the tool of choice is almost certainly going to be Volatility. Let’s answer challenge 1 with the pstree plugin, which prints the process list as a parent/child tree (each leading dot is one level of depth).
```
# volatility -f memory_1.dmp --profile=Win7SP0x64 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8005817060:wininit.exe                       424    344      3     80 2016-05-11 03:25:16 UTC+0000
. 0xfffffa8005956a90:services.exe                     524    424      8    217 2016-05-11 03:25:18 UTC+0000
.. 0xfffffa8005ed59b0:dllhost.exe                    1920    524     18    213 2016-05-11 03:25:41 UTC+0000
.. 0xfffffa8005bb1b30:spoolsv.exe                    1040    524     14    337 2016-05-11 03:25:32 UTC+0000
.. 0xfffffa8005c82b30:vmtoolsd.exe                   1240    524     11    291 2016-05-11 03:25:34 UTC+0000
---snip---
 0xfffffa80068bc060:explorer.exe                     1056    744     22    695 2016-05-11 03:26:50 UTC+0000
. 0xfffffa8003e42b30:cmd.exe                          312   1056      1     22 2016-05-11 03:27:04 UTC+0000
. 0xfffffa8003e746d0:firefox.exe                     2652   1056     52    569 2016-05-11 03:27:12 UTC+0000
. 0xfffffa8006931060:vmtoolsd.exe                    2152   1056      8    190 2016-05-11 03:26:50 UTC+0000
 0xfffffa80040c9b30:rundll32.exe                     3248   3216      3     61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe                         3268   3248      1     33 2016-05-11 03:27:48 UTC+0000
```
What we are looking for is any odd or obviously malicious process. Two things stand out in the last two rows: rundll32.exe (PID 3248) sits at the root of the tree because its parent, PID 3216, is no longer in the process list, and it spawns a cmd.exe (PID 3268) in the very same second it starts. rundll32.exe has no business launching a command shell, so that cmd.exe is our malicious process.
Our flag is: [3268][2016-05-11 03:27:48 UTC+0000][3248]
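The eyeballing above scales badly on a full process list, so here is the same triage as code. This is an added example, not part of the original write-up: it parses Volatility 2.x pstree output (a constructed sample made from the rows above), flags processes whose parent is missing from the list and shells spawned by parents that should never spawn one, and prints the challenge-1 answer format. The allow/deny sets are my own starting point, not a definitive list.

```python
import re

# Constructed sample: the rows of the pstree output above, in Volatility 2.x
# layout (Name, Pid, PPid, Thds, Hnds, Time). Leading dots mark tree depth.
PSTREE_OUTPUT = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8005817060:wininit.exe                       424    344      3     80 2016-05-11 03:25:16 UTC+0000
. 0xfffffa8005956a90:services.exe                     524    424      8    217 2016-05-11 03:25:18 UTC+0000
.. 0xfffffa8005bb1b30:spoolsv.exe                    1040    524     14    337 2016-05-11 03:25:32 UTC+0000
 0xfffffa80068bc060:explorer.exe                     1056    744     22    695 2016-05-11 03:26:50 UTC+0000
. 0xfffffa8003e42b30:cmd.exe                          312   1056      1     22 2016-05-11 03:27:04 UTC+0000
. 0xfffffa8003e746d0:firefox.exe                     2652   1056     52    569 2016-05-11 03:27:12 UTC+0000
 0xfffffa80040c9b30:rundll32.exe                     3248   3216      3     61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe                         3268   3248      1     33 2016-05-11 03:27:48 UTC+0000
"""

ROW_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>\S+ \S+ \S+)\s*$"
)

# Processes whose parent has normally exited by the time the image is taken
# (smss.exe and userinit.exe launch their children and go away).
NORMAL_ORPHANS = {"system", "smss.exe", "csrss.exe", "wininit.exe",
                  "winlogon.exe", "explorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Parents that have no business launching a shell; tune to your environment
# (svchost.exe does parent scheduled tasks, for example).
ODD_SHELL_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "svchost.exe",
                     "winword.exe", "excel.exe", "outlook.exe", "firefox.exe",
                     "iexplore.exe"}


def parse_pstree(text):
    """Map pid -> {name, pid, ppid, time, depth} for every row that parses."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m["pid"])] = {
                "name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                "time": m["time"], "depth": len(m["depth"]),
            }
    return procs


def find_suspicious(text):
    """Flag (a) non-system processes whose parent is missing from the list and
    (b) shells spawned by a parent that should never spawn one."""
    procs = parse_pstree(text)
    findings = []
    for p in procs.values():
        name = p["name"].lower()
        parent = procs.get(p["ppid"])
        if parent is None:
            if name not in NORMAL_ORPHANS:
                findings.append({**p, "reason": f"parent PID {p['ppid']} not in process list"})
        elif name in SHELLS and parent["name"].lower() in ODD_SHELL_PARENTS:
            findings.append({**p, "reason": f"{p['name']} spawned by {parent['name']}"})
    return findings


def flag_for(finding):
    """Challenge 1 answer format: [pid][time][ppid]."""
    return f"[{finding['pid']}][{finding['time']}][{finding['ppid']}]"


if __name__ == "__main__":
    for f in find_suspicious(PSTREE_OUTPUT):
        print(flag_for(f), "-", f["reason"])
```

On the sample it reports both rundll32.exe (missing parent 3216) and its child cmd.exe (shell spawned by rundll32.exe); the second finding is the flag. Pipe real pstree output into parse_pstree and the same two rules apply.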
Challenge 2:
What permission level was achieved by the attacker?
The flag must be submitted in the following format: [Authenticated Users]
The getsids plugin lists the SIDs in a process’s access token, which tells us whose privileges the shell is running with.
```
# volatility -f memory_1.dmp --profile=Win7SP0x64 getsids -p 3268
Volatility Foundation Volatility Framework 2.5
cmd.exe (3268): S-1-5-18 (Local System)
cmd.exe (3268): S-1-5-32-544 (Administrators)
cmd.exe (3268): S-1-1-0 (Everyone)
cmd.exe (3268): S-1-5-11 (Authenticated Users)
cmd.exe (3268): S-1-16-16384 (System Mandatory Level)
```
The token’s owner is S-1-5-18 and its integrity level is System Mandatory Level, so the shell is running as SYSTEM, the highest local privilege there is.
Our flag is: [Local System]
Challenge 3:
What is the attacker’s IP and port, the PID of the process attached to the connection and is the connection still open?
The flag must be submitted in the following format: [IP:PORT][PID][N]
The netscan plugin scans the dump for network connection and socket objects. The child cmd.exe owns no socket of its own, so we grep for the parent PID 3248 (rundll32.exe) to find the connection the shell was served over.
```
# volatility -f memory_1.dmp --profile=Win7SP0x64 netscan | grep 3248
Volatility Foundation Volatility Framework 2.5
0x13e3d16f0        TCPv4    192.168.136.131:49189          192.168.136.134:41367          CLOSED           3248     rundll32.exe
```
The local end uses an ephemeral port (49189) while the remote end is a fixed port (41367), so the victim connected out to the attacker, which is the reverse-shell pattern, and the CLOSED state tells us the connection is no longer open.
Our flag is: [192.168.136.134:41367][3248][N]
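As an added example (not from the original write-up), the same reasoning as code: parse Volatility 2.x netscan rows, pick the ones owned by a PID, decide who initiated the connection from the port numbers, and check whether it is still open. The sample output is constructed; only the rundll32.exe row is taken from the page, and the 203.0.113.10 address is a documentation address, not a real host.

```python
import re

# Constructed sample in Volatility 2.x netscan layout (Offset(P), Proto,
# Local Address, Foreign Address, State, Pid, Owner, Created). The
# rundll32.exe row is the one from the write-up; the others are made up.
NETSCAN_OUTPUT = """\
Offset(P)   Proto Local Address          Foreign Address        State        Pid  Owner         Created
0x13e2a9c40 TCPv4 0.0.0.0:135            0.0.0.0:0              LISTENING    680  svchost.exe
0x13e3a1b20 TCPv4 192.168.136.131:49180  203.0.113.10:443       ESTABLISHED  2652 firefox.exe
0x13e3d16f0 TCPv4 192.168.136.131:49189  192.168.136.134:41367  CLOSED       3248 rundll32.exe
0x13e2f1010 UDPv4 0.0.0.0:5355           *:*                                 1024 svchost.exe   2016-05-11 03:25:30 UTC+0000
"""

ROW_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)"
)

EPHEMERAL_START = 49152  # Windows Vista+ dynamic (client) port range starts here
OPEN_STATES = {"ESTABLISHED", "LISTENING"}
WILDCARDS = {"0.0.0.0:0", "*:*", ":::0"}


def parse_netscan(text):
    """One dict per row that parses; UDP rows get an empty state."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            c = m.groupdict()
            c["pid"] = int(c["pid"])
            c["state"] = c["state"] or ""
            conns.append(c)
    return conns


def port_of(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def direction(conn):
    """Who initiated? An ephemeral local port talking to a fixed remote port
    means this host connected out, which is the reverse-shell pattern."""
    if conn["foreign"] in WILDCARDS:
        return "listener"
    local, remote = port_of(conn["local"]), port_of(conn["foreign"])
    if local >= EPHEMERAL_START > remote:
        return "outbound"
    if remote >= EPHEMERAL_START > local:
        return "inbound"
    return "unknown"


def is_open(conn):
    return conn["state"] in OPEN_STATES


def connections_for(text, pid):
    return [c for c in parse_netscan(text) if c["pid"] == pid]


def flag_for(conn):
    """Challenge 3 answer format: [IP:PORT][PID][Y/N]."""
    return f"[{conn['foreign']}][{conn['pid']}][{'Y' if is_open(conn) else 'N'}]"


if __name__ == "__main__":
    for c in connections_for(NETSCAN_OUTPUT, 3248):
        print(flag_for(c), direction(c), c["owner"])
```

The port heuristic is only a heuristic: a listener bound to a high port or a client deliberately using a low source port will fool it, so treat “outbound” as a hint to confirm against the process tree, not as proof.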
Challenge 4:
What file was modified?
The answer must be submitted in the following format: [C:\flag.txt]
Our first step here is to extract the process from the dump. The procdump plugin rebuilds the process’s executable image from memory (memdump would dump its entire address space, which is the more thorough option, but procdump is enough here). We write the result into a local tmp directory.
```
# mkdir tmp ; volatility -f memory_1.dmp --profile=Win7SP0x64 procdump -D tmp/ -p 3268
Volatility Foundation Volatility Framework 2.5
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8004e77b30 0x0000000049fa0000 cmd.exe              OK: executable.3268.exe
```
Now let’s run strings on the dumped executable, with a minimum length of 6 characters, to see what the shell was used for. Fragments of the console session survive in the image: the prompt gives us the working directory, and the fragment `" > 6.txt` is an output redirection that wrote the file. Joining the two gives the full path. (In a real investigation the cmdscan and consoles plugins, which carve command history out of conhost.exe, are the more direct route.)
```
# strings -6 tmp/executable.3268.exe
!This program cannot be run in DOS mode.
`.data
@.reloc
msvcrt.dll
ntdll.dll
KERNEL32.dll
api-ms-win-core-processthreads-l1-1-0.DLL
WINBRAND.dll
---snip---
cmd.pdb
C:\Users\vagrant\Documents\vault> 
" > 6.txt
CMD Internal Error %s
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
```
Our flag is: [C:\Users\vagrant\Documents\vault\6.txt]
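Picking the prompt and the redirect fragment out by eye works for one process; the added example below (mine, not the write-up’s) does the same over a byte blob: a minimal `strings` that handles both ASCII and UTF-16LE (Windows console buffers are wide-char, so `strings -e l` matters on real dumps), then a heuristic that resolves each `> file` fragment against the most recent prompt seen. The DUMP bytes are a constructed stand-in for executable.3268.exe, not the real file.

```python
import ntpath
import re

# Constructed stand-in for tmp/executable.3268.exe: a few of the strings the
# write-up shows, plus one UTF-16LE console line. Not real dump content.
DUMP = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"!This program cannot be run in DOS mode.\x00"
    + b"cmd.pdb\x00"
    + b"C:\\Users\\vagrant\\Documents\\vault> \x00"
    + b'" > 6.txt\x00'
    + b"CMD Internal Error %s\x00\x00"   # extra NUL so the wide run cannot start on the 's'
    + "C:\\Users\\vagrant> echo hello >> notes.txt".encode("utf-16-le")
    + b"\x00\x00"
)


def extract_strings(blob, minlen=6):
    """Like `strings -n minlen` for ASCII plus `strings -e l` for UTF-16LE,
    returned in file order."""
    runs = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, blob):
        runs.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen, blob):
        runs.append((m.start(), m.group().decode("utf-16-le")))
    runs.sort(key=lambda r: r[0])
    return [s for _, s in runs]


# A cmd.exe prompt: drive letter, path, '>' and optional trailing space.
PROMPT_RE = re.compile(r'^([A-Za-z]:\\[^>"]*)>\s*')
# Output redirection: '>' or '>>' followed by the target file name.
REDIRECT_RE = re.compile(r'>>?\s*([^\s"<>|]+)')


def recovered_files(blob):
    """Rebuild full paths of files written through cmd.exe output redirection.
    Heuristic: a prompt string sets the working directory; any `> name`
    fragment seen afterwards is resolved against the most recent prompt."""
    cwd, found = None, []
    for s in extract_strings(blob):
        rest = s
        m = PROMPT_RE.match(s)
        if m:
            cwd, rest = m.group(1), s[m.end():]
        for target in REDIRECT_RE.findall(rest):
            found.append(ntpath.normpath(ntpath.join(cwd or "", target)))
    return found


if __name__ == "__main__":
    for path in recovered_files(DUMP):
        print(path)
```

ntpath is used deliberately so the Windows path joining behaves the same when the analysis box is Linux. The “most recent prompt” rule is an assumption about ordering in memory; on a real dump check the candidate against mftparser or filescan before trusting it.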
Challenge 5:
What is the attackers flag?
The answer must be submitted in the following format: flag{example_flag}
For this challenge we use the mftparser plugin, which scans the dump for NTFS MFT records. A file as small as 6.txt has its contents stored resident inside its own MFT record, so the data comes back with the record.
```
# volatility -f memory_1.dmp --profile=Win7SP0x64 mftparser --output-file=out.txt
Volatility Foundation Volatility Framework 2.5
Scanning for MFT entries and building directory, this can take a while
```
Once the parser has finished, open out.txt in vi and search for 6.txt:
```
***************************************************************************
***************************************************************************
MFT entry found at offset 0x25273400
Attribute: In Use & File
Record Number: 43713
Link count: 1

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2016-05-08 08:09:18 UTC+0000   2016-05-11 03:28:58 UTC+0000   2016-05-11 03:28:58 UTC+0000   2016-05-08 08:09:18 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2016-05-08 08:09:18 UTC+0000   2016-05-08 08:09:18 UTC+0000   2016-05-08 08:09:18 UTC+0000   2016-05-08 08:09:18 UTC+0000   Users\vagrant\DOCUME~1\vault\6.txt

$OBJECT_ID
Object ID: 1f69cf66-f314-e611-8b90-000c296760b4
Birth Volume ID: 80000000-4000-0000-0000-180000000400
Birth Object ID: 23000000-1800-0000-2266-6c61677b4e33
Birth Domain ID: 58745f74-316d-335f-6c33-745f31333337

$DATA
0000000000: 22 66 6c 61 67 7b 4e 33 58 74 5f 74 31 6d 33 5f   "flag{N3Xt_t1m3_
0000000010: 6c 33 74 5f 31 33 33 37 5f 42 55 31 6c 44 7d 22   l3t_1337_BU1lD}"
0000000020: 20 0d 0a                                          ...

***************************************************************************
***************************************************************************
```
The timestamps back up the story: $STANDARD_INFORMATION Modified is 03:28:58, about a minute after the shell started (03:27:48) and later than every $FILE_NAME timestamp, which is what a rewrite of an existing file looks like. Also note that the Birth Object ID and Birth Domain ID are not real GUIDs: their bytes (2266 6c61 677b 4e33 ... is `"flag{N3`) are the resident $DATA content read back as hex, so ignore the $OBJECT_ID attribute here and trust the $DATA hexdump.
Our flag is: flag{N3Xt_t1m3_l3t_1337_BU1lD}
Note: it was also possible to solve this challenge by simply running strings over the dump and grepping for flags. There are a number of troll flags in the memory dump, but you could have picked the right one from the story line about 1337 not being allowed on the build team.
```
# strings memory_1.dmp | grep -i flag{
"flag{N3Xt_t1m3_l3t_1337_BU1lD}"
"flag{N3Xt_t1m3_l3t_1337_BU1lD}"
flag{Mayb3_w3_sh0uld_us3_sha256_aga1n}
---snip---
```
GAME OVER!
If you haven’t used Volatility before, or if anything above is new for you, I hope this quick write-up helps you out.
Cheers to Shearwater for an enjoyable CTF.
Until next time, tight lines and happy hacking!