Defcon 2019 memory forensics CTF write up


Simple write up for the memory forensics component of the 2019 DEFCON forensics challenge.

DEFCON 2019 forensics

Flag format: flag-xyz. Everything after the - is what you need to submit; your answer is the xyz.

1 / get your volatility on (5)

What is the SHA1 hash of triage.mem?

$ sha1sum winmem.mem
c95e8cc8c946f95a109ea8e47a6800de10a27abd  winmem.mem

2 / pr0file (10)

What profile is the most appropriate for this machine? (ex: Win10x86_14393)

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418

Since we can't just guess (points may be deducted for incorrect guesses), we should at least try to find the most appropriate profile with the kernel debug block scan (kdbgscan), which reports for each candidate profile how many processes and loaded modules it can walk; the profile whose counts are complete is the right one.

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem kdbgscan

3 / hey, write this down (12)

What was the process ID of notepad.exe?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 pslist

0xfffffa80054f9060 notepad.exe 3032 1432 1 60 1 0 2019-03-22 05:32:22 UTC+0000

4 / wscript can haz children (14)

Name the child processes of wscript.exe.

Instead of manually matching PIDs against PPIDs (parent PIDs), we use pstree:

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 pstree

. 0xfffffa8005a80060:wscript.exe 5116 3952 8 312 2019-03-22 05:35:32 UTC+0000  
... 0xfffffa8005a1d9e0:UWkpjFjDzM.exe 3496 5116 5 109 2019-03-22 05:35:33 UTC+0000  
.... 0xfffffa8005bb0060:cmd.exe 4660 3496 1 33 2019-03-22 05:35:36 UTC+0000

5 / tcpip settings (18)

What was the IP address of the machine at the time the RAM dump was created?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 netscan

(The address can also be read from the TCP/IP interface settings in the registry.)

6 / intel (18)

Based on the answer regarding the infected PID, can you determine what the IP of the attacker was?

0x13e397190 TCPv4 10.0.0.101:49217 10.0.0.106:4444 ESTABLISHED 3496 UWkpjFjDzM.exe
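Questions 4 and 6 are two halves of one triage step: follow the script host's descendants, then see which of them owns a network connection. The script below is an added example (my own code, not part of the write-up and not Volatility's) that parses pslist- and netscan-style text into a process tree and a connection list and joins the two. The sample rows are constructed: the wscript.exe, UWkpjFjDzM.exe, cmd.exe, notepad.exe and 10.0.0.106:4444 rows are copied from the lines quoted above, the explorer.exe, svchost.exe and System rows are filler, and the column order follows Volatility 2's default output.

```python
from collections import defaultdict

# Constructed sample in the column layout of Volatility 2 pslist
# (Offset Name PID PPID Thds Hnds Sess Wow64 Start). Rows that appear in
# the write-up are copied; the explorer.exe row is made up to give a root.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8004e1c040 explorer.exe           3952   3900     20      600      1      0 2019-03-22 05:30:01 UTC+0000
0xfffffa8005a80060 wscript.exe            5116   3952      8      312      1      0 2019-03-22 05:35:32 UTC+0000
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000
0xfffffa8005bb0060 cmd.exe                4660   3496      1       33      1      0 2019-03-22 05:35:36 UTC+0000
0xfffffa80054f9060 notepad.exe            3032   1432      1       60      1      0 2019-03-22 05:32:22 UTC+0000
"""

# Constructed netscan rows (Offset Proto LocalAddr ForeignAddr State PID Owner).
# The 10.0.0.106:4444 connection is from the write-up; the others are filler,
# including a UDP row, which has no State column.
NETSCAN = """\
0x13e397190        TCPv4    10.0.0.101:49217       10.0.0.106:4444        ESTABLISHED      3496     UWkpjFjDzM.exe
0x13e3a0010        TCPv4    0.0.0.0:135            0.0.0.0:0              LISTENING        700      svchost.exe
0x13e3b2c00        UDPv4    10.0.0.101:137         *:*                                     4        System
"""


def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist rows; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        name, pid, ppid = parts[1], int(parts[2]), int(parts[3])
        procs[pid] = (name, ppid)
    return procs


def children_of(procs, name):
    """(pid, name) of every transitive descendant of each process called `name`."""
    kids = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        kids[ppid].append(pid)
    stack = [pid for pid, (n, _) in procs.items() if n == name]
    out = []
    while stack:
        pid = stack.pop()
        for child in sorted(kids[pid]):
            out.append((child, procs[child][0]))
            stack.append(child)
    return out


def parse_netscan(text):
    """Return (proto, local, foreign, state, pid, owner) tuples from netscan rows."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        proto, local, foreign = parts[1], parts[2], parts[3]
        # UDP rows carry no State column, so find the PID column by content.
        state, idx = ("", 4) if parts[4].isdigit() else (parts[4], 5)
        conns.append((proto, local, foreign, state, int(parts[idx]), parts[idx + 1]))
    return conns


def remote_peers(conns, pids):
    """Foreign endpoints of ESTABLISHED connections owned by any of `pids`."""
    return sorted({(pid, foreign) for _, _, foreign, state, pid, _ in conns
                   if pid in pids and state == "ESTABLISHED"})


def suspicious_chain(pslist_text, netscan_text, script_host="wscript.exe"):
    """Descendants of the script host and the remote peers they talk to."""
    kids = children_of(parse_pslist(pslist_text), script_host)
    peers = remote_peers(parse_netscan(netscan_text), {pid for pid, _ in kids})
    return kids, peers


if __name__ == "__main__":
    kids, peers = suspicious_chain(PSLIST, NETSCAN)
    print("children:", kids)      # [(3496, 'UWkpjFjDzM.exe'), (4660, 'cmd.exe')]
    print("peers:", peers)        # [(3496, '10.0.0.106:4444')]
```

Feed it real output by saving `pslist` and `netscan` runs to files and passing their contents to `suspicious_chain`; the join is what turns "a script host spawned an oddly named executable" into "and that executable is talking to 10.0.0.106 on port 4444".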

7 / i <3 windows dependencies (20)

What process name is VCRUNTIME140.dll associated with?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 dlllist | grep -B 50 VCRUNTIME140
OfficeClickToR pid: 1136 Command line : "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
EXCEL.EXE pid: 1272 Command line : "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
OUTLOOK.EXE pid: 3688 Command line : "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"
iexplore.exe pid: 2780 Command line : "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
POWERPNT.EXE pid: 4048 Command line : "C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE"

8 / mal-ware-are-you (20)

What is the md5 hash value of the potential malware on the system?

Dump the exe and hash it:

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 procdump -p 3496 -D /mnt/ctf/Defcon2019/dumpdir
$ md5sum executable.3496.exe

9 / lm-get bobs hash (24)

What is the LM hash of Bob's account?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

This is the pwdump-style NTLM format (user:RID:LM hash:NT hash:::). The LM hash is the first hash field, the NT hash the second.
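Reading the two hash fields by eye works for three accounts; for a real system you want a parser that also tells you what the values mean. The following is an added example (my own code, not the write-up's and not Volatility's) that parses hashdump output and flags two things a defender cares about: accounts whose LM hash is actually stored (aad3b435b51404eeaad3b435b51404ee is the value written when LM hashing is disabled or the password is empty) and accounts whose NT hash is the hash of the empty password (31d6cfe0d16ae931b73c59d7e0c089c0). The sample input is constructed from the three lines quoted above.

```python
# Well-known constants: the LM field stored when LM hashing is disabled or
# the password is empty, and the NT hash (MD4 of the empty UTF-16LE string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input, constructed from the hashdump output quoted above.
HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text):
    """Parse pwdump-format lines (user:RID:LM:NT:::) into a list of dicts.

    Banner and blank lines are skipped by requiring a numeric RID field.
    """
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def lm_hash(rows, user):
    """LM hash for `user` (case-insensitive), or None if the account is absent."""
    for r in rows:
        if r["user"].lower() == user.lower():
            return r["lm"]
    return None


def audit(rows):
    """Per-account findings: a stored LM hash (weak, should be disabled) or an empty password."""
    findings = {}
    for r in rows:
        notes = []
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash stored")
        if r["nt"] == EMPTY_NT:
            notes.append("empty password")
        findings[r["user"]] = notes
    return findings


if __name__ == "__main__":
    rows = parse_hashdump(HASHDUMP)
    print("Bob LM:", lm_hash(rows, "Bob"))   # aad3b435b51404eeaad3b435b51404ee
    for user, notes in audit(rows).items():
        print(user, notes)                   # every account: ['empty password']
```

On this image all three accounts come back with the empty-LM constant and the empty-password NT hash, which is itself a finding worth noting in a report.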

10 / vad the impaler (25)

What protections does the VAD node at 0xfffffa800577ba10 have?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 vadinfo | grep -B 10 -A 10 '0xfffffa800577ba10'

(grep -B 10 for 10 lines before, and -A 10 for 10 lines after).

VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad Flags: NoChange: 1, Protection: 1 Protection: PAGE_READONLY

11 / more vads?! (25)

What protections did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 vadinfo | grep -A 5 '0x00000000033c0000'
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24 Protection: PAGE_NOACCESS Vad Type: VadNone
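Both VAD questions hinge on the numeric Protection field, so it is worth knowing how vadinfo turns 1 into PAGE_READONLY and 24 into PAGE_NOACCESS: the low three bits carry the base protection and the next two bits are the NOCACHE (0x08) and GUARD (0x10) modifiers, and a base of 0 is no access whatever the modifiers say. The script below is an added example (my own code, not Volatility's) that decodes that value, parses vadinfo node records in the one-line form shown above, looks a node up by address or start, and lists private regions mapped PAGE_EXECUTE_READWRITE, the same combination malfind keys on as an injected-code indicator. The sample contains the two nodes from the write-up plus a constructed RWX node at 0x2a10000.

```python
import re

# Base protection is the low three bits of the 5-bit VAD protection value;
# bit 3 (0x08) is the NOCACHE modifier and bit 4 (0x10) the GUARD modifier
# (standard Windows MM_* constants). A base of 0 means no access regardless
# of the modifiers, which is why vadinfo prints PAGE_NOACCESS for 24 (0x18).
BASE_PROTECTION = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
    3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
    6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}
MM_NOCACHE, MM_GUARD = 0x08, 0x10


def decode_protection(value):
    """Render a numeric VAD protection the way vadinfo does."""
    value &= 0x1F
    base = value & 7
    if base == 0:
        return "PAGE_NOACCESS"
    parts = []
    if value & MM_NOCACHE:
        parts.append("PAGE_NOCACHE")
    if value & MM_GUARD:
        parts.append("PAGE_GUARD")
    parts.append(BASE_PROTECTION[base])
    return " | ".join(parts)


# Constructed sample: the two nodes quoted in the write-up, in the one-line
# form they appear in above, plus a made-up private RWX region.
VADINFO = """\
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad Flags: NoChange: 1, Protection: 1 Protection: PAGE_READONLY
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24 Protection: PAGE_NOACCESS Vad Type: VadNone
VAD node @ 0xfffffa8005deadb0 Start 0x0000000002a10000 End 0x0000000002a1ffff Tag VadS Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 6 Protection: PAGE_EXECUTE_READWRITE Vad Type: VadNone
"""

NODE_RE = re.compile(
    r"VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) End (0x[0-9a-fA-F]+) "
    r"Tag (\w+) Flags: (.*)")


def parse_vadinfo(text):
    """Parse one-line vadinfo node records into dicts with the protection decoded."""
    nodes = []
    for m in NODE_RE.finditer(text):
        # Only "Name: <number>" pairs are flags; "Protection: PAGE_..." is skipped.
        flags = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", m.group(5))}
        nodes.append({
            "node": int(m.group(1), 16), "start": int(m.group(2), 16),
            "end": int(m.group(3), 16), "tag": m.group(4), "flags": flags,
            "protection": decode_protection(flags.get("Protection", 0)),
        })
    return nodes


def protection_at(nodes, node=None, start=None):
    """Protection string of the node with this node address or this start address."""
    for n in nodes:
        if (node is not None and n["node"] == node) or \
           (start is not None and n["start"] == start):
            return n["protection"]
    return None


def rwx_private(nodes):
    """Start addresses of private memory mapped PAGE_EXECUTE_READWRITE."""
    return [n["start"] for n in nodes
            if n["flags"].get("PrivateMemory") == 1
            and (n["flags"].get("Protection", 0) & 7) == 6]


if __name__ == "__main__":
    nodes = parse_vadinfo(VADINFO)
    print(protection_at(nodes, node=0xfffffa800577ba10))   # PAGE_READONLY
    print(protection_at(nodes, start=0x33c0000))           # PAGE_NOACCESS
    print([hex(s) for s in rwx_private(nodes)])            # ['0x2a10000']
```

Real vadinfo output spreads each node over several lines; joining each record onto one line (as the write-up's quoted output already is) is enough for the regex above.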

12 / vacation bible school (25)

There was a VBS script run on the machine. What is the name of the script? (submit without file extension)

cmdscan would only give us manually entered command history, and consoles only the console input and output buffers; neither shows a VBScript being launched. So we look at each process's command line with cmdline instead:

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 cmdline | grep vbs
Volatility Foundation Volatility Framework 2.6.1
Command line : "C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs

13 / thx microsoft (25)

An application was run at 2019-03-07 23:06:58 UTC, what is the name of the program? (Include extension)

We're looking for historically executed programs. pslist only shows processes that were running at the time of the dump, so the program isn't listed there; we look at the shimcache instead.

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 shimcache | grep '2019-03-07'
2019-03-07 23:06:58 UTC+0000 \??\C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

14 / lightbulb moment (35)

What was written in notepad.exe in the time of the memory dump?

Identify the PID from the pslist output (pid=3032) and use memdump to dump the process's addressable memory, not the executable itself (that would be procdump).

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 memdump -p 3032 -D /mnt/ctf/Defcon2019/dumpdir/
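memdump writes the process's memory to `<pid>.dmp` in the output directory, and the text in a Windows edit control sits there as UTF-16LE, so a plain `strings` pass (ASCII only) can miss it. The following is an added example (my own code, not the write-up's and not Volatility's) of a small scanner that extracts both ASCII and UTF-16LE strings from such a dump and searches for a word in either encoding; the sample buffer is constructed here, not taken from the real dump.

```python
import re
import sys

# Constructed stand-in for a slice of a memdump output file: binary filler,
# an ASCII string, a UTF-16LE string like the ones an edit control holds,
# then more filler.
SAMPLE = (
    b"\x00" * 16
    + b"MZ\x90\x00"
    + b"ascii-only marker text"
    + b"\x00\xff" * 8
    + "Remember the meeting at 10:30".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x13\x37" * 5
)


def ascii_strings(buf, min_len=6):
    """Printable ASCII runs of at least min_len bytes (what plain `strings` finds)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(buf)]


def utf16le_strings(buf, min_len=6):
    """Runs of at least min_len UTF-16LE characters in the ASCII range,
    the equivalent of `strings -e l`."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(buf)]


def find_text(buf, needle):
    """(encoding, offset) pairs at which `needle` occurs in either encoding."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        i = buf.find(pat)
        while i != -1:
            hits.append((enc, i))
            i = buf.find(pat, i + 1)
    return hits


def scan_dump(path, min_len=8):
    """Read a memdump output file and return (ascii strings, utf-16le strings)."""
    with open(path, "rb") as f:
        buf = f.read()
    return ascii_strings(buf, min_len), utf16le_strings(buf, min_len)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ascii_hits, wide_hits = scan_dump(sys.argv[1])
        print("ascii:", len(ascii_hits), "utf-16le:", len(wide_hits))
        for s in wide_hits[:20]:
            print(s)
    else:
        print(ascii_strings(SAMPLE))    # ['ascii-only marker text']
        print(utf16le_strings(SAMPLE))  # ['Remember the meeting at 10:30']
```

Run it as `python scan.py /mnt/ctf/Defcon2019/dumpdir/3032.dmp` (the path is the dump directory used above); reading the whole file into memory is fine for a single process dump but a real full-memory image would want chunked reads.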

15 / 8675309 (35)

What is the shortname of the file at file record 59045?

$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 mftparser | grep -B 20 -A 20 '59045'
$OBJECT_ID Object ID: 40000000-0000-0000-0010-000000000000 Birth Volume ID: 19050000-0000-0000-1905-000000000000 Birth Object ID: 31015ed0-1900-ffff-ffff-ffff82794711 Birth Domain ID: ffffffff-8279-4711-0000-000000000000

MFT entry found at offset 0x2193d400 Attribute: In Use & File Record Number: 59045 Link count: 2

$STANDARD_INFORMATION Creation Modified MFT Altered Access Date Type 2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:42 UTC+0000 Archive

$FILE_NAME Creation Modified MFT Altered Access Date Name/Path 2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:42 UTC+0000 Users\Bob\DOCUME~1\EMPLOY~1\EMPLOY~1.XLS

$FILE_NAME Creation Modified MFT Altered Access Date Name/Path 2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:42 UTC+0000 Users\Bob\DOCUME~1\EMPLOY~1\EmployeeInformation.xlsx

$OBJECT_ID Object ID: 00fe50d2-4841-e911-8751-000c2958bc5f

16 / whats-a-metasploit? (50)

This box was exploited and is running meterpreter. What PID was infected?

0xfffffa8005a1d9e0 UWkpjFjDzM.exe 3496 5116 5 109 1 1 2019-03-22 05:35:33 UTC+0000

Dodgy. Let's dump the process and upload it to VirusTotal.

$ sha1sum executable.3496.exe
ab120a232492dcfe8ff49e13f5720f63f0545dc2  executable.3496.exe

https://www.hybrid-analysis.com/sample/b6bdfee2e621949deddfc654dacd7bb8fce78836327395249e1f9b7b5ebfcfb1?environmentId=100