Description
I and my friend love playing with computers. So one day, my friend hid the flag in his computer and gave me the memory dump of the system. Now, the challenge is to get the flag. However, the only problem is that he is a master in hiding things. So I need your help! Look carefully. Everything that you find will lead you to the destination.
Challenge: [Link1] & Link2
By unpacking the 7z file, we will have a Challenge.raw file. First of all, let’s see what kind of OS we’re handling with Volatility:
$ volatility -f Challenge.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/shrimp/challs/inctf/2019/forensics/notch_it_up/Challenge.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027fa0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027fbd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-08-19 14:41:58 UTC+0000
Image local date and time : 2019-08-19 20:11:58 +0530
Checking running process list:
$ volatility -f Challenge.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80012a5040 System 4 0 78 495 ------ 0 2019-08-19 14:40:07 UTC+0000
0xfffffa8002971470 smss.exe 264 4 2 29 ------ 0 2019-08-19 14:40:07 UTC+0000
0xfffffa800234cb30 csrss.exe 336 328 10 415 0 0 2019-08-19 14:40:10 UTC+0000
0xfffffa8002aae910 wininit.exe 384 328 3 74 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002ab7060 csrss.exe 396 376 9 499 1 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002b66560 winlogon.exe 436 376 6 116 1 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002b99200 services.exe 480 384 9 194 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002bb4600 lsass.exe 496 384 7 513 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa80022ff910 lsm.exe 504 384 10 152 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002ce8740 svchost.exe 608 480 10 358 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002d13060 VBoxService.ex 668 480 13 136 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002d4bb30 svchost.exe 724 480 6 257 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002d4fb30 svchost.exe 780 480 19 405 0 0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002dcf5f0 svchost.exe 896 480 22 452 0 0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002de1b30 svchost.exe 948 480 35 893 0 0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002e0b1c0 audiodg.exe 1008 780 7 132 0 0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002e645f0 svchost.exe 400 480 13 275 0 0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002eac740 svchost.exe 1052 480 17 368 0 0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002e76b30 spoolsv.exe 1176 480 14 279 0 0 2019-08-19 14:40:13 UTC+0000
0xfffffa8002f4d780 svchost.exe 1212 480 21 311 0 0 2019-08-19 14:40:13 UTC+0000
0xfffffa8002f79b30 svchost.exe 1308 480 17 253 0 0 2019-08-19 14:40:13 UTC+0000
0xfffffa8003144250 taskhost.exe 1812 480 9 147 1 0 2019-08-19 14:40:18 UTC+0000
0xfffffa8003160120 dwm.exe 1868 896 4 70 1 0 2019-08-19 14:40:18 UTC+0000
0xfffffa8003164b30 taskeng.exe 1876 948 5 81 0 0 2019-08-19 14:40:18 UTC+0000
0xfffffa800319a060 explorer.exe 1944 1844 35 894 1 0 2019-08-19 14:40:19 UTC+0000
0xfffffa8003227060 GoogleCrashHan 1292 1928 7 105 0 1 2019-08-19 14:40:19 UTC+0000
0xfffffa8003219060 GoogleCrashHan 924 1928 6 93 0 0 2019-08-19 14:40:19 UTC+0000
0xfffffa8003277810 VBoxTray.exe 1108 1944 14 139 1 0 2019-08-19 14:40:20 UTC+0000
0xfffffa8002324b30 cmd.exe 880 1944 1 21 1 0 2019-08-19 14:40:26 UTC+0000
0xfffffa800231e370 conhost.exe 916 396 3 50 1 0 2019-08-19 14:40:26 UTC+0000
0xfffffa8003315060 SearchIndexer. 856 480 13 689 0 0 2019-08-19 14:40:27 UTC+0000
0xfffffa800234eb30 chrome.exe 2124 1944 27 662 1 0 2019-08-19 14:40:46 UTC+0000
0xfffffa800234f780 chrome.exe 2132 2124 9 75 1 0 2019-08-19 14:40:46 UTC+0000
0xfffffa800314fab0 chrome.exe 2168 2124 3 55 1 0 2019-08-19 14:40:49 UTC+0000
0xfffffa80032d9060 WmiPrvSE.exe 2292 608 13 288 0 0 2019-08-19 14:40:52 UTC+0000
0xfffffa80032f9a70 chrome.exe 2340 2124 12 282 1 0 2019-08-19 14:40:52 UTC+0000
0xfffffa8003741b30 chrome.exe 2440 2124 13 263 1 0 2019-08-19 14:40:54 UTC+0000
0xfffffa800374bb30 chrome.exe 2452 2124 14 167 1 0 2019-08-19 14:40:54 UTC+0000
0xfffffa8002b74060 WmiApSrv.exe 2800 480 6 115 0 0 2019-08-19 14:40:57 UTC+0000
0xfffffa8002d9eab0 WmiPrvSE.exe 2896 608 7 124 0 0 2019-08-19 14:40:57 UTC+0000
0xfffffa80032d4380 chrome.exe 2940 2124 9 172 1 0 2019-08-19 14:41:06 UTC+0000
0xfffffa8003905b30 firefox.exe 2080 3060 59 970 1 1 2019-08-19 14:41:08 UTC+0000
0xfffffa80021fa630 firefox.exe 2860 2080 11 210 1 1 2019-08-19 14:41:09 UTC+0000
0xfffffa80013a4580 firefox.exe 3016 2080 31 413 1 1 2019-08-19 14:41:10 UTC+0000
0xfffffa8001415b30 firefox.exe 2968 2080 22 323 1 1 2019-08-19 14:41:11 UTC+0000
0xfffffa8001454b30 firefox.exe 3316 2080 21 307 1 1 2019-08-19 14:41:13 UTC+0000
0xfffffa80035e71e0 WinRAR.exe 3716 1944 7 201 1 0 2019-08-19 14:41:43 UTC+0000
0xfffffa800156e400 DumpIt.exe 4084 1944 5 46 1 1 2019-08-19 14:41:55 UTC+0000
0xfffffa80014c1060 conhost.exe 4092 396 2 50 1 0 2019-08-19 14:41:55 UTC+0000
0xfffffa80014aa060 sppsvc.exe 1224 480 5 0 ------ 0 2019-08-19 14:42:39 UTC+0000
0xfffffa800157eb30 GoogleUpdate.e 2256 2396 3 118 ------ 1 2019-08-19 14:42:40 UTC+0000
0xfffffa80014f9060 GoogleCrashHan 1192 2256 3 46 ------ 1 2019-08-19 14:42:41 UTC+0000
0xfffffa80035e3700 GoogleCrashHan 864 2256 1 127...45 0 0 2019-08-19 14:42:41 UTC+0000
There are interesting running processes: firefox.exe, chrome.exe and WinRAR.exe. I’ll look at them soon. Writing in files.txt a list of opened files in memory:
$volatility -f Challenge.raw --profile=Win7SP1x64 filescan > files.txt
Checking out the list, I found a suspicious rar file at C:\Users\Jaffa\Desktop\pr0t3ct3d called flag.rar. Let’s dump and extract it:
$ volatility -f Challenge.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x5fcfc4b0 None \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar
$ mv file.None.0xfffffa800138d750.dat flag.rar
$ unrar e flag.rar
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Extracting from flag.rar
Enter password (will not be echoed) for flag2.png:
Shit, this file was encrypted! At first glance, I tried to crack it with rockyou wordlist with no success. Maybe this password is somewhere in the memory dump. My first shot was trying to look into WinRAR.exe’s environment vars (process number 3716):
$ volatility -f Challenge.raw --profile=Win7SP1x64 envars -p 3716
Volatility Foundation Volatility Framework 2.6
Pid Process Block Variable Value
-------- -------------------- ------------------ ------------------------------ -----
3716 WinRAR.exe 0x00000000002a1320 ALLUSERSPROFILE C:\ProgramData
3716 WinRAR.exe 0x00000000002a1320 APPDATA C:\Users\Jaffa\AppData\Roaming
3716 WinRAR.exe 0x00000000002a1320 CommonProgramFiles C:\Program Files\Common Files
3716 WinRAR.exe 0x00000000002a1320 CommonProgramFiles(x86) C:\Program Files (x86)\Common Files
3716 WinRAR.exe 0x00000000002a1320 CommonProgramW6432 C:\Program Files\Common Files
3716 WinRAR.exe 0x00000000002a1320 COMPUTERNAME VIRUS-PC
3716 WinRAR.exe 0x00000000002a1320 ComSpec C:\Windows\system32\cmd.exe
3716 WinRAR.exe 0x00000000002a1320 FP_NO_HOST_CHECK NO
3716 WinRAR.exe 0x00000000002a1320 HOMEDRIVE C:
3716 WinRAR.exe 0x00000000002a1320 HOMEPATH \Users\Jaffa
3716 WinRAR.exe 0x00000000002a1320 LOCALAPPDATA C:\Users\Jaffa\AppData\Local
3716 WinRAR.exe 0x00000000002a1320 LOGONSERVER \\VIRUS-PC
3716 WinRAR.exe 0x00000000002a1320 NUMBER_OF_PROCESSORS 1
3716 WinRAR.exe 0x00000000002a1320 OS Windows_NT
3716 WinRAR.exe 0x00000000002a1320 Path C:\Program Files\WinRAR;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
3716 WinRAR.exe 0x00000000002a1320 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
3716 WinRAR.exe 0x00000000002a1320 PROCESSOR_ARCHITECTURE AMD64
3716 WinRAR.exe 0x00000000002a1320 PROCESSOR_IDENTIFIER Intel64 Family 6 Model 158 Stepping 10, GenuineIntel
3716 WinRAR.exe 0x00000000002a1320 PROCESSOR_LEVEL 6
3716 WinRAR.exe 0x00000000002a1320 PROCESSOR_REVISION 9e0a
3716 WinRAR.exe 0x00000000002a1320 ProgramData C:\ProgramData
3716 WinRAR.exe 0x00000000002a1320 ProgramFiles C:\Program Files
3716 WinRAR.exe 0x00000000002a1320 ProgramFiles(x86) C:\Program Files (x86)
3716 WinRAR.exe 0x00000000002a1320 ProgramW6432 C:\Program Files
3716 WinRAR.exe 0x00000000002a1320 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
3716 WinRAR.exe 0x00000000002a1320 PUBLIC C:\Users\Public
3716 WinRAR.exe 0x00000000002a1320 RAR password easypeasyvirus
3716 WinRAR.exe 0x00000000002a1320 SESSIONNAME Console
3716 WinRAR.exe 0x00000000002a1320 SystemDrive C:
3716 WinRAR.exe 0x00000000002a1320 SystemRoot C:\Windows
3716 WinRAR.exe 0x00000000002a1320 TEMP C:\Users\Jaffa\AppData\Local\Temp
3716 WinRAR.exe 0x00000000002a1320 TMP C:\Users\Jaffa\AppData\Local\Temp
3716 WinRAR.exe 0x00000000002a1320 USERDOMAIN VIRUS-PC
3716 WinRAR.exe 0x00000000002a1320 USERNAME Jaffa
3716 WinRAR.exe 0x00000000002a1320 USERPROFILE C:\Users\Jaffa
3716 WinRAR.exe 0x00000000002a1320 windir C:\Windows
3716 WinRAR.exe 0x00000000002a1320 windows_tracing_flags 3
3716 WinRAR.exe 0x00000000002a1320 windows_tracing_logfile C:\BVTBin\Tests\installpackage\csilogfile.log
Gotcha! There was a var called RAR password and its content was easypeasyvirus. Using this password, it gave me flag2.png:
Checking Chrome, I’ve downloaded its history by dumpfiles volatility parameter, stored in SQLite file and I found this suspicious link below:
$ volatility -f Challenge.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005da5a610 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x5da5a610 None \Device\HarddiskVolume2\Users\Jaffa\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x5da5a610 None \Device\HarddiskVolume2\Users\Jaffa\AppData\Local\Google\Chrome\User Data\Default\History
$ mv file.None.0xfffffa800361b1b0.vacb chrome.sqlite
$ sqlite3 places.sqlite "select url from urls;"
<skipped>
https://pastebin.com/RSGSi1hk
<skipped>
Accessing this URL, it showed:
Nice! There is a document from Google Docs and a little information:
But David sent the key in mail.
The key is... :(
What are he talking about? Checking this document, it was a lot of Lorem Ipsum text, but in the middle of text had a MEGA link. Accessing this link, it asked a password. Oh crap…
At this part, I got stucked a little. Exploring other features of volatility, I tried the screenshot feature and I got this:
I noticed that the title from Mozilla Firefox called Mega Drive Key was a clue to find the Mega’s key file. So, let’s find it with strings in memory dump:
$ strings Challenge.raw | grep "Mega Drive Key"
<skipped>
Mega Drive Key - [email protected] - Gmail
top['GM_TRACING_THREAD_DETAILS_CHUNK_START'] = (window.performance && window.performance.now) ? window.performance.now() : null; top._GM_setData({"Cl6csf":[["simls",0,"{\"2\":[{\"1\":0,\"2\":{\"1\":\"Mega Drive Key\",\"2\":\"THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU\",\"3\":\"1566219955932\",\"4\":\"thread-f:1642300656742870683\",\"5\":[{\"1\":\"msg-f:1642300656742870683\",\"2\":{\"1\":1,\"2\":\"[email protected]\",\"3\":\"Daniel Benjamin\"},\"3\":[{\"1\":1,\"2\":\"[email protected]\"}],\"7\":\"1566219955932\",\"8\":\"Mega Drive Key\",\"9\":{\"2\":[{\"1\":0,\"3\":{\"2\":\"\\u003cdiv dir\\u003d\\\"ltr\\\"\\u003eTHE KEY IS\\u00a0\\u003cb style\\u003d\\\"color:rgb(38,50,56);font-family:Roboto,Arial,sans-serif;font-size:13px\\\"\\u003ezyWxCjCYYSEMA-\\u003cwbr\\u003ehZe552qWVXiPwa5TecODbjnsscMIU\\u003c/b\\u003e\\u003c/div\\u003e\\r\\n\"},\"4\":-958280989}],\"3\":0,\"7\":1,\"8\":0},\"10\":\"THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU\",\"11\":[\"^all\",\"^i\",\"^iim\",\"^io_im\",\"^io_lr\",\"^o\",\"^smartlabel_personal\",\"^sq_ig_i_personal\"],\"14\":\"\\u003cCALenj9-NuDWhCBPhkKQWKBT5YpXUdMvYOvsXwCPxoDRKtMd+nw@mail.gmail.com\\u003e\",\"18\":\"1566219956152\",\"19\":{\"1\":0,\"2\":1,\"3\":\"\",\"4\":-1,\"8\":\"gmail.com\",\"9\":\"gmail.com\",\"11\":0,\"17\":\"[email protected]\",\"18\":1},\"22\":{\"1\":1,\"2\":\"[email protected]\"},\"27\":{\"1\":[{\"1\":\"Got it, thanks!\",\"2\":[24,26,22],\"3\":[24,26,22]},{\"1\":\"Thank you!\",\"2\":[24,26,22],\"3\":[24,26,22]},{\"1\":\"Awesome, thanks!\",\"2\":[24,26,22],\"3\":[24,26,22]}],\"2\":2,\"6\":\"en\"},\"30\":{\"3\":{\"1\":3},\"4\":{\"1\":3},\"5\":{\"1\":0.9009061},\"7\":{\"1\":\"21660255\"},\"8\":[21660259,23130126,40510058,21660255,40510060,40510097,21660260],\"10\":1},\"31\":\"1566219956152\",\"36\":{\"5\":2},\"44\":0,\"45\":{\"3\":1},\"56\":\"16ca9fbefb8cae9b\"}],\"14\":0.9009061,\"17\":0,\"20\":\"16ca9fbefb8cae9b\"},\"3\":0,\"4\":0}]}"]]}); top['GM_TRACING_THREAD_DETAILS_CHUNK_END'] = (window.performance && window.performance.now) ? window.performance.now() : null;
<skipped>
Did you see the key? No? Take it: zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU Cool! I used this key in Mega file and downloaded flag_.png image, the first part of flag:
Flag: inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_aN_Am4zINg_!_i_gU3Ss???_}