Tuesday, September 24, 2019

InCTF 2019 - Notch It Up


I and my friend love playing with computers. So one day, my friend hid the flag in his computer and gave me the memory dump of the system. Now, the challenge is to get the flag. However, the only problem is that he is a master in hiding things. So I need your help! Look carefully. Everything that you find will lead you to the destination.

Challenge: [Link1] & Link2

Unpacking the 7z file gives us a Challenge.raw file. First of all, let’s identify the OS of the image with Volatility:

$ volatility -f Challenge.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/shrimp/challs/inctf/2019/forensics/notch_it_up/Challenge.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027fa0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027fbd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-08-19 14:41:58 UTC+0000
     Image local date and time : 2019-08-19 20:11:58 +0530

Checking running process list:

$ volatility -f Challenge.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80012a5040 System                    4      0     78      495 ------      0 2019-08-19 14:40:07 UTC+0000                                 
0xfffffa8002971470 smss.exe                264      4      2       29 ------      0 2019-08-19 14:40:07 UTC+0000                                 
0xfffffa800234cb30 csrss.exe               336    328     10      415      0      0 2019-08-19 14:40:10 UTC+0000                                 
0xfffffa8002aae910 wininit.exe             384    328      3       74      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002ab7060 csrss.exe               396    376      9      499      1      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002b66560 winlogon.exe            436    376      6      116      1      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002b99200 services.exe            480    384      9      194      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002bb4600 lsass.exe               496    384      7      513      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa80022ff910 lsm.exe                 504    384     10      152      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002ce8740 svchost.exe             608    480     10      358      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002d13060 VBoxService.ex          668    480     13      136      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002d4bb30 svchost.exe             724    480      6      257      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002d4fb30 svchost.exe             780    480     19      405      0      0 2019-08-19 14:40:11 UTC+0000                                 
0xfffffa8002dcf5f0 svchost.exe             896    480     22      452      0      0 2019-08-19 14:40:12 UTC+0000                                 
0xfffffa8002de1b30 svchost.exe             948    480     35      893      0      0 2019-08-19 14:40:12 UTC+0000                                 
0xfffffa8002e0b1c0 audiodg.exe            1008    780      7      132      0      0 2019-08-19 14:40:12 UTC+0000                                 
0xfffffa8002e645f0 svchost.exe             400    480     13      275      0      0 2019-08-19 14:40:12 UTC+0000                                 
0xfffffa8002eac740 svchost.exe            1052    480     17      368      0      0 2019-08-19 14:40:12 UTC+0000                                 
0xfffffa8002e76b30 spoolsv.exe            1176    480     14      279      0      0 2019-08-19 14:40:13 UTC+0000                                 
0xfffffa8002f4d780 svchost.exe            1212    480     21      311      0      0 2019-08-19 14:40:13 UTC+0000                                 
0xfffffa8002f79b30 svchost.exe            1308    480     17      253      0      0 2019-08-19 14:40:13 UTC+0000                                 
0xfffffa8003144250 taskhost.exe           1812    480      9      147      1      0 2019-08-19 14:40:18 UTC+0000                                 
0xfffffa8003160120 dwm.exe                1868    896      4       70      1      0 2019-08-19 14:40:18 UTC+0000                                 
0xfffffa8003164b30 taskeng.exe            1876    948      5       81      0      0 2019-08-19 14:40:18 UTC+0000                                 
0xfffffa800319a060 explorer.exe           1944   1844     35      894      1      0 2019-08-19 14:40:19 UTC+0000                                 
0xfffffa8003227060 GoogleCrashHan         1292   1928      7      105      0      1 2019-08-19 14:40:19 UTC+0000                                 
0xfffffa8003219060 GoogleCrashHan          924   1928      6       93      0      0 2019-08-19 14:40:19 UTC+0000                                 
0xfffffa8003277810 VBoxTray.exe           1108   1944     14      139      1      0 2019-08-19 14:40:20 UTC+0000                                 
0xfffffa8002324b30 cmd.exe                 880   1944      1       21      1      0 2019-08-19 14:40:26 UTC+0000                                 
0xfffffa800231e370 conhost.exe             916    396      3       50      1      0 2019-08-19 14:40:26 UTC+0000                                 
0xfffffa8003315060 SearchIndexer.          856    480     13      689      0      0 2019-08-19 14:40:27 UTC+0000                                 
0xfffffa800234eb30 chrome.exe             2124   1944     27      662      1      0 2019-08-19 14:40:46 UTC+0000                                 
0xfffffa800234f780 chrome.exe             2132   2124      9       75      1      0 2019-08-19 14:40:46 UTC+0000                                 
0xfffffa800314fab0 chrome.exe             2168   2124      3       55      1      0 2019-08-19 14:40:49 UTC+0000                                 
0xfffffa80032d9060 WmiPrvSE.exe           2292    608     13      288      0      0 2019-08-19 14:40:52 UTC+0000                                 
0xfffffa80032f9a70 chrome.exe             2340   2124     12      282      1      0 2019-08-19 14:40:52 UTC+0000                                 
0xfffffa8003741b30 chrome.exe             2440   2124     13      263      1      0 2019-08-19 14:40:54 UTC+0000                                 
0xfffffa800374bb30 chrome.exe             2452   2124     14      167      1      0 2019-08-19 14:40:54 UTC+0000                                 
0xfffffa8002b74060 WmiApSrv.exe           2800    480      6      115      0      0 2019-08-19 14:40:57 UTC+0000                                 
0xfffffa8002d9eab0 WmiPrvSE.exe           2896    608      7      124      0      0 2019-08-19 14:40:57 UTC+0000                                 
0xfffffa80032d4380 chrome.exe             2940   2124      9      172      1      0 2019-08-19 14:41:06 UTC+0000                                 
0xfffffa8003905b30 firefox.exe            2080   3060     59      970      1      1 2019-08-19 14:41:08 UTC+0000                                 
0xfffffa80021fa630 firefox.exe            2860   2080     11      210      1      1 2019-08-19 14:41:09 UTC+0000                                 
0xfffffa80013a4580 firefox.exe            3016   2080     31      413      1      1 2019-08-19 14:41:10 UTC+0000                                 
0xfffffa8001415b30 firefox.exe            2968   2080     22      323      1      1 2019-08-19 14:41:11 UTC+0000                                 
0xfffffa8001454b30 firefox.exe            3316   2080     21      307      1      1 2019-08-19 14:41:13 UTC+0000                                 
0xfffffa80035e71e0 WinRAR.exe             3716   1944      7      201      1      0 2019-08-19 14:41:43 UTC+0000                                 
0xfffffa800156e400 DumpIt.exe             4084   1944      5       46      1      1 2019-08-19 14:41:55 UTC+0000                                 
0xfffffa80014c1060 conhost.exe            4092    396      2       50      1      0 2019-08-19 14:41:55 UTC+0000                                 
0xfffffa80014aa060 sppsvc.exe             1224    480      5        0 ------      0 2019-08-19 14:42:39 UTC+0000                                 
0xfffffa800157eb30 GoogleUpdate.e         2256   2396      3      118 ------      1 2019-08-19 14:42:40 UTC+0000                                 
0xfffffa80014f9060 GoogleCrashHan         1192   2256      3       46 ------      1 2019-08-19 14:42:41 UTC+0000                                 
0xfffffa80035e3700 GoogleCrashHan          864   2256      1 127...45      0      0 2019-08-19 14:42:41 UTC+0000

Some interesting processes are running: firefox.exe, chrome.exe and WinRAR.exe. I’ll look at them soon. First, let’s write the list of file objects found in memory to files.txt:

$ volatility -f Challenge.raw --profile=Win7SP1x64 filescan > files.txt

Looking through the list, I found a suspicious RAR file, C:\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar. Let’s dump and extract it:
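Grepping files.txt by hand works for one archive, but the same step comes up in every memory case: parse the filescan table, pick the paths you care about, and turn each physical offset into a dumpfiles -Q command. The script below is an added example (not part of the writeup or of Volatility itself). It runs on a constructed excerpt of filescan output in which only the two offsets and paths from the writeup (flag.rar and the Chrome History file) are real; the pointer/handle counts, access flags and the other two rows are made up.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of Volatility 2 `filescan` output. The offsets and paths
# of flag.rar and the Chrome History file are the ones from the writeup; the
# #Ptr/#Hnd counts, access flags and the other two rows are made up.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000005f9c1230     16      0 R--r-d \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
0x000000005fcfc4b0      2      1 RW-rwd \\Device\\HarddiskVolume2\\Users\\Jaffa\\Desktop\\pr0t3ct3d\\flag.rar
0x000000005da5a610      3      1 RW-rw- \\Device\\HarddiskVolume2\\Users\\Jaffa\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
0x000000005e1122a0      1      0 R--r-- \\Device\\HarddiskVolume2\\Users\\Jaffa\\AppData\\Local\\Temp\\setup.log
"""

# One filescan row: physical offset, pointer count, handle count, access flags, path.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


@dataclass
class FileEntry:
    offset: int
    ptr: int
    hnd: int
    access: str
    path: str


def parse_filescan(text):
    """Parse filescan output into FileEntry objects, skipping banner and header lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(FileEntry(int(m.group(1), 16), int(m.group(2)),
                                     int(m.group(3)), m.group(4), m.group(5)))
    return entries


def find_files(entries, suffixes=(), path_contains=()):
    """Case-insensitive filter: keep entries whose path ends with one of `suffixes`
    or contains one of the `path_contains` fragments."""
    hits = []
    for e in entries:
        p = e.path.lower()
        if any(p.endswith(s.lower()) for s in suffixes) or \
           any(frag.lower() in p for frag in path_contains):
            hits.append(e)
    return hits


def dumpfiles_command(entry, image="Challenge.raw", profile="Win7SP1x64", outdir="."):
    """Build the dumpfiles invocation for one entry; -Q takes the physical offset."""
    return (f"volatility -f {image} --profile={profile} "
            f"dumpfiles -Q {entry.offset:#018x} -D {outdir}")


if __name__ == "__main__":
    entries = parse_filescan(SAMPLE_FILESCAN)
    # Archives and browser history are the artefacts this writeup goes after.
    for e in find_files(entries, suffixes=(".rar", ".zip", ".7z"),
                        path_contains=("Chrome\\User Data\\Default\\History",)):
        print(e.path)
        print("  ", dumpfiles_command(e))
```

Feed it the real files.txt with `parse_filescan(open("files.txt").read())`. Matching is done on the lower-cased path so that mixed-case extensions on NTFS do not slip past the filter, and the offset is printed zero-padded to the 16 hex digits Volatility itself prints.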

$ volatility -f Challenge.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x5fcfc4b0   None   \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar

$ mv file.None.0xfffffa800138d750.dat flag.rar
$ unrar e flag.rar

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from flag.rar

Enter password (will not be echoed) for flag2.png:

Shit, this file is encrypted! At first I tried to crack it with the rockyou wordlist, with no success. Maybe the password is somewhere in the memory dump. My first shot was looking at the environment variables of WinRAR.exe (PID 3716):

$ volatility -f Challenge.raw --profile=Win7SP1x64 envars -p 3716
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
    3716 WinRAR.exe           0x00000000002a1320 ALLUSERSPROFILE                C:\ProgramData
    3716 WinRAR.exe           0x00000000002a1320 APPDATA                        C:\Users\Jaffa\AppData\Roaming
    3716 WinRAR.exe           0x00000000002a1320 CommonProgramFiles             C:\Program Files\Common Files
    3716 WinRAR.exe           0x00000000002a1320 CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files
    3716 WinRAR.exe           0x00000000002a1320 CommonProgramW6432             C:\Program Files\Common Files
    3716 WinRAR.exe           0x00000000002a1320 COMPUTERNAME                   VIRUS-PC
    3716 WinRAR.exe           0x00000000002a1320 ComSpec                        C:\Windows\system32\cmd.exe
    3716 WinRAR.exe           0x00000000002a1320 FP_NO_HOST_CHECK               NO
    3716 WinRAR.exe           0x00000000002a1320 HOMEDRIVE                      C:
    3716 WinRAR.exe           0x00000000002a1320 HOMEPATH                       \Users\Jaffa
    3716 WinRAR.exe           0x00000000002a1320 LOCALAPPDATA                   C:\Users\Jaffa\AppData\Local
    3716 WinRAR.exe           0x00000000002a1320 LOGONSERVER                    \\VIRUS-PC
    3716 WinRAR.exe           0x00000000002a1320 NUMBER_OF_PROCESSORS           1
    3716 WinRAR.exe           0x00000000002a1320 OS                             Windows_NT
    3716 WinRAR.exe           0x00000000002a1320 Path                           C:\Program Files\WinRAR;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
    3716 WinRAR.exe           0x00000000002a1320 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    3716 WinRAR.exe           0x00000000002a1320 PROCESSOR_ARCHITECTURE         AMD64
    3716 WinRAR.exe           0x00000000002a1320 PROCESSOR_IDENTIFIER           Intel64 Family 6 Model 158 Stepping 10, GenuineIntel
    3716 WinRAR.exe           0x00000000002a1320 PROCESSOR_LEVEL                6
    3716 WinRAR.exe           0x00000000002a1320 PROCESSOR_REVISION             9e0a
    3716 WinRAR.exe           0x00000000002a1320 ProgramData                    C:\ProgramData
    3716 WinRAR.exe           0x00000000002a1320 ProgramFiles                   C:\Program Files
    3716 WinRAR.exe           0x00000000002a1320 ProgramFiles(x86)              C:\Program Files (x86)
    3716 WinRAR.exe           0x00000000002a1320 ProgramW6432                   C:\Program Files
    3716 WinRAR.exe           0x00000000002a1320 PSModulePath                   C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
    3716 WinRAR.exe           0x00000000002a1320 PUBLIC                         C:\Users\Public
    3716 WinRAR.exe           0x00000000002a1320 RAR password                   easypeasyvirus
    3716 WinRAR.exe           0x00000000002a1320 SESSIONNAME                    Console
    3716 WinRAR.exe           0x00000000002a1320 SystemDrive                    C:
    3716 WinRAR.exe           0x00000000002a1320 SystemRoot                     C:\Windows
    3716 WinRAR.exe           0x00000000002a1320 TEMP                           C:\Users\Jaffa\AppData\Local\Temp
    3716 WinRAR.exe           0x00000000002a1320 TMP                            C:\Users\Jaffa\AppData\Local\Temp
    3716 WinRAR.exe           0x00000000002a1320 USERDOMAIN                     VIRUS-PC
    3716 WinRAR.exe           0x00000000002a1320 USERNAME                       Jaffa
    3716 WinRAR.exe           0x00000000002a1320 USERPROFILE                    C:\Users\Jaffa
    3716 WinRAR.exe           0x00000000002a1320 windir                         C:\Windows
    3716 WinRAR.exe           0x00000000002a1320 windows_tracing_flags          3
    3716 WinRAR.exe           0x00000000002a1320 windows_tracing_logfile        C:\BVTBin\Tests\installpackage\csilogfile.log

Gotcha! There is a variable called RAR password whose value is easypeasyvirus. With this password, the archive gave me flag2.png:
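Spotting RAR password in a 40-line table is easy; spotting an odd variable across every process in a dump is not. The script below is an added example (mine, not the writeup's or Volatility's): it parses envars output and flags any variable that is not in a baseline of names a stock Windows 7 process carries, or whose name looks credential-like. The baseline is the set of standard names visible in this dump's output; the sample input is a constructed excerpt of the table above.

```python
import re

# Constructed excerpt of the writeup's `envars -p 3716` output, trimmed to a
# handful of rows; the values are the ones shown on the page.
SAMPLE_ENVARS = """\
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
    3716 WinRAR.exe           0x00000000002a1320 ALLUSERSPROFILE                C:\\ProgramData
    3716 WinRAR.exe           0x00000000002a1320 COMPUTERNAME                   VIRUS-PC
    3716 WinRAR.exe           0x00000000002a1320 Path                           C:\\Program Files\\WinRAR;C:\\Windows\\system32;C:\\Windows
    3716 WinRAR.exe           0x00000000002a1320 RAR password                   easypeasyvirus
    3716 WinRAR.exe           0x00000000002a1320 USERNAME                       Jaffa
    3716 WinRAR.exe           0x00000000002a1320 windows_tracing_flags          3
"""

# Variable names a stock Windows 7 process block is expected to carry (the set
# seen in this dump). Compared case-insensitively.
BASELINE = {name.upper() for name in (
    "ALLUSERSPROFILE", "APPDATA", "CommonProgramFiles", "CommonProgramFiles(x86)",
    "CommonProgramW6432", "COMPUTERNAME", "ComSpec", "FP_NO_HOST_CHECK", "HOMEDRIVE",
    "HOMEPATH", "LOCALAPPDATA", "LOGONSERVER", "NUMBER_OF_PROCESSORS", "OS", "Path",
    "PATHEXT", "PROCESSOR_ARCHITECTURE", "PROCESSOR_IDENTIFIER", "PROCESSOR_LEVEL",
    "PROCESSOR_REVISION", "ProgramData", "ProgramFiles", "ProgramFiles(x86)",
    "ProgramW6432", "PSModulePath", "PUBLIC", "SESSIONNAME", "SystemDrive", "SystemRoot",
    "TEMP", "TMP", "USERDOMAIN", "USERNAME", "USERPROFILE", "windir",
    "windows_tracing_flags", "windows_tracing_logfile",
)}

# Names that smell like a credential regardless of whether they are in the baseline.
SECRET_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|\bkey\b", re.IGNORECASE)
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s")


def parse_envars(text):
    """Parse envars output. Variable names may contain spaces ("RAR password"),
    so the Variable/Value columns are sliced at the positions given by the header."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Pid"))
    var_col, val_col = header.index("Variable"), header.index("Value")
    rows = []
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "pid": int(m.group(1)), "process": m.group(2), "block": m.group(3),
            "name": line[var_col:val_col].strip(), "value": line[val_col:].strip(),
        })
    return rows


def suspicious_envars(rows):
    """Flag variables that are not in the baseline or whose name looks credential-like."""
    findings = []
    for r in rows:
        reasons = []
        if r["name"].upper() not in BASELINE:
            reasons.append("not a standard variable")
        if SECRET_NAME_RE.search(r["name"]):
            reasons.append("credential-like name")
        if reasons:
            findings.append((r["pid"], r["process"], r["name"], r["value"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, proc, name, value, why in suspicious_envars(parse_envars(SAMPLE_ENVARS)):
        print(f"{pid} {proc}: {name!r} = {value!r}  [{why}]")
```

Run envars without -p to get every process, pipe the output into parse_envars, and the only rows left are the ones worth reading. Slicing by the header's column positions rather than splitting on whitespace is what keeps "RAR password" intact as a name; a split would have reported a variable called RAR with the value "password easypeasyvirus".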

second part of flag

Moving on to Chrome, I dumped its History file (a SQLite database) with Volatility’s dumpfiles plugin and found a suspicious link in it:

$ volatility -f Challenge.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005da5a610 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x5da5a610   None   \Device\HarddiskVolume2\Users\Jaffa\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x5da5a610   None   \Device\HarddiskVolume2\Users\Jaffa\AppData\Local\Google\Chrome\User Data\Default\History

$ mv file.None.0xfffffa800361b1b0.vacb chrome.sqlite
$ sqlite3 chrome.sqlite "select url from urls;"
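Selecting url from urls gives the list, but Chrome's History also carries the page title and a last_visit_time that is not Unix time: it is microseconds since 1601-01-01 UTC. The script below is an added example (not from the writeup) that opens a dumped History file read-only, converts those timestamps with exact integer arithmetic, and lists visits in order with an optional host filter. Because it has to run without the challenge file, it builds an in-memory stand-in using Chrome's urls schema; the rows and URLs in it are placeholders, not the ones found in the challenge.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome's History database stores times as microseconds since 1601-01-01 UTC
# (the Windows FILETIME epoch), not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime (exact integer math)."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(us))


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; timedelta // timedelta keeps microsecond precision."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history(path):
    """Open a dumped History file read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_history():
    """Constructed in-memory stand-in for the dumped History file. The `urls`
    columns follow Chrome's schema; the rows and URLs are placeholders, not the
    ones from the challenge."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE urls(
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            url LONGVARCHAR,
            title LONGVARCHAR,
            visit_count INTEGER DEFAULT 0 NOT NULL,
            typed_count INTEGER DEFAULT 0 NOT NULL,
            last_visit_time INTEGER NOT NULL,
            hidden INTEGER DEFAULT 0 NOT NULL)""")
    t0 = datetime(2019, 8, 19, 14, 40, 50, tzinfo=timezone.utc)  # shortly before the dump
    rows = [
        ("https://www.google.com/search?q=PLACEHOLDER", "PLACEHOLDER - Google Search",
         1, 0, datetime_to_webkit(t0), 0),
        ("https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit", "Untitled document - Google Docs",
         2, 0, datetime_to_webkit(t0 + timedelta(seconds=20)), 0),
        ("https://mega.nz/#!PLACEHOLDER_FILE_ID", "MEGA",
         1, 0, datetime_to_webkit(t0 + timedelta(seconds=45)), 0),
    ]
    conn.executemany(
        "INSERT INTO urls(url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def history_timeline(conn, hosts=None):
    """Return (utc datetime, visit_count, url, title) in visit order, optionally
    restricted to the given hostnames (and their subdomains)."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time")
    timeline = []
    for url, title, visits, last_visit in cur:
        host = urlparse(url).hostname or ""
        if hosts and not any(host == h or host.endswith("." + h) for h in hosts):
            continue
        timeline.append((webkit_to_datetime(last_visit), visits, url, title))
    return timeline


if __name__ == "__main__":
    conn = build_sample_history()
    for when, visits, url, title in history_timeline(conn):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  x{visits}  {url}  ({title})")
```

For the real file, replace build_sample_history() with open_history("chrome.sqlite"). The timestamps let you line the browsing up against the pslist start times and the image time (14:41:58 UTC), which is how you tell whether a link was opened before or after the archive was created. Floating-point division is deliberately avoided in datetime_to_webkit: at 1.3e16 microseconds a double no longer represents every microsecond.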

Accessing this URL, it showed:


Nice! It is a Google Docs document, with a little information:

But David sent the key in mail.
The key is... :(

What is he talking about? The document was mostly Lorem Ipsum text, but in the middle of it there was a MEGA link. Accessing this link asked for a password. Oh crap…

At this point I got stuck for a while. Exploring other Volatility features, I tried the screenshot plugin and got this:


I noticed that the Mozilla Firefox window title, Mega Drive Key, was a clue to where the MEGA key was. So, let’s look for it with strings on the memory dump:

$ strings Challenge.raw | grep "Mega Drive Key"
Mega Drive Key - [email protected] - Gmail
top['GM_TRACING_THREAD_DETAILS_CHUNK_START'] = (window.performance && window.performance.now) ? window.performance.now() : null; top._GM_setData({"Cl6csf":[["simls",0,"{\"2\":[{\"1\":0,\"2\":{\"1\":\"Mega Drive Key\",\"2\":\"THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU\",\"3\":\"1566219955932\",\"4\":\"thread-f:1642300656742870683\",\"5\":[{\"1\":\"msg-f:1642300656742870683\",\"2\":{\"1\":1,\"2\":\"[email protected]\",\"3\":\"Daniel Benjamin\"},\"3\":[{\"1\":1,\"2\":\"[email protected]\"}],\"7\":\"1566219955932\",\"8\":\"Mega Drive Key\",\"9\":{\"2\":[{\"1\":0,\"3\":{\"2\":\"\\u003cdiv dir\\u003d\\\"ltr\\\"\\u003eTHE KEY IS\\u00a0\\u003cb style\\u003d\\\"color:rgb(38,50,56);font-family:Roboto,Arial,sans-serif;font-size:13px\\\"\\u003ezyWxCjCYYSEMA-\\u003cwbr\\u003ehZe552qWVXiPwa5TecODbjnsscMIU\\u003c/b\\u003e\\u003c/div\\u003e\\r\\n\"},\"4\":-958280989}],\"3\":0,\"7\":1,\"8\":0},\"10\":\"THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU\",\"11\":[\"^all\",\"^i\",\"^iim\",\"^io_im\",\"^io_lr\",\"^o\",\"^smartlabel_personal\",\"^sq_ig_i_personal\"],\"14\":\"\\u003cCALenj9-NuDWhCBPhkKQWKBT5YpXUdMvYOvsXwCPxoDRKtMd+nw@mail.gmail.com\\u003e\",\"18\":\"1566219956152\",\"19\":{\"1\":0,\"2\":1,\"3\":\"\",\"4\":-1,\"8\":\"gmail.com\",\"9\":\"gmail.com\",\"11\":0,\"17\":\"[email protected]\",\"18\":1},\"22\":{\"1\":1,\"2\":\"[email protected]\"},\"27\":{\"1\":[{\"1\":\"Got it, thanks!\",\"2\":[24,26,22],\"3\":[24,26,22]},{\"1\":\"Thank you!\",\"2\":[24,26,22],\"3\":[24,26,22]},{\"1\":\"Awesome, thanks!\",\"2\":[24,26,22],\"3\":[24,26,22]}],\"2\":2,\"6\":\"en\"},\"30\":{\"3\":{\"1\":3},\"4\":{\"1\":3},\"5\":{\"1\":0.9009061},\"7\":{\"1\":\"21660255\"},\"8\":[21660259,23130126,40510058,21660255,40510060,40510097,21660260],\"10\":1},\"31\":\"1566219956152\",\"36\":{\"5\":2},\"44\":0,\"45\":{\"3\":1},\"56\":\"16ca9fbefb8cae9b\"}],\"14\":0.9009061,\"17\":0,\"20\":\"16ca9fbefb8cae9b\"},\"3\":0,\"4\":0}]}"]]}); top['GM_TRACING_THREAD_DETAILS_CHUNK_END'] = 
(window.performance && window.performance.now) ? window.performance.now() : null;

Did you see the key? No? Here it is: zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU. Cool! I used this key on the MEGA file and downloaded the flag_.png image, the first part of the flag:
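The strings hit above came from the Gmail page source, which is 8-bit text. Window titles and most other strings that Windows itself keeps in memory are UTF-16LE, and plain `strings` does not report those at all, so a keyword that only exists as a wide string is invisible to the grep used here. The script below is an added example (not the writeup's own tooling): it searches a buffer for a keyword in both encodings and prints each hit with surrounding context, keeping the window aligned to 2-byte code units for the UTF-16 case. The buffer is a constructed stand-in for a slice of Challenge.raw, with a placeholder e-mail address in place of the redacted one.

```python
# Keyword search over a raw memory image in both ASCII and UTF-16LE. Plain
# `strings` only reports 8-bit text, so Windows window titles and other
# wide-character strings are easy to miss without the second encoding.

def keyword_encodings(keyword):
    """The byte patterns a keyword can take in a Windows memory image."""
    return {"ascii": keyword.encode("ascii"), "utf-16le": keyword.encode("utf-16-le")}


def find_keyword(buf, keyword, context=48):
    """Return (offset, encoding, decoded snippet) for every occurrence of `keyword`,
    with `context` bytes on either side, sorted by offset."""
    hits = []
    for enc, needle in keyword_encodings(keyword).items():
        pos = buf.find(needle)
        while pos != -1:
            lo = max(0, pos - context)
            hi = min(len(buf), pos + len(needle) + context)
            if enc == "utf-16le":
                # keep the window aligned to 2-byte code units around the match
                lo += (pos - lo) % 2
                hi -= (hi - pos) % 2
                snippet = buf[lo:hi].decode("utf-16-le", errors="replace")
            else:
                snippet = buf[lo:hi].decode("ascii", errors="replace")
            hits.append((pos, enc, snippet.replace("\x00", "")))
            pos = buf.find(needle, pos + 1)
    return sorted(hits)


# Constructed stand-in for a slice of Challenge.raw: one ASCII copy of the Gmail
# tab title (what `strings` showed in the writeup) and one UTF-16LE copy of a
# Firefox window title, separated by padding. The address is a placeholder.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"junk junk "
    + b"Mega Drive Key - PLACEHOLDER@example.com - Gmail"
    + b"\x00" * 20
    + "Mega Drive Key - Mozilla Firefox".encode("utf-16-le")
    + b"\x00" * 16
)


if __name__ == "__main__":
    for off, enc, snippet in find_keyword(SAMPLE_DUMP, "Mega Drive Key"):
        print(f"{off:#010x} {enc:8s} {snippet}")
```

To run it on the real image, read Challenge.raw into a bytes object (or memory-map it) and pass that as buf. The equivalent check on the command line is a second pass with `strings -el Challenge.raw`, which emits 16-bit little-endian strings; the offsets the script reports are physical offsets into the image, so a hit can be taken straight to a hex editor for the surrounding structure.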

first part of flag

Flag: inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_aN_Am4zINg_!_i_gU3Ss???_}

Capture the Flag, Forensics, Memory dump, Writeup