Shearwater AusCert 2016 CTF - Game of Memory Writeup
A solution guide for the Game of Memory challenge released during the AusCert 2016 CTF
This blog contains a write up of the solution I used to solve the category “Game of Memory”. Unlike with the other categories, there is a single challenge and we’re tasked to answer specific questions. We are given a brief scenario and a link and password for a memory dump file.
- The dump file is here: https://mega.nz/#!XAkUVZrL!ioGSxK6V3An14mnq-mOAOktk5o8RhAxiNOhEX0YCxtU
- Password: Shearwater AusCert 2016
##Question 1:
What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID?
The flag must be submitted in the following format: [pid][9999-99-99 00:00:00 UTC+0000][ppid]
volatility -f memory_1.dmp --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.4
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa80040c9b30:rundll32.exe 3248 3216 3 61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe 3268 3248 1 33 2016-05-11 03:27:48 UTC+0000
The above two process stood out the most as potentially malicious as typically “cmd.exe” processes would be spawned from “explorer.exe” processes. The “rundll32.exe” is frequently, but not exclusively, leveraged by MSF payloads. This provides another indicator of a potentially malicious process.
Answer: [3268][2016-05-11 03:27:48 UTC+0000][3248]
##Question 2:
What permission level was achieved by the attacker?
The flag must be submitted in the following format: [Authenticated Users]
There is a plugin in volatility which gathers the SID related to a process.
volatility -f memory_1.dmp --profile=Win7SP1x64 getsids -p 3268
Volatility Foundation Volatility Framework 2.4
cmd.exe (3268): S-1-5-18 (Local System)
cmd.exe (3268): S-1-5-32-544 (Administrators)
cmd.exe (3268): S-1-1-0 (Everyone)
cmd.exe (3268): S-1-5-11 (Authenticated Users)
cmd.exe (3268): S-1-16-16384 (System Mandatory Level)
Answer: [Local System]
##Question 3:
What is the attacker's IP and port, the PID of the process attached to the connection and is the connection still open?
The flag must be submitted in the following format: [IP:PORT][PID][N]
This is another simple question which can be solved using the netscan plugin in volatility.
volatility -f memory_1.dmp --profile=Win7SP1x64 netscan |grep 3248
Volatility Foundation Volatility Framework 2.4
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13e3d16f0 TCPv4 192.168.136.131:49189 192.168.136.134:41367 CLOSED 3248 rundll32.exe
Answer: [192.168.136.134:41367][3248][N]
##Question 4:
What file was modified?
The answer must be submitted in the following format: [C:\flag.txt]
During the contest, I identified several ways which could be used to identify the file which was modified. I used the handles plugin in a previous blogpost to track a key logger file, so I decided to use this plugin in again.
volatility -f memory_1.dmp --profile=Win7SP1x64 handles -t File -p 3268
Volatility Foundation Volatility Framework 2.4
Offset(V) Pid Handle Access Type Details
------------------ ------ ------------------ ------------------ -------------------------- -------
0xfffffa8004091070 3268 0x10 0x100020 File \Device\HarddiskVolume1\Windows
0xfffffa8003f5ba60 3268 0x60 0x120089 File \Device\HarddiskVolume1\Windows\SysWOW64\en-US\cmd.exe.mui
0xfffffa80057bed30 3268 0x80 0x100020 File \Device\HarddiskVolume1\Users\vagrant\Documents\vault
0xfffffa80040a37c0 3268 0x84 0x16019f File \Device\Afd\Endpoint
0xfffffa80040a37c0 3268 0xe4 0x16019f File \Device\Afd\Endpoint
The above output the reference to the user “vagrant” seemed suspicious, however it doesn’t appear to be a file rather its a directory. I then used the filescan and grepped the output for the potential directory.
volatility -f memory_1.dmp --profile=Win7SP1x64 filescan |grep vault
Volatility Foundation Volatility Framework 2.4
0x000000013e05fbc0 10 0 R--r-d \Device\HarddiskVolume1\Windows\System32\vaultcli.dll
0x000000013e22c740 15 0 R--r-d \Device\HarddiskVolume1\Windows\System32\vaultsvc.dll
0x000000013e22c990 16 0 R--r-d \Device\HarddiskVolume1\Windows\System32\en-US\vaultsvc.dll.mui
0x000000013e7bed30 1 1 R--rw- \Device\HarddiskVolume1\Users\vagrant\Documents\vault
0x000000013fd1ad40 16 0 R--rw- \Device\HarddiskVolume1\Users\vagrant\Documents\vault\6.txt
Bingo! The file was found. This could also of been achieved via mftparser and crawling through all entries containing “vault”.
Answer: [C:\Users\vagrant\Documents\vault\6.txt]
##Question 5:
What is the attackers flag?
The answer must be submitted in the following format: flag{example_flag}
This is simple, just export the MFT using the mftparser and then find the 6.txt file.
volatility -f memory_1.dmp --profile=Win7SP1x64 mftparser --output-file=output.txt
MFT entry found at offset 0x25273400
Attribute: In Use & File
Record Number: 43713
Link count: 1
$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2016-05-08 08:09:18 UTC+0000 2016-05-11 03:28:58 UTC+0000 2016-05-11 03:28:58 UTC+0000 2016-05-08 08:09:18 UTC+0000 Archive
$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2016-05-08 08:09:18 UTC+0000 2016-05-08 08:09:18 UTC+0000 2016-05-08 08:09:18 UTC+0000 2016-05-08 08:09:18 UTC+0000 Users\vagrant\DOCUME~1\vault\6.txt
$OBJECT_ID
Object ID: 1f69cf66-f314-e611-8b90-000c296760b4
Birth Volume ID: 80000000-4000-0000-0000-180000000400
Birth Object ID: 23000000-1800-0000-2266-6c61677b4e33
Birth Domain ID: 58745f74-316d-335f-6c33-745f31333337
$DATA
0000000000: 22 66 6c 61 67 7b 4e 33 58 74 5f 74 31 6d 33 5f "flag{N3Xt_t1m3_
0000000010: 6c 33 74 5f 31 33 33 37 5f 42 55 31 6c 44 7d 22 l3t_1337_BU1lD}"
0000000020: 20 0d 0a ...
Answer: flag{N3Xt_t1m3_l3t_1337_BU1lD}
