Link to the CTF itself
TryHackMe - Forensics

Type
Memory forensics

Challenge

Task 1 Volatility forensics

This is a memory dump of the infected system. Download the file attached to this Task.

The MD5 hash of the uncompressed file is: ba44c4b977d28132faeb5fb8b06debce

Download the victim.zip

SPOILERS AHEAD!
If you intend to do this CTF challenge, know that while I will omit the flags, this write-up may still spoil some of the fun.

Flags
What is the Operating System of this Dump file? (OS name)
[redacted]

What is the PID of SearchIndexer?
[redacted]

What is the last directory accessed by the user?
[redacted]

Solution
After downloading victim.zip we see that the file is a memory dump: a big hex blob, 1.5 GB unpacked.

Using hexdump we can read it.

hexdump -C -n 200 victim.raw shows us the first 200 bytes, not that interesting.
tail -n 200 victim.raw | hexdump -C shows us the last 200 lines of the dump, and looking at them it is pretty clear which operating system this dump comes from. Flag one done.
To make sure, I also ran hexdump -C victim.raw | less to be able to browse through it some more.

000021f0  1a 5f 4f 53 49 0d 57 69  6e 64 6f 77 73 20 32 30  |._OSI.Windows 20|
00002200  30 31 00 70 0a 04 4d 53  57 56 a0 1c 5f 4f 53 49  |01.p..MSWV.._OSI|
00002210  0d 57 69 6e 64 6f 77 73  20 32 30 30 31 2e 31 00  |.Windows 2001.1.|
00002220  70 0a 05 4d 53 57 56 a0  1a 5f 4f 53 49 0d 57 69  |p..MSWV.._OSI.Wi|
00002230  6e 64 6f 77 73 20 32 30  30 36 00 70 0a 06 4d 53  |ndows 2006.p..MS|
00002240  57 56 a0 1a 5f 4f 53 49  0d 57 69 6e 64 6f 77 73  |WV.._OSI.Windows|
00002250  20 32 30 30 39 00 70 0a  07 4d 53 57 56 a0 1a 5f  | 2009.p..MSWV.._|
00002260  4f 53 49 0d 57 69 6e 64  6f 77 73 20 32 30 31 32  |OSI.Windows 2012|
00002270  00 70 0a 08 4d 53 57 56  a0 1a 5f 4f 53 49 0d 57  |.p..MSWV.._OSI.W|
00002280  69 6e 64 6f 77 73 20 32  30 31 33 00 70 0a 09 4d  |indows 2013.p..M|
00002290  53 57 56 a0 1a 5f 4f 53  49 0d 57 69 6e 64 6f 77  |SWV.._OSI.Window|
000022a0  73 20 32 30 31 35 00 70  0a 0a 4d 53 57 56 a0 3e  |s 2015.p..MSWV.>|
000022b0  5f 4f 53 49 0d 57 69 6e  64 6f 77 73 20 32 30 30  |_OSI.Windows 200|
000022c0  36 20 53 50 32 00 44 42  47 5f 0d 57 69 6e 64 6f  |6 SP2.DBG_.Windo|
000022d0  77 73 20 32 30 30 36 20  53 50 32 20 73 75 70 70  |ws 2006 SP2 supp|
000022e0  6f 72 74 65 64 0a 00 70  00 4d 53 57 56 a1 43 06  |orted..p.MSWV.C.|
000022f0  a0 26 4d 54 43 48 5f 4f  53 5f 0d 4d 69 63 72 6f  |.&MTCH_OS_.Micro|
00002300  73 6f 66 74 20 57 69 6e  64 6f 77 73 20 4e 54 00  |soft Windows NT.|
00002310  70 0a 03 4d 53 57 56 a0  39 4d 54 43 48 5f 4f 53  |p..MSWV.9MTCH_OS|
00002320  5f 0d 4d 69 63 72 6f 73  6f 66 74 20 57 69 6e 64  |_.Microsoft Wind|
00002330  6f 77 73 4d 45 3a 20 4d  69 6c 6c 65 6e 6e 69 75  |owsME: Millenniu|
00002340  6d 20 45 64 69 74 69 6f  6e 00 70 0a 02 4d 53 57  |m Edition.p..MSW|
00002350  56 a0 49 06 5b 12 5f 52  45 56 00 44 42 47 5f 0d  |V.I.[._REV.DBG_.|
00002360  5f 52 45 56 3a 20 00 48  45 58 34 5f 52 45 56 a0  |_REV: .HEX4_REV.|

I installed volatility3 as it was not present in my current Kali install.
(Volatility could also have shown me which operating system the dump came from, had I used it first.)

Progress:  100.00               PDB scanning finished                        
Variable        Value

Kernel Base     0xf80002653000
DTB     0x187000
Symbols file:///home/redacted/bin/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/BF9E190359784C2D8796CF5537B238B4-2.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdDebuggerDataBlock     0xf800028420a0
NTBuildLab      7601.18409.amd64fre.win7sp1_gdr.
CSDVersion      1
KdVersionBlock  0xf80002842068
Major/Minor     15.7601
MachineType     34404
KeNumberProcessors      1
SystemTime      2019-05-02 18:11:45
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  6
NtMinorVersion  1
PE MajorOperatingSystemVersion  6
PE MinorOperatingSystemVersion  1
PE Machine      34404
PE TimeDateStamp        Tue Mar  4 08:38:19 2014

After that I ran python ~/bin/volatility3/vol.py -f victim.raw windows.pslist

C:\home\redacted\ctf\tryhackme\forensics> python ~/bin/volatility3/vol.py -f victim.raw windows.pslist                                
Volatility 3 Framework 2.7.0                                                                                                        
Progress:  100.00               PDB scanning finished                                                                               
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output 

4       0       System  0xfa8001252040  88      624     N/A     False   2019-05-03 06:32:24.000000      N/A     Disabled            
268     4       smss.exe        0xfa800234d8a0  2       29      N/A     False   2019-05-03 06:32:24.000000      N/A     Disabled    
360     352     csrss.exe       0xfa8002264550  9       363     0       False   2019-05-03 06:32:34.000000      N/A     Disabled    
408     400     csrss.exe       0xfa80027d67d0  7       162     1       False   2019-05-03 06:32:35.000000      N/A     Disabled    
416     352     wininit.exe     0xfa8002b601c0  3       76      0       False   2019-05-03 06:32:35.000000      N/A     Disabled    
444     400     winlogon.exe    0xfa8002b71680  3       111     1       False   2019-05-03 06:32:35.000000      N/A     Disabled    
504     416     services.exe    0xfa8002c69b30  6       184     0       False   2019-05-03 06:32:36.000000      N/A     Disabled    
512     416     lsass.exe       0xfa80027d9b30  6       534     0       False   2019-05-03 06:32:37.000000      N/A     Disabled    
520     416     lsm.exe 0xfa80027d81f0  10      143     0       False   2019-05-03 06:32:37.000000      N/A     Disabled            
628     504     svchost.exe     0xfa80029cd3e0  9       345     0       False   2019-05-03 06:32:48.000000      N/A     Disabled    
688     504     VBoxService.ex  0xfa8002d38b30  12      135     0       False   2019-05-03 06:32:48.000000      N/A     Disabled    
752     504     svchost.exe     0xfa8002a1bb30  7       235     0       False   2019-05-02 18:02:51.000000      N/A     Disabled    
852     504     svchost.exe     0xfa8002d70650  22      473     0       False   2019-05-02 18:02:51.000000      N/A     Disabled    
892     504     svchost.exe     0xfa8002d9c780  17      427     0       False   2019-05-02 18:02:51.000000      N/A     Disabled    
920     504     svchost.exe     0xfa8002dbe9e0  29      878     0       False   2019-05-02 18:02:51.000000      N/A     Disabled    
400     504     svchost.exe     0xfa8002e3db30  10      281     0       False   2019-05-02 18:02:56.000000      N/A     Disabled
1004    504     svchost.exe     0xfa8002e57890  20      379     0       False   2019-05-02 18:02:56.000000      N/A     Disabled
1140    504     spoolsv.exe     0xfa8002dfdab0  12      279     0       False   2019-05-02 18:02:57.000000      N/A     Disabled
1268    504     svchost.exe     0xfa8002f2cb30  17      297     0       False   2019-05-02 18:02:59.000000      N/A     Disabled
1368    504     svchost.exe     0xfa8002f81460  20      295     0       False   2019-05-02 18:02:59.000000      N/A     Disabled
1788    504     taskhost.exe    0xfa8003148b30  8       159     1       False   2019-05-02 18:03:09.000000      N/A     Disabled
1860    1756    explorer.exe    0xfa8003172b30  19      645     1       False   2019-05-02 18:03:09.000000      N/A     Disabled
1896    892     dwm.exe 0xfa800315eb30  3       69      1       False   2019-05-02 18:03:09.000000      N/A     Disabled
1600    1860    VBoxTray.exe    0xfa800300d700  13      141     1       False   2019-05-02 18:03:25.000000      N/A     Disabled
****    504     SearchIndexer.  0xfa8003367060  11      629     0       False   2019-05-02 18:03:32.000000      N/A     Disabled
2876    628     WmiPrvSE.exe    0xfa80033f6060  5       113     0       False   2019-05-02 18:03:55.000000      N/A     Disabled
1820    504     svchost.exe     0xfa8003162060  11      317     0       False   2019-05-02 18:05:09.000000      N/A     Disabled
2464    504     wmpnetwk.exe    0xfa8003371540  14      440     0       False   2019-05-02 18:05:10.000000      N/A     Disabled
1148    504     taskhost.exe    0xfa80014eeb30  8       176     0       False   2019-05-02 18:09:58.000000      N/A     Disabled

(excuse the funny looking path, I was running Kali in undercover mode looking like Windows)
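Reading a pslist by hand works for a CTF, but two things in the listing above are worth handling in code: the ImageFileName column is cut to 14 characters (VBoxService.ex, SearchIndexer.), and PID 400 appears both as the parent of csrss.exe/winlogon.exe (created 06:32:35) and as an svchost.exe started later by services.exe, which is the classic sign of a PID being reused after the session's smss.exe instance exited. The script below is an added example, not code from the write-up or from Volatility; it parses rows copied from the listing above (the SearchIndexer row is left out because its PID is redacted) and the EXPECTED_PARENT table is a simplified, Windows 7 specific assumption of mine.

```python
from collections import namedtuple
from datetime import datetime

# Rows copied from the windows.pslist output above (SearchIndexer row omitted
# because the write-up redacts its PID).
PSLIST_TEXT = """\
408     400     csrss.exe       0xfa80027d67d0  7       162     1       False   2019-05-03 06:32:35.000000      N/A     Disabled
444     400     winlogon.exe    0xfa8002b71680  3       111     1       False   2019-05-03 06:32:35.000000      N/A     Disabled
504     416     services.exe    0xfa8002c69b30  6       184     0       False   2019-05-03 06:32:36.000000      N/A     Disabled
688     504     VBoxService.ex  0xfa8002d38b30  12      135     0       False   2019-05-03 06:32:48.000000      N/A     Disabled
400     504     svchost.exe     0xfa8002e3db30  10      281     0       False   2019-05-02 18:02:56.000000      N/A     Disabled
1860    1756    explorer.exe    0xfa8003172b30  19      645     1       False   2019-05-02 18:03:09.000000      N/A     Disabled
1600    1860    VBoxTray.exe    0xfa800300d700  13      141     1       False   2019-05-02 18:03:25.000000      N/A     Disabled
"""

# Assumed "known normal" parents on Windows 7 (simplified; not from the page).
EXPECTED_PARENT = {"csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "wininit.exe", "svchost.exe": "services.exe"}

Proc = namedtuple("Proc", "pid ppid name created")

def parse_pslist(text):
    """Turn Volatility 3 windows.pslist rows into {pid: Proc}; other lines are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue  # banner, progress and header lines
        created = datetime.strptime(f"{f[8]} {f[9]}", "%Y-%m-%d %H:%M:%S.%f")
        procs[int(f[0])] = Proc(int(f[0]), int(f[1]), f[2], created)
    return procs

def find_pids(procs, image_name):
    """pslist only shows the 14-char ImageFileName, so compare on that prefix."""
    want = image_name[:14].lower()
    return sorted(p.pid for p in procs.values() if p.name.lower() == want)

def unexpected_parents(procs):
    """Children whose *live* parent has the wrong image: PID reuse or a spoofed parent.
    A parent that is simply gone (e.g. an exited smss.exe) is not reported."""
    hits = []
    for p in procs.values():
        want = EXPECTED_PARENT.get(p.name.lower())
        parent = procs.get(p.ppid)
        if want and parent and parent.name.lower() != want:
            hits.append((p.pid, p.name, p.ppid, parent.name))
    return hits
```

Note that CreateTime is no help as a tiebreaker in this dump: the boot-time processes carry 2019-05-03 06:32 stamps while everything after VBoxService.exe starts at 2019-05-02 18:02, which suggests the guest clock was adjusted shortly after boot.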

The last flag in this task was a little bit tricky, as Volatility 3 no longer has the shellbags plugin and I was unable to find anything that replaced it. One option was to run a docker container with the old version of Volatility. As I am currently running Kali in WSL, I set up Docker Desktop on Windows and then just ran this docker command to parse the dump.

└─$ sudo docker run --rm -v /home/redacted/ctf/tryhackme/forensics:/data:ro blacktop/volatility -f victim.raw --profile=Win7SP1x64 shellbags
The command should be pretty obvious, but -v mounts a volume into the container and then the file can be specified with -f as a Volatility option.

This worked as expected and I could scroll through all the shellbags until I found this:

***************************************************************************
Registry: \??\C:\Users\victim\AppData\Local\Microsoft\Windows\UsrClass.dat
Key: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0
Last updated: 2019-04-27 10:48:33 UTC+0000
Value   Mru   File Name      Modified Date                  Create Date                    Access Date                    File Attr                 Path
------- ----- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ----
0       0     deleted_files  2019-04-27 10:30:26 UTC+0000   2019-04-27 10:38:24 UTC+0000   2019-04-27 10:38:24 UTC+0000   NI, DIR                   X:\[redacted]
***************************************************************************

Closing thoughts
This was a fun CTF (capture the flag) for beginners on memory forensics, something I have only done sparingly myself before. It was not until I touched up my notes for this CTF that I noticed that task 1 was named Volatility forensics; otherwise that might have led me directly to Volatility and to skip hexdump altogether. As mentioned in the part for the last flag, there were some interesting quirks due to Volatility not including shellbags in version 3 too.

Stay tuned for parts two and three!
