Link to the CTF itself
TryHackMe - Forensics
Type
Memory forensics
Challenge
This is a memory dump of the infected system. Download the file attached to this Task.
The MD5 hash of the uncompressed file is: ba44c4b977d28132faeb5fb8b06debce
Download the victim.zip
SPOILERS AHEAD!
If you intend to do this CTF challenge yourself, be aware that although I omit the actual flags, reading on may spoil some of the fun.
Flags
What is the Operating System of this Dump file? (OS name)
[redacted]
What is the PID of SearchIndexer?
[redacted]
What is the last directory accessed by the user?
[redacted]
Solution
After downloading victim.zip we see that the file is a memory dump: a big binary blob, 1.5 GB unpacked.
Using hexdump we can read it.
hexdump -C -n 200 victim.raw
shows us the first 200 bytes, not that interesting.
tail -n 200 victim.raw | hexdump -C
shows us the last 200 lines of the dump, and looking at them it is pretty clear that this dump comes from a particular operating system. Flag one done.
To make sure, I also did a hexdump -C victim.raw | less
to be able to browse through it some more.
000021f0 1a 5f 4f 53 49 0d 57 69 6e 64 6f 77 73 20 32 30 |._OSI.Windows 20|
00002200 30 31 00 70 0a 04 4d 53 57 56 a0 1c 5f 4f 53 49 |01.p..MSWV.._OSI|
00002210 0d 57 69 6e 64 6f 77 73 20 32 30 30 31 2e 31 00 |.Windows 2001.1.|
00002220 70 0a 05 4d 53 57 56 a0 1a 5f 4f 53 49 0d 57 69 |p..MSWV.._OSI.Wi|
00002230 6e 64 6f 77 73 20 32 30 30 36 00 70 0a 06 4d 53 |ndows 2006.p..MS|
00002240 57 56 a0 1a 5f 4f 53 49 0d 57 69 6e 64 6f 77 73 |WV.._OSI.Windows|
00002250 20 32 30 30 39 00 70 0a 07 4d 53 57 56 a0 1a 5f | 2009.p..MSWV.._|
00002260 4f 53 49 0d 57 69 6e 64 6f 77 73 20 32 30 31 32 |OSI.Windows 2012|
00002270 00 70 0a 08 4d 53 57 56 a0 1a 5f 4f 53 49 0d 57 |.p..MSWV.._OSI.W|
00002280 69 6e 64 6f 77 73 20 32 30 31 33 00 70 0a 09 4d |indows 2013.p..M|
00002290 53 57 56 a0 1a 5f 4f 53 49 0d 57 69 6e 64 6f 77 |SWV.._OSI.Window|
000022a0 73 20 32 30 31 35 00 70 0a 0a 4d 53 57 56 a0 3e |s 2015.p..MSWV.>|
000022b0 5f 4f 53 49 0d 57 69 6e 64 6f 77 73 20 32 30 30 |_OSI.Windows 200|
000022c0 36 20 53 50 32 00 44 42 47 5f 0d 57 69 6e 64 6f |6 SP2.DBG_.Windo|
000022d0 77 73 20 32 30 30 36 20 53 50 32 20 73 75 70 70 |ws 2006 SP2 supp|
000022e0 6f 72 74 65 64 0a 00 70 00 4d 53 57 56 a1 43 06 |orted..p.MSWV.C.|
000022f0 a0 26 4d 54 43 48 5f 4f 53 5f 0d 4d 69 63 72 6f |.&MTCH_OS_.Micro|
00002300 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 4e 54 00 |soft Windows NT.|
00002310 70 0a 03 4d 53 57 56 a0 39 4d 54 43 48 5f 4f 53 |p..MSWV.9MTCH_OS|
00002320 5f 0d 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 |_.Microsoft Wind|
00002330 6f 77 73 4d 45 3a 20 4d 69 6c 6c 65 6e 6e 69 75 |owsME: Millenniu|
00002340 6d 20 45 64 69 74 69 6f 6e 00 70 0a 02 4d 53 57 |m Edition.p..MSW|
00002350 56 a0 49 06 5b 12 5f 52 45 56 00 44 42 47 5f 0d |V.I.[._REV.DBG_.|
00002360 5f 52 45 56 3a 20 00 48 45 58 34 5f 52 45 56 a0 |_REV: .HEX4_REV.|
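As an added example (not part of the write-up), the OS fingerprinting the hexdump gave by eye, done programmatically: the "Windows 20xx" strings above are _OSI("...") literals in the firmware's ACPI bytecode, which a small scanner can pull out of the raw image while also computing the MD5 the task gives for checking the download. The scanner streams the file so the 1.5 GB dump never has to fit in memory; SAMPLE is re-typed from the hexdump above, and EXPECTED_MD5 is the hash from the task text. One caveat: these strings show which OS versions the firmware probes for (the list runs up to "Windows 2015"), not the version actually running, so treat them as a hint and let windows.info (NTBuildLab 7601) give the authoritative answer.

```python
import hashlib
import io
import re

# MD5 given in the task: check the evidence before trusting anything read from it.
EXPECTED_MD5 = "ba44c4b977d28132faeb5fb8b06debce"

# ACPI AML encodes the firmware's OS probes as _OSI("...") calls: the name
# "_OSI", StringPrefix 0x0D, ASCII bytes, NUL.  These are the literals the hexdump exposed.
OSI_CALL = re.compile(rb"_OSI\x0d([\x20-\x7e]{1,40})\x00")

def find_osi_strings(data):
    """Return (offset, string) for every _OSI string literal in a bytes blob."""
    return [(m.start(), m.group(1).decode("ascii")) for m in OSI_CALL.finditer(data)]

def scan_stream(fobj, chunk_size=16 * 1024 * 1024, overlap=64):
    """Stream the dump (1.5 GB need not fit in RAM), hashing it on the way.
    `overlap` bytes of the previous chunk are kept so a literal straddling a
    chunk boundary is still matched; results are keyed by absolute offset so
    the overlapped region is not reported twice.  Returns (matches, md5hex)."""
    found, carry, base, digest = {}, b"", 0, hashlib.md5()
    while True:
        buf = fobj.read(chunk_size)
        if not buf:
            break
        digest.update(buf)
        data = carry + buf            # data[0] sits at absolute offset `base`
        for off, s in find_osi_strings(data):
            found.setdefault(base + off, s)
        carry = data[-overlap:]
        base += len(data) - len(carry)
    return sorted(found.items()), digest.hexdigest()

# Constructed sample: the AML bytes around 0x21f0-0x22c5 in the hexdump above,
# re-typed so the example runs without the 1.5 GB dump.
SAMPLE = (
    b"\xa0\x1a_OSI\x0dWindows 2001\x00p\n\x04MSWV"
    b"\xa0\x1c_OSI\x0dWindows 2001.1\x00p\n\x05MSWV"
    b"\xa0\x1a_OSI\x0dWindows 2006\x00p\n\x06MSWV"
    b"\xa0\x1a_OSI\x0dWindows 2009\x00p\n\x07MSWV"
    b"\xa0\x1a_OSI\x0dWindows 2012\x00p\n\x08MSWV"
    b"\xa0\x3e_OSI\x0dWindows 2006 SP2\x00DBG_"
)

def demo():
    """Scan SAMPLE with a tiny chunk size to exercise the boundary handling."""
    return scan_stream(io.BytesIO(SAMPLE), chunk_size=10, overlap=48)
```

For the real dump, open victim.raw in binary mode, pass the file object to scan_stream and compare the returned digest with EXPECTED_MD5 before reading anything into the answer.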
I installed volatility3 as it was not present in my current Kali install.
(Volatility could also have shown me which operating system the dump came from, had I used it first; its windows.info output below says as much.)
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf80002653000
DTB 0x187000
Symbols file:///home/redacted/bin/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/BF9E190359784C2D8796CF5537B238B4-2.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdDebuggerDataBlock 0xf800028420a0
NTBuildLab 7601.18409.amd64fre.win7sp1_gdr.
CSDVersion 1
KdVersionBlock 0xf80002842068
Major/Minor 15.7601
MachineType 34404
KeNumberProcessors 1
SystemTime 2019-05-02 18:11:45
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 34404
PE TimeDateStamp Tue Mar 4 08:38:19 2014
After that I ran python ~/bin/volatility3/vol.py -f victim.raw windows.pslist to list the processes and find SearchIndexer:
C:\home\redacted\ctf\tryhackme\forensics> python ~/bin/volatility3/vol.py -f victim.raw windows.pslist
Volatility 3 Framework 2.7.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xfa8001252040 88 624 N/A False 2019-05-03 06:32:24.000000 N/A Disabled
268 4 smss.exe 0xfa800234d8a0 2 29 N/A False 2019-05-03 06:32:24.000000 N/A Disabled
360 352 csrss.exe 0xfa8002264550 9 363 0 False 2019-05-03 06:32:34.000000 N/A Disabled
408 400 csrss.exe 0xfa80027d67d0 7 162 1 False 2019-05-03 06:32:35.000000 N/A Disabled
416 352 wininit.exe 0xfa8002b601c0 3 76 0 False 2019-05-03 06:32:35.000000 N/A Disabled
444 400 winlogon.exe 0xfa8002b71680 3 111 1 False 2019-05-03 06:32:35.000000 N/A Disabled
504 416 services.exe 0xfa8002c69b30 6 184 0 False 2019-05-03 06:32:36.000000 N/A Disabled
512 416 lsass.exe 0xfa80027d9b30 6 534 0 False 2019-05-03 06:32:37.000000 N/A Disabled
520 416 lsm.exe 0xfa80027d81f0 10 143 0 False 2019-05-03 06:32:37.000000 N/A Disabled
628 504 svchost.exe 0xfa80029cd3e0 9 345 0 False 2019-05-03 06:32:48.000000 N/A Disabled
688 504 VBoxService.ex 0xfa8002d38b30 12 135 0 False 2019-05-03 06:32:48.000000 N/A Disabled
752 504 svchost.exe 0xfa8002a1bb30 7 235 0 False 2019-05-02 18:02:51.000000 N/A Disabled
852 504 svchost.exe 0xfa8002d70650 22 473 0 False 2019-05-02 18:02:51.000000 N/A Disabled
892 504 svchost.exe 0xfa8002d9c780 17 427 0 False 2019-05-02 18:02:51.000000 N/A Disabled
920 504 svchost.exe 0xfa8002dbe9e0 29 878 0 False 2019-05-02 18:02:51.000000 N/A Disabled
400 504 svchost.exe 0xfa8002e3db30 10 281 0 False 2019-05-02 18:02:56.000000 N/A Disabled
1004 504 svchost.exe 0xfa8002e57890 20 379 0 False 2019-05-02 18:02:56.000000 N/A Disabled
1140 504 spoolsv.exe 0xfa8002dfdab0 12 279 0 False 2019-05-02 18:02:57.000000 N/A Disabled
1268 504 svchost.exe 0xfa8002f2cb30 17 297 0 False 2019-05-02 18:02:59.000000 N/A Disabled
1368 504 svchost.exe 0xfa8002f81460 20 295 0 False 2019-05-02 18:02:59.000000 N/A Disabled
1788 504 taskhost.exe 0xfa8003148b30 8 159 1 False 2019-05-02 18:03:09.000000 N/A Disabled
1860 1756 explorer.exe 0xfa8003172b30 19 645 1 False 2019-05-02 18:03:09.000000 N/A Disabled
1896 892 dwm.exe 0xfa800315eb30 3 69 1 False 2019-05-02 18:03:09.000000 N/A Disabled
1600 1860 VBoxTray.exe 0xfa800300d700 13 141 1 False 2019-05-02 18:03:25.000000 N/A Disabled
**** 504 SearchIndexer. 0xfa8003367060 11 629 0 False 2019-05-02 18:03:32.000000 N/A Disabled
2876 628 WmiPrvSE.exe 0xfa80033f6060 5 113 0 False 2019-05-02 18:03:55.000000 N/A Disabled
1820 504 svchost.exe 0xfa8003162060 11 317 0 False 2019-05-02 18:05:09.000000 N/A Disabled
2464 504 wmpnetwk.exe 0xfa8003371540 14 440 0 False 2019-05-02 18:05:10.000000 N/A Disabled
1148 504 taskhost.exe 0xfa80014eeb30 8 176 0 False 2019-05-02 18:09:58.000000 N/A Disabled
(Excuse the funny-looking path: I was running Kali in undercover mode, which makes it look like Windows.)
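As an added example that is not part of the write-up, a small parser for the pslist text above. It answers the PID question while coping with two quirks visible in that listing: pslist truncates ImageFileName to 14 characters (SearchIndexer., VBoxService.ex), and PIDs get reused (400 is now a svchost.exe, while csrss.exe and winlogon.exe in session 1 were spawned by the per-session smss.exe instance that held PID 400 and has since exited, so a naive parent lookup blames the wrong process). The sample rows are copied from the listing, with the redacted SearchIndexer PID kept as-is; the expected-parent table is the usual Windows 7 process genealogy and is my addition.

```python
# Parent each core Windows 7 process normally has (compared in lower case).
EXPECTED_PARENT = {
    "csrss.exe": "smss.exe", "wininit.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe", "svchost.exe": "services.exe",
}

def parse_pslist(text):
    """windows.pslist text -> {pid: (ppid, image_name)}; header, progress and
    redacted rows (non-numeric PID, like the '****' SearchIndexer row) are skipped."""
    procs = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0].isdigit() and p[1].isdigit():
            procs[int(p[0])] = (int(p[1]), p[2])
    return procs

def pids_of(procs, image_name):
    """PIDs for a full image name; pslist prints only 14 characters of it
    ('VBoxService.ex', 'SearchIndexer.'), so 14-char names match as a prefix."""
    key = image_name.lower()
    return sorted(pid for pid, (_, n) in procs.items()
                  if n.lower() == key or (len(n) == 14 and key.startswith(n.lower())))

def parent_check(procs):
    """Report processes whose parent is missing or not the expected image.
    Missing usually means the parent exited (the per-session smss.exe copy);
    a wrong name is PID reuse (PID 400 here went to a later svchost.exe) or a
    process started from somewhere it should not have been."""
    out = []
    for pid, (ppid, name) in procs.items():
        want = EXPECTED_PARENT.get(name.lower())
        if want is None:
            continue
        parent = procs.get(ppid)
        if parent is None:
            out.append((pid, name, ppid, None, want, "parent exited"))
        elif parent[1].lower() != want:
            out.append((pid, name, ppid, parent[1], want, "unexpected parent"))
    return out

# Constructed sample: rows copied from the pslist output in the write-up.
SAMPLE = """\
360 352 csrss.exe 0xfa8002264550 9 363 0 False 2019-05-03 06:32:34.000000 N/A Disabled
408 400 csrss.exe 0xfa80027d67d0 7 162 1 False 2019-05-03 06:32:35.000000 N/A Disabled
416 352 wininit.exe 0xfa8002b601c0 3 76 0 False 2019-05-03 06:32:35.000000 N/A Disabled
444 400 winlogon.exe 0xfa8002b71680 3 111 1 False 2019-05-03 06:32:35.000000 N/A Disabled
504 416 services.exe 0xfa8002c69b30 6 184 0 False 2019-05-03 06:32:36.000000 N/A Disabled
688 504 VBoxService.ex 0xfa8002d38b30 12 135 0 False 2019-05-03 06:32:48.000000 N/A Disabled
400 504 svchost.exe 0xfa8002e3db30 10 281 0 False 2019-05-02 18:02:56.000000 N/A Disabled
**** 504 SearchIndexer. 0xfa8003367060 11 629 0 False 2019-05-02 18:03:32.000000 N/A Disabled
"""
```

Running pids_of over the full pslist output with "SearchIndexer.exe" gives the second flag; parent_check on the full listing flags the two session-1 processes under PID 400 as "unexpected parent", which here is PID reuse rather than anything malicious.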
The last flag in this task was a little bit tricky, as Volatility 3 no longer has the shellbags plugin and I was unable to find anything that replaced it. One option was to run a Docker container with the old version of Volatility. As I am currently running Kali in WSL, I set up Docker Desktop on Windows and then just ran this docker command to parse the dump:
└─$ sudo docker run --rm -v /home/redacted/ctf/tryhackme/forensics:/data:ro blacktop/volatility -f victim.raw --profile=Win7SP1x64 shellbags
The command should be pretty obvious, but in short: -v mounts the host directory holding the dump into the container at /data (read-only, hence :ro), the dump can then be named with -f as a normal Volatility option, and --profile=Win7SP1x64 tells Volatility 2 which kernel layout to use (Volatility 3 worked that out on its own via the symbol table shown in windows.info).
This worked as expected and I could scroll through all the shellbags until I found this:
***************************************************************************
Registry: \??\C:\Users\victim\AppData\Local\Microsoft\Windows\UsrClass.dat
Key: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0
Last updated: 2019-04-27 10:48:33 UTC+0000
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ----
0 0 deleted_files 2019-04-27 10:30:26 UTC+0000 2019-04-27 10:38:24 UTC+0000 2019-04-27 10:38:24 UTC+0000 NI, DIR X:\[redacted]
***************************************************************************
Closing thoughts
This was a fun CTF (capture the flag) for beginners on memory forensics, something I had only done sparingly before.
It was not until I touched up my notes for this CTF that I noticed that task 1 was named Volatility forensics; otherwise that might have led me directly to Volatility and to skip hexdump altogether.
As mentioned in the part about the last flag, there were some interesting quirks due to Volatility 3 no longer including the shellbags plugin.
Stay tuned for parts two and three!