Published Date: 14 August 2024
___
### Introduction
Welcome to the final part of my [MemLabs](https://github.com/stuxnet999/MemLabs?tab=readme-ov-file) series. I've enjoyed these labs but I can't honestly say I'm disappointed to be on the last one. If there is something that I brush past, please check the previous parts of the series as I may have already discussed it there. Once again, I will be using [Volatility](https://github.com/volatilityfoundation/volatility) for this lab.

> [!Info] CTF Description
> We received this memory dump from the Intelligence Bureau Department. They say this evidence might hold some secrets of the underworld gangster David Benjamin. This memory dump was taken from one of his workers whom the FBI busted earlier this week. Your job is to go through the memory dump and see if you can figure something out. FBI also says that David communicated with his workers via the internet so that might be a good place to start.
>
> **Note**: This challenge is composed of 1 flag split into 2 parts.

### Challenge
We'll start by running `imageinfo` to determine the correct operating system profile to use.

```shell
vol.py -f MemoryDump_Lab6.raw imageinfo
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/remnux/memlabs/MemLabs-Lab6/MemoryDump_Lab6.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027fa0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027fbd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-08-19 14:41:58 UTC+0000
     Image local date and time : 2019-08-19 20:11:58 +0530
```

Several profiles are suggested; the first one, `Win7SP1x64`, agrees with the `Image Type (Service Pack) : 1` line and is the profile used for the rest of this lab. Follow this up with a `pslist`.
```shell
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 pslist
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
[...snip...]
0xfffffa8002324b30 cmd.exe                 880   1944      1       21      1      0 2019-08-19 14:40:26 UTC+0000
0xfffffa800234eb30 chrome.exe             2124   1944     27      662      1      0 2019-08-19 14:40:46 UTC+0000
0xfffffa800234f780 chrome.exe             2132   2124      9       75      1      0 2019-08-19 14:40:46 UTC+0000
0xfffffa800314fab0 chrome.exe             2168   2124      3       55      1      0 2019-08-19 14:40:49 UTC+0000
0xfffffa80032d9060 WmiPrvSE.exe           2292    608     13      288      0      0 2019-08-19 14:40:52 UTC+0000
0xfffffa80032f9a70 chrome.exe             2340   2124     12      282      1      0 2019-08-19 14:40:52 UTC+0000
0xfffffa8003741b30 chrome.exe             2440   2124     13      263      1      0 2019-08-19 14:40:54 UTC+0000
0xfffffa800374bb30 chrome.exe             2452   2124     14      167      1      0 2019-08-19 14:40:54 UTC+0000
0xfffffa8002b74060 WmiApSrv.exe           2800    480      6      115      0      0 2019-08-19 14:40:57 UTC+0000
0xfffffa8002d9eab0 WmiPrvSE.exe           2896    608      7      124      0      0 2019-08-19 14:40:57 UTC+0000
0xfffffa80032d4380 chrome.exe             2940   2124      9      172      1      0 2019-08-19 14:41:06 UTC+0000
0xfffffa8003905b30 firefox.exe            2080   3060     59      970      1      1 2019-08-19 14:41:08 UTC+0000
0xfffffa80021fa630 firefox.exe            2860   2080     11      210      1      1 2019-08-19 14:41:09 UTC+0000
0xfffffa80013a4580 firefox.exe            3016   2080     31      413      1      1 2019-08-19 14:41:10 UTC+0000
0xfffffa8001415b30 firefox.exe            2968   2080     22      323      1      1 2019-08-19 14:41:11 UTC+0000
0xfffffa8001454b30 firefox.exe            3316   2080     21      307      1      1 2019-08-19 14:41:13 UTC+0000
0xfffffa80035e71e0 WinRAR.exe             3716   1944      7      201      1      0 2019-08-19 14:41:43 UTC+0000
[...snip...]
```

This time, the processes of immediate interest to me are `chrome.exe`, `firefox.exe`, and `WinRAR.exe`. Taking a look back at the lab description, we know that the user "*communicated with his workers via the internet*" - I mean, who doesn't honestly? Anyway, I'll look into the browsers first. There are two commands that I chose to run here, and they are pretty self-explanatory.
```shell
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 chromehistory > chromehistory.out
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 firefoxhistory > firefoxhistory.out
```

Looking at `chromehistory` first, I clocked a pastebin link.

```shell
Index  URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
[...snip...]
   169 https://pastebin.com/RSGSi1hk                                                    Private Paste ID: RSGSi1hk                                                            1     0 2019-08-18 10:32:18.061245        N/A
[...snip...]
```

Following this link reveals the following note.

![[Pasted image 20240813202011.png]]

Talk about rabbit holes, eh? Following the link in the note takes us to a document which contains six pages of Lorem Ipsum. Partway through, we can observe a link to a file hosted on MEGA.

![[Pasted image 20240813202136.png]]

This takes us to...

![[Pasted image 20240813202434.png]]

The pastebin note said "*But David sent the key in mail*." and I didn't see any mail software in the process listing, so I thought to check whether the user accessed their mail in the browser instead. I first checked `Google Chrome` and could see that the user accessed `Gmail` but I couldn't find anything. Then I checked `Firefox` but it also looked like a dead-end. At this point, I opened up a list of `Volatility` plugins and started going through anything I hadn't yet tried. I realised I hadn't actually used `cmdline` yet to extract and display the command line arguments of each process, so this is what I tried next.

![[Pasted image 20240814120300.png]]

There is a reference to a `flag.rar` file in what I will presume is a password protected directory. Let's dump this file anyway because we most likely will need it.
```shell
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 filescan | grep -i '\.rar'
```

![[Pasted image 20240814122834.png]]

```shell
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 --dump-dir=winrardump
```

![[Pasted image 20240814123025.png]]

As expected, it requires a password. I started firing plugins at the memory dump again and got very lucky to spot the following in the output of the `envars` plugin.

![[Pasted image 20240814123229.png]]

Using this password for the `flag.rar` archive works and we get our first... second flag? It's the second half by the looks of it.

![[Pasted image 20240814123335.png]]

> [!check] Second-half of Flag #1
> aN\_Am4zINg\_!\_i\_gU3Ss???\_}

I just need the first part now, which was that MEGA drive we saw earlier but didn't have the password for. Again, I was spraying and praying with the plugins and stumbled upon this when I was using `windows`.

![[Pasted image 20240814123855.png]]

`windows` lists every window the GUI subsystem knew about at the time of capture: it walks the window station and desktop structures that `win32k.sys` keeps in session space and reports each window's handle, title, and owning process and thread. A window title is often all that survives of a note or a chat, so it is worth a look whenever a dump comes from a desktop session. Using the title we just found, I will now grep for the key in the raw memory dump, with some trailing context in case the key is stored a few lines after the title.

```shell
strings MemoryDump_Lab6.raw | grep -i -A 30 "Mega Drive Key"
```

We find this godforsaken key after grepping for it. It's on the latter half of the second line.

![[Pasted image 20240814124450.png]]

We can now go back to the MEGA drive and download that file.

![[Pasted image 20240814124848.png]]

Once we click decrypt, it reveals a `flag_.png` file which opens this...

![[Pasted image 20240814124959.png]]

Huh. I checked the `flag_.png` file with `file` and it doesn't recognise it as a `png`.
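When `file` refuses to identify a PNG, the damage is almost always in the 8-byte signature or in the first chunk, and you can pin it down without a repair tool by walking the chunk list and verifying each chunk's CRC. The CRC covers the four-byte chunk type as well as the chunk data, so a chunk whose type name has been altered (for example a single letter flipped to the other case) fails its stored CRC, while the original spelling still passes; that turns a guess about which byte to patch into a check. The following is an added example in Python, not code from the original post or from any repair tool. The 1x1 image it builds and corrupts is constructed here as sample input and is not the lab's `flag_.png`; the function and variable names are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob: bytes):
    """Yield (offset, type, data, stored_crc, crc_ok) for every chunk after the signature."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError(f"truncated chunk at offset {pos:#x}")
        stored = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == stored
        yield pos, ctype, data, stored, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def repair_chunk_types(blob: bytes):
    """Restore chunk type names whose letter case was tampered with.

    For each chunk that fails its CRC, try the 16 case variants of its 4-letter
    type; if exactly one variant reproduces the stored CRC, write it back.
    Returns (repaired_bytes, log_lines). Chunks with no matching variant are
    logged and left untouched, since the damage is then not just the type name.
    """
    out = bytearray(blob)
    log = []
    for pos, ctype, data, stored, crc_ok in parse_chunks(blob):
        if crc_ok:
            continue
        for mask in range(16):
            # ASCII letters differ only in bit 5 between cases; bit i of mask picks upper-case for letter i.
            candidate = bytes(
                (c & ~0x20) if (mask >> i) & 1 else (c | 0x20)
                for i, c in enumerate(ctype)
            )
            if (zlib.crc32(candidate + data) & 0xFFFFFFFF) == stored:
                out[pos + 4:pos + 8] = candidate
                log.append(f"{pos + 4:#x}: {ctype!r} -> {candidate!r}")
                break
        else:
            log.append(f"{pos + 4:#x}: {ctype!r} CRC mismatch, no case variant matches")
    return bytes(out), log


def make_sample_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit RGB PNG (not the lab file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, compression, filter, interlace
    raw_scanline = b"\x00" + b"\xff\x00\x00"  # filter byte 0 followed by one red pixel
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", zlib.compress(raw_scanline))
            + build_chunk(b"IEND", b""))


def corrupt_ihdr(blob: bytes) -> bytes:
    """Lower-case the 'I' of IHDR (offset 12, 0x49 -> 0x69) to mimic a case-flipped chunk type."""
    out = bytearray(blob)
    if out[12:16] != b"IHDR":
        raise ValueError("sample does not start with an IHDR chunk")
    out[12] = ord("i")
    return bytes(out)


if __name__ == "__main__":
    broken = corrupt_ihdr(make_sample_png())
    for off, ctype, _, _, ok in parse_chunks(broken):
        print(f"{off:#06x} {ctype!r} crc_ok={ok}")
    fixed, log = repair_chunk_types(broken)
    print("\n".join(log))
    print("repaired image valid:", all(ok for *_, ok in parse_chunks(fixed)))
```

Run against a real file, replace `make_sample_png()` with the bytes read from disk and write `fixed` back out; `parse_chunks` will list every chunk with its CRC result, so a dump whose `IHDR` prints as `b'iHDR' crc_ok=False` is the same single-byte case flip shown above, and the repaired copy is only accepted once every chunk passes its CRC again.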
![[Pasted image 20240814125107.png]]

I found a `png` repair tool on GitHub which I will link [here](https://github.com/sherlly/PCRT), there's probably many others but this was literally the first one I saw. You can see in the screenshot below that I ran it on the broken `flag_.png` and it calls out that there is a lost `IHDR` chunk (I didn't know what this was) but the `png` that the tool outputted still didn't work so I manually investigated the `IHDR` chunk.

![[Pasted image 20240814125636.png]]

I found the following image when googling so I checked our corrupt file in a hex editor too.

![[03-ihdr.png]]

![[Pasted image 20240814130010.png]]

Notice that the `i` in `IHDR` is actually lowercase. Let's patch this so that it's an uppercase `I` by changing hex `69` (ASCII `i`) to hex `49` (ASCII `I`) and saving the new file.

![[Pasted image 20240814130252.png]]

This is the first half of the flag, thank god.

> [!check] Flag #1
> inctf{thi5\_cH4LL3Ng3\_!s\_g0nn4\_b3\_?\_aN\_Am4zINg\_!\_i\_gU3Ss???\_}

### Conclusion
Thanks for following along, and I hope you found the series to be a good icebreaker into memory forensics with `Volatility`. Personally, I found the labs to be kind of repetitive and when they weren't repetitive they seemed random and messy. Anyway, until next time—peace!