Published Date: 9 Aug 2024
___
### Introduction
Welcome to the third part of my [MemLabs](https://github.com/stuxnet999/MemLabs?tab=readme-ov-file) series, which means we're now halfway through. I recommend taking a look at the first and second parts to get up to speed.
As always, I will be using [Volatility](https://github.com/volatilityfoundation/volatility) for this lab. Additionally, the lab description also mentions needing a tool called [Steghide](https://steghide.sourceforge.net/). I haven't used this tool before, but I'm going to take a shot in the dark and assume it's related to steganography. Let's just say I'm not particularly excited for this lab.
> [!info]
> Steganography is **the practice of concealing information within another message or physical object to avoid detection**. It can be used to hide virtually any type of digital content, including text, image, video, or audio content.
Install `steghide` with the following command on Linux:
```shell
sudo apt install steghide
```
> [!info] CTF Description
> A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?
>
> **Note-1:** This challenge is composed of only 1 flag. The flag split into 2 parts.
> **Note-2**: You'll need the first half of the flag to get the second.
### Challenge
By now, you should be familiar with my approach to analysing memory dumps, so we're going to fly right through this one.
```shell
vol.py -f MemoryDump_Lab3.raw imageinfo
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/remnux/memlabs/MemLabs-Lab3/MemoryDump_Lab3.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82742c68L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82743d00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2018-09-30 09:47:54 UTC+0000
Image local date and time : 2018-09-30 15:17:54 +0530
```
Running `imageinfo` suggests using `Win7SP1x86_23418` this time. Let's proceed by looking at the processes.
```shell
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 pslist
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------
[...snip...]
0x9c6b0970 notepad.exe 3736 5300 1 60 1 0 2018-09-30 09:47:49 UTC+0000
0x8443d3c0 notepad.exe 3432 5300 1 60 1 0 2018-09-30 09:47:50 UTC+0000
```
The two `notepad.exe` processes are the only ones of particular interest to me. I'm going to check the handles now to see if I can find a reference to which files may have been open in these `notepad.exe` processes at the time. As you can see below, this process had an open `File` handle to the `\Device\HarddiskVolume2\Users\hello\Desktop` directory itself, which at least tells us where to look.
```shell
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 handles -p 3736
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- ---------------- -------
0x8f578ae8 3736 0x4 0x3 Directory KnownDlls
0x843e9360 3736 0x8 0x100020 File \Device\HarddiskVolume2\Users\hello\Desktop
[...snip...]
```
The same is true for the other `notepad.exe` process.
```shell
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 handles -p 3432
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- ---------------- -------
0x8f578ae8 3432 0x4 0x3 Directory KnownDlls
0x84e6c3c8 3432 0x8 0x100020 File \Device\HarddiskVolume2\Users\hello\Desktop
[...snip...]
```
Let's see if we can find the files in question.
```shell
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 filescan | grep -i "Desktop" | grep -vi "\.ini"
```
> [!tip]
> I grepped for anything with `Desktop` in the path but used `-vi` to filter out anything with an `.ini`. This just makes it easier to quickly filter out anything not of interest.
```shell
[...snip...]
0x0000000004f34148 2 0 RW---- \Device\HarddiskVolume2\Users\hello\Desktop\suspision1.jpeg
0x000000003de1b5f0 8 0 R--rw- \Device\HarddiskVolume2\Users\hello\Desktop\evilscript.py.py
0x000000003de646e0 2 1 R--rwd \Device\HarddiskVolume2\Users\hello\Desktop
0x000000003dec1480 8 0 R--r-- \Device\HarddiskVolume2\Windows\winsxs\FileMaps\$_remotepackages_remotedesktops_873149a9e18f9d12.cdf-ms
0x000000003df96eb0 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000003e1e9360 1 1 R--rw- \Device\HarddiskVolume2\Users\hello\Desktop
0x000000003e727e50 8 0 -W-rw- \Device\HarddiskVolume2\Users\hello\Desktop\vip.txt
[...snip...]
```
The files `vip.txt` and `evilscript.py.py` stand out. Also take note of the `suspision1.jpeg` which I probably wouldn't have found interesting if it wasn't for the `steghide` hint in the description. Let's extract these files for further examination using `dumpfiles`.
```shell
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003de1b5f0 --dump-dir notepad-dump1
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003e727e50 --dump-dir notepad-dump2
```
The script `evilscript.py.py` takes the secret as its first command-line argument, XORs every character with `3`, base64 encodes the result and writes it to `vip.txt`. It is Python 2 code: `str.encode("base64")` no longer exists in Python 3.
```python
import sys
import string

def xor(s):
    a = ''.join(chr(ord(i)^3) for i in s) # XOR every character with the key 3
    return a

def encoder(x):
    return x.encode("base64") # Python 2 codec: base64 encode (appends a newline)

if __name__ == "__main__":
    f = open("C:\\Users\\hello\\Desktop\\vip.txt", "w") # vip.txt is the OUTPUT file, opened for writing
    arr = sys.argv[1] # the secret comes in as the first command-line argument
    arr = encoder(xor(arr)) # XOR first, then base64 encode
    f.write(arr) # the encoded blob is what we later find in vip.txt
    f.close()
```
For clarity, I have put comments beside the lines of importance. Now, let's grab the contents of `vip.txt`.
```shell
am1gd2V4M20wXGs3b2U=
```
We need to reverse the ragtag obfuscation by doing the same steps in the opposite order: Base64 decode first, then XOR with `3` again (XOR is its own inverse, so the same key undoes it). Laziness led me to use CyberChef for this one.
![[Pasted image 20240809152234.png]]
As you can see, I just added the Base64 decode recipe first and then the XOR recipe with the decimal key. Revealed in the output is the first half of the flag.
> [!check] (half of) Flag #1
> inctf{0n3_h4lf
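The same reversal in code, as an added example rather than the CyberChef recipe above: a Python 3 re-implementation of the inverse of `evilscript.py.py` (the original is Python 2), plus a brute force over all 256 single-byte XOR keys for the case where only `vip.txt`, and not the script, is recoverable from the dump. The `steghide` invocation at the end assumes the `-p` passphrase option of `steghide extract` and a hypothetical output path for the dumped JPEG; the `vip.txt` content is the blob shown on the page.

```python
"""Reverse evilscript.py.py's obfuscation and recover the XOR key.

Added example, not the lab's own script. The forward transform was
XOR-with-3 followed by base64, so the inverse is base64-decode then
XOR-with-3. Python 2's str.encode("base64") also appended a newline,
which base64.b64decode() silently discards.
"""
import base64
import string

# Contents of vip.txt as dumped from the memory image.
VIP_TXT = "am1gd2V4M20wXGs3b2U="

# Bytes a flag could plausibly contain: printable ASCII minus control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def encode_like_evilscript(plaintext: str, key: int = 3) -> str:
    """Forward transform: XOR with the key, then base64 (what the script wrote)."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def decode_vip(blob: str, key: int = 3) -> str:
    """Inverse transform: base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key).decode()


def brute_force_key(blob: str, expected_prefix: bytes = b"inctf{") -> list[tuple[int, str]]:
    """Try all 256 single-byte keys and keep the ones that yield printable text.

    Candidates that start with the known flag format are moved to the front,
    so the right key stands out even when other keys give printable garbage.
    The first byte alone pins the key: 0x6a ^ key == ord('i') only for key 3.
    """
    raw = base64.b64decode(blob)
    hits = []
    for key in range(256):
        out = xor_bytes(raw, key)
        if all(b in PRINTABLE for b in out):
            hits.append((key, out.decode()))
    hits.sort(key=lambda kv: not kv[1].encode().startswith(expected_prefix))
    return hits


def steghide_extract_argv(jpeg_path: str, passphrase: str) -> list[str]:
    """Non-interactive steghide call; the page only shows the prompt version."""
    return ["steghide", "extract", "-sf", jpeg_path, "-p", passphrase]


if __name__ == "__main__":
    half = decode_vip(VIP_TXT)
    print("first half of the flag:", half)
    assert encode_like_evilscript(half) == VIP_TXT  # round trip sanity check

    key, candidate = brute_force_key(VIP_TXT)[0]
    print(f"brute-forced key: {key} -> {candidate}")

    # Assumed path: wherever dumpfiles wrote suspision1.jpeg on your box.
    print(" ".join(steghide_extract_argv("suspision-dump/suspision1.jpeg", half)))
```

Run it with no arguments; the brute force is the useful part when an attacker's script has been deleted and only the output file survives in memory, since a single-byte XOR leaves only 256 keys to try and the `inctf{` flag format filters them instantly.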
Okay, remember that `suspision1.jpeg` file we saw earlier? Are you thinking what I'm thinking?
```shell
vol.py -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x0000000004f34148 --dump-dir suspision-dump/
```
We learn from running `steghide --help` that we need to provide the `extract` argument followed by `-sf` to select the file we want to extract from.
![[Pasted image 20240809153518.png]]
*Enter passphrase*? How rude.
![[üzgünkedikuzeyefe.gif]]
Ah, the challenge description said "**You'll need the first half of the flag to get the second.**" so use the first half of the flag as the passphrase.
![[Pasted image 20240809153916.png]]
> [!check] Flag #1
> inctf{0n3_h4lf_1s_n0t_3n0ugh}
### Conclusion
I'll see you in [[MemLabs Part 4 - Obsession]]. Thanks for reading—peace.