AusCERT 2016 CTF – Game of memory write-up

The AusCERT 2016 Capture The Flag (CTF) was run from the 24th to the 26th of May 2016. These are my solutions to the “Game of memory” category of challenges, which was made up of 5 parts, each worth 100 points, for a total of 500 points.

This challenge provided a ~4 GB memory dump to be analysed. After running strings against the memory dump file, I found references to Windows 6.1.7600.16385, which appears to be Windows 7, so I worked with the Win7SP1x64 profile in Volatility. Volatility did not correctly detect the version: it suggested Windows 8, which was incorrect and did not work.

Challenge description:

The 1337 and 100 work for the same company, they sit across from each other on the same network. 100 is working on building a challenge for the Shearwater’s AusCert CTF.

1337 wasn’t allowed to be part of the build team. Being spiteful, they decide to sabotage the build team. 100 needs the proof that 1337 sabotaged the team, can you help find the proof?

Question 1: 100 pts

What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID?

The flag must be submitted in the following format: [pid][time][ppid]

First I ran ‘pstree’ to get a list of all processes; this also reveals each process’s parent.

root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.4
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8005817060:wininit.exe                       424    344      3     80 2016-05-11 03:25:16 UTC+0000
. 0xfffffa8005956a90:services.exe                     524    424      8    217 2016-05-11 03:25:18 UTC+0000
.. 0xfffffa8005ed59b0:dllhost.exe                    1920    524     18    213 2016-05-11 03:25:41 UTC+0000
.. 0xfffffa8005bb1b30:spoolsv.exe                    1040    524     14    337 2016-05-11 03:25:32 UTC+0000
.. 0xfffffa8005c82b30:vmtoolsd.exe                   1240    524     11    291 2016-05-11 03:25:34 UTC+0000
... 0xfffffa8003ec1b30:cmd.exe                       3744   1240      0 ------ 2016-05-11 03:29:15 UTC+0000
.... 0xfffffa8004120500:ipconfig.exe                 3764   3744      0 ------ 2016-05-11 03:29:15 UTC+0000
.. 0xfffffa8005f4b200:msdtc.exe                      1164    524     15    154 2016-05-11 03:25:42 UTC+0000
.. 0xfffffa8006968060:SearchIndexer.                 2308    524     14    645 2016-05-11 03:26:57 UTC+0000
... 0xfffffa80063314d0:SearchFilterHo                2536   2308      4     83 2016-05-11 03:26:58 UTC+0000
... 0xfffffa8006855b30:SearchProtocol                2508   2308      7    259 2016-05-11 03:26:58 UTC+0000
.. 0xfffffa8005fd9b30:svchost.exe                    2848    524     10    355 2016-05-11 03:27:00 UTC+0000
.. 0xfffffa8005a9db30:svchost.exe                     816    524     24    561 2016-05-11 03:25:25 UTC+0000
.. 0xfffffa8005070b30:svchost.exe                    2584    524     24    330 2016-05-11 03:26:59 UTC+0000
.. 0xfffffa8005c37630:svchost.exe                    1072    524     21    330 2016-05-11 03:25:32 UTC+0000
.. 0xfffffa800423bb30:TrustedInstall                 3652    524      7    135 2016-05-11 03:28:48 UTC+0000
.. 0xfffffa8005a664a0:svchost.exe                     716    524      8    302 2016-05-11 03:25:25 UTC+0000
.. 0xfffffa8005ac2060:svchost.exe                     848    524     28    539 2016-05-11 03:25:26 UTC+0000
... 0xfffffa80068fb060:dwm.exe                       2032    848      4     71 2016-05-11 03:26:50 UTC+0000
.. 0xfffffa8004059b30:sppsvc.exe                      212    524      6    172 2016-05-11 03:27:40 UTC+0000
.. 0xfffffa8005ba75c0:svchost.exe                     600    524     26    585 2016-05-11 03:25:31 UTC+0000
.. 0xfffffa8005d855a0:TPAutoConnSvc.                 1632    524     11    145 2016-05-11 03:25:39 UTC+0000
... 0xfffffa8006848060:TPAutoConnect.                2200   1632      6    127 2016-05-11 03:26:51 UTC+0000
.. 0xfffffa800686a060:taskhost.exe                   1936    524      9    154 2016-05-11 03:26:50 UTC+0000
.. 0xfffffa8004008060:svchost.exe                     928    524     18    379 2016-05-11 03:27:40 UTC+0000
.. 0xfffffa80067f4060:wmpnetwk.exe                   2404    524     16    417 2016-05-11 03:26:57 UTC+0000
.. 0xfffffa8005ad26c0:svchost.exe                     872    524     39   1807 2016-05-11 03:25:26 UTC+0000
.. 0xfffffa8005b6da30:svchost.exe                    1016    524     22    764 2016-05-11 03:25:30 UTC+0000
.. 0xfffffa8005a3e630:svchost.exe                     636    524     12    371 2016-05-11 03:25:25 UTC+0000
... 0xfffffa8005e97630:WmiPrvSE.exe                  1792    636      7    188 2016-05-11 03:25:41 UTC+0000
... 0xfffffa8003f26b30:WmiPrvSE.exe                  3064    636      8    125 2016-05-11 03:27:01 UTC+0000
. 0xfffffa800595d9d0:lsass.exe                        532    424      8    743 2016-05-11 03:25:18 UTC+0000
. 0xfffffa800596c360:lsm.exe                          540    424     11    211 2016-05-11 03:25:18 UTC+0000
 0xfffffa8004e68060:csrss.exe                         376    344      9    550 2016-05-11 03:25:14 UTC+0000
. 0xfffffa8003ece710:conhost.exe                     3752    376      0 ------ 2016-05-11 03:29:15 UTC+0000
. 0xfffffa800408d780:conhost.exe                     3276    376      2     35 2016-05-11 03:27:48 UTC+0000
 0xfffffa8003c6d9e0:System                              4      0     95    456 2016-05-11 03:25:04 UTC+0000
. 0xfffffa8004d2d7e0:smss.exe                         280      4      2     30 2016-05-11 03:25:05 UTC+0000
 0xfffffa8005813060:csrss.exe                         416    408     10    260 2016-05-11 03:25:16 UTC+0000
. 0xfffffa800680d060:conhost.exe                     2208    416      1     34 2016-05-11 03:26:51 UTC+0000
. 0xfffffa8003d6a060:conhost.exe                      796    416      3     52 2016-05-11 03:27:04 UTC+0000
 0xfffffa8005891630:winlogon.exe                      460    408      4    109 2016-05-11 03:25:17 UTC+0000
 0xfffffa80068bc060:explorer.exe                     1056    744     22    695 2016-05-11 03:26:50 UTC+0000
. 0xfffffa8003e42b30:cmd.exe                          312   1056      1     22 2016-05-11 03:27:04 UTC+0000
. 0xfffffa8003e746d0:firefox.exe                     2652   1056     52    569 2016-05-11 03:27:12 UTC+0000
. 0xfffffa8006931060:vmtoolsd.exe                    2152   1056      8    190 2016-05-11 03:26:50 UTC+0000
 0xfffffa80040c9b30:rundll32.exe                     3248   3216      3     61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe                         3268   3248      1     33 2016-05-11 03:27:48 UTC+0000

In this particular instance I thought that cmd.exe running under rundll32.exe was suspicious, so I submitted my flag based on that, as shown below, and it was correct.

flag: [3268][2016-05-11 03:27:48][3248]
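As an added example (not part of the original write-up), here is a small Python triage of the pstree output above: it parses the lines, flags any cmd.exe whose parent is not a shell or explorer.exe, and builds the flag string in the required format. The sample is a constructed subset of the dump’s pstree lines, and the set of expected shell parents is my assumption.

```python
import re

# Constructed sample: a subset of the pstree lines shown in the write-up.
PSTREE_SAMPLE = """\
 0xfffffa8005817060:wininit.exe                       424    344      3     80 2016-05-11 03:25:16 UTC+0000
. 0xfffffa8005956a90:services.exe                     524    424      8    217 2016-05-11 03:25:18 UTC+0000
.. 0xfffffa8005c82b30:vmtoolsd.exe                   1240    524     11    291 2016-05-11 03:25:34 UTC+0000
... 0xfffffa8003ec1b30:cmd.exe                       3744   1240      0 ------ 2016-05-11 03:29:15 UTC+0000
 0xfffffa80068bc060:explorer.exe                     1056    744     22    695 2016-05-11 03:26:50 UTC+0000
. 0xfffffa8003e42b30:cmd.exe                          312   1056      1     22 2016-05-11 03:27:04 UTC+0000
 0xfffffa80040c9b30:rundll32.exe                     3248   3216      3     61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe                         3268   3248      1     33 2016-05-11 03:27:48 UTC+0000
"""

# Leading dots give tree depth; exited processes show 0 threads and "------" handles.
LINE_RE = re.compile(
    r"^\.*\s*0x[0-9a-f]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<time>\S+ \S+)"
)

# Assumption: parents from which an interactive cmd.exe is normally expected.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "conhost.exe"}


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "time"}} from Volatility pstree output."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]), "time": m["time"]}
    return procs


def find_suspicious_shells(procs):
    """List (pid, start time, ppid, parent name) for cmd.exe with an unexpected parent.

    This is a triage list, not a verdict: every hit still needs an analyst to look at it."""
    findings = []
    for pid, p in procs.items():
        if p["name"].lower() != "cmd.exe":
            continue
        parent = procs.get(p["ppid"])
        parent_name = parent["name"] if parent else "<parent not in list>"
        if parent_name not in EXPECTED_SHELL_PARENTS:
            findings.append((pid, p["time"], p["ppid"], parent_name))
    return findings


def format_flag(procs, pid):
    """Build the [pid][time][ppid] string the challenge asks for."""
    p = procs[pid]
    return f"[{pid}][{p['time']}][{p['ppid']}]"
```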

Question 2: 100 pts

What permission level was achieved by the attacker?

The flag must be submitted in the following format: [Authenticated Users]

For this I decided to use ‘getsids’, which lists the security identifiers associated with each process and shows whether privileges have been escalated.

root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP0x64 getsids
[output snipped]

rundll32.exe (3248): S-1-5-18 (Local System)
rundll32.exe (3248): S-1-5-32-544 (Administrators)
rundll32.exe (3248): S-1-1-0 (Everyone)
rundll32.exe (3248): S-1-5-11 (Authenticated Users)
rundll32.exe (3248): S-1-16-16384 (System Mandatory Level)

cmd.exe (3268): S-1-5-18 (Local System)
cmd.exe (3268): S-1-5-32-544 (Administrators)
cmd.exe (3268): S-1-1-0 (Everyone)
cmd.exe (3268): S-1-5-11 (Authenticated Users)
cmd.exe (3268): S-1-16-16384 (System Mandatory Level)

Flag: [Local System]
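As an added example (not part of the original write-up), the following Python parses getsids output and reports two separate things for each process: the most privileged well-known group SID in its token, and its integrity level from the S-1-16-* SID. The distinction matters because an Administrators group SID alone does not prove elevation under UAC; the mandatory level SID does. The sample reuses the rundll32.exe lines above plus a constructed standard-user cmd.exe for contrast.

```python
import re

# Constructed sample: the getsids lines from the write-up, plus an invented
# medium-integrity cmd.exe (PID 312, user SID and name made up) for comparison.
GETSIDS_SAMPLE = """\
rundll32.exe (3248): S-1-5-18 (Local System)
rundll32.exe (3248): S-1-5-32-544 (Administrators)
rundll32.exe (3248): S-1-1-0 (Everyone)
rundll32.exe (3248): S-1-5-11 (Authenticated Users)
rundll32.exe (3248): S-1-16-16384 (System Mandatory Level)
cmd.exe (312): S-1-5-21-1111111111-2222222222-3333333333-1000 (vagrant)
cmd.exe (312): S-1-5-32-545 (Users)
cmd.exe (312): S-1-5-11 (Authenticated Users)
cmd.exe (312): S-1-16-8192 (Medium Mandatory Level)
"""

SID_RE = re.compile(r"^(?P<name>\S+) \((?P<pid>\d+)\): (?P<sid>S-[\d-]+) \((?P<label>[^)]*)\)")

# Well-known SIDs ordered from most to least privileged; the flag wants the top one present.
PRIVILEGE_ORDER = ["S-1-5-18", "S-1-5-32-544", "S-1-5-11", "S-1-1-0"]
PRIVILEGE_LABEL = {
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}


def parse_getsids(text):
    """Return {pid: {"name": str, "sids": {sid: label}}} from Volatility getsids output."""
    tokens = {}
    for line in text.splitlines():
        m = SID_RE.match(line)
        if m:
            entry = tokens.setdefault(int(m["pid"]), {"name": m["name"], "sids": {}})
            entry["sids"][m["sid"]] = m["label"]
    return tokens


def highest_privilege(token):
    """Most privileged well-known group SID present in the token."""
    for sid in PRIVILEGE_ORDER:
        if sid in token["sids"]:
            return PRIVILEGE_LABEL[sid]
    return "unknown"


def integrity_level(token):
    """Mandatory integrity label: S-1-16-16384 system, 12288 high, 8192 medium, 4096 low."""
    for sid, label in token["sids"].items():
        if sid.startswith("S-1-16-"):
            return label
    return "not present"
```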

Question 3: 100 pts

What is the attacker’s IP and port, the PID of the process attached to the connection and is the connection still open?

The flag must be submitted in the following format: [IP:PORT][PID][N]

I used ‘netscan’ here, which lists network connections and sockets found in Windows memory dumps.

root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP0x64 netscan
Volatility Foundation Volatility Framework 2.4
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e3d16f0        TCPv4    192.168.136.131:49189          192.168.136.134:41367 CLOSED           3248     rundll32.exe

flag: [192.168.136.134:41367][3248][N]

Question 4: 100 pts

What file was modified?

The answer must be submitted in the following format: [C:\flag.txt]

At first I used ‘handles’ to try to view the file handles of the compromised process, but this did not give me any results, so I dumped the process with ‘procdump’ and investigated it.

root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP0x64 procdump -D /mnt/ac/tmp/ -p 3268
Volatility Foundation Volatility Framework 2.4
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8004e77b30 0x0000000049fa0000 cmd.exe              OK: executable.3268.exe

After the dump completed I ran strings on it which revealed this:

C:\Users\vagrant\Documents\vault>
" > 6.txt

Flag: [C:\Users\vagrant\Documents\vault\6.txt]

Question 5: 100 pts

What is the attacker’s flag?

The answer must be submitted in the following format: flag{example_flag}

I had actually found this flag earlier, while running strings on the memory dump at the start to help determine the operating system in use.

strings memory_1.dmp | grep -i flag
echo "flag{N3Xt_t1m3_l3t_1337_BU1lD}" > 6.txt

I thought this command would have shown up in either ‘cmdscan’ or ‘consoles’, as these display command history, but this was not the case.

Summary

These challenges were fun to complete; I’ve recently started getting into memory analysis, as I find it pretty interesting.

As the first person to solve all 5 memory challenges in this CTF, I was also awarded 75 bonus points, for 575 in total.
