The AusCERT 2016 Capture The Flag (CTF) was run from the 24th to 26th of May 2016, these are my solutions to the “Game of memory” category of challenges which was made up of 5 parts each worth 100 points, for a total of 500 points.
This challenge had a ~4gb memory dump which was to be analysed. After running strings against the memory dump file, I found references to Windows 6.1.7600.16385 which appears to be Windows 7, so I work with the Win7SP1x64 profile with Volatility. Volatility did not correctly detect the version and suggested that it was Windows 8 which was incorrect and did not work.
Challenge description:
The 1337 and 100 work for the same company, they sit across from each other on the same network. 100 is working on building a challenge for the Shearwater’s AusCert CTF.
1337 wasn’t allowed to be part of the build team. Being spiteful, they decide to sabotage the build team. 100 needs the proof that 1337 sabotaged the team, can you help find the proof?
Question 1: 100 pts
What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID?
The flag must be submitted in the following format: [pid][time][ppid]
First I ran a ‘pstree‘ to get a list of all processes, this would also reveal parent processes.
root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP1x64 pstree Volatility Foundation Volatility Framework 2.4 Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0xfffffa8005817060:wininit.exe 424 344 3 80 2016-05-11 03:25:16 UTC+0000 . 0xfffffa8005956a90:services.exe 524 424 8 217 2016-05-11 03:25:18 UTC+0000 .. 0xfffffa8005ed59b0:dllhost.exe 1920 524 18 213 2016-05-11 03:25:41 UTC+0000 .. 0xfffffa8005bb1b30:spoolsv.exe 1040 524 14 337 2016-05-11 03:25:32 UTC+0000 .. 0xfffffa8005c82b30:vmtoolsd.exe 1240 524 11 291 2016-05-11 03:25:34 UTC+0000 ... 0xfffffa8003ec1b30:cmd.exe 3744 1240 0 ------ 2016-05-11 03:29:15 UTC+0000 .... 0xfffffa8004120500:ipconfig.exe 3764 3744 0 ------ 2016-05-11 03:29:15 UTC+0000 .. 0xfffffa8005f4b200:msdtc.exe 1164 524 15 154 2016-05-11 03:25:42 UTC+0000 .. 0xfffffa8006968060:SearchIndexer. 2308 524 14 645 2016-05-11 03:26:57 UTC+0000 ... 0xfffffa80063314d0:SearchFilterHo 2536 2308 4 83 2016-05-11 03:26:58 UTC+0000 ... 0xfffffa8006855b30:SearchProtocol 2508 2308 7 259 2016-05-11 03:26:58 UTC+0000 .. 0xfffffa8005fd9b30:svchost.exe 2848 524 10 355 2016-05-11 03:27:00 UTC+0000 .. 0xfffffa8005a9db30:svchost.exe 816 524 24 561 2016-05-11 03:25:25 UTC+0000 .. 0xfffffa8005070b30:svchost.exe 2584 524 24 330 2016-05-11 03:26:59 UTC+0000 .. 0xfffffa8005c37630:svchost.exe 1072 524 21 330 2016-05-11 03:25:32 UTC+0000 .. 0xfffffa800423bb30:TrustedInstall 3652 524 7 135 2016-05-11 03:28:48 UTC+0000 .. 0xfffffa8005a664a0:svchost.exe 716 524 8 302 2016-05-11 03:25:25 UTC+0000 .. 0xfffffa8005ac2060:svchost.exe 848 524 28 539 2016-05-11 03:25:26 UTC+0000 ... 0xfffffa80068fb060:dwm.exe 2032 848 4 71 2016-05-11 03:26:50 UTC+0000 .. 0xfffffa8004059b30:sppsvc.exe 212 524 6 172 2016-05-11 03:27:40 UTC+0000 .. 0xfffffa8005ba75c0:svchost.exe 600 524 26 585 2016-05-11 03:25:31 UTC+0000 .. 0xfffffa8005d855a0:TPAutoConnSvc. 1632 524 11 145 2016-05-11 03:25:39 UTC+0000 ... 0xfffffa8006848060:TPAutoConnect. 2200 1632 6 127 2016-05-11 03:26:51 UTC+0000 .. 0xfffffa800686a060:taskhost.exe 1936 524 9 154 2016-05-11 03:26:50 UTC+0000 .. 0xfffffa8004008060:svchost.exe 928 524 18 379 2016-05-11 03:27:40 UTC+0000 .. 0xfffffa80067f4060:wmpnetwk.exe 2404 524 16 417 2016-05-11 03:26:57 UTC+0000 .. 0xfffffa8005ad26c0:svchost.exe 872 524 39 1807 2016-05-11 03:25:26 UTC+0000 .. 0xfffffa8005b6da30:svchost.exe 1016 524 22 764 2016-05-11 03:25:30 UTC+0000 .. 0xfffffa8005a3e630:svchost.exe 636 524 12 371 2016-05-11 03:25:25 UTC+0000 ... 0xfffffa8005e97630:WmiPrvSE.exe 1792 636 7 188 2016-05-11 03:25:41 UTC+0000 ... 0xfffffa8003f26b30:WmiPrvSE.exe 3064 636 8 125 2016-05-11 03:27:01 UTC+0000 . 0xfffffa800595d9d0:lsass.exe 532 424 8 743 2016-05-11 03:25:18 UTC+0000 . 0xfffffa800596c360:lsm.exe 540 424 11 211 2016-05-11 03:25:18 UTC+0000 0xfffffa8004e68060:csrss.exe 376 344 9 550 2016-05-11 03:25:14 UTC+0000 . 0xfffffa8003ece710:conhost.exe 3752 376 0 ------ 2016-05-11 03:29:15 UTC+0000 . 0xfffffa800408d780:conhost.exe 3276 376 2 35 2016-05-11 03:27:48 UTC+0000 0xfffffa8003c6d9e0:System 4 0 95 456 2016-05-11 03:25:04 UTC+0000 . 0xfffffa8004d2d7e0:smss.exe 280 4 2 30 2016-05-11 03:25:05 UTC+0000 0xfffffa8005813060:csrss.exe 416 408 10 260 2016-05-11 03:25:16 UTC+0000 . 0xfffffa800680d060:conhost.exe 2208 416 1 34 2016-05-11 03:26:51 UTC+0000 . 0xfffffa8003d6a060:conhost.exe 796 416 3 52 2016-05-11 03:27:04 UTC+0000 0xfffffa8005891630:winlogon.exe 460 408 4 109 2016-05-11 03:25:17 UTC+0000 0xfffffa80068bc060:explorer.exe 1056 744 22 695 2016-05-11 03:26:50 UTC+0000 . 0xfffffa8003e42b30:cmd.exe 312 1056 1 22 2016-05-11 03:27:04 UTC+0000 . 0xfffffa8003e746d0:firefox.exe 2652 1056 52 569 2016-05-11 03:27:12 UTC+0000 . 0xfffffa8006931060:vmtoolsd.exe 2152 1056 8 190 2016-05-11 03:26:50 UTC+0000 0xfffffa80040c9b30:rundll32.exe 3248 3216 3 61 2016-05-11 03:27:48 UTC+0000 . 0xfffffa8004e77b30:cmd.exe 3268 3248 1 33 2016-05-11 03:27:48 UTC+0000
In this particular instance I thought that cmd.exe running under rundll32.exe was suspicious, so I submitted my flag based on this criteria as shown below and it was correct.
flag: [3268][2016-05-11 03:27:48][3248]
Question 2: 100 pts
What permission level was achieved by the attacker?
The flag must be submitted in the following format: [Authenticated Users]
For this I decided to use ‘getsids‘ as this is used to view security identifiers associated with a process and see if privileges have been escalated.
root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP0x64 getsids [output snipped] rundll32.exe (3248): S-1-5-18 (Local System) rundll32.exe (3248): S-1-5-32-544 (Administrators) rundll32.exe (3248): S-1-1-0 (Everyone) rundll32.exe (3248): S-1-5-11 (Authenticated Users) rundll32.exe (3248): S-1-16-16384 (System Mandatory Level) cmd.exe (3268): S-1-5-18 (Local System) cmd.exe (3268): S-1-5-32-544 (Administrators) cmd.exe (3268): S-1-1-0 (Everyone) cmd.exe (3268): S-1-5-11 (Authenticated Users) cmd.exe (3268): S-1-16-16384 (System Mandatory Level)
Flag: [Local System]
Question 3: 100 pts
What is the attacker’s IP and port, the PID of the process attached to the connection and is the connection still open?
The flag must be submitted in the following format: [IP:PORT][PID][N]
I made use of ‘netscan‘ here which is used to provide network information in Windows based memory dumps.
root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP0x64 netscan Volatility Foundation Volatility Framework 2.4 Offset(P) Proto Local Address Foreign Address State Pid Owner Created 0x13e3d16f0 TCPv4 192.168.136.131:49189 192.168.136.134:41367 CLOSED 3248 rundll32.exe
flag: [192.168.136.134:41367][3248][N]
Question 4: 100 pts
What file was modified?
The answer must be submitted in the following format: [C:\flag.txt]
At first I made use of ‘handles‘ to try and view the file handles of the compromised processes, however this did not give me any results so I dumped the process with ‘procdump‘ and investigated it.
root@kali:/mnt/ac# volatility -f memory_1.dmp --profile=Win7SP0x64 procdump -D /mnt/ac/tmp/ -p 3268 Volatility Foundation Volatility Framework 2.4 Process(V) ImageBase Name Result ------------------ ------------------ -------------------- ------ 0xfffffa8004e77b30 0x0000000049fa0000 cmd.exe OK: executable.3268.exe
After the dump completed I ran strings on it which revealed this:
C:\Users\vagrant\Documents\vault> " > 6.txt
Flag: [C:\Users\vagrant\Documents\vault\6.txt]
Question 5: 100 pts
What is the attackers flag?
The answer must be submitted in the following format: flag{example_flag}
I actually found this flag first when I was running strings on the memory dump file at the start to help determine the operating system in use.
strings memory_1.dmp | grep -i flag
echo "flag{N3Xt_t1m3_l3t_1337_BU1lD}" > 6.txt
I thought this command would have shown through either ‘cmdscan or ‘consoles‘ as these should display various command history, however this was not the case.
Summary
These challenges were fun to complete, I’ve recently started getting into memory analysis as I find it pretty interesting.
As the first person to solve all 5 memory challenges in this CTF, I was also awarded 75 bonus points, for 575 in total.
0 Comments.