Google CTF 2016 – Forensic “For1” Write-up

The Google Capture The Flag (CTF) was run on the 29th and 30th of April 2016. This is my solution to the forensics challenge “For1”, which was worth 100 points.

In this challenge a 200mb dump1.raw.lzma file was provided, with no instructions other than to find the flag. After downloading the file I decompressed it to reveal a 900mb dump1.raw file.

root@kali:~# lzma -d dump1.raw.lzma
root@kali:~# file dump1.raw
dump1.raw: ELF 64-bit LSB core file x86-64, version 1 (SYSV)

At first glance it appears to be an ELF file; however, the ELF header is just the start of what appears to be a memory dump. Running binwalk against the dump shows a lot of “Microsoft portable executable” content, and running strings over it turns up many references to Microsoft/Windows, confirming that this appears to be a memory dump of a Windows OS running within VirtualBox.
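The ELF core format wraps the memory image in PT_LOAD program headers, which is why `file` reports a core file even though the bulk of the data is raw Windows memory. This added example (not from the write-up) parses an ELF64 core header to list those segments and to map a guest physical address back to a file offset; the input is a constructed header, not the actual dump1.raw.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4   # e_type for a core file
PT_LOAD = 1   # segment that holds guest physical memory
PT_NOTE = 4   # segment that holds CPU/VM state notes

def elf64_load_segments(data: bytes):
    """Parse an ELF64 little-endian header in `data` and return
    (is_core, [(file_offset, phys_addr, size), ...]) for every PT_LOAD segment."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    e_type = struct.unpack_from("<H", data, 0x10)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segs = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_paddr, p_filesz))
    return e_type == ET_CORE, segs

def phys_to_file_offset(segs, paddr: int):
    """Translate a guest physical address to a file offset using the PT_LOAD map,
    or None if that address is not backed by the dump."""
    for p_offset, p_paddr, p_filesz in segs:
        if p_paddr <= paddr < p_paddr + p_filesz:
            return p_offset + (paddr - p_paddr)
    return None

def build_sample_core() -> bytes:
    """Constructed sample: an ELF64 core header with one PT_NOTE and one PT_LOAD
    program header (headers only; this is not the CTF's dump1.raw)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8          # ELFCLASS64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_CORE, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, 2, 0, 0, 0)                 # phoff=64, phentsize=56, phnum=2
    note = struct.pack("<IIQQQQQQ", PT_NOTE, 0, 176, 0, 0, 0x100, 0, 1)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 7, 0x1000, 0, 0, 0x10000, 0x10000, 0x1000)
    return ehdr + note + load

if __name__ == "__main__":
    is_core, segs = elf64_load_segments(build_sample_core())
    print("core file:", is_core)
    for off, paddr, size in segs:
        print(f"PT_LOAD phys 0x{paddr:x}-0x{paddr + size:x} at file offset 0x{off:x}")
```

On a real dump, pass the first few kilobytes of the file to `elf64_load_segments` to see where guest RAM begins before handing the image to Volatility.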

As this appears to be a memory dump, I start using Volatility, an open-source memory forensics tool. Initially I get no results with Volatility; after searching further through the dump I see references to Windows 10 and assume that my version of Volatility lacks Windows 10 support. Checking the Volatility website confirms that I need version 2.5, which introduced Windows 10 support.

With the new version downloaded I ran “imageinfo” to determine the profile that Volatility would recommend, but got no useful information. At this point I simply guessed Win10x64, which worked, so I ran with this profile and performed a pslist to list all processes running at the time of the memory dump; the output is shown below.

root@kali:~/volatility-master# ./vol.py -f /root/dump1.raw pslist --profile=Win10x64 pstree
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00032553780 System                    4      0    126        0 ------      0 2016-04-04 16:12:33 UTC+0000
0xffffe0003389c040 smss.exe                268      4      2        0 ------      0 2016-04-04 16:12:33 UTC+0000
0xffffe0003381b080 csrss.exe               344    336      8        0      0      0 2016-04-04 16:12:33 UTC+0000
0xffffe000325ba080 wininit.exe             404    336      1        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000325c7080 csrss.exe               412    396      9        0      1      0 2016-04-04 16:12:34 UTC+0000
0xffffe00033ec6080 winlogon.exe            460    396      2        0      1      0 2016-04-04 16:12:34 UTC+0000
0xffffe00033efb440 services.exe            484    404      3        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe00033f08080 lsass.exe               492    404      6        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe00033ec5780 svchost.exe             580    484     16        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe00034202280 svchost.exe             612    484      9        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000341cb640 dwm.exe                 712    460      8        0      1      0 2016-04-04 16:12:34 UTC+0000
0xffffe00034222780 svchost.exe             796    484     45        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000342a7780 VBoxService.ex          828    484     10        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000342ad780 svchost.exe             844    484      8        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000342c0080 svchost.exe             852    484      6        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000342dd780 svchost.exe             892    484     18        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000342bc780 svchost.exe             980    484     17        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe00034377780 svchost.exe             608    484     17        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000343e7780 spoolsv.exe            1072    484      8        0      0      0 2016-04-04 16:12:34 UTC+0000
0xffffe000343e9780 svchost.exe            1092    484     23        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe0003442a780 rundll32.exe           1148    796      1        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe00034494780 CompatTelRunne         1224   1148      9        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe00034495780 svchost.exe            1276    484     10        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe0003461d780 svchost.exe            1564    484      5        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe000345da780 wlms.exe               1616    484      2        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe00034623780 MsMpEng.exe            1628    484     24        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe000343b2340 cygrunsrv.exe          1832    484      4        0      0      0 2016-04-04 16:12:35 UTC+0000
0xffffe0003479b780 cygrunsrv.exe          1976   1832      0 --------      0      0 2016-04-04 16:12:36 UTC+0000   2016-04-04 16:12:36 UTC+0000
0xffffe000347aa780 conhost.exe            2004   1976      2        0      0      0 2016-04-04 16:12:36 UTC+0000
0xffffe000347c1080 sshd.exe               2028   1976      3        0      0      0 2016-04-04 16:12:36 UTC+0000
0xffffe00033e00780 svchost.exe            1772    484      3        0      0      0 2016-04-04 16:12:37 UTC+0000
0xffffe00033f1f780 sihost.exe               92    796     10        0      1      0 2016-04-04 16:12:37 UTC+0000
0xffffe0003259b3c0 taskhostw.exe          1532    796      9        0      1      0 2016-04-04 16:12:37 UTC+0000
0xffffe000339d4340 NisSrv.exe             2272    484      6        0      0      0 2016-04-04 16:12:38 UTC+0000
0xffffe000336e8780 userinit.exe           2312    460      0 --------      1      0 2016-04-04 16:12:38 UTC+0000   2016-04-04 16:13:04 UTC+0000
0xffffe000336e3780 explorer.exe           2336   2312     31        0      1      0 2016-04-04 16:12:38 UTC+0000
0xffffe0003374f780 RuntimeBroker.         2456    580      6        0      1      0 2016-04-04 16:12:38 UTC+0000
0xffffe00033a39080 SearchIndexer.         2664    484     13        0      0      0 2016-04-04 16:12:39 UTC+0000
0xffffe00033a79780 ShellExperienc         2952    580     41        0      1      0 2016-04-04 16:12:39 UTC+0000
0xffffe00033b57780 SearchUI.exe           3144    580     38        0      1      0 2016-04-04 16:12:40 UTC+0000
0xffffe00033e1d780 DismHost.exe           3636   1224      2        0      0      0 2016-04-04 16:12:47 UTC+0000
0xffffe000348e9780 svchost.exe            3992    484      6        0      0      0 2016-04-04 16:12:52 UTC+0000
0xffffe000348c6780 VBoxTray.exe           3324   2336     10        0      1      0 2016-04-04 16:12:55 UTC+0000
0xffffe00034b08780 OneDrive.exe           1692   2336     10        0      1      1 2016-04-04 16:12:55 UTC+0000
0xffffe00034b0f780 mspaint.exe            4092   2336      3        0      1      0 2016-04-04 16:13:21 UTC+0000
0xffffe00034ade080 svchost.exe             628    484      1        0      1      0 2016-04-04 16:14:43 UTC+0000
0xffffe0003472b080 notepad.exe            2012   2336      1        0      1      0 2016-04-04 16:14:49 UTC+0000
0xffffe000349e4780 WmiPrvSE.exe           3032    580      6        0      0      0 2016-04-04 16:16:37 UTC+0000
0xffffe000349285c0 taskhostw.exe           332    796     10        0      1      0 2016-04-04 16:17:40 UTC+0000

There are a small handful of processes that look interesting to me straight away, including notepad.exe, sshd.exe, and mspaint.exe.

I think any text from notepad.exe would already have been revealed when I ran strings on the dump file, so I leave that for now. I quickly check for open connections from sshd.exe, which appears to be running under Cygwin, but can’t see any established connections, so I leave that one for now too. Finally I decide to dump the mspaint.exe process (PID 4092), as shown below.

root@kali:~/volatility-master# ./vol.py -f /root/dump1.raw --profile=Win10x64 memdump -p 4092 -D /root/
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing mspaint.exe [  4092] to 4092.dmp

After dumping the process I had a 1.8gb file, which seemed pretty strange coming from a 900mb dump file. I’m not sure why this is, and when I discussed it with the challenge creator afterwards they did not seem to know either. If anyone has any insight into this I’d be interested to hear it.

Regardless, at this point I did not yet know how to view whatever Paint had open from my process dump. After some quick research I found this post outlining how to extract images from memory. I simply renamed my exported 4092.dmp file to 4092.data so that GIMP would recognize it as raw image data, and then opened it in GIMP.

After opening the image, this is what I was given.

[Image: gimp-1]

After holding the up arrow on the Offset field for a while, I decided that it would take a very long time to scrub through the 1.8gb file. I expanded the window and adjusted the width a bit to fit more on the screen, then started dragging the offset pointer around looking for anything interesting. Eventually, with a lot of luck, I found something; after adjusting the width further I found the flag shown below.

[Image: gimp-2]

This resulted in the flag of CTF{HeRe_GoES_thE_FLaG}.
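Scrubbing the offset and width by hand in GIMP is what eventually revealed the flag; the same idea can be automated, because consecutive rows of a real bitmap are similar to each other while rows of a wrongly guessed width are not. This added example (not from the write-up) scores candidate widths by row-to-row difference and carves the chosen region to a PPM file; it assumes the 32-bit BGRA layout Windows uses for 32bpp DIBs and runs on a constructed stand-in for the process dump, not on the real 4092.dmp.

```python
def row_score(data: bytes, offset: int, width: int, bpp: int = 4, rows: int = 16) -> float:
    """Mean absolute byte difference between consecutive rows when `data` at `offset`
    is read as a `width`-pixel-wide image with `bpp` bytes per pixel. Neighbouring
    rows of a real image are similar, so the true width scores lowest."""
    stride = width * bpp
    block = data[offset:offset + stride * rows]
    n = len(block) // stride
    if n < 2:
        return float("inf")
    total = 0
    for r in range(n - 1):
        a = block[r * stride:(r + 1) * stride]
        b = block[(r + 1) * stride:(r + 2) * stride]
        total += sum(abs(x - y) for x, y in zip(a, b))
    return total / ((n - 1) * stride)

def best_width(data: bytes, offset: int, candidates, bpp: int = 4) -> int:
    """Pick the candidate width whose rows line up best (lowest row_score)."""
    return min(candidates, key=lambda w: row_score(data, offset, w, bpp))

def carve_ppm(data: bytes, offset: int, width: int, height: int,
              bpp: int = 4, order: str = "BGRA") -> bytes:
    """Render width x height pixels from `data` at `offset` as a binary PPM (P6).
    `order` is the in-memory channel layout; Windows 32-bit DIBs are BGRA."""
    ri, gi, bi = order.index("R"), order.index("G"), order.index("B")
    stride = width * bpp
    out = bytearray(b"P6\n%d %d\n255\n" % (width, height))
    for y in range(height):
        row = data[offset + y * stride:offset + (y + 1) * stride]
        for x in range(width):
            px = row[x * bpp:(x + 1) * bpp]
            out += bytes((px[ri], px[gi], px[bi]))
    return bytes(out)

def sample_dump() -> bytes:
    """Constructed stand-in for a process dump: 256 bytes of junk, a 64x32 BGRA
    gradient (blue = 2x + 3y), then more junk. Not data from the real 4092.dmp."""
    junk = bytes((i * 37) & 0xFF for i in range(256))
    img = bytearray()
    for y in range(32):
        for x in range(64):
            img += bytes((2 * x + 3 * y, 0, 0, 255))
    return junk + bytes(img) + junk

if __name__ == "__main__":
    dump = sample_dump()
    w = best_width(dump, 256, [32, 48, 64, 96, 128])
    print("best width:", w)
    with open("carved.ppm", "wb") as f:
        f.write(carve_ppm(dump, 256, w, 32))
```

On a real process dump, step `offset` through the file and keep the offsets whose best row_score is low; those are the regions worth carving and opening in an image viewer.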
