Trend Micro CTF 2017 – Forensic 200 Write-up

The Trend Micro CTF 2017 was run again this year between the 24th and 25th of June 2017. This is my solution to the 200 point forensics challenge. I was only able to complete around 90% of the challenge during the actual CTF, I didn’t complete it until a week after it was over.

The challenge started by providing us with a 260MB memory dump called VictimMemory.img, so I use Volatility to analyze the dump.

First I want to know what operating system the memory dump is for, this can be done with ‘imageinfo’ as shown below. Check out the Volatility command examples if you need further information on what all the options I use throughout this post do.

root@kali:~# volatility -f /root/tm/VictimMemory.img imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/tm/VictimMemory.img)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8333ec28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x8333fc00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2017-04-11 02:35:28 UTC+0000
     Image local date and time : 2017-04-11 11:35:28 +0900

The operating system appears to be Windows 7 32-bit, as per the suggested profiles. I started using the included Win7SP1x86 profile and had no problems with it.

While enumerating the memory dump, I noticed some suspicious processes running using ‘pstree’.

root@kali:~# volatility -f /root/tm/VictimMemory.img --profile=Win7SP1x86 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x88bbaab8:explorer.exe                              940    356     31    865 2017-04-11 02:28:23 UTC+0000
. 0x8691c030:cmd.exe                                 4080    940      1     20 2017-04-11 02:32:02 UTC+0000
.. 0x88abfa78:svchost.exe                            3828   4080      1      7 2017-04-11 02:35:18 UTC+0000

We can see that svchost.exe is a child process of cmd.exe, interesting, let’s investigate further!

With Volatility I used ‘cmdscan’ to see commands that have been entered into cmd.exe.

root@kali:~# volatility -f /root/tm/VictimMemory.img --profile=Win7SP1x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x33a338 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x33a700: cd %temp%
Cmd #1 @ 0x2d3b38: svchost.exe 1.tmp 0x0 1

It appears that the directory was changed to %temp% and then the command ‘svchost.exe 1.tmp 0x0 1’ was run. This means that there should be a dodgy svchost.exe file within this directory, so let’s take a look at the open file handles to see if we can find it. In this case we use ‘handles’ against process ID 3828, our suspect svchost.exe process.

root@kali:~# volatility -f /root/tm/VictimMemory.img --profile=Win7SP1x86 handles -p 3828
Volatility Foundation Volatility Framework 2.6
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x8db9f5e0   3828        0x4        0x3 Directory        KnownDlls
0x869342c0   3828        0x8   0x100020 File             \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp
0x89b6b420   3828        0xc   0x1f0003 Event
0x88baf038   3828       0x10   0x1f0001 ALPC Port
0x869e9d98   3828       0x14   0x1f0001 ALPC Port
0x9540c300   3828       0x18    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
0x88bb47c0   3828       0x1c   0x120089 File             \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp

The last file looks interesting, it’s in the %temp% directory and is called 1.tmp, which we know svchost.exe was executed against based on the command history.

Next I use ‘dumpfiles’ against our dodgy process 3828 to dump all associated files, which in this case includes both svchost.exe and 1.tmp.

root@kali:~# volatility -f /root/tm/VictimMemory.img --profile=Win7SP1x86 dumpfiles -p 3828 -D /tmp/hax
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x88bb47c0   3828   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
SharedCacheMap 0x88bb47c0   3828   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
ImageSectionObject 0x86942ad0   3828   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe
DataSectionObject 0x86942ad0   3828   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe

This created file.3828.0x86784ce0.vacb which is the 1.tmp file, and file.3828.0x8677fa30.img which is svchost.exe.

root@kali:~# file file.3828.0x86784ce0.vacb
file.3828.0x86784ce0.vacb: data
root@kali:~# file file.3828.0x8677fa30.img
file.3828.0x8677fa30.img: PE32 executable (console) Intel 80386, for MS Windows

Alternatively you could also use ‘dlllist’ and ‘dlldump’ options with Volatility to dump the svchost.exe file, as this is actually the way I did it I’ll include that way here too.

root@kali:~# volatility -f /root/tm/VictimMemory.img --profile=Win7SP1x86 dlllist -p 3828
Volatility Foundation Volatility Framework 2.5
************************************************************************
svchost.exe pid:   3828
Command line : svchost.exe  1.tmp 0x0 1
Service Pack 1

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00ed0000     0x6000     0xffff C:\Users\Taro\AppData\Local\Temp\svchost.exe
0x77560000   0x13c000     0xffff C:\Windows\SYSTEM32\ntdll.dll
0x76080000    0xd4000     0xffff C:\Windows\system32\kernel32.dll
0x75730000    0x4a000     0xffff C:\Windows\system32\KERNELBASE.dll
0x6ac10000    0xee000     0xffff C:\Windows\system32\MSVCR120.dll

We can see that svchost.exe is found at 0x00ed0000, so we can dump that out with ‘dlldump’ as shown below. It’s also worth noting that ‘dlllist’ also showed us what we saw with ‘cmdscan’.

root@kali:~# volatility -f /root/tm/VictimMemory.img --profile=Win7SP1x86 dlldump -p 3828 -b 0x00ed0000 -D /tmp/hax
Volatility Foundation Volatility Framework 2.6
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x88abfa78 svchost.exe          0x000ed0000 svchost.exe          OK: module.3828.a269a78.ed0000.dll

The svchost.exe file is a 32-bit executable, while 1.tmp appears to be shell code after a closer look through a hex editor. The contents of the 1.tmp file are shown below.

00020000   90               NOP
00020001   90               NOP
00020002   90               NOP
00020003   90               NOP
00020004   90               NOP
00020005   90               NOP
00020006   90               NOP
00020007   90               NOP
00020008   90               NOP
00020009   90               NOP
0002000A   90               NOP
0002000B   90               NOP
0002000C   90               NOP
0002000D   90               NOP
0002000E   90               NOP
0002000F   90               NOP
00020010   55               PUSH EBP
00020011   89E5             MOV EBP,ESP
00020013   83EC 60          SUB ESP,60
00020016   C645 DA A8       MOV BYTE PTR SS:[EBP-26],0A8
0002001A   C645 DB FF       MOV BYTE PTR SS:[EBP-25],0FF
0002001E   C645 DC 88       MOV BYTE PTR SS:[EBP-24],88
00020022   C645 DD D0       MOV BYTE PTR SS:[EBP-23],0D0
00020026   C645 DE B2       MOV BYTE PTR SS:[EBP-22],0B2
0002002A   C645 DF F6       MOV BYTE PTR SS:[EBP-21],0F6
0002002E   C645 E0 F8       MOV BYTE PTR SS:[EBP-20],0F8
00020032   C645 E1 EA       MOV BYTE PTR SS:[EBP-1F],0EA
00020036   C645 E2 FF       MOV BYTE PTR SS:[EBP-1E],0FF
0002003A   C645 E3 FF       MOV BYTE PTR SS:[EBP-1D],0FF
0002003E   C645 E4 D2       MOV BYTE PTR SS:[EBP-1C],0D2
00020042   C645 E5 FF       MOV BYTE PTR SS:[EBP-1B],0FF
00020046   C645 E6 FF       MOV BYTE PTR SS:[EBP-1A],0FF
0002004A   C645 E7 C2       MOV BYTE PTR SS:[EBP-19],0C2
0002004E   C645 E8 DC       MOV BYTE PTR SS:[EBP-18],0DC
00020052   C645 E9 C2       MOV BYTE PTR SS:[EBP-17],0C2
00020056   C645 EA D8       MOV BYTE PTR SS:[EBP-16],0D8
0002005A   C645 EB FF       MOV BYTE PTR SS:[EBP-15],0FF
0002005E   C645 EC F6       MOV BYTE PTR SS:[EBP-14],0F6
00020062   C645 ED FF       MOV BYTE PTR SS:[EBP-13],0FF
00020066   C645 EE FA       MOV BYTE PTR SS:[EBP-12],0FA
0002006A   C645 EF FF       MOV BYTE PTR SS:[EBP-11],0FF
0002006E   C645 BC 55       MOV BYTE PTR SS:[EBP-44],55
00020072   C645 BD 8B       MOV BYTE PTR SS:[EBP-43],8B
00020076   C645 BE EC       MOV BYTE PTR SS:[EBP-42],0EC
0002007A   C645 BF 51       MOV BYTE PTR SS:[EBP-41],51
0002007E   C645 C0 E8       MOV BYTE PTR SS:[EBP-40],0E8
00020082   C645 C1 00       MOV BYTE PTR SS:[EBP-3F],0
00020086   C645 C2 00       MOV BYTE PTR SS:[EBP-3E],0
0002008A   C645 C3 00       MOV BYTE PTR SS:[EBP-3D],0
0002008E   C645 C4 00       MOV BYTE PTR SS:[EBP-3C],0
00020092   C645 C5 58       MOV BYTE PTR SS:[EBP-3B],58
00020096   C645 C6 2D       MOV BYTE PTR SS:[EBP-3A],2D
0002009A   C645 C7 52       MOV BYTE PTR SS:[EBP-39],52
0002009E   C645 C8 1F       MOV BYTE PTR SS:[EBP-38],1F
000200A2   C645 C9 34       MOV BYTE PTR SS:[EBP-37],34
000200A6   C645 CA 01       MOV BYTE PTR SS:[EBP-36],1
000200AA   C645 CB 2D       MOV BYTE PTR SS:[EBP-35],2D
000200AE   C645 CC 52       MOV BYTE PTR SS:[EBP-34],52
000200B2   C645 CD 1F       MOV BYTE PTR SS:[EBP-33],1F
000200B6   C645 CE 34       MOV BYTE PTR SS:[EBP-32],34
000200BA   C645 CF 01       MOV BYTE PTR SS:[EBP-31],1
000200BE   C645 D0 E8       MOV BYTE PTR SS:[EBP-30],0E8
000200C2   C645 D1 00       MOV BYTE PTR SS:[EBP-2F],0
000200C6   C645 D2 00       MOV BYTE PTR SS:[EBP-2E],0
000200CA   C645 D3 00       MOV BYTE PTR SS:[EBP-2D],0
000200CE   C645 D4 00       MOV BYTE PTR SS:[EBP-2C],0
000200D2   C645 D5 90       MOV BYTE PTR SS:[EBP-2B],90
000200D6   C645 D6 90       MOV BYTE PTR SS:[EBP-2A],90
000200DA   C645 D7 C9       MOV BYTE PTR SS:[EBP-29],0C9
000200DE   C645 D8 C3       MOV BYTE PTR SS:[EBP-28],0C3
000200E2   C645 D9 CC       MOV BYTE PTR SS:[EBP-27],0CC
000200E6   C645 A6 00       MOV BYTE PTR SS:[EBP-5A],0
000200EA   C645 A7 5B       MOV BYTE PTR SS:[EBP-59],5B
000200EE   C645 A8 00       MOV BYTE PTR SS:[EBP-58],0
000200F2   C645 A9 00       MOV BYTE PTR SS:[EBP-57],0
000200F6   C645 AA 00       MOV BYTE PTR SS:[EBP-56],0
000200FA   C645 AB 00       MOV BYTE PTR SS:[EBP-55],0
000200FE   C645 AC 00       MOV BYTE PTR SS:[EBP-54],0
00020102   C645 AD 00       MOV BYTE PTR SS:[EBP-53],0
00020106   C645 AE 2B       MOV BYTE PTR SS:[EBP-52],2B
0002010A   C645 AF 17       MOV BYTE PTR SS:[EBP-51],17
0002010E   C645 B0 00       MOV BYTE PTR SS:[EBP-50],0
00020112   C645 B1 19       MOV BYTE PTR SS:[EBP-4F],19
00020116   C645 B2 3F       MOV BYTE PTR SS:[EBP-4E],3F
0002011A   C645 B3 00       MOV BYTE PTR SS:[EBP-4D],0
0002011E   C645 B4 00       MOV BYTE PTR SS:[EBP-4C],0
00020122   C645 B5 00       MOV BYTE PTR SS:[EBP-4B],0
00020126   C645 B6 00       MOV BYTE PTR SS:[EBP-4A],0
0002012A   C645 B7 03       MOV BYTE PTR SS:[EBP-49],3
0002012E   C645 B8 00       MOV BYTE PTR SS:[EBP-48],0
00020132   C645 B9 13       MOV BYTE PTR SS:[EBP-47],13
00020136   C645 BA 00       MOV BYTE PTR SS:[EBP-46],0
0002013A   C645 BB 05       MOV BYTE PTR SS:[EBP-45],5
0002013E   C745 FC 16000000 MOV DWORD PTR SS:[EBP-4],16
00020145   C745 F4 00000000 MOV DWORD PTR SS:[EBP-C],0
0002014C   C745 F0 00000000 MOV DWORD PTR SS:[EBP-10],0
00020153   8B45 F0          MOV EAX,DWORD PTR SS:[EBP-10]
00020156   83F8 16          CMP EAX,16
00020159   73 70            JNB SHORT 000201CB
0002015B   8D55 DA          LEA EDX,DWORD PTR SS:[EBP-26]
0002015E   8B45 F0          MOV EAX,DWORD PTR SS:[EBP-10]
00020161   01D0             ADD EAX,EDX
00020163   0FB600           MOVZX EAX,BYTE PTR DS:[EAX]
00020166   0FB6C0           MOVZX EAX,AL
00020169   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
0002016C   8D55 A6          LEA EDX,DWORD PTR SS:[EBP-5A]
0002016F   8B45 F0          MOV EAX,DWORD PTR SS:[EBP-10]
00020172   01D0             ADD EAX,EDX
00020174   0FB600           MOVZX EAX,BYTE PTR DS:[EAX]
00020177   0FB6C0           MOVZX EAX,AL
0002017A   8945 F4          MOV DWORD PTR SS:[EBP-C],EAX
0002017D   837D F4 00       CMP DWORD PTR SS:[EBP-C],0
00020181   7E 0A            JLE SHORT 0002018D
00020183   8345 F8 01       ADD DWORD PTR SS:[EBP-8],1
00020187   836D F4 01       SUB DWORD PTR SS:[EBP-C],1
0002018B  ^EB F0            JMP SHORT 0002017D
0002018D   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00020190   83E8 01          SUB EAX,1
00020193   0FB64405 BC      MOVZX EAX,BYTE PTR SS:[EBP+EAX-44]
00020198   0FB6C0           MOVZX EAX,AL
0002019B   2945 F8          SUB DWORD PTR SS:[EBP-8],EAX
0002019E   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
000201A1   83E8 01          SUB EAX,1
000201A4   0FB64405 BC      MOVZX EAX,BYTE PTR SS:[EBP+EAX-44]
000201A9   0FB6C0           MOVZX EAX,AL
000201AC   3145 F8          XOR DWORD PTR SS:[EBP-8],EAX
000201AF   D17D F8          SAR DWORD PTR SS:[EBP-8],1
000201B2   8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
000201B5   89C1             MOV ECX,EAX
000201B7   8D55 DA          LEA EDX,DWORD PTR SS:[EBP-26]
000201BA   8B45 F0          MOV EAX,DWORD PTR SS:[EBP-10]
000201BD   01D0             ADD EAX,EDX
000201BF   8808             MOV BYTE PTR DS:[EAX],CL
000201C1   836D FC 01       SUB DWORD PTR SS:[EBP-4],1
000201C5   8345 F0 01       ADD DWORD PTR SS:[EBP-10],1
000201C9  ^EB 88            JMP SHORT 00020153
000201CB   90               NOP
000201CC   C9               LEAVE
000201CD   C3               RET

When executing svchost.exe we get the following output:

usage: this.exe <input file> <offset> <isLongSleep>

This matches what we’ve seen before from ‘cmdscan’, so I run it against the 1.tmp shell code in a Windows virtual machine with the same parameters to see what happens, it appears to create a new thread after a sleep then end.

M:\ctf>svchost.exe 1.tmp 0x0 1
file name is 1.tmp
offset is 0
Createthread successful!
M:\ctf>

Nothing really interesting is happening yet. At this point during the CTF I spent a few hours looking at the svchost.exe file with the free version of IDA and Ollydbg but didn’t really get anywhere. I knew I was close, and then the CTF ended. A week later I went back into Ollydbg and had another attempt. I spent ages stepping through the process but saw nothing of interest, then I remembered the output mentioned that a thread was created. I looked at the other threads through Ollydbg through the View > Threads menu, but that didn’t really help me, mostly because I don’t really know how to use the tool properly.

This is where my ghetto solution comes in, I decided to modify the shell code and simply remove the return at the end. I edited 1.tmp in a hex editor and changed the c3 for return to 00 and saved it. The idea was that when it got to this point it’d stop processing rather than return back. Ideally I’d go through and set a breakpoint at the appropriate location, but I wasn’t even able to find the shell code executing while looking manually, likely because I don’t know how to work with threads and am not very good at this.

When you go to open svchost.exe in Ollydbg, in the arguments field you need to set ‘C:\path\to\1.tmp 0x0 1’ to run it against the shell code.

Ollydbg open with arguments

I loaded up Ollydbg with my modified file and executed it, it stopped as shown below, right at the end of the shell code as planned.

Ollydbg

Next I wanted to see what was in memory at this point straight after the shell code had been executed. This can be done in Ollydbg by going to View > Memory, or by pressing the Alt + m shortcut. Once the memory map was open, I right clicked and selected search as shown below.

Ollydbg memory

In this instance I knew that all flags started with the string ‘tmctf’, so I search for this.

tmctf

Sure enough this finds the flag in memory, which is TMCTF{static_analyzer}.

flag

I checked memory many different times while stepping through the process and never found the flag until I was able to stop execution at the end of the shell code.

I admit this was a ghetto solution, perhaps one day I’ll learn how to use IDA/Ollydbg and friends properly.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>