MemLabs - Lab 0
Case Overview: My friend John is an "environmental" activist and a humanitarian. He hated the ideology of Thanos from the Avengers: Infinity War. He sucks at programming. He used too many variables while writing any program. One day, John gave me a memory dump and asked me to find out what he was doing while he took the dump. Can you figure it out for me?
For this beginner challenge we are given a file to download. All of the labs in this repository can be solved by using Volatility, which is what I will be using to analyze the memory dump file.
The first step is to figure out which profile we are going to use. To do this we will use imageinfo.
(From the Volatility GitHub) For a high level summary of the memory sample you're analyzing, use the imageinfo command. Most often this command is used to identify the operating system, service pack, and hardware architecture (32 or 64 bit), but it also contains other useful information such as the DTB address and time the sample was collected.
The full command we use is:
./volatility -f Challenge.raw imageinfo
Volatility gives us three suggested profiles: Win7SP1x86_23418, Win7SP0x86, and Win7SP1x86.
When you get more than one suggested profile, one of them may be right, or none of them. Because this lab has a write-up to go along with it, we will use the one the authors used (Win7SP1x86) for our next step to save us a little time. Otherwise, you would just choose one and hope for the best, moving on to the next suggestion if the output of later plugins looks garbled.
The next step suggested is to get a list of the active or running processes by using pslist.
To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started and exited. As of 2.1 it also shows the Session ID and if the process is a Wow64 process (it uses a 32 bit address space on a 64 bit kernel).
Looking through this list we see a couple of processes that are interesting: DumpIt.exe, cmd.exe, and explorer.exe. DumpIt.exe is the memory acquisition tool the creator of this lab used to take the dump, cmd.exe is the command prompt, and explorer.exe is the Windows file explorer.
Because cmd.exe was in use, we will run cmdscan.
The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands that attackers entered through a console shell (cmd.exe). This is one of the most powerful commands you can use to gain visibility into an attacker's actions on a victim system, whether they opened cmd.exe through an RDP session or proxied input/output to a command shell from a networked backdoor.
By running this scan, we are able to see that demon.py.txt was executed.
I want to know what exactly the user typed while using cmd.exe, so we will use
This is the fun part. At the bottom of the screenshot above you can see the string "335d366f5d6031707f". Throw this into CyberChef using the From Hex operation.
This is where the challenge gets tricky for me. The clues in CTFs are crucial. Back at the beginning of the challenge we were given a small description of an individual, and in that paragraph were a few key words: environmental, Thanos, variables... I'm not sure I would pick up on these if I didn't have the walkthrough. Maybe with more experience. First, we will work with the environmental clue.
Operating systems keep environment variables for each process. We can view them with the envars plugin (optionally restricting the output to the cmd.exe process with --pid so there is less to read).
Here is a helpful youtube video on environment tables: https://www.youtube.com/watch?v=bd65z5VZ7L4
There is a lot of information to look at here. Luckily, the environment variables for cmd.exe were the first to show. The Thanos variable sticks out to me because of the clues. Under the Thanos variable we can see the value is "xor and password".
I took the output from decoding the hex value we got earlier and threw it into CyberChef using XOR Brute Force. We get a lot of output that doesn't mean much; however, one line sticks out. Line two: 1_4m_b3tt3r (part of the flag?).
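The same From Hex plus single-byte XOR brute force, as an added example written for this write-up (not MemLabs' or CyberChef's code). The input is constructed here: the fragment 1_4m_b3tt3r} encoded with key 0x02, which reproduces the leading bytes 33 5d 36 6f 5d 60 31 of the string on this page; substitute the hex you recover from your own dump.

```python
"""Hex-decode a string and try every single-byte XOR key, keeping only keys
whose output is entirely printable ASCII. This mirrors the CyberChef
XOR Brute Force step; the surviving lines still have to be read by eye."""
import string

# Constructed sample (not taken from the dump): "1_4m_b3tt3r}" XOR 0x02.
SAMPLE_HEX = "335d366f5d6031767631707f"

# Printable ASCII without the whitespace control characters (\t \n \r \x0b \x0c).
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def decode(hex_string: str, key: int) -> str:
    """From Hex, then XOR each byte with one key byte; returns text or '' if
    any resulting byte is not printable ASCII."""
    out = bytes(b ^ key for b in bytes.fromhex(hex_string))
    if all(b in PRINTABLE for b in out):
        return out.decode("ascii")
    return ""


def brute_force(hex_string: str) -> dict[int, str]:
    """All 256 keys; keeps only key -> plaintext pairs that are fully printable.
    A wrong key usually produces a control byte somewhere, so this alone
    throws away most of the 256 candidates."""
    candidates = {}
    for key in range(256):
        text = decode(hex_string, key)
        if text:
            candidates[key] = text
    return candidates


if __name__ == "__main__":
    for key, text in brute_force(SAMPLE_HEX).items():
        print(f"key=0x{key:02x}  {text}")
```

Every high key (0x20 and above) is eliminated for this sample because some byte collides with a control character, so the list to inspect shrinks to under 32 lines.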
Now, back to the second half of the Thanos variable's value: password. Let's run hashdump in Volatility to extract and decrypt cached domain credentials stored in the registry.
There are several online tools that will help crack hashes, and the user hello is the one we are interested in cracking. Unfortunately, after a good half hour of trying multiple hash-cracking websites and John the Ripper, I came up empty-handed. I decided to head over to Google to see if anyone had a website recommendation and came upon the post below.
Bummer! I got all the way here... oh well. If we were successful, the second half of our flag would be presented as
Therefore, the full flag is:
flag(you_are_good_but1_4m_b3tt3r)
Thanks to MemLabs for this beginner challenge tutorial on Volatility.