Magnet Weekly CTF Challenge Week 9 Writeup

This week's Magnet Weekly CTF challenge was broken into 7 parts and I learnt a lot from it. Without further ado, let's jump right into the challenge questions. 

The 1st challenge question was:


To be honest, I did spend a lot of time on the 1st challenge question as I did not catch the full context in the first place. Eventually it took me roughly 1 day to see through it. 

As there were some slack.exe processes found from the Volatility pslist plugin output and the fact that "The user had a conversation with themselves about changing their password.", the first thought that came to my mind was the slack.exe processes might very well had something to do with the answer. However, it turned out to be a wrong rabbit hole.

Clueless, I resorted to using the GNU strings utility to capture all printable character sequences that are at least 4 characters long:

strings memdump.mem > memdump_strings.txt

Then the term password was searched within the memdump_strings.txt file and the lines "Hmmm mmaybe I should change my password to: " and "wow_this_is_an_uncrackable_password" could be found:

From the above captured strings, the user Warren was planning to change his password to "wow_this_is_an_uncrackable_password" and this new password was the correct answer to the 1st challenge question. In addition, the complete conversation could be found from a Hex editor as seen in the screenshot below. 

The 2nd challenge question was:

Since a md5 hash was requested as the flag, it appeared that the recovery of the original file that contained the password was a must at this stage. From Warren's conversation contents alone, it was insufficient to determine where did the password file come from. The vaddump plugin of Volatility would come in handy, as it extracts the entire memory region for a particular process and writes them to a separate output per region. (Source)
Therefore the following commands were issued in a Linux terminal:

python vol.py -f ../memdump.mem --profile=Win7SP1x64 vaddump -D vads
grep -r "wow_this_is_an_uncrackable_password" vads/

The vaddump plugin would take some time to run and the grep command should be able to locate the process(es) that were related to the password file.
So it appeared that the WINWORD.EXE was related to Warren's password file. From the pslist Volatility plugin output, the PID for WINWORD.EXE was 3180.

Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
<redacted>
0xfffffa803177bb00 WINWORD.EXE            3180   2672     15      698      1      0 2020-04-20 23:17:06 UTC+0000 
<redacted>

After that, the dumpfiles Volatility plugin could be used to dump all files related to the PID 3180 WINWORD.EXE process:

python vol.py -f ../memdump.mem --profile=Win7SP1x64 dumpfiles -p 3180 -D word

All files related to PID 3180 WINWORD.EXE process would be dumped to the word directory and grep would be once more used on them:

grep "wow_this_is_an_uncrackable_password" *

One file file.3180.0xfffffa803316f710.dat contained the Warren's planned new password and it should be also a Word Document. Therefore, it should be the file that contained the password:

Using the md5sum utility, the md5 hash of file.3180.0xfffffa803316f710.dat (af1c3038dca8c7387e47226b88ea6e23) could be obtained successfully, which was also the correct answer for the 2nd challenge.

The 3rd challenge question was:

So it appeared that it would be necessary to look for NTFS birth object ID for the password file. The original dumpfiles Volatility plugin output also parsed the original filename of the dumped files. 

As the file.3180.0xfffffa803316f710.dat file should be a CDFV2 Microsoft Word file, which indicated that the file would probably had a ".doc" file extension. However, no dumpfiles output had an original file extension of ".doc". 
Meanwhile, an interesting called "AutoRecovery save of Document1.asd" could be found from the dumpfiles output. Turned out the original filename for file.3180.0xfffffa803316f710.dat was "AutoRecovery save of Document1.asd".

Following that the mftparser Volatility plugin was used to analyze the NTFS Master File Table (MFT)
python vol.py -f ../memdump.mem --profile=Win7SP1x64 mftparser --output-file=mft_parser.txt
After the mftparser finished runninntg, the output file mft_parser.txt should be inspected to see the MFT entry of "AutoRecovery save of Document1.asd". The Birth Object ID (31013058-7f31-01c8-6b08-21019106110) could be found from there as expected.

The 4th challenge question was:

From the contents of the password document, it should be written by Warren. In addition to that, by using RegRipper to parse the SAM registry hive (which could be extracted with Volatility dumpregistry plugin using the command python vol.py ../memdump.mem --profile=Win7SP1x64 dumpregistry -D output or by MemProcFS), the only active user should be Warren only. Thus, the correct answer should be 1000(Warren).

The 5th challenge question was:

As the password document name was  "AutoRecovery save of Document1.asd", it was very likely that the password documeny was created on the machine using the installed Microsoft Word. From the RegRipper results from Warren's NTUSER.DAT, the Microsoft Word running on the machine should be of a "OFFICE15" (a.k.a. Office 2013) and 15 is the Word software version number.

The 6th challenge question was:

For this question I used the Volatility vaddump plugin to dump the whole VAD structure of the WINWORD.EXE process and then look for the offset manually:
python vol.py -f ../memdump.mem --profile=Win7SP1x64 vaddump -p 3180 -D vads 
Afterwards, with the good old grep technique, the password string could be located inside "WINWORD.EXE.13f77bb00.0x0000000002180000-0x00000000021fffff.dmp". Using a Hex editor, the virtual memory address offset (0x02180A2D) could be found easily with a bit of calculation:

The 7th challenge question was:

What if I told you that you have already seen the answer for this question at the beginning of this write-up? That's right, the physical memory address offset of the password string was exactly the Hex offset of the password string (0xAF12A2Dinside the memory dump file.

Conclusion

Memory is fun and it would definitely interest everybody :D




Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi
Read more