Home front-page port 80-shoopyuMemLabs Lab1 ๐Ÿ›ก๏ธ
Post
Cancel

front-page port 80-shoopyuMemLabs Lab1 ๐Ÿ›ก๏ธ

Posted Oct 17, 2023
By sujay adkesar
3 min read

Challenge Description

My sisterโ€™s computer crashed. We were very fortunate to recover this memory dump. Your job is get all her important files from the system. From what we remember, we suddenly saw a black window pop up with some thing being executed. When the crash happened, she was trying to draw something. Thats all we remember from the time of crash.

Note: This challenge is composed of 3 flags.

Challenge file: MemLabs_Lab1

The first thing to do with a memory dump file is to identify the operating system, for that we use imageinfo plugin.

1
2

$ volatility -f MemoryDump_Lab1.raw imageinfo

1

Next we check the running processes using pslist plugin.

1
2

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 pslist

2

There are 3 interesting processes here, letโ€™s start with cmd.exe. This process indicates that commands were executed on the system.

We can use consoles plugin to see the output

1
2

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 consoles

3

If you look closely to the output of the command St4G3$1, you can spot some Base64 text. If we decode it we get the flag of stage 1.

1
2
3

$ echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0= | base64 -d
flag{th1s_1s_th3_1st_st4g3!!}



Flag 1: flag{th1s_1s_th3_1st_st4g3!!}

Next we will focus on the second interesting process, which is mspaint.exe. The PID of this process is 2424

If you go back to the challenge description, we can see that the user was drawing something using mspaint

So letโ€™s use memdump plugin to extract some data.

1
2

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 memdump -p 2424 -D lab1_output/

The output is written to 2424.dmp, we need to rename it to 2424.data to be able to open it in Gimp.

After playing a bit with the width and offset. I got an image which is somewhat flipped. I rotated it 180 degrees then flipped it horizontally and I got the flag.

4

5

Flag 2: flag{G00d_Boy_good_girL}

The third interesting process is WinRAR.exe with PID 1512, we can use cmdline plugin to see the associated command line.

1
2
3
4
5

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 cmdline | grep WinRAR
Volatility Foundation Volatility Framework 2.6.1
WinRAR.exe pid:   1512
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Alissa Simpson\Documents\Important.rar"

Great, we got the name of the rar file which is Important.rar (looks important).

Next we can use filescan plugin to get the psychical offset of that file in memory.

1
2
3
4
5
6

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 filescan | grep Important.rar
Volatility Foundation Volatility Framework 2.6.1
0x000000003fa3ebc0      1      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fac3bc0      1      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fb48bc0      1      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar

We can pick any of these offsets, To dump the file we can use dumpfiles plugin.

1
2
3
4

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D lab1_output/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fa3ebc0   None   \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar

The file is dumped under the name file.None.0xfffffa8001034450.dat, letโ€™s rename and unrar it.

1
2
3
4
5
6
7
8
9
10
11

$ mv file.None.0xfffffa8001034450.dat Important.rar
$ unrar e Important.rar 

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from Important.rar

Password is NTLM hash(in uppercase) of Alissa's account passwd.

Enter password (will not be echoed) for flag3.png:

The file is password protected, but we can see a comment that says the password is the NTLM hash of Alissaโ€™s account passwd.

To get the password hash, we can use hashdump plugin.

1
2
3
4
5
6
7
8

$ volatility -f MemoryDump_Lab1.raw --profile Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::

Windows stores two hashes with each password, delimited by colons. The first one is an extremely insecure, obsolete hash using the LANMAN algorithm. Windows operating systems since Vista no longer use LANMAN hashes, so they are filled with a dummy value starting with โ€œaadโ€.

The second hash is the newer NTLM hash, which is much better than LANMAN hashes, but still extremely insecure and much more easily cracked than Linux or Mac OS X hashes.

The desired NTLM hash is f4ff64c8baac57d22f22edc681055ba6 (remember it must be in uppercase).

After decompressing the file, we get an image with the flag.

6

Flag 3: flag{w3ll_3rd_stage_was_easy}

enter image description here

Write Up, memoryforensics
memlabs lab1 memoryforensics digitalforensics
This post is licensed under CC BY 4.0 by the author.
Contents

front-page port 80-shoopyuUnlock Your Cybersecurity Career with TryHackMe's New Security Engineer Learning Path ๐Ÿ›ก๏ธ

front-page port 80-shoopyuMemLabs Lab2 ๐Ÿ›ก๏ธ