We are provided with a Windows 7 memory dump. Let’s begin our initial analysis.

Initial Analysis

Let’s check what all processes are running.

$ volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86 pslist

pslist output
pslist output

As we can see only notepad is active, so let us try using cmdline plugin to check the process command line arguments.

$ volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86 cmdline

Going through the cmdline plugin output. In the bottom we can see that,

notepad.exe pid:   3736
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\evilscript.py
************************************************************************
notepad.exe pid:   3432
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\vip.txt

using notepad the user hello accessed evilscript.py and vip.txt. Let us check if those files are still there in the memory.

$ volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86 filescan | grep Desktop

filescan output

As we can see that, those are still present in the memory so we can dump them. And we can see that there is an another file named suspision1.jpeg is also located on same folder. So let’s dump that too

dumpfiles

So lets’s check what’s there in the python file.

import sys
import string

def xor(s):
    a = ''.join(chr(ord(i)^3) for i in s)
    return a

def encoder(x):
    return x.encode("base64")

if __name__ == "__main__":
    f = open("C:\\Users\\hello\\Desktop\\vip.txt", "w")
    arr = sys.argv[1]
    arr = encoder(xor(arr))
    f.write(arr)
    f.close()

As we can see the script is xoring a string with 3 and then encoding it to baste64 and writing it to vip.txt. So by doing the same exact thing in reverse way we can get the original string.

Flag

I have done this in ipython:

a='am1gd2V4M20wXGs3b2U='.decode('base64')
q=''
for i in a:
    q+=chr(ord(i)^3)

This gave the output as the first half of the flag: inctf{0n3_h4lf.

As we have got a jpg file,

jpg file

So lets try steghide with out a password and using the first half of the flag as the password.

steghide output

After using the first half of the flag as the password, we got the result secret text. Opening it got the second part of the flag: _1s_n0t_3n0ugh}

Flag: inctf{0n3_h4lf_1s_n0t_3n0ugh}

That’s how you finish this MemLabs, Lab – 3.

If you like my solution, please do share it. I’m availabe on Twitter: @NihithNihi