We are provided with a Windows 7 memory dump. Let’s begin our initial analysis.
Initial Analysis
Let’s check which processes are running.
$ volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86 pslist
As we can see, only notepad is active (two instances), so let us use the cmdline
plugin to check the command-line arguments each process was started with.
$ volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86 cmdline
Going through the cmdline plugin output, at the bottom we can see:
notepad.exe pid: 3736
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\evilscript.py
************************************************************************
notepad.exe pid: 3432
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\vip.txt
So, using notepad, the user hello accessed evilscript.py and vip.txt. Let us check whether those files are still present in memory.
$ volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86 filescan | grep Desktop
As we can see, both files are still present in memory, so we can dump them (with the dumpfiles plugin, passing the physical offset that filescan reports for each file with -Q). There is also another file in the same folder, suspision1.jpeg, so let’s dump that too.
Now let’s check what is in the Python file.
# evilscript.py as recovered from the dump. This is Python 2 code:
# str.encode("base64") does not exist in Python 3.
import sys
import string

def xor(s):
    # XOR every character of the input with the single-byte key 3
    a = ''.join(chr(ord(i)^3) for i in s)
    return a

def encoder(x):
    # base64-encode the XORed string (Python 2 codec; appends a trailing newline)
    return x.encode("base64")

if __name__ == "__main__":
    f = open("C:\\Users\\hello\\Desktop\\vip.txt", "w")
    arr = sys.argv[1]            # plaintext passed on the command line
    arr = encoder(xor(arr))      # XOR, then base64
    f.write(arr)                 # obfuscated result written to vip.txt
    f.close()
As we can see, the script XORs each character of the argument string with 3, base64-encodes the result and writes it to vip.txt. Both steps are trivially reversible (XOR with a fixed key is its own inverse, and the key is a single byte), so base64-decoding the contents of vip.txt and XORing with 3 again recovers the original string.
Flag
I have done this in ipython:
a = 'am1gd2V4M20wXGs3b2U='.decode('base64')   # contents of vip.txt; Python 2 str.decode
q = ''
for i in a:
    q += chr(ord(i) ^ 3)                        # undo the XOR with the same key
This gives the first half of the flag: inctf{0n3_h4lf
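The same reversal in Python 3, as an added example that is not part of the original writeup (the ipython snippet above is Python 2). It re-implements both directions of evilscript.py and goes one step further than the writeup: since the key is a single byte, a recover_key helper brute-forces all 256 candidates against an assumed flag prefix of "inctf{" rather than trusting the hard-coded 3. The base64 string is the one the writeup pulled from vip.txt; the prefix and the function names are assumptions for this example.

```python
"""Reverse the evilscript.py transformation: single-byte XOR, then base64.

Added example for this writeup, not the lab's or the author's own code.
"""
import base64
from typing import Optional

# Ciphertext taken from the writeup's vip.txt; the trailing newline mimics
# what Python 2's str.encode("base64") writes. Everything else is constructed.
VIP_TXT = "am1gd2V4M20wXGs3b2U=\n"
KNOWN_PREFIX = "inctf{"   # assumed flag format, used only by recover_key


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the script's chr(ord(i)^3))."""
    return bytes(b ^ key for b in data)


def encode_vip(plaintext: str, key: int = 3) -> str:
    """Forward direction of evilscript.py: XOR, then base64 (no trailing newline)."""
    return base64.b64encode(xor_bytes(plaintext.encode("latin-1"), key)).decode("ascii")


def decode_vip(vip_text: str, key: int = 3) -> str:
    """Reverse direction: base64-decode, then XOR with the same key.

    XOR with a fixed key is its own inverse, so the 'decryptor' is the
    encoder's xor() step applied again to the decoded bytes.
    """
    raw = base64.b64decode(vip_text.strip())
    return xor_bytes(raw, key).decode("latin-1")


def recover_key(vip_text: str, prefix: str = KNOWN_PREFIX) -> Optional[int]:
    """Brute-force the single-byte key.

    256 candidates is nothing; a known plaintext prefix pins the key down
    immediately. Returns the first key whose decryption starts with the
    prefix, or None if no key fits (e.g. wrong prefix or not single-byte XOR).
    """
    raw = base64.b64decode(vip_text.strip())
    want = prefix.encode("ascii")
    for key in range(256):
        if xor_bytes(raw, key).startswith(want):
            return key
    return None


if __name__ == "__main__":
    key = recover_key(VIP_TXT)
    print("recovered key:", key)
    if key is not None:
        half = decode_vip(VIP_TXT, key)
        print("first half of flag:", half)
        # Round-trip check against the original transformation.
        assert encode_vip(half, key) == VIP_TXT.strip()
```

The key recovery only needs a short known prefix because every candidate key is tested against the same first bytes; with no known prefix at all, filtering the 256 outputs for fully printable ASCII would narrow it just as quickly for a string this long.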
Since we also have a JPEG, let’s try steghide on it, first without a passphrase and then with the first half of the flag as the passphrase.
With the first half of the flag as the passphrase, steghide extracts a file, secret text. Opening it gives the second half of the flag: _1s_n0t_3n0ugh}
Flag: inctf{0n3_h4lf_1s_n0t_3n0ugh}
That’s how you finish this MemLabs, Lab – 3.
If you like my solution, please do share it. I’m available on Twitter: @NihithNihi