We are provided with a Windows 7 memory dump. Let us begin our initial level of analysis.
Initial Analysis
```sh
$ volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 pslist
```
As we see from the process list, `cmd.exe`, `chrome.exe`, `firefox.exe` and `WinRAR.exe` are the active running processes.
First part
Let us check Chrome's history with the `chromehistory` plugin.
```sh
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 chromehistory
```
One of the entries is an interesting Pastebin link.
The Pastebin link contains another Google Docs link, so let's head there. The docs link is: click here
The doc contains a lot of spam, but there is one interesting link which leads us to a Mega drive: https://mega.nz/#!SrxQxYTQ.
To download the file from the Mega drive we need the decryption KEY, and the text in the Pastebin link tells us that "David sent the key in mail".
Okay, let me use the `screenshot` plugin; it might help us.
```sh
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 screenshot -D .
```
We can see that a Firefox window is open on Gmail, showing a message with the subject Mega Drive Key. Now it's time for some raw analysis: the browser keeps its page data in JSON, so the message belonging to that subject may still be recoverable from the raw dump.
So we can use the `strings` command to pull that JSON data straight out of the memory image.
```sh
$ strings MemoryDump_Lab6.raw | grep "Mega Drive Key"
```
So the key is zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU.
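The `strings | grep` pipeline above only catches the ASCII encoding of the subject, and it prints a single line without surrounding context. The following added example (my own code, not part of the original writeup or of Volatility) scans a raw image for a keyword in both ASCII and UTF-16LE, returns a printable window around each hit so the neighbouring JSON fields are visible, and pulls `"key":"value"` pairs out of that window. The sample image, the JSON layout and the key value `EXAMPLE-KEY-NOT-REAL` are all constructed for the example; the real dump's layout may differ.

```python
import re

KEYWORD = "Mega Drive Key"


def printable_run(text):
    """Replace anything outside printable ASCII with '.' so the context is readable."""
    return "".join(c if 32 <= ord(c) < 127 else "." for c in text)


def find_keyword_context(image, keyword, context=64):
    """Find every ASCII and UTF-16LE occurrence of `keyword` in `image` (bytes).

    Returns a list of dicts with the encoding, the byte offset of the hit and a
    printable window of `context` bytes on either side of it.
    """
    results = []
    for enc, step in (("ascii", 1), ("utf-16-le", 2)):
        needle = keyword.encode(enc)
        idx = image.find(needle)
        while idx != -1:
            span = context - context % step          # keep 2-byte alignment for UTF-16LE
            lo = max(0, idx - span)
            if step == 2 and (idx - lo) % 2:         # window start must stay code-unit aligned
                lo += 1
            hi = min(len(image), idx + len(needle) + span)
            text = image[lo:hi].decode(enc, errors="replace")
            results.append({"encoding": enc, "offset": idx, "context": printable_run(text)})
            idx = image.find(needle, idx + len(needle))
    return results


def extract_json_strings(context):
    """Pull "key":"value" string pairs out of a context window.

    Assumption (constructed for this example): the mail data sits in flat JSON
    with string values, which is what the strings/grep approach also relies on.
    """
    return dict(re.findall(r'"([^"]+)"\s*:\s*"([^"]*)"', context))


def make_sample_image():
    """Constructed stand-in for a raw memory image (not lab data): filler bytes
    with one ASCII JSON fragment and one UTF-16LE copy of the subject embedded."""
    filler = bytes(i % 251 for i in range(400))
    json_fragment = b'{"subject":"Mega Drive Key","body":"Key: EXAMPLE-KEY-NOT-REAL"}'
    utf16_fragment = "Subject: Mega Drive Key".encode("utf-16-le")
    return filler + json_fragment + filler + utf16_fragment + filler


if __name__ == "__main__":
    for hit in find_keyword_context(make_sample_image(), KEYWORD):
        print(f"{hit['encoding']:>9} @ 0x{hit['offset']:08x}: {hit['context']}")
        print("   fields:", extract_json_strings(hit["context"]))
```

On a real dump, read the file with `open(path, "rb").read()` (or memory-map it for multi-gigabyte images) and pass the bytes to `find_keyword_context`; checking the UTF-16LE encoding matters because much Windows GUI and browser string data is stored that way and is invisible to a plain `strings` run.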
So we find a PNG image in the Mega drive. However, the PNG is corrupted. Fixing the IHDR chunk of the image gives us the first part of the flag.
The first part is: inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_
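The writeup only says the IHDR was fixed. As an added example (my own code, not the author's or any tool from the lab), here is a small PNG chunk checker and repairer: it walks the chunk stream, reports a first chunk that is not a 13-byte IHDR and any chunk whose stored CRC does not match, and rewrites the type bytes and CRC of the first chunk back to a valid IHDR. It assumes the damage is limited to the IHDR type bytes and/or CRC, with the 13-byte body intact (the lab image's actual corruption is not described on the page); the 1x1 test image is constructed here, not the lab's picture.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def chunk_crc(ctype, body):
    """CRC-32 over chunk type + chunk data, as the PNG spec defines it."""
    return zlib.crc32(ctype + body) & 0xFFFFFFFF


def parse_chunks(data):
    """Split a PNG into (offset, length, type, body, stored_crc) tuples."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    chunks, pos = [], 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        chunks.append((pos, length, ctype, body, crc))
        pos += 12 + length
    return chunks


def check_png(data):
    """Return a list of human-readable problems found in the chunk stream."""
    problems = []
    chunks = parse_chunks(data)
    if not chunks or chunks[0][2] != b"IHDR" or chunks[0][1] != 13:
        problems.append("first chunk is not a 13-byte IHDR")
    for off, _, ctype, body, crc in chunks:
        if chunk_crc(ctype, body) != crc:
            problems.append(f"CRC mismatch in chunk {ctype!r} at offset {off}")
    return problems


def repair_ihdr(data):
    """Rewrite the first chunk's type to IHDR and recompute its CRC.

    Assumption: only the type bytes and/or CRC are damaged; the 13-byte body
    (width, height, bit depth, colour type, ...) is intact.
    """
    off, length, _, body, _ = parse_chunks(data)[0]
    if length != 13:
        raise ValueError("first chunk is not 13 bytes long, so it cannot be IHDR")
    fixed = bytearray(data)
    fixed[off + 4:off + 8] = b"IHDR"
    fixed[off + 8 + length:off + 12 + length] = struct.pack(">I", chunk_crc(b"IHDR", body))
    return bytes(fixed)


def ihdr_fields(data):
    """Decode the image geometry from IHDR, useful to sanity-check a repair."""
    body = parse_chunks(data)[0][3]
    w, h, depth, ctype, _, _, _ = struct.unpack(">IIBBBBB", body)
    return {"width": w, "height": h, "bit_depth": depth, "colour_type": ctype}


def build_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", chunk_crc(ctype, body))


def make_sample_png():
    """Constructed 1x1 greyscale PNG used as test input (not the lab's image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one grey pixel
    return PNG_SIGNATURE + build_chunk(b"IHDR", ihdr) + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b"")


def make_corrupted_png():
    """Same image with the IHDR type bytes overwritten, which makes viewers reject it."""
    bad = bytearray(make_sample_png())
    bad[12:16] = b"XXXX"            # bytes 8-11 are the length, 12-15 the chunk type
    return bytes(bad)


if __name__ == "__main__":
    damaged = make_corrupted_png()
    print("before:", check_png(damaged))
    repaired = repair_ihdr(damaged)
    print("after: ", check_png(repaired), ihdr_fields(repaired))
```

Running `check_png` on a real file first tells you whether the problem is just the header (the common CTF case) or something deeper; if the IHDR body itself is wrong, the width and height have to be reconstructed from the IDAT size instead, which this example does not attempt.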
Second part
As WinRAR is running, the user presumably opened a RAR archive, so we will search for a RAR archive in the memory dump.
```sh
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 filescan | grep rar
```
We see a folder named pr0t3ct3d which contains a RAR archive named flag.rar.
Let us dump the RAR archive with the help of the `dumpfiles` plugin, using the physical offset reported by `filescan`.
```sh
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D .
```
However, the archive is password protected, and brute-forcing the password is unlikely to help. So let's check the other running processes.
As `cmd.exe` is running, we use the `cmdscan` plugin and see that the `env` command has been used. So let us look at the environment variables with `envars`.
```sh
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 cmdscan
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 envars
```
We observe a custom variable named RAR password.
It gives out the password as easypeasyvirus. Now we get the last part of the flag.
So now let us concatenate the 2 parts to finish this lab.
FLAG: inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?aN_Am4zINg!igU3Ss???_}
Note: Due to some markdown issue, ‘_’ is not being displayed properly, so check it out.
That’s how you finish this MemLabs, Lab – 6.
If you like my solution, please do share it. I'm available on Twitter: @NihithNihi