We are provided with a Memory dump and was asked to decrypt the encrypted contents of an archive file.
To get the entire description and other details, visit Hacktoria.
We shall use Volatility to extract useful evidences from the provided memory dump.
For this challenge, I will be using Volatility 2. Get it from official github repo
Let’s start our analysis by finding the profile of the memory dump provided.
$ vol.py -f .\CompromisedSystemMem.vmem imageinfo
As you can see from the above image, the identified profile is: Win7SP1x86_23418
Let’s use that profile and check what all processes were running at the time of capturing this memory dump.
We shall use pslist
plugin from volatility to get all the process that are running at the time of memory capture.
$ vol.py -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 pslist
As we can see from the above image(highlighted in RED), processes, cmd.exe, conhost.exe and ipconfig.exe got exitted and the content might not be available in memory to investigate.
We can also see that notepad.exe
process is running, which means, there are some text files open on the system when the memory capture.
To find these text files we can make use of handles
or filescan
plugins.
We shall use the filescan plugin and grep through these entries to get all the text files.
$ vol.py -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 filescan | Select-String "\.txt"
Two important things to notice are note.txt and Flag.txt files.
Let’s try to dump the Flag.txt file using dumpfiles
plugin and check its retrieved contents.
$ vol.py -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003d9339a0 -D .
From the above image, we can see it is a Datasource object to the contents for this file have been retrieved successfully.
We can see that we have successfully retrieved the flag.
Hacktoria{You_4nalyz3d_m3m0ry_AND_Cr4ckED_PASSW0rd}
Now let’s use this flag as the password for the FLAGFILE provided to retrieve the contract card.
]]>The challenge questions and the evidence files can be found at https://dfirmadness.com/the-stolen-szechuan-sauce/.
If you are learning different artefacts in Digital Forensics and want to apply it to a practice, then this challenge is more help for you. Some of the important artefacts covered in this challenge are:
During any investigation, we will have a lot of evidence files like Disk images, Memory images, Network captures etc. In my opinion only thing matters is the method how these evidence were approached.
In this challenge, we are provided with disk image from a domain controller, Desktop system. Their supporting memory images and autoruns files.
Note: This incident occurred at an organization located in Colorado in September. So, this places the incident at UTC -6. Keep this in mind when looking at the output of various tools.
Note: This post do not contain a static/dynamic analysis of any malicious binary during the investigation. It is completly based on the Forensics side of things in solving the challenge.
As per the description and file names, we can figure this seems to be a Windows box. Navigated the registry and got the extract OS information details.
DC01:
DESKTOP-SDN1RPT:
As we can see from the above screenshots, DC01 is running on Windows Server 2012 R2 Standard Evaluation
and DESKTOP-SDN1RPT is running on Windows 10 Enterprise
.
Now that we got the basic info about the disk image we have, let us start analyzing the Network capture given in the evidence.
For the Network Capture analysis, I will be using Wireshark to view the packets transferred between the devices.
After opening the Network capture in Wireshark and checking the Protocol Hierarchy, we can see a lot of information such as SMB, Kerberos, RDP, and some HTTP packets.
By applying the HTTP filter to wireshark, we can see some files being accessed.
We can use Export Objects options in wireshark to export all the files that are accessed via http.
Most of the files seem to be certificate related, but somewhere in middle we can see an external IP address(194.61.24[.]102
) visiting a simple fileshare for downloading a file named coreupdater[.]exe.
Exporting the file and searching the hash on Virus Total, we can see that this file is a malicious file.
As you can see from the virustotal, 59 out of 71 showed this file as a malicious file. And this file is part of meterpreter environment and is capable of Process Injection.
Now the file that was downloaded into the system(located on 10.42.85[.]10
) is malicious, the IP address from which this file downloaded is also a malicious IP(194.61.24[.]102
).
The relations tab from the virustotal, showed us that this file has contacted 4 other IPs, which may or may not be malicious.
To confirm which IP this coreupdater[.]exe contacted to, we may have to check the memory image given in the evidence files.
We shall be using the memory image from DC01 (Domain Controller) system.
To analyze a memory dump, we can use Volatility.
Let us check the process list that are running during the application was running from the memory dump.
PS > python.exe vol.py --plugins=D:\Tools\volatility-plugins\ -f .\citadeldc01.mem --profile=Win2012R2x64_18340 pslist
As you can see in the above image, the executable coreupdater[.]exe got exitted or stopped running at 2020-09-19 03:56:52.
Memory is one of the best place to check the network connections from any process. Lets use netscan plugin to find the Established or Listening.
As you can see in the above image, the coreupdater[.]exe has established a connection to an IP address (203.78.103[.]109
).
From the virustotal analysis result, we can see that this malicious file is part of Metasploit Framework. It has the capability for Process Injection. So we can make use of malfind plugin to find any process injection.
You can add a -D
flag to the command and we will get all the process that has the protection READ_EXECUTE_WRITECOPY. We can then pass it to clamscan or upload it to virustotal to find it has some malicious code injected to it.
As you can see in the above image, the our process named spoolsv.exe
is malicious with the same Meterpreter. So now lets use FLOSS and try to get the obfuscated strings.
As you can see in the above image, we can see a tcp connection to out foreign IP (203.78.103[.]109
), which we have seen from the netstat output.
From this we can say that the malicious file has established a connection and maybe has exfiltrated some files to that IP address.
Okay now let’s see what changes were made in the system when this malicious binary got into the system. Let’s analyze the DC01 disk image for this info.
During our network traffic analysis, we saw some RDP related network traffic. So lets check event logs related to RDP.
To find all the RDP related activities, we can check Event IDs 4624, 4625 for Successful and Failed Logon on to the system.
As you can see in the above image, There are a lot of Failed logons from a Remote Host name ‘Kali‘ to the target username Administrator.
The first failed logon detected at 2020-09-19 03:21:25
and the last failed logon detected at 2020-09-19 03:21:46
.
After a few failed logons, there is a successful logon (Logon Type 3) to the DC01 workstation. And after a few minutes, there is a 4624, Logon Type 3.
The sucessful logon for DC01 is at 2020-09-19 03:21:46
and the successful logon for Desktop is at 2020-09-19 03:28:21
.
After this successful logon, attacker visited a file server hosted on a foreign IP (194.61.24[.]102) and downloaded - coreupdater.exe
.
As an evidence that this malicious file has been downloaded, we can verify it from $MFT and UsnJrnl.$J.
MFT:
UsnJrnl.$J:
As this is a malicious executable which has the tendency to exfiltrate data from the system, so let’s check for any archive files that were created after this malicious file got created.
From UsnJrnl.$J, got these ZIP files created and deleted from DC01 and Desktop systems:
DC01:
Desktop:
Every malicious binary, wants to stay in the system after exfiltrated the files.
So let’s check some common persistence techniques like Autoruns and Service installs.
Autoruns (HKLM\SYSTEM\Microsoft\Windows\CurrentVersion\Run
):
Service Install from Registry:
Service Install from Event log (Event ID: 7045):
In the autoruns screenshot we can see that, the command is retreving some info from other registry keys. So by navigating to those registry keys, found an encoded base64 string.
Decoding this base64 string, we get a powershell script.
From the decoded base64 command, it seems like the powershell script is trying to create a new memory stream object and injecting an another base64 command present in it.
By decoding the other base64 command, found an another powershell script compressed in a GunZIP file. By extracting this new powershell script, it seems like the script is trying to do Process Injection.
A better view of the powershell script:
We can see GetProcAddress
being used. A kernel32.dll
is being used to free up memory addresses and creating a thread into the injected process. The base64 string that we are see in the code might be a shellcode which will be injected to a process. AFAIK, These GetProcAddress, VirtualAloc, CreateThread
are some of the functions used to inject a process.
There seems to be some data that has been send or received between the malicous IPs.
After the analysis of these the found malicious IP addresses, found the following:
Coreupdater.exe Download:
Data Exfiltration:
With this analysis, I guess we have got answers to all questions asked on the author’s webpage.
As malicious file might have been downloaded somewhere and may have moved to an other location, So after analysing IE WebcacheV01.dat, found the URL accessed to download and after retreiving the Response headers, got the location of where the file was downloaded.
WebCacheV01.dat:
Decoded Response headers:
As we can see in the above image, the file was originally downloaded to users download directory and as per MFT we can see that the file is in System32 directory.
It seems we may have got all the answers to the questions asked on the website, let’s answer them one by one.
What’s the Operating System of the Server?
What’s the Operating System of the Desktop?
What was the local time of the Server?
Was there a breach?
What was the initial entry vector (how did they get in)?
Was malware used? If so what was it? If there was malware answer the following:
What malicious IP Addresses were involved?
Did the attacker access any other systems?
What was the network layout of the victim network?
What architecture changes should be made immediately?
Did the attacker steal the Szechuan sauce? If so, what time?
Did the attacker steal or access any other sensitive files? If so, what times?
Finally, when was the last known contact with the adversary?
Below are some of the tools used for solving the challenge: (PS: All are open source or available for free)
If you have any queries or feedback reach out to me on Twitter / LinkedIn.
]]>Belkasoft organized a another CTF and it is their 4th CTF. For this CTF, we are given with a Linux Disk dump and some questions to answer.
Belkasoft Team also provided us with trails of Belkasoft X and Passware.
Download the challenge file from here
Password for the archive: MJSWY23BONXWM5DDORTEAMRQGIZA====
I couldn’t play the during the CTF, however I solved the challenges after the CTF. It is fun playing this CTF and an interesting one.
We are given a linux disk dump, add the dump in your favorite tool like Autopsy/FTK/Belkasoft X.
Once we load, we can find 2 users in the linux dump given. The users are ivan
& stanley
.
We can see Thunderbird mail is installed for the user stanley
.
We can see some database information and invoice related data regarding
Also we can some parts of crypto wallets in ivan’s Documents directory.
Lets answer the questions.
We have to find all users present in the given linux system.
For this we can directly see the list under home directory or check the /etc/passwd
or /etc/shadow
. Where we can get the list of user present in the system.
We can see ivan, stanley
as the users present in the given linux machine.
ivan, stanley
We need to find the website that the user is using to get his pocket money.
We can check the web browser history and see what all websites he accessed.
We can see FireFox browser is installed, and we can check out places.sqlite
database where we can find the browser history.
x-tux-0.web.app
We have to find the bitcoin wallet address used by the user.
When we open the website, the site contains information related to drugs and its price. Seems like it is the a side business for the user.
After viewing a product we can see a bitcoin address for paying the amount.
1KFHE7w8BhaENAswwryaoccDb6qcT6DbYY
The plot given says the user reports his sales to someone.
We can have to find the converation between them so that we can get the sales report and see which date has most sales.
As we know that the user stanley has a Thunderbird mail installed, let us check the conversations.
As we can see, the user shared a month wise database containing his sales.
But unfortunatly, the archive is password protected.
We can use Passware, to crack the password.
As you can see above, the password for the archive is vondutcemonaheem_gangsta78
.
The wordlist used for creaking the password is already given in the dump. It is located at /home/stanley/.thunderbird/xzyby22m.default-release/Mail/Local Folders/trashwords.txt
.
But one interesting file in this folder is Trash.txt
where it contains the password of the zip file.
We extract the csv files from the archive and grep for Acapulco Gold
, then we can find the date when the sales are high.
As you can see above 2021-05-12
has high sales.
2021-05-12
We have to find the private bitcoin wallet address used by the user.
In ivan’s documents directory, found .custom_info
file where it contained information regarding the private bitcoin wallet.
The contents of the file are:
M y p r i v a t e c u s t o m c r y p t o w a l l e t : bc1q__2kgdygjrs__zq2n0yrf2493p__kkfjhx__lh ( b i t c o i n )
Where some of the characters are missing.
In the same directory we can some of the invoice documents, where one of the document we can that the endianness is changed and the header is not present.
After we change the endianness and added header, we can see the complete bitcoin wallet ID.
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
We have to find the password of the secret note.
We can find that secret note in the stanley’s documents directory.
We can extract it and see its file type.
It is a CDFV2 Encrypted
file. Which is just a protected Microsoft Word Document.
Now, we have to find the password for this file.
There is file named NOTHING_IMPORTANT_INFO.pdf
, in ivan’s hidden folder named .info
.
It contained an embedded file named passwd. After opening it, contains some based encoded text.
Opening it in Cyberchef, we can get the decoded string.
As you can see in the above decoded string, we got the password of the note.
!mp0rt4nTNot3
We need to find the secret pin mentioned in the notes.
After we open the notes, we find a threat note where tux threats to kidnap.
He also mentioned that you stored the secret pin in a converstation recorded in a shark. (Probably meant a Wireshark/tshark capture or a pcap file).
We found a pcap file in ivan’s Music directory.
We can open PCAP using Wireshark and check the protocal hierarchy, to find what all protocols present in the capture.
We can see a audio file transfered in http.
We can open file in audacity or Sonic Visualiser and open it in Spectrogram, we get the flag.
flag{1257}
We are asked to find the timestamp when the user got the threat.
In the previous question, we saw a threat note with a timestamp noted when it is written.
User mentions, he wrote this note after 10 minutes of the threat. So we have to subtract 10 min from the timestamp.
In epoch time, 1 min = 60 sec
. So 10 min = 600 sec
.
The original timestamp is 1637948867 and subtracting 600 sec gives the flag.
1637948267
We need to find who the kidnapper threatned.
We can a mycon.zip
file in ivan’s .local directory. It is a password protected file.
As we found a secret pin in the other question, we can try using it as a password(flag{1257}
) to extract the contents of the zip file.
It worked and we got a sheet containing names and emails.
In the threat it mentioned that 0xTux
is the kidnapper, we can find his email from the sheet we received.
0xTux, wixelig493@keagenan.com
Everyone have lots of tasks to complete in a day and we use different apps for organising our daily tasks/meet-ups etc. Google Tasks is one of the simple application to get go. It is a user friendly application and easy to use, organise etc.
The Google Task data folder can be found at /data/data/com.google.android.apps.tasks/
.
The main files of interest is data.db
, which can be found in files/tasks-{ID}
.
We get a good amount of tables to sift through for analysis as you can see below from the DB Browser screenshot:
data.db Tables
Using the data collected from emulator, I found useful information populated in the following tables:
Note: Data is stored as blob in these both tables.
This table contains some metadata about when the list Created, Modified, List name, List ID and few other details.
Interesting columns in this table are:
~default
.created
, modified
, List Name
, List ID
.Decoding the blob data using CyberChef, we can see it pulls out List name, List ID, and timestamps and other information.
{ "1": "~default", "2": { "1": "My Tasks", "3": "user" }, "3": { "1": [ { "1": "cm-giEvLNfv7qtpq", "2": [ { "1": "elSNabzEnFtR9QsE" }, { "1": "dIXAjJLovsKNqXsr" } ] }, { "1": "Ry9dIkNjAdwTlaSn" } ] }, "6": { "1": 1623872134, "2": 158266000 }, "7": { "2": 5 }, "8": { "1": 1628267601, "2": 852175000 }}
Some of the keys that I figured out are:
This table contains the most important data like task names, task details, due data & time, task created & last modification time stamps, task completion time, task completion status.
Interesting columns in this table are:
From my testing, I got this as the structure of the blob data present in EffectiveTask:
{ "1": "DQn3azgcN9huA4Tb", "2": { "1": 1, "2": "task1", "3": "details in task1, list 16:16", "4": { "1": 2021, "2": 8, "3": 31 }, "5": { "1": 1629458276, "2": 408000000 }, "10": "5IAve9dCmbU854lU" }, "3": { "1": 1629458282, "2": 331087000 }, "4": "AwjRql9PeUnXpW5i", "8": { "2": 5 }, "9": { "1": { "2": { "1": 2021, "2": 8, "3": 31 }, "3": { "1": 18 }, "4": "Asia/Kolkata", "6": { "1": 1630413000 } } }, "11": { "1": 1629456419, "2": 138443000 }, "13": { "1": "117075487121734099140" }}
Some of the keys I figured out are:
These are some the useful details from Google Tasks database.
ALEAPP parsers have been added for retriving the Task, Task details, and timestamps etc. Other artifacts will be added soon while I continue my research.
Get ALEAPP here - https://github.com/abrignoni/ALEAPP
]]>Challenge Points: 989
Challenge Solves: 6
Challenge Author: g4rud4
Download the challenge file from here
MD5 Hash: Heist_ends.zip 28EB446FB1A2D3B408CBCCAFBBFBA86D
We are given a with an Android Device dump, I will be using Alexis Brignoni‘s ALEAPP to parse the given android dump. ALEAPP generated a HTML report of all artifacts that can be parse by it.
Android stores its application data in /data/data
directory and all the installed applications in /data/app
directory.
We can see a lot of apps being installed, some of which are Google apps, Slack, Dr. Driving, etc.
From the ALEAPP report, we can see that the given Android device is running Android 10.
- When did the Professor create the note for Rio?
We can only find one note taking app installed, i.e: Google Keep - Notes and Lists. Keep stores user data in the following directory: /data/data/com.google.android.keep/
. Only file of interest for this question is keep.db
present in databases
directory. We can go through the database and extract the creation time of the Note.
As we already ran ALEAPP, we can go check the Google Keep - Notes report.
As highlighted above, We can get the note creation time as 2021-07-19 12:28:39
. Converting that to the format mentioned in the description would result in 19-07-2021_12:28:39
.
If you want to learn more about the artifacts of Google Keep, checkout my blog post here.
- Where did Professor and Rio, Plan to meet to plan the heist?
As Slack is installed on the device, they might have used it for communication.
This blog post from Alexis Brignoni, gives us a detailed info on how we can extract messages from Slack Workspace. And here you can find the SQL queries required for extracting chats and files shared in a slack workspace.
Slack stores user data in the following directory, \data\data\com.Slack
.
Main files of interest are the database files named with the workspace ID found in databases directory.
We can see 2 files: org_T027GM97WJ3
and T027GM97WJ3
.
Extracting the useful data from org_T027GM97WJ3
, we can get all the messages between Professor and Rio.
SELECT datetime(ts , 'unixepoch') AS 'Time Sent', channel_id, user_id, json_extract(message_json, '$.text') AS 'Messages' FROM messages ORDER BY ts;
As highlighted, we can see a message from user with user ID U027H1QN8MD
, saying that they were planning to meet exactly at 9 PM on July 20, 2021 at this location.
We can get the Latitude and Longitude from the url shared.
Hence, we got the answer. Latitude and Longitude as 13.106_80.225
- When did Rio plan to meet Professor?
We got the answer for this question in the previous question.
We need to answer in original timezone, so irrespective of timezone that the user using on slack, we don’t need to convert it to different timezone.
So, We got our answer. Converting it to the format given in description, results in 20-07-2021_21:00:00
.
- How many members did Rio gathered for the heist?
From the Slack messages that we extracted previously. We can see a conversation regarding how many members for heist. Where Rio says, he is having a team of 11 members.
We got the answer. Members for the heist are 11
.
- How many tasks did Rio created in planning the heist, and how many did he complete?
As there are a lot of Google apps installed, we found an installation of Google Tasks.
Google Tasks stores user data at \data\data\com.google.android.apps.tasks\
.
Main files of interest is data.db
present in files\tasks-109039317116448576167\
.
This database contains a lot of tables, but the table of interest is Tasks
. Where we can find Task ID, Task list ID, completion status, Effective task(A blob data contains infomation about task, task details, creation, modification, & completion timestamps) etc.
AS highlighted, we can see that 4 tasks were created and 3 were completed. Converting to the format mentioned in description, results in 4_3
.
- There is a secret code present in a document shared between Rio & Professor, can you find out what it is?
From the Slack messages, we saw some conversion, where Rio sharing a link to the document. And also Google Docs is installed in the android device.
We can find the 1st page cache of the document opened via Google docs from the mobile device.
Location for the documents cache is data\data\com.google.android.apps.docs\cache\docs_glide\data
. We will find some images where they contain the 1st page cache.
From the image you can find the secret code used by Rio & Professor.
Secret code is MintMMCT15AUG
.
- We found a game installed on the device. When did Rio first open this game?
We only found one game installed on the device. Which is Dr. Driving
. We are asked to find the first open time of this game.
Dr. Driving stores user data at data\data\com.ansangha.drdriving
.
Main files for interest is com.google.android.gms.measurement.prefs.xml
present in shared_prefs.
<long value="1626782632701" name="last_upload"/><long value="1626782629126" name="first_open_time"/><long value="1628089054881" name="health_monitor:start"/>...<snip>...<string name="previous_os_version">10</string><boolean value="true" name="has_been_opened"/><boolean value="false" name="allow_remote_dynamite"/><long value="1628089934425" name="last_pause_time"/>
This file contains some metadata information about first time app opened, last upload, previous os version, etc.
Converting the epoch timestamp to UTC, we get 20-07-2021_12:03:49
.
Combining all answers gives us the flag.
inctf{19-07-2021_12:28:39_13.108_80.225_20-07-2021_21:00:00_11_4_3_MintMMCT15AUG_20-07-2021_12:03:49}
For further queries, please DM on Twitter: https://twitter.com/_Nihith
]]>Challenge Points: 984
Challenge Solves: 7
Challenge Author: g4rud4
Challenge file is same as Heist Challenge. If you haven’t downloaded it, you can download it from here
- What is the workspace ID and USER ID of the Slack workspace that is the user participating in?
As Slack is installed on the system. Slack stores it user logs at Users\Danial Benjamin\AppData\Roaming\Slack
.
Main files of interest would be 000004.log
& root-state.json
present in Local Storage\leveldb
& \storage\
.
Some of the usefull infomation that we can retrieve from 000004.log are:
With the help of root-state.json, we can confirm the about details we retrieved.
As highlighed and confirmed with 000004.log, We got the Workspace ID and the USER ID. Converting them to the format given in description, we get T027GM97WJ3_U027XK55WCT
.
- There was a remote connection and we think there is a secret text on the remote connected PC’s wallpaper. What are the first and last 3 characters of the secret text?
During the initial analysis of Heist challenges. We found out there are 2 Remote access application, TeamViewer & AnyDesk. Both of the these applications have their capabilities, but AnyDesk has something more.
AnyDesk stores the wallpaper of the Remote Desktop’s as a thumbnail. We can find these thumbnails at Users\Danial Benjamin\AppData\Roaming\AnyDesk\thumbnails
.
We can find a string on the thumbnail. We are asked to provide the first & last 3 characters of the string found. Which will be a27da2
.
- Team restored 2 USB devices (Sandisk 3.2Gen1 & Toshiba External USB 3.0) at the leader’s place. What is the file system of these 2 USB devices?
We were asked to find the FileSystem of the USB devices connected to the system.
System registry contains the details about USB devices connected to the system. From USBStor registry key we can find the list of USB devices connected to the system.
As we highlighted, we have the 2 USB drives connected to system. Now we need to find the filesystem of these 2 USB devices.
Event logs are an another place where these details(USB connection/removal) are stored. The Event ID 1006 is generated during USB insertion or removal, we can find this event ID in Microsoft-Windows-Partition%4Diagnostic.evtx
, where this event log stores metadata information about both removal devices and internal hard disk of the computer. This event log contains information if someone plugs in or out one of these devices, after booting the computer.
Event logs is located at C:\Windows\System32\winevt\Logs
. We can use Eric Zimmerman’s EvtxExplorer, to parse this event log to a CSV file.
Once the CSV is generated, we can filter out the CSV based on the model name of these 2 USB drives.
This is one of the research paper by Alexandros Vasilaras, Evangelos Dragonas, and Dimitrios Katsoulis, they have explained clearly what all artifacts can be extracted from Microsoft-Windows-Partition%4Diagnostic.evtx
, that also contains how we can get the FileSystem that a particular USB drive uses.
Basically what we have to do is we need to decode the hexadecimal data present at Vbr0
, that gives us the file system of the connected USB drives.
By decoding the hexadecimal bytes present at vbr0
for both the USB drive, we got:
No we can convert them in the format given in description, which results in FAT32_NTFS
.
- Team found some traces of Voice Modulator, How much time did the user actively used this Voice Modulator?
From Windows Version 1803, Windows introduced Windows 10 Timeline, which help forensics analysis to reconstruct user activities.
For Digital Forensics analysts, Windows Timeline provides information about applications that were executed on the computer such as application name, time when application launched, and application usage duration.
User activities are displayed in the timeline are stored in ActivityCache.db
which is located at C:\Users\<user>\AppData\Local\ConnectedDevicePlatform\L.<profile>\ActivitiesCache.db
.
Users profile cid can be found in NTUSER.dat: /software/Microsoft/IdentityCRL/UserExtendedProperties
We got the profile cid, we can head over to Users/Danial Benjamin/AppData/Local/ConnectedDevicesPlatform/f648d51b99a9ba12/ActivitiesCache.db
.
There 7 tables to be specific in ActivityCache.db
. For answering this question we need to look at ActivityOperation
table.
Filtering out Voicemod Desktop
, we can find some ActivityType 6 entries which indicates “App in focus”. By checking activeDurationSeconds
from payload, we can get the user’s application usage duration.
As highlighted, we can see various instances of usage activity of the application VoiceMod with different activeDurationSeconds as 32, 25, 736, 7
. Which sums to 800 seconds
.
Concatinating all answers, we can get the flag.
inctf{T027GM97WJ3_U027XK55WCT_a27da2_FAT32_NTFS_800}
For further queries, please DM on Twitter: https://twitter.com/_Nihith
]]>Challenge Points: 913
Challenge Solves: 15
Challenge Author: g4rud4
Download the challenge file from here
MD5 Hashes:
A916E26016180D2C5189061D652DC9E1 Heist.7z
31f23c78ff99142bad2a778db6a64163 Heist.E01
We are given with a disk dump, lets use add the data source to Autopsy. We can see that, the given dump is from Windows 10 Home system, and Owner of the system is Danial Benjamin
.
By checking all installed applications, we can see there are 3 web browsers(Google Chrome, Mozilla Firefox, Brave), Slack, Voice Modulator, TeamViewer, AnyDesk etc.
- What is the default browser that the Heist leader is using on the device?
As there were 3 browsers being installed on the system. Let us check which is the default browser that user is using.
We can find that by checking the following registry key.
NTUSER.DAT: Software\Microsoft\Windows\Shell\Associations\UrlAssociations\{http|https}\UserChoice
From the above highlighting, We get it as ChromeHTML
, which means user is using Chrome
as his default browser.
So the answer will be Chrome
or Google_Chrome
.
- What is the top-visited website in the leader’s system on the default browser?
Now we know Chrome
is the default browser. Chrome stores it user data in the following folder Users/Danial Benjamin/AppData/Local/Google/Chrome/User Data/Default/
.
In that directory we can find a SQlite database named Top Sites
. This database provides us a list of top-visited websites by the user and gives a url_rank
for each site. Sorting the table(top_sites
) according to url_rank
. We can get the top visited website user visited.
As highlighted above, we can see for url_rank - 0, we have https://www.ebay.com/
. Converting it to the given format, we get ebay.com
- When was the latest file transfer session initiated in TeamViewer?
We need to find when the file transfer session initiated in TeamViewer.
TeamViewer stores its user data, in these following locations:
C:\Program Files\TeamViewer\
C:\Users\<User Profile>\AppData\Roaming\TeamViewer\
Main files of interest would be Connection_incoming.txt
& Connections.txt
. These files store the incoming and outgoing connections from TeamViewer.
Here is an example representation for data found in Connection_incoming.txt
.
Img src: mii-cybersec
On comparing both files, we can have only one file transfer session in Connection_incoming.txt
. From that we can get the time initiated, TeamViewer ID, and the Hostname of the remote PC.
As highlighted above, we can see that TeamViewer ID is 920981533
, Remote PC’s Hostname is DESKTOP-S34NLCJ
, and time file transfer session initiated is 20-07-2021 07:48:50
in UTC.
But for this we need only the time initiated for this question. Which is 20-07-2021_07:48:50
.
- What is the ID, Hostname of that file-transfer session?
We found the TeamViewer ID and hostname of the Remote PC from the previous question.
So the TeamViewer ID and Hostname are 920981533
& DESKTOP-S34NLCJ
.
Converting the answer in the given format we get, 920981533_DESKTOP-S34NLCJ
.
Combining all answers we can get the flag.
inctf{Google_Chrome_ebay.com_20-07-2021_07:48:50_920981533_DESKTOP-S34NLCJ}
For further queries, please DM on Twitter: https://twitter.com/_Nihith
]]>Challenge Points: 140
Challenge Solves: 45
Challenge Author: g4rud4
Download the challenge file from here
MD5 Hash: ermittlung.raw 110305F3CF71432B4DFAFD1538CDF850
We are given with a memory dump. So let us find out the profile.
$ volatility -f ermittlung.raw imageinfo
I will be using WinXPSP2x86
, as the profile for this challenge.
As we don’t know what all processes were running during the memory capture. Let us check the active processes in the system for better understanding.
$ volatility -f ermittlung.raw --profile=WinXPSP2x86 pslist
We observe firefox.exe
, msimn.exe
are running.
Let us use firefoxhistory
plugin to check any suspicious url. You can get this from superponible github repo.
$ volatility --plugins=volatility-plugins -f ermittlung.raw --profile=WinXPSP2x86 firefoxhistory
Well there is nothing much in it which we can make use of.
- What is the name of the chat application program?
We found msimn.exe
, which a quick Google search or via using the plugin cmdline
, we can find, this excutable is part of Outlook Express
.
$ volatility -f ermittlung.raw --profile=WinXPSP2x86 cmdline -p 2132
Other than this, we couldn’t find any other chat applications running on the system. We got our answer to the 1st question. Which is Outlook Express
We got the name of the chat application. Now, let us find out when was the last time this application executed.
- When did the user last used this chat application?
We can find answer for this in 2 ways, One by checking the start time
from the pslist and another from registry.
Using UserAssist
from NTUSER.dat, we can also find the last executed time of Outlook Express. Let us use userassist
plugin.
$ volatility --plugins=/home/g4rud4/volatility-plugins -f ermittlung.raw --profile=WinXPSP2x86 userassist
As highlighted, we get the last execution time as 2020-07-27 12:26:17
. Converting that to the format mentioned in the description would result in 27-07-2020_12:26:17
.
- How many unread messages are there in the chat application that the user is using?
We find the message count from NTUSER.dat registry hive. Let us dump the NTUSER.dat registry hive.
To dump the registry hive, 1st we need to find the virtual address of the NTUSER.dat. For that we can use hivelist
plugin and list all hives.
$ volatility --plugins=/home/g4rud4/volatility-plugins -f ermittlung.raw --profile=WinXPSP2x86 hivelist
NTUSER.dat is located at 0xe1aa5b60
offset, now we can use dumpregistry
plugin to dump the registry hive.
$ volatility -f ermittlung.raw --profile=WinXPSP2x86 dumpregistry -o 0xe1aa5b60 -D output
We can use our preferred registry viewer to open the dumped registry hive.
We can got to this Software\Microsoft\Windows\CurrentVersion\UnreadMail\
hive, where we can find the count of unread messages under the email used in Outlook Express.
From the register, we get Message Count as 4
.
Note: We can also use volatility’s printkey
plugin to retrieve the Message Count from registry.
- What is the current version of the chat application that’s being used?
Version that the chat application is using can be found in NTUSER.dat or by dumping the process from memory and checking out the little endian strings.
As we have already dumped NTUSER.dat registry hive, we can got this Software\Microsoft\Outlook Express\5.0\Shared Settings\Setup
hive, and the sub-key MigToLWPVer
gives us the version of the chat application being used on the system.
From the pslist we can see that the executable is running at PID 2132. We can use procdump
plugin and dump the process.
$ volatility -f ermittlung.raw --profile=WinXPSP2x86 procdump -p 2132 -D output
Now, we can use strings
commands, to get all the little endian strings from the dumped executable.
As highlighted, the version of the application is 6.0.2900.5512
.
Concatinating all answer, we can get the flag.
inctf{Outlook_Express_27-07-2020_12:26:17_4_6.0.2900.5512}
For further queries, please DM on Twitter: https://twitter.com/_Nihith
]]>Google Keep is one of the best notes storing app for Android from Google can be installed through Google Play store. In this blog post I am gonna explain about the Google Keep Mobile Artifacts, one can find in an android mobile dump.
The Google Keep Notes app folder can be found at the following path: /data/data/com.google.android.keep/
The folders of interest is databases
and files/1/image/original
.
The files/1/image/original
directory contains the photos taken using/used in the app.
So, lets have a look at the databases subfolder, which gives us a database file to analyse.
The keep.db
contains ~50 tables as shown:
Listing table in keep.db
The main tables of interest is account
, list_item
, blob
, blob_node
, sharing
, and tree_entity
. These tables include a lot of information related to Notes text, Title, Sharing information, Creation timestamp, Last updated timestamp etc.
Here is an example on how the data is stored in some the important tables:
Main columns of interest in this table are _id
and name
.
_id
- Auto increments if we are having 2 or more Google accounts present in the device and we can use this value to map which user(name
) created the notes with the account_id
column in list_item
table.Account Table
Main columns of interest in this table are text
, synced_text
, list_parent_id
, time_created
, time_last_updated
, is_deleted
.
Time Created and Time last updated are self explanatory and both are stored in Unix Epoch Time.
List Item table
This table contains the metadata data about images present in /files
directory. This table stores the file size, name, mime type, and extracted text from the images inserted to the notes.
Blob
This table is used for retrieving the created and last modifed timestamps of the images inserted into the notes. We can correlate the blob, blob_node and tree_entity and retrieve to which notes the image is added.
Blob Node
The main columns of intrest in table are account_id
, title
, is_owner
, last_modifier_email
, is_deleted
, and is_pinned
.
All the columns are self explanatory and gives us the details about the notes created.
Tree Entity
ALEAPP Parsers have been added for retrieving Title, Text, Created Time, Last Modified time, Last Modifier Email, Shared Email and the Images added to the notes will be added soon, while I continue my research on it.
Get ALEAPP here - https://github.com/abrignoni/ALEAPP
Challenge Points: 988
No. of solves: 7
Solved by: g4rud4, stuxn3t, f4lc0n, d3liri0us
Challenge File: You can download the file here.
We are given a Windows 7 memory dump. Let us see what all processes are running in the system.
$ volatility --plugins=volatility-plugins -f memory.raw --profile=Win7SP1x64 pslist
We observe cmd.exe
, notepad.exe
& firefox.exe
are running.
Let us use the cmdscan
plugin to check if any suspicious commands were executed.
$ volatility --plugins=/home/g4rud4/volatility-plugins -f memory.raw --profile=Win7SP1x64 cmdscan
We can see env
and traverse through Documents and Downloads.
Let us use the envars
plugin to check if any suspicious environmental variables were added.
$ volatility --plugins=/home/g4rud4/volatility-plugins -f memory.raw --profile=Win7SP1x64 envars
We observe an environmental variable winrar_pswd
being added.
Let us use the filescan
plugin and check the files present in the Documents and Downloads folders.
$ volatility --plugins=/home/g4rud4/volatility-plugins -f memory.raw --profile=Win7SP1x64 filescan | grep 'Documents\|Downloads'
We observe 2 archives and a python script. Let us extract them and check out the contents.
As the offsets of those files are 0x000000007e4ef450
, 0x000000007e57f3e0
, 0x000000007e5c4070
, Let us use the dumpfiles
plugin to dump the files from memory.
Both the archives are password protected and the python script is a keylogger.
As we already got the password for the RAR file, while analyzing environmental variables. On using it, we got a Keepass KDBX file. Now we need to find the Keepass Master Password.
As we extracted the keylogger python script, let us analyze it.
import pynputfrom zipfile import ZipFilefrom pynput.keyboard import Key, Listenerkeys = []def hide(): import win32console,win32gui window = win32console.GetConsoleWindow() win32gui.ShowWindow(window,0) return Truedef on_press(key): keys.append(key) write_file(keys)def write_file(keys): with open("C:\Users\Semah\Documents\bm90IG5lZWQgdG8gZGVjb2RlIG1l\aSdtIGp1c3QgYSB0cm9sbA==\ZXh0cmEgZmlsZQ==\bG9ncw==", 'w') as f: for key in keys: k = str(key).replace("'", "") f.write(k+' ')def on_release(key): if key == Key.esc: zipObj = ZipFile('malmalmal.zip', 'w') zipObj.write('C:\Users\Semah\Documents\bm90IG5lZWQgdG8gZGVjb2RlIG1l\aSdtIGp1c3QgYSB0cm9sbA==\ZXh0cmEgZmlsZQ==\bG9ncw==') zipObj.close() return Falsewith Listener(on_press = on_press, on_release = on_release) as listener: listener.join()
We observe that all the keystrokes are being stored in the bG9ncw==
file and then that file is being written to malmalmal.zip
, and this zip file is password protected.
The description says the attacker changed the user password and used it to protect a secret file. So let us use the mimikatz
plugin and extract the user password.
$ volatility --plugins=/home/g4rud4/volatility-plugins -f memory.raw --profile=Win7SP1x64 mimikatz
We observe a hash of length 32 bytes probably MD5, as his password. But none of the hash-cracking websites are cracking it. So let us see if the attacker had set any password hint. Let us fire-up MemprocFS
and get the user-password hint registry key value. Generally it is stored at SAM\Domains\Account\Users\<F_Value>\UserPasswordHint
. Using MemprocFS we can easily traverse registry keys.
We observe a hint saying it's easy to get, all you have to do is crack it, md5 3chars+4numbers+you_rule_here
We can use hashcat
to crack this hash.
$ hashcat -a 3 -m 0 --force 'a3af05e30feb0ceec23359a2204e2991' '?l?l?l?d?d?d?dyou_rule_here'
On executing this command we got the result as sba2021you_rule_here
.
As we got the user password, let us use it and extract the contents of the zip file. On using that password we got the keystrokes.
Key.shift H e l l o Key.space s i r , Key.enter Key.shift I Key.space h a v e Key.space c h a n g e d Key.space t h e Key.space p w d Key.space o f Key.space t h e Key.space k p Key.space b e c a s u Key.backspace Key.backspace u s e Key.space i Key.space t h n k Key.space i "" m Key.space u n d e r Key.space a t t a c k , Key.space t h e Key.space n e w Key.space p w d Key.space i s Key.space : Key.space Key.enter <104> Key.shift z n q Key.shift w <99> Key.shift h Key.shift o Key.shift c Key.shift d f Key.shift m <101> Key.backspace <102> Key.shift w i u q à Key.backspace q Key.backspace a Key.shift o Key.shift b Key.enter Key.shift B e s t Key.space r e g a r d s , Key.enter Key.shift S e m a h Key.shift B A Key.esc
Changing it to the human-readable text we got:
Hello sir,I have changed the pwd of the kp because i thnk i""m under attack, the new pwd is : <104>ZnqW<99>HOCDfM<102>WiuqaOBBest regards,Semah BA
In the above text, he is referring to the KeePass master password. In the description author provided <97> = 1 <98> = 2 ...
and on changing that in the password we got 8ZnqW3HOCDfM6WiuqaOB
.
Now we get the Keepass Master Password, let us see what all passwords are stored in the kdbx file.
We found an entry for Pastebin’s password.
As firefox.exe
is running, the user might have opened an encrypted Pastebin link. He might have copy-pasted the URL, So Let us use the clipboard
plugin and check the user’s clipboard.
As we can see a defuse.ca link(https://defuse.ca/b/wrCi00bPb8eDf9E8b9Iqyx), On opening it and entering the password(LQlhH481mqpAor4Faroi
) we got from kdbx, we got the flag.
Flag
Securinets{long_way_but_made_it_this_far_gj_!!}
Challenge Points: 861
No. of solves: 119
Solved by: g4rud4
Can you share some secrets about this box?
nmap is allowed for this problem. However, you may only target misc.utctf.live ports 8881 & 8882
. Thank you.
Let us do a quick nmap and see what are the services open on the given ports.
$ nmap -sC -sV -p 8881-8882 misc.utctf.liveStarting Nmap 7.70 ( https://nmap.org ) at 2021-03-15 06:27 UTCNmap scan report for misc.utctf.live (3.236.87.2)Host is up (0.030s latency).rDNS record for 3.236.87.2: ec2-3-236-87-2.compute-1.amazonaws.comPORT STATE SERVICE VERSION8881/tcp open netbios-ssn Samba smbd 4.6.28882/tcp open netbios-ssn Samba smbd 4.6.2Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 54.70 seconds
So we can see that both the ports are open and running on Samba SMB
. As it is running on SMB lets retrieve the workgroup for the SMB server.
We can use the tool smbclient
for intracting with this given SMB(Server Message Block) server, and its is somewhat similar to FTP. SMB servers will be having a workgroup let us retrieve it.
$ smbclient -L misc.utctf.live -p 8881WARNING: The "syslog" option is deprecatedEnter WORKGROUP\g4rud4's password: Sharename Type Comment --------- ---- ------- guest Disk Look, but don't touch please. IPC$ IPC IPC Service (Samba Server)Reconnecting with SMB1 for workgroup listing.
We can see a workgroup/sharename guest. So lets connect to that and see what all files present in the guest.
As we already got the workgroup, we can connect to guest
workgroup using smbclient. Here is an example on how to connect to the smb server using smbclient.
$ smbclient \\\\<IP>\\<Workgroup>
As we know the IP as misc.utctf.live
and workgroup as guest
, let us connect to it and see what all files present in it.
smbclient \\\\misc.utctf.live\\guest -p 8881WARNING: The "syslog" option is deprecatedEnter WORKGROUP\g4rud4's password:Try "help" to get a list of possible commands.smb: \> dir . D 0 Fri Mar 12 12:15:26 2021 .. D 0 Sat Mar 13 04:14:53 2021 flag.txt N 30 Fri Mar 12 12:15:26 2021 8065444 blocks of size 1024. 3349624 blocks available
As we can see flag.txt
is present on the guest workgroup, we can do more flag.txt
and retrieve the flag.
utflag{gu3st_p4ss_4_3v3ry0n3}
]]>Challenge Points: 930
No. of solves: 85
Solved by: g4rud4, f4lc0n
Hack Bob’s box!
nmap is allowed for this problem only. However, you may only target misc.utctf.live:8121
and misc.utctf.live:8122
with nmap.
We are given 2 servers where one has an FTP server and the other has SSH. We don’t know the username and password for the SSH. Our 1st assumption was the FTP server might be having the details related to the SSH. We don’t the username and password for the FTP server, let try if the FTP server is having any anonymous user
login.
Now we logged into the FTP server, lets see what all files present in this server. When we tried to LIST
out the files in the server we got 425 No data connection
as a message. So we need to have a data connection for getting the data.
We have PORT
command, for establishing a secondary connection for data transfer. PORT command has six number series(ex: PORT 127,0,0,1,10,10
).
Let us see what this decodes to:
num(5)*256 + num(6) = Port number
=> 10*256 + 10 = 2570
So let us try to set the connection to localhost on port 2570. But we got an error saying 500 I won't open a connection to 127.0.0.1 (only to 35.238.186.24)
. It is saying it can attempt to connect for local IP only.
Once we changed the localhost to our local IP, we got a reply saying it was successful. Then let us try to LIST
the files present on the server. And we got the files listed out on localhost on port 2570.
In the screenshot we can see that we have the .ssh
folder, so let’s see if we can retrieve the PRIVATE
and PUBLIC
key.
Let us list out the contents of the .ssh
folder.
So we got to know that we have the public and private keys present on the server. So let us dump those keys.
We have RETR
command to extract the files from FTP server. On executing these two commands, RETR .ssh/id_rsa
& RETR .ssh/id_rsa.pub
.
Private Key:
-----BEGIN OPENSSH PRIVATE KEY-----b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcnNhAAAAAwEAAQAAAYEAsXz+QCTZeGn190BUQRdfROq1Qmy/vXzVxLej9yVFN/ehjNLkouEwJTt8UINqOn2zwD3QFmM5jAJobDydXe1t0qPLEC0bogAy7O65RiyN1rxNJOjbMAvz9Adg2ENMp9BgTuI/TlyE53ypVmzYYekQhqd9JxLZ3KmEdMGRoDMT8sGcTgi2CF9E5/utyayTme0gL/79sPU2GPh1ctLfEIu8CBb997iCrGuqL+IzC5fLsET6g1k4eUt3dXDIR3CBdMMj/X+Xke9F89XAkR2+ysFSYsLkLxiws1AHIJ+o9KXkW3NnxoPUQogmAf+5o7F9aIrDKIXkU07D3POGt3sAvABwyI99syoMz4NYi3l7a3wLRkAgIIs1Hq1PJ1CmV9ZE3otjOHZ0VDI+p6UPTFyIFV1GxSXgqOcS1I64SW/YF2fZFce59vTNvCcCYd6Am35sHMwGwoJiMrxfK8KVxIh/nk8SRtvR+kLoYEPg0evg2D7Tf/xH1zYNnfeLz+mnVzXs6YcTAAAFmKFhGt2hYRrdAAAAB3NzaC1yc2EAAAGBALF8/kAk2Xhp9fdAVEEXX0TqtUJsv7181cS3o/clRTf3oYzS5KLhMCU7fFCDajp9s8A90BZjOYwCaGw8nV3tbdKjyxAtG6IAMuzuuUYsjda8TSTo2zAL8/QHYNhDTKfQYE7iP05chOd8qVZs2GHpEIanfScS2dyphHTBkaAzE/LBnE4ItghfROf7rcmsk5ntIC/+/bD1Nhj4dXLS3xCLvAgW/fe4gqxrqi/iMwuXy7BE+oNZOHlLd3VwyEdwgXTDI/1/l5HvRfPVwJEdvsrBUmLC5C8YsLNQByCfqPSl5FtzZ8aD1EKIJgH/uaOxfWiKwyiF5FNOw9zzhrd7ALwAcMiPfbMqDM+DWIt5e2t8C0ZAICCLNR6tTydQplfWRN6LYzh2dFQyPqelD0xciBVdRsUl4KjnEtSOuElv2Bdn2RXHufb0zbwnAmHegJt+bBzMBsKCYjK8XyvClcSIf55PEkbb0fpC6GBD4NHr4Ng+03/8R9c2DZ33i8/pp1c17OmHEwAAAAMBAAEAAAGBAJVYMHP2zcqFloLy7TJMIUzTFawL55bg+NrrDxvBj6nVQ2lEd0AarbFWiXcR7QvEg8CqAnMkEOMfj5ArvNqxEuzgB9jXq923vyIgiWNj0AG1NlBtYyndlOtsXe/7SQAX1UHrHAuqy+YgvjhLpBNW0iILwsJjGVCUjzDTQ98Bu7JTeVsr90e6KjftTUFaZmRp4+Ce9ga1fkyqm+D/UNUSTyibeB2+cq30diKOehcyJiFvGT/2jg96Ec2PFecO4s9F9paysbQ21WCkmHbKVtrf/CAP+Uci9gGxaZYmoz7jdEt0y1QH/DxpB7uHuOj1DwS+EBfhBfROejJxYhS/xw0yrfFCjxjdQTU1VwLb3YB2a+N4vIah2xbOL86qc5U+B92IHuNJ+tZWI31Qkwi0m3yHKK/QdL/d4X+10BIipPKZq68SpwO6MDylygfiDYmlLPPXvoAAVOCRYUbRwWuLv125pSfK+2vE0QmttfdvaBFiZrHmvPHKNYCTsPD/rCf1whlAsQAAAMEAyT5GEdoB54W5gCf1ZnJ+gyUn86/MErCVcsyZL9WnVqs0FZAo+W1pkX1TTVF849mdxhwiPG/S1fBzLt7L2Xu5fBq/Or7jpoh3+kbtoLHxIMcrsC/dGgKoS7ZQhbZpUwuOX9Wp7OCRHtjpxQ15KDq51XPB/fTGy3O2+ypiXdPGzk0x+gJj20pi3jHIVMkRg8Tg8xfpLCOALMRTnYM60xKnOuQqSsFsBjVYpeh/tj2+OmNsDiQx41/8gG3vzhW77nscAAAAwQDdq5Am94mg3esbXbaln21bWYIt5uu62Uw+iWLq3Ml596I5MypQiNjJJIF1JEm2bH9pGG4dcxdl35ifEBZfn6r4LhcJ1gQr1EjZi11jCF4eHaolF001ofFhKPF6w/j9TYYV8kFobhNs5GYMX1/7UzZHjJbzZ2rI5biKPTtKgIsO5unOAKpLvoO0d+BOa1aU0ANqVq1zT8Z3hasR/dLAg5zcqEf4rcmfhy1CeoL64H4/G1HfPjTs6PTvD4gYbjgEnDkAAADBAMz5xhGKXDLCiPZVaeIX9cmW76s1YDX9sJo7etZeZ8bArt7Z4nHqMBIJBecKp97T8Sux5kA8fcXwTETC+L9abkBGu+RoxUXRiLgTvwWkxGRbOh0DzgWR8aVoNc9H7bCBvK22QZ32GjHcvabO8QxH+lVAd/yUJ7hcnsKRwGV/eBBr05uBm7Z14U3/F2yPXEs1cQLEWazqBLc2qZjSkjGzI16MakEDjV4SGSlCYSlnFCmJBIZCP1Hxy53Kg47SuiiVqwAAACFtYXR0aGV3cEBzdHJlZXRwaXp6YS5hdHRsb2NhbC5uZXQ=-----END OPENSSH PRIVATE KEY-----
Public Key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxfP5AJNl4afX3QFRBF19E6rVCbL+9fNXEt6P3JUU396GM0uSi4TAlO3xQg2o6fbPAPdAWYzmMAmhsPJ1d7W3So8sQLRuiADLs7rlGLI3WvE0k6NswC/P0B2DYQ0yn0GBO4j9OXITnfKlWbNhh6RCGp30nEtncqYR0wZGgMxPywZxOCLYIX0Tn+63JrJOZ7SAv/v2w9TYY+HVy0t8Qi7wIFv33uIKsa6ov4jMLl8uwRPqDWTh5S3d1cMhHcIF0wyP9f5eR70Xz1cCRHb7KwVJiwuQvGLCzUAcgn6j0peRbc2fGg9RCiCYB/7mjsX1oisMoheRTTsPc84a3ewC8AHDIj32zKgzPg1iLeXtrfAtGQCAgizUerU8nUKZX1kTei2M4dnRUMj6npQ9MXIgVXUbFJeCo5xLUjrhJb9gXZ9kVx7n29M28JwJh3oCbfmwczAbCgmIyvF8rwpXEiH+eTxJG29H6QuhgQ+DR6+DYPtN//EfXNg2d94vP6adXNezphxM= matthewp@streetpizza.attlocal.net
From the public key, we can get the username of the ssh server we need to login to. So we got the private key and the username.
Let us try to login to the ssh server. But unfortunately, that private key is not getting accepted, that it’s not the correct private key or username.
Let us see what all files present in other folders.
We have .mozilla
, docs
& favs
folder left. Let us see what all files were present in the docs folder
.
We have 3 files present in this folder. Let us retrieve the contents from them.
drwxr-xr-x 2 0 0 4096 Mar 12 18:53 .drwxr-xr-x 1 0 0 4096 Mar 12 18:53 ..-rw-rw-r-- 1 0 0 508 Mar 12 06:45 letter.txt-rw-rw-r-- 1 0 0 435 Mar 12 06:45 notes.md-rw-rw-r-- 1 0 0 251 Mar 12 06:45 todo.txt
Let us see what all contents present in these files.
todo.txt
| Bob's TODO List |--------------------------------text jeff about gme-think of a bday gift for tom-sell my gme stocks-look up how to sell organs-figure out what a short is-check my website is secure
notes.md
# 1/3/2021 Group Meeting## Georgia's project- something about APIs ???- apparently, I have to do something with some newfangled language called Rust >:(## Security team- don't click on those emails that say you won a new laptop - even if they say you're the millionth visitor- rain on my parade more, why don't you## My presentation- seemed like people responded really well - silence means everyone understood I think
letter.txt
Dear RobinHood employee,As a user of your application, I was extremely disappointed tofind out that your platform had colluded with Citadel Securitiesto protect their interests in shorting $GME. I had a considerableamount of my life savings invested in this stock, and now I amhaving to make difficult decisions about how to pay rent thismonth. Hopefully you can appreciate the difficulty that you havecaused me and reinstate my account so I can sell my remainingshares.Best,Bob Bobberson
In all these files, we can see the details about a person named Bob
. From Bob’s todo list
we can see some info about a website. So let us check the Firefox history.
Firefox stores its history in a file named places.sqlite
, by dumping it and opening it in an SQLite viewer, We see a request for a website http://bobsite[.]com/login?user=bob&pass=i-l0v3-d0lph1n5
. Where can see the username as bob
and password as i-l0v3-d0lph1n5
. So let us use them as the ssh login credentials.
As we got the username and password, and ssh’ed into that server, and traversing through the root directory we got the flag.
utflag{red_teams_are_just_glorified_password_managers}
]]>Challenge points: 246
No. of solves: 62
Solved by: g4rud4, stuxn3t, v1ru5, d3liri0us
We are given a VHDX file, you can download the file from here. The file signature of the given VHDX file is also in format.
We can mount the VHDX file by double-clicking the VHDX file. On mounting the file we got a pop-up asking for the bit-locker password.
Now we need to find the password of the BitLocker encrypted drive.
On searching online found a tool BitlockCracker for brute-forcing the BitLocker password. But brute-forcing 10^48
is not possible so the same Github user provided a link to bitcracker.
The bit cracker is made simple for cracking the password. As it resulted with the hash, which can be cracked with John the Ripper
.
Here is what we got after building the bit cracker tool.
$ ./build/bitcracker_hash -i ../ll2.vhdx---------> BitCracker Hash Extractor <---------Encrypted device ../ll2.vhdx opened, size 132.00 MB************ Signature #1 found at 0x1400003 ************Version: 8Invalid version, looking for a signature with valid version...************ Signature #2 found at 0x5500000 ************Version: 2 (Windows 7 or later)=====> VMK entry found at 0x55000a7Encrypted with User Password (0x55000c8)VMK encrypted with AES-CCM======== UP VMK ========UP Salt: 212afe1afbb733f18b043338d85c4744UP Nonce: 80ad0e8486ead60103000000UP MAC: 01c1f4b616a85eecbd9d090ba2f0cbf5UP VMK: 642f6591ff2abdf1df84e3fc33240b714e5fd280f03b7b4fbb8fe6f58dcea572f1258671c7d42748c76097ed=====> VMK entry found at 0x5500187Encrypted with Recovery Password (0x55001a8)Searching for AES-CCM (0x55001c4)... Offset 0x5500257.... found! :)======== RP VMK #0 ========RP Salt: b044a4ad4fc868f736d0baf7ef47a9eaRP Nonce: 80ad0e8486ead60106000000RP MAC: 58fe021061ac9673d8925324f7a35304RP VMK: 3381445679ab17420c05c408a728775c3fde50f1333b720a876dab4cc850e29078aa257dab9f4f690be0fb81************ Signature #3 found at 0x64c8000 ************Version: 2 (Windows 7 or later)=====> VMK entry found at 0x64c80a7Can't define a key protection method for values (0,20)... skipping!=====> VMK entry found at 0x64c8187Encrypted with Recovery Password (0x64c81a8)Searching for AES-CCM (0x64c81c4)... Offset 0x64c8257.... found! :)This VMK has been already stored...quitting to avoid infinite loop!User Password hash:$bitlocker$0$16$212afe1afbb733f18b043338d85c4744$1048576$12$80ad0e8486ead60103000000$60$01c1f4b616a85eecbd9d090ba2f0cbf5642f6591ff2abdf1df84e3fc33240b714e5fd280f03b7b4fbb8fe6f58dcea572f1258671c7d42748c76097edRecovery Key hash #0:$bitlocker$2$16$b044a4ad4fc868f736d0baf7ef47a9ea$1048576$12$80ad0e8486ead60106000000$60$58fe021061ac9673d8925324f7a353043381445679ab17420c05c408a728775c3fde50f1333b720a876dab4cc850e29078aa257dab9f4f690be0fb81Output file for user password attack: "hash_user_pass.txt"Output file for recovery password attack: "hash_recv_pass.txt"
Using John to crack the User Password hash
we got 12345678
as the password for the BitLocker encrypted drive.
On opening the BitLocker encrypted drive, we found only one text file named password
. And it has the password used for encrypting the drive.
But the drive has 14 MB filled files, but we can only see a text. Stuxn3t suggested to open the unlocked drive-in FTK Imager
and check out the deleted files.
There a PDF file deleted on opening the PDF found a fake flag.
But we see some text highlighed back on that fake flag.
*CTF{59ca21b54198345f0efa963195e}
If you are new to Memory Forensics, you can check out Memlabs created by Abhiram Kumar. Here are my writeups for the same.
We are provided with a Windows memory dump. I’ll we be using Volatility to analyze and some command-line tools for extracting the relevant answers.
We shall use the plugin imageinfo to find the profile for the memory dump.
$ volatility -f memdump.mem imageinfo
So let us use the profile as Win7SP1x64
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.
I think this part is one of the easiest part for this week’s challenge, but only if we solve this part, we will be able to view the remaining parts for this week’s challenge.
As the description talks about a conversation, it might be saved as plain text on the memory dump. So let us use the strings
command and grep
for the string password
over the memory dump.
$ strings memdump.mem | grep -i password[snip]Hmmm mmaybe I should change my password to:wow_this_is_an_uncrackable_password[snip]
Here is the interesting thing, we got the password.
wow_this_is_an_uncrackable_password
What is the md5 hash of the file which you recovered the password from?
So now comes the real part, what is md5sum of the file that they had a conversation with themselves. Where is this file located on the memory image? To find that out, we need to know which application, the user is using for opening this file.
As we already got the password string, Let us use yarascan
.
$ volatility -f memdump.mem --profile=Win7SP1x64 yarascan -Y "wow_this_is_an_uncrackable_password"
From the above image, we can see the application as WINWORD.EXE
with PID 3180
and the Virtual Offset where the password string is stored on the application memory is found at 0x02180a2d
.
Upon searching for the document files(.doc or .docx) in files, nothing found useful. So let’s try out the handles
plugin as it will give us all the open handles for a process.
$ volatility -f memdump.mem --profile=Win7SP1x64 handles -p 3180 -t FileVolatility Foundation Volatility Framework 2.6Offset(V) Pid Handle Access Type Details------------------ ------ ------------------ ------------------ ---------------- -------[snip]0xfffffa80326de810 3180 0x9c4 0x12019f File \Device\HarddiskVolume1\Users\Warren\AppData\Roaming\Microsoft\Word\AutoRecovery save of Document1.asd[snip]
We can see an open handle for a .asd
file and upon opening it we got the conversation that the user had with themselves.
Hmmm mmaybe I should change my password to: “wow_this_is_an_uncrackable_password”Great idea warrenThank you warrenYou’re so smart warrenI know I am Warren
Now we got the file, the application in which the user opening the file, and the virtual offset for the password string.
According to the description, we need the md5 sum of this file.
$ md5sum AutoRecovery\ save\ of\ Document1.asdaf1c3038dca8c7387e47226b88ea6e23 AutoRecovery save of Document1.asd
af1c3038dca8c7387e47226b88ea6e23
What is the birth object ID for the file which contained the password?
As we already got the filename, we can use the mftparser
plugin and get the Birth Object ID
.
$ volatility -f memdump.mem --profile=Win7SP1x64 mftparser --output-file=mftparser.txt
Upon greping for the filename in mftparser.txt
, here is what we got
$ grep -A 10 'AutoRecovery save of Document1.asd' mftparser.txt2020-04-20 23:22:36 UTC+0000 2020-04-20 23:22:36 UTC+0000 2020-04-20 23:22:36 UTC+0000 2020-04-20 23:22:36 UTC+0000 Users\Warren\AppData\Roaming\MICROS~1\Word\AutoRecovery save of Document1.asd$DATA$OBJECT_IDObject ID: 40000000-0000-0000-0060-000000000000Birth Volume ID: 005a0000-0000-0000-0056-000000000000Birth Object ID: 31013058-7f31-01c8-6b08-210191061101Birth Domain ID: f81101e8-3101-3d66-f800-000000000000
So we got the birth object id, so we got the flag.
31013058-7f31-01c8-6b08-210191061101
What is the name of the user and their unique identifier which you can attribute the creation of the file document to?
Format: #### (Name)
Now we need to find the owner of this file and the Unique identifier for the owner of this file.
We can get these details, by using the getsids
plugin to find the owner of this process that eventually gives the owner of this file.
$ volatility -f memdump.mem --profile=Win7SP1x64 getsids | grep 'WINWORD.EXE\|3180'WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-1000 (Warren)WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-513 (Domain Users)WINWORD.EXE (3180): S-1-1-0 (Everyone)WINWORD.EXE (3180): S-1-5-114 (Local Account (Member of Administrators))WINWORD.EXE (3180): S-1-5-32-544 (Administrators)WINWORD.EXE (3180): S-1-5-32-545 (Users)WINWORD.EXE (3180): S-1-5-4 (Interactive)WINWORD.EXE (3180): S-1-2-1 (Console Logon (Users who are logged onto the physical console))WINWORD.EXE (3180): S-1-5-11 (Authenticated Users)WINWORD.EXE (3180): S-1-5-15 (This Organization)WINWORD.EXE (3180): S-1-5-113 (Local Account)WINWORD.EXE (3180): S-1-5-5-0-691206 (Logon Session)WINWORD.EXE (3180): S-1-2-0 (Local (Users with the ability to log in locally))WINWORD.EXE (3180): S-1-5-64-10 (NTLM Authentication)WINWORD.EXE (3180): S-1-16-12288 (High Mandatory Level)
From the 1st line in the above text, we can confirm that the Unique Identifier is 1000
and the User/Owner of this process as Warren
.
1000 (Warren)
What is the version of software used to create the file containing the password?
Format ## (Whole version number, don’t worry about decimals)
I think there are a lot of ways to get the version of the software used to create the file containing the password.
I followed this, we can use the procdump
plugin and dump the WINWORD.EXE
and examining it gives the version of the software.
$ volatility -f memdump.mem --profile=Win7SP1x64 procdump -p 3180 -D dumpVolatility Foundation Volatility Framework 2.6Process(V) ImageBase Name Result------------------ ------------------ -------------------- ------0xfffffa803177bb00 0x000000013f9f0000 WINWORD.EXE OK: executable.3180.exe
Now we got the executable. we can now proceed and check the little-endian
strings of this executable.
$ strings -el dump/executable.3180.exe[snip]StringFileInfo000004E4CompanyNameMicrosoft CorporationFileDescriptionMicrosoft WordFileVersion15.0.5233.1000InternalNameWinWord[snip]
We got the version of the software used to create the file containing the password.
15
What is the virtual memory address offset where the password string is located in the memory image?
Format: 0x########
While answering part -2, yarascan gives the output from an application perspective, so we can use that address as the virtual address.
0x02180a2d
What is the physical memory address offset where the password string is located in the memory image?
Format: 0x#######
We need the offset from the memory perspective, so let us load the memory image into a hex editor and search for our password.
At the bottom of the image, you can see the offset where our password string started and we can use that as a physical memory address.
0x0AF12A2D
Week 2 challenge is involved on applications capability and application usage. Let us get started!
What domain was most recently viewed via an app that has picture-in-picture capability?
For this weeks challenge, I am gonna use Alexis Brignoni’s ALEAPP.
During the announcement of Week 2 challenge it was mentioned about a webinar that Tarah Melton and Jessica Hyde had early this year on different data that can be found in Google Takeout and an Android Image. In the end of the webinar Jessica Hyde show us that, when we change an application the snapshots will be stored on the device.
And I found a site that listed out all the applications that supported Picture In Picture capability, and it turned out only a few have it.
On firing Up ALEAPP, it creates a nice HTML report in the mentioned directory mentioned.
On going through the reports generated by ALEAPP, it created a report for “Recent Activity, Snanpshots”. And the last accessed UPL from the browser according to the snapshot is http://malliesae[.]com/investor-page/
.
From my personal experience, Chrome supports Picture In Picture capability, And on checking the Chrome History report generated by ALEAPP and sorting it out to most recently accessed URLs, it gave http://malliesae[.]com/investor-page/
accessed at 2020-03-23 23:53:22
As chrome is having PIP capability and malliesae[.]com
is the most recently accessed domain, let head on to submit it. And its correct!
]]>malliesae.com
As the description says, we need to find the last modified time of a file that maps DNS names to IP’s recently accessed.
I don’t have much knowledge on Mobile Forensics. It is time to sharen my skills on Mobile Forensics. Magnet Forensics has decided for a weekly CTF, new challenge every Monday for the last quarter of 2020. You can find more info in the blog post released by Magnet Forensics.
With my limited experience in Mobile Forensics, I started to look for hosts file as it is responsible for mapping IP’s to DNS names(Similar to Windows and Linux).
Let’s go a head and load the Android Image in Autopsy. You can download the image here.
If you don’t know how to load an Android Image in autopsy, found this blog post and followed that and loaded the image in Autopsy.
After loading the android image in autopsy, on checking the files present on the device, I found something intersting in Downloads folder(/data/media/0/Download
).
This seems to the required hosts file, Normally it won’t be stored in any local folder, So to confirm I searched for the hosts file location in android device.
Upon seaching for the hosts file location, got hit, saying that it will be stored in /device/system/etc/system
.
When I checked it, etc folder is not there in the mentioned location.
Upon searching and got an another hit saying that it will be stored in adb
folder of the image.
Location: /adb/modules/hosts/system/etc/hosts
In the same way I am not able to view the metadata on Autopsy for that file.
As I have extracted the tar file, I went to that location and viewed the metadata of that file.
Upon converting the timestamp 05 March 2020, 11.20.18 AM
from IST to UTC, we get 05 March 2020, 05.50.18 AM
]]>03/05/2020 05:58:18
We are given with a windows 7 memory dump, lets start out initial analysis and check what all processes are running.
$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 pslist
We can see that Google Chrome
and Command Prompt
are active running process. So let us dig more into them and check whats there in them.
As we know each and every command we entered in command prompt are stored in conhost.exe and we can retrive those commands from volatility’s consoles
plugin.
$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 consoles
We can see “I cant paste the binary in recyle bin
“ which gives us an information that we have to proceed to pastebin
for the next step. But we need a random 8 letter character.
On going through some plugins, used mimikatz
to get the user password. And found something similar to that random 8 letter character for pastebin.
$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 mimikatz
So on proceeding to this pastebin link(https://pastebin.com/dVi29Tv8) and we can see a lot of strings of length 37. So it much be some kind of wordlist or something.
Let us check whats there in chrome history.
$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 chromehistory
We can see that there is drive link(https://drive.google.com/file/d/1jYpvi9Va8be022G1SL4xUpEmZoknveTd/view) is present and after opening it we found an keepass
database.
For opening these keepass database we need a Master Password
or Key file
. But we can’t find one in the given memory, so as we know we can crack Keepass passwords with John the ripper and get the password if we have the correct wordlist.
Using the strings found in the pastebin as a wordlist we got the password.
As I have already loaded the hash and its showed its already cracked. And we can see the cracked hashes also and we got the password as this guz6AP41eXNZN6alCTZQsytzYsDSWrUV45lp
and after opening the keepass with that password we can see so many passwords already there in the database. From the username we can see that Pastebin/KEY
. And the passwords are also something similar to 8 letter random characters needed for pastebin.
After going through them and we can see a long base64 string in all the pastebins and decoding those base64 strings and there are a lot of fake flag and in that one them is flag.
Challenge points: 627
No. of solves: 30
Challenge Author: g4rud4
You can download the challenge file from Mega or Google Drive
We are provided with an E01 file(Expert Witness format image). There are a lot of ways in analyzing these files, I choose to use Autopsy for analyzing this. Let’s go ahead and load our E01 file in Autopsy. You can visit Autopsy’s1 documentation if you don’t know how to add a data source to autopsy.
From the description, we have a clue that the terrorist is using a genuine chat client, lets see what all applications are installed in the device.
As we know, all the applications present on the device can be found in Program Files
. Some of the applications we need to check are GPG
, Mozilla Firefox
, NetMeeting
, Outlook Express
. Let us dig more into it and check if they have identified and configured.
So by checking application data, we can say that Outlook Express
and Mozilla Firefox
are configured. Let us dig more into them.
As the Outlook Express is configured on the device, it leaves us useful forensics artifacts on the device.
Some of them are the mails received and sent. Whenever we receive a mail or delete a mail or sent a mail it will be stored in a .dbx files. Ex: for Inbox Emails - inbox.dbx
, Sent Emails - outbox.dbx
etc.
These files are stored at C:\Documents and Settings\Crimson\Local Settings\Application Data\Identities\{random characters}\Microsoft\Outlook Express\
In our case, these are stored at C:\Documents and Settings\Crimson\Local Settings\Application Data\Identities\{72F33BC6-0035-4FE0-AED1-5870C5CA389E}\Microsoft\Outlook Express\
You can see .dbx files being listed there on right. We know that we can’t view the messages stored in DBX files. So I have converted the DBX file into a PDF file using this link. There are other ways too, as this gives us something similar to the GUI, I used this. And one of the best thing is to do strings
on the DBX files.
Converting the Inbox.dbx
to PDF, One will be able to see that there is a mail from David Banjamin davin.banjamin@gmail.com
with a subject Secret File
. And a file named secret.gpg
has been attached.
We can get this file by a simple keyword search in Autopsy or check below.
So these attached files are stored in this location, unless the user saved it into a specified location C:\Users\{username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\{random characters}
.
We have 4 directories listed there, so rather than traversing through all directories, I used Autopsy’s Web Downloads
Result. There we can see that there is a secret.gpg.Zone.identifier
file. These Zone identifier files are generated automatically by applications/programs when files are downloaded to a Windows computer. So by checking the Source file path
we can get the random characters. So going into that directory(U0PDHEH3
), we can get the secret.gpg
file easily.
We know that the gpg files can only be decrypted by the Owner’s private key. As we have seen a directory named GPG
while traversing through the program files. Going into this directory we can find the secret.key
.
Importing the private key and decrypting the encrypted GPG file, we can get the first half of the flag.
$ gpg --decrypt secret.gpg
Snipping the output,
First half: inctf{!h0p3_y0u_L1k3d_s0lv1ng_7h3_F1rs7_p4r7
As we see that there are a lot of web searches listed out in Web History
results in Autopsy and going through them we can see a suspicious link http://35.209.205.103/ in the history. So going to that link there is a login page. And there is a note saying Don’t brutefore the Password. So the password must be saved somewhere.
As the terrorist is using firefox. And an active firefox installation will have a profile(in our case - 5ztdm4br.default) which consists of a lot of forensics artifacts and that can be found generally at
Path:
C:\Documents and Settings\{Username}\Application Data\Mozilla\Firefox\{random characters}.default\
In our case, these are found at
Path:
C:\Documents and Settings\Crimson\Application Data\Mozilla\Firefox\5ztdm4br.default\
By Checking the Web Form Autofill
results in Autopsy or by looking at the formhistory.sqlite database present in the firefox profile, we were able to see that the username as Danial_Banjamin and we need to find out the password.
As the username and password are stored in formhistory, that means passwords are stored in firefox saved passwords. We need to decrypt the saved passwords to get the original password.
Here comes the interesting part of decrypting Firefox saved passwords. There are a lot of ways
I am choosing the second way and here are those files:
logins.json - Place where all login information such as encrypted username and password are stored.
cert8.db and key3.db/key4.db - These are encrypted SQLite database files, and the entries encryptedUsername
and encryptedPassword
found in logins.json are encrypted with the keys found in both databases.
Permissions.sqlite - It contains permissions for installing add-ons, cookies, etc.
After dumping all these files from the firefox profile mentioned above, I used pwdecrypt
to decrypt the password. It’s a Debian package and can be installed by with apt.
$ sudo apt install libnss3-tools
Then, I used a JSON parser(jq
) to parse the JSON file and redirected the output to pwdecrypt.
Here is the json parsed output of logins.json.
$ jq . < logins.json{ "nextId": 3, "logins": [ { "id": 2, "hostname": "http://35.209.205.103", "httpRealm": null, "formSubmitURL": "http://35.209.205.103", "usernameField": "username", "passwordField": "password", "encryptedUsername": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECOczOqq7/ZDYBBC7w84JwpxUfkx1Nw52VKlx", "encryptedPassword": "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCwD7aXJGN+hBDAmr4dSU/2vXn+H+TZDl+oTlLGPMbX4usiAkneTan114d6kB2GGUa2b6771U5YIU40=", "guid": "{3ff55df0-bbb8-4192-98df-a1f428964c31}", "encType": 1, "timeCreated": 1595695030340, "timeLastUsed": 1595858974764, "timePasswordChanged": 1595695030340, "timesUsed": 2 } ], "disabledHosts": [], "version": 2}
As we are having so many entries, and we only need the username, password and URL. So added those entries to json parser and redirected it to pwdecrypt.
$ jq -r -S '.logins[] | .hostname, .encryptedUsername, .encryptedPassword' logins.json | pwdecrypt -d .http://35.209.205.103Decrypted: "Danial_Banjamin"Decrypted: "2!6BQ&e626g#YNWxsQWV9^knO8#85*E%6Zaxr@At42"
As the master password was not set by the terrorist we were able to get the decrypted password. So logging in using those credentials gives the second part of the flag.
Second Part of the flag: 4nd_3njoy3d_7he_53c0nd_p4rt_0f_7h3_ch4ll3ng3}
By concatinating two parts, here is the final flag:
inctf{!_h0p3_y0u_L1k3d_s0lv1ng_7h3_F1rs7_p4r7_4nd_3njoy3d_7he_53c0nd_p4rt_0f_7h3_ch4ll3ng3}
If you have any queries, Feel free to ping me. I am available on Twitter @NihithNihi
Here are some of the resources I came up while making the challenge. Hope it will be useful.
]]>I have solved this challenge along with my teammate stuxn3t during the Defenit CTF.
The challenge file can be downloaded from Google Drive.
We are provided with the file usb.ad1
. From the extension, It was quite clear that the evidence was acquired via Access Data’s FTK Imager. So let us go ahead and load the file in FTK Imager with version >=4.2.0.
We observe that only very few directories are present and our objective is to find the answer to the following questions so that we can combine them to get the flag. So let us dig in.
Question 1: Among the exe files, there are several files executed on the same USB. Let's call the second executed file 'A'. What is the name of 'A'?
From the question we are clear that, we need to find what all processes were run when the USB was pluged in. As the system records all the events, we can look event logs and registry analysis.
However, we found the presence of NTUSER.DAT
in the system. As the NTUSER.dat
stores the software and operating system settings for each user profile. One can find NTUSER.dat
in his user directory [root]/Users/james
There are a lot of tools to view registry files. Here I am using Eric Zimmerman’s Registry Explorer.
In NTUSER.data
, UserAssist
is the registry key that stores the list of processes that were run, when it was run, how many times it was run. We can find all those values from this sub-key according to our system:
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
To know which process was run on the USB, we first need to find when was the USB plugged in. For this, we use the SYSTEM
registry to determine the USB Last Arrival Date
time of the USB on the system. And that can be found from this sub-key:
Path: ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C531001461206123040&0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
We can see the last write time as 2020-05-17 18.15.13
. So from this small detail, we can easily eliminate a lot of processes. However, we also found out that the USB was plugged-in/used ~ 18:00 Hrs as well. We found this from the .lnk
files created in the system.
.lnk
files are created whenever a file/folder is opened. In this case, we find a USB (E).lnk created on 2020-05-17 19:11:36 Hrs
.
So we can now identify the process. As we need to locate only 2 processes closest to this timestamp and the second one is the answer. On observing closely, we can see 2 processes are nearer to thae above timestamp.
Program Name | Run Counter | Focus Count | Focus Time | Last Executed |
---|---|---|---|---|
E:\svchost.exe | 1 | 0 | 0d, 0h, 00m, 00s | 2020-05-17 19:11:00 |
Microsoft.Windows.Explorer | 40 | 109 | 0d, 0h, 53m, 03s | 2020-05-17 19:10:13 |
On looking the timestamps given by processes, I chose svchost.exe
Question 2: How many times has 'A' been executed?
Since we have determined the which process is ‘A’ (svchost.exe), from the above table, we can get the answer to this question from the value specified in the Run Counter
column, we can see that the svchost.exe was run 1
time.
Question 3: What is the sha-1 hash value of 'A'?
As we need the SHA-1 hash of svchost.exe
, we can get the sha-1 hash from Sysmon records. As its not been enabled, we can get those details from the Amcache.hve
file. Along with the SHA-1 hash, from the Amcahe.hve, we can also get recent processes that were run and lists the path of the files that’s executed which can then be used to find the executed program. Luckily, this file was present in the system.
Path: \%SystemRoot%\AppCompat\Programs\Amcache.hve
We can use Eric Zimmerman’s tool AmcacheParser to parse the files.
We extract the following files
Next, we powerup the PowerShell to properly parse the files into .CSV
format.
The excel file required in this case is the Amcache_UnassociatedFileEntries.csv
.
So we now have the SHA-1 hash of the file as: d68960b8ecb374dd98ef6a33fed45dddd9796402
By concatenating all the 3 answers gives us the flag.
FLAG: Defenit{svchost.exe_1_d68960b8ecb374dd98ef6a33fed45dddd9796402}
$ volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 pslist
As we see from the process list, cmd.exe
, chrome.exe
, firefox.exe
and WinRAR.exe
as active running processes.
Let us check the chrome’s history.
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 chromehistory
This seem to be an interesting pastebin link.
The Pastebin link contains another Google Docs link, lets head there. The docs link is: click here
The doc contains a lot of spam but there is one interesting link which leads us to a mega drive: https://mega.nz/#!SrxQxYTQ.
However, to download the file present in the mega drive, we need to find the KEY. However, the text in the Pastebin link tells us that “David sent the key in mail”.
Okay, let me use the Screenshot
plugin, it might help us.
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 screenshot -D .
We can see that firefox window is open with the Gmail and has a subject Mega Drive Key. Now its time for some raw analysis. As the browser data is stored in JSON files. So we might get the message attached to that subject from raw analysis.
So we can use the strings
command, as we can get the data stored in JSON file from the memory.
$ strings MemoryDump_Lab6.raw | grep "Mega Drive Key"
So the key is zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU.
So we find a PNG image in the Mega drive. However, PNG is corrupted. Fixing the IHDR of the image gives us the 1st part of the flag.
The first part is: inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_
As WinRAR is running, that imply that user opened a rar archive, So we will search for a rar archive
in the memory.
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 filescan | grep rar
we see a folder named pr0t3ct3d and which contains a RAR archive with the name flag.rar
Let us dump the RAR archive with the help of the dumpfiles plugin.
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D .
However, the archive is password protected. Also, brute-forcing for the password might not help us. So lets check the other running processes.
As cmd.exe
is running, Using the cmdscan
plugin, we see that env
command has been used. So let us look at the Environment variables.
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 cmdscan
$ volatility --plugins=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab6.raw --profile=Win7SP1x64 envars
We observe a custom variable created named RAR password.
So it gives out the password as easypeasyvirus. Now we get the last part of the flag.
So now let us concatenate the 2 parts to finish this lab.
FLAG: inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?aN_Am4zINg!igU3Ss???_}
Note: Due to some markdown issue, ‘_’ is not being displayed properly, so check it out.
That’s how you finish this MemLabs, Lab – 6.
If you like my solution, please do share it. I’m availabe on Twitter: @NihithNihi
]]>