ROOTCON RECOVERY MODE — CTF : Forensics (Warm Up)
My friends and I participated in Rootcon Recovery Mode CTF this year. This is my 2nd time to join Rootcon CTF, and for this year, as expected the country’s best and experienced teams are competing. My team manages to pass the qualifiers and move to the finals (without my help) since I was asked to join the team after and in short notice.
This year CTF is different, and the challenges are frustratingly hard, but it was fun. There are different categories for each challenge to solve, and from those choices, I tried one first from Forensic, which is not really my forte. This might be the easy one, which I’m going to discuss below.
Lets start and dig in.
Challenge Writeups
Category: Forensics
Challenge: Warm Up
Points: 100
We are given a .zip file that contains challenge.raw file. Since this is a memory image file, I decided to use volatility tools for this challenge.
It worked! I get a suggested profile and confirmed that this is a memory image file.
Now let’s start solving the questions:
Number 1: What is the hostname of the source of this memory image?
For this one, I dump the hives to get the offset where we will get the hostname:
Then I dump the registry key where the hostname is revealed.
Question number 2, 3, and 4 has the same goal which is to get the password of the users.
What is the password of user Le?
What is the password of user Li?
What is the password of user S?
I’m interested in the 2 offsets: SYSTEM (-y) and SAM (-s)
I use crackstation.net, an online password hash cracker to crack the password. I was able to crack the first user and the others.
Now let’s proceed to Number 5, 6, and 7 which needs the IP Address and port of backdoor listening on.
What is the attacker’s IP address?
What is the victim’s IP address?
Which port is the backdoor listening on?
I run connections and connscan but it seems the profile does not support this command so I look for other solutions and found that we need to run netscan command. From there, I get the IP Address of the Attacker and Victim and port which is the backdoor listening on.
Now let’s proceed to questions Number 8 to 13, which takes me longer to solve. I won’t discuss the other steps I tried here. I’ll just go straight to the right solution. Since we are looking for malware I run pslist and pstree command. pstree uses the same technique as pslist but the result is based on the parent-child relationship between the processes.
For example, here we can see that nc64.exe started cmd.exe which in turn started the instances of lsass.exe and svchost.exe. So we search for commands and can be done using thecmdline
Analysis:
- The attacker run
nc64.exe - Download the
lsass.exeand the path is located atC:\Users\samael\lsass.exe - Execute the
lsass.exethat's running on pid1952to downloadsvchost.exelocated atC:\Users\samael\svchost.exe - Execute the
svchost.exethat's running on pid2972, the file is mimikatz upon analysis
I assume the lsass.exeis malware. I dump a process’s executable by using the procdump command and uploaded it to the virustotal.com. Few AV detected this as malware.
I use memdump, a simple analysis of these files can be done by using the “strings”, we are looking for a relation between the piece of information already retrieved from the dump (especially the opened TCP connection towards the 10.163.7.130 IP)
strings 1952.dmp | grep -Fi “10.163.7.130” -C 5
Look what I found, So it seems lsass.exeprocesses is to download a new file svchost.exe
I suspected that this file is malware. I run procdump again on pid 2972and uploaded it to virustotal.com and look what I found?! Its mimikatz!!!
So now I identify all process name of malware running in lower and higher pid and the path.
Number 8: lsass.exe
Number 9: 1952
Number 10: svchost.exe
Number 11: 2972
Number 12:C:\Users\samael\lsass.exe
Number 13:C:\Users\samael\svchost.exe
Now we combine all the results and run md5sum
printf ‘%s’ “RC-MINIONS~darklighter~97sunfire~poisonthewell~10.163.7.130~10.163.7.100~5900~lsass.exe~1952~svchost.exe~2972~C:\Users\samael\lsass.exe~C:\Users\samael\svchost.exe” | md5sum
Voila!!!
rc14{81cd8971d7cdbf45d2cdf4c90fbaa339}
Conclusion
I would like to thanks my teammates (Sai and Chris). Thanks also to ROOTCON and PWN DE MANILA for the challenge.
I hope you guys enjoyed reading this write-up!
For references, you may look into these links:
