My friends and I participated in the Rootcon Recovery Mode CTF this year. This is my second time joining the Rootcon CTF, and as expected the country's best and most experienced teams were competing. My team managed to pass the qualifiers and move on to the finals (without my help), since I was asked to join the team afterwards and on short notice.
This year's CTF was different, and the challenges were frustratingly hard, but it was fun. There are different categories of challenges to solve, and from those I first tried one from Forensics, which is not really my forte. This might be the easy one, and it is the one I'm going to discuss below.
Let's start and dig in.
Challenge: Warm Up
We are given a .zip file that contains a challenge.raw file. Since this is a memory image, I decided to use the Volatility tools for this challenge.
It worked! I got a suggested profile from `imageinfo`, which confirmed that this is a memory image.
Now let’s start solving the questions:
Number 1: What is the hostname of the source of this memory image?
For this one, I list the registry hives (`hivelist`) to get the offset of the SYSTEM hive, which is where the hostname is stored:
Then I print the registry key that reveals the hostname (`printkey` on ControlSet001\Control\ComputerName\ComputerName).
Questions 2, 3 and 4 have the same goal, which is to get the passwords of the users:
What is the password of user Le?
What is the password of user Li?
What is the password of user S?
From the hive list I'm interested in two offsets: SYSTEM (passed as -y) and SAM (passed as -s), which `hashdump` needs to extract the account hashes.
I used crackstation.net, an online password hash cracker, to crack the hashes. I was able to crack the first user's hash and then the others.
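Cracking the hashes offline instead of pasting them into a website is a small step that matters when the dump comes from a real incident rather than a CTF. The following is an added example, not code from the write-up: it parses lines in the format `hashdump` prints (user:rid:lmhash:nthash:::), computes NT hashes (MD4 over the UTF-16LE password, with MD4 written out because hashlib's md4 is missing on many current OpenSSL builds) for a small wordlist, and matches them. The function names, the sample hashdump lines and the wordlist are my own constructions; the usernames and hashes are placeholders, not the CTF accounts.

```python
"""Offline check of Volatility 2 hashdump lines against a small wordlist.

hashdump prints one account per line, user:rid:lmhash:nthash:::, and the NT
hash is MD4 over the password encoded as UTF-16LE. MD4 is implemented here
(RFC 1320) because hashlib's md4 is missing on many modern OpenSSL builds.
The hashdump lines and wordlist below are constructed for the example; the
usernames and hashes are placeholders, not the CTF accounts.
"""
import struct
from typing import Dict, List, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = bytearray(data) + b"\x80"          # padding: a 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # per round: boolean function, additive constant, shift table, word order
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = r
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                r = [d, a, b, c]              # the next step updates the old d
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as lowercase hex, the fourth field of a hashdump line."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> Dict[str, str]:
    """Map username -> NT hash from hashdump output, skipping malformed lines."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue
        users[parts[0]] = parts[3].lower()
    return users


def crack(users: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Hash the wordlist once and look each account's NT hash up in it."""
    table = {nt_hash(w): w for w in wordlist}
    return {user: table.get(h) for user, h in users.items()}


# Constructed sample: the LM field is the "no LM hash" constant, the NT hashes
# are those of "password", of the empty string, and a made-up value.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
analyst:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
SAMPLE_WORDLIST = ["letmein", "password", "", "winter2019"]

if __name__ == "__main__":
    for user, pw in crack(parse_hashdump(SAMPLE_HASHDUMP), SAMPLE_WORDLIST).items():
        print(f"{user}: {pw!r}" if pw is not None else f"{user}: not in wordlist")
```

An NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means an empty password, and an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, so neither is worth feeding to a cracker. For anything beyond a toy wordlist, hand the nthash column to hashcat mode 1000 rather than hashing in pure Python.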
Now let's proceed to Numbers 5, 6 and 7, which need the IP addresses and the port the backdoor is listening on.
What is the attacker’s IP address?
What is the victim’s IP address?
Which port is the backdoor listening on?
I first tried `connscan`, but it seems the profile does not support this command (it only works with Windows XP/2003 profiles), so I looked for other solutions and found that we need to run `netscan` instead, the plugin for Vista and later. From there, I got the IP address of the attacker, the IP address of the victim and the port the backdoor is listening on.
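Reading the attacker, victim and backdoor port off `netscan` by eye is fine for one image; for a pile of them it helps to parse the output. The following is an added example, not code from the write-up, and it goes a little beyond the page: it parses rows in the column layout `netscan` prints (including UDP rows, which have no State column, and rows with a Created timestamp), then picks out an ESTABLISHED session on a port the same pid also holds in LISTENING state. The rows are constructed: the two IP addresses, port 5900 and pid 2972 follow the write-up; the offsets, the other pids, the peer port and the lsass.exe row are made up, as are the function names.

```python
"""Triage Volatility 2 netscan output for a listening backdoor.

netscan prints: Offset(P) Proto Local Address Foreign Address State Pid Owner
Created. UDP rows leave State blank and only some rows carry Created, so the
columns shift; the parser below accounts for both. The rows are constructed:
the two IP addresses, port 5900 and pid 2972 follow the write-up, while the
offsets, the other pids, the peer port and the lsass.exe row are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1d5a50         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        672      svchost.exe
0x3e22c010         TCPv4    0.0.0.0:5900                   0.0.0.0:0            LISTENING        2972     svchost.exe
0x3e2c33d0         TCPv4    10.163.7.100:5900              10.163.7.130:49213   ESTABLISHED      2972     svchost.exe
0x3e34a7c0         UDPv4    0.0.0.0:5355                   *:*                                   1052     svchost.exe    2019-09-28 04:12:31 UTC+0000
0x3e3b0b20         TCPv4    10.163.7.100:49310             10.163.7.130:80      CLOSED           1952     lsass.exe
"""

TCP_STATES = {"LISTENING", "ESTABLISHED", "CLOSED", "CLOSE_WAIT", "SYN_SENT",
              "SYN_RECEIVED", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "LAST_ACK",
              "CLOSING", "DELETE_TCB"}
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str        # "" on UDP rows, where netscan prints no state
    pid: int
    owner: str


def split_addr(addr: str) -> Tuple[str, int]:
    """Split 'ip:port'; '*:*' and '-:0' yield port 0."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netscan(text: str) -> List[Socket]:
    socks: List[Socket] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith("0x"):
            continue                                  # header or blank line
        rest = cols[4:]
        state = rest.pop(0) if rest[0] in TCP_STATES else ""
        if not rest or not rest[0].isdigit():
            continue                                  # no pid: malformed row
        pid = int(rest.pop(0))
        owner = rest.pop(0) if rest and not DATE_RE.match(rest[0]) else ""
        lip, lport = split_addr(cols[2])
        fip, fport = split_addr(cols[3])
        socks.append(Socket(cols[1], lip, lport, fip, fport, state, pid, owner))
    return socks


def find_backdoor(socks: List[Socket]) -> Optional[Dict[str, object]]:
    """An established session on a port the same pid also has in LISTENING
    state is an inbound connection to a service that process opened:
    attacker = foreign side, victim = local side, backdoor port = local port."""
    listening = {(s.pid, s.local_port) for s in socks if s.state == "LISTENING"}
    for s in socks:
        if s.state == "ESTABLISHED" and (s.pid, s.local_port) in listening:
            return {"attacker": s.foreign_ip, "victim": s.local_ip,
                    "port": s.local_port, "pid": s.pid, "owner": s.owner}
    return None


def pids_talking_to(socks: List[Socket], ip: str) -> List[int]:
    """Every pid that had a socket towards ip, in any state."""
    return sorted({s.pid for s in socks if s.foreign_ip == ip})


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print(find_backdoor(rows))
    print(pids_talking_to(rows, "10.163.7.130"))
```

The bind-shell heuristic only fires when a LISTENING socket exists; a reverse shell has no such entry, so in that case look at ESTABLISHED or CLOSED sockets whose foreign side is outside the victim's network. Once the attacker IP is known, `pids_talking_to` gives every process that touched it, which is the pivot that leads to the second malicious process in the write-up.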
Now let's proceed to questions 8 to 13, which took me longer to solve. I won't discuss the other steps I tried here; I'll go straight to the right solution. Since we are looking for malware, I ran `pstree`. `pstree` uses the same technique as `pslist` (walking the process list), but the result is arranged by the parent-child relationship between the processes. For example, here we can see `cmd.exe`, which in turn started the instances of `svchost.exe`. So we search for the commands that were typed into that console, which can be done with the command-history plugins (`cmdscan` or `consoles`).
The recovered command history shows that the attacker:
- downloaded `lsass.exe` to `C:\Users\samael\lsass.exe`
- executed that `lsass.exe`, which is the one running as pid 1952
- executed `svchost.exe` from `C:\Users\samael\svchost.exe`, which is running as pid 2972; upon analysis the file is mimikatz
I assumed that this `lsass.exe` is malware. I dumped the process's executable using the `procdump` command and uploaded it to virustotal.com. A few AV engines detected it as malware.
Next I dumped the process's memory with `memdump`. A simple analysis of these dump files can be done with `strings`; we are looking for a relation between the pieces of information already retrieved (especially the open TCP connection towards the attacker's IP address, 10.163.7.130) and the contents of the process memory:

```bash
strings 1952.dmp | grep -Fi "10.163.7.130" -C 5
```
Look what I found! It seems the purpose of the `lsass.exe` process is to download a new file, the `svchost.exe` that is running as pid 2972.
I suspected that this file is malware as well. I ran `procdump` again on pid 2972 and uploaded the result to virustotal.com, and look what I found: it's mimikatz!
So now I have identified the process names of the malware running at the lower and the higher pid, and their paths:
Number 8: lsass.exe
Number 9: 1952
Number 10: svchost.exe
Number 11: 2972
Number 12: C:\Users\samael\lsass.exe
Number 13: C:\Users\samael\svchost.exe
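What made these two processes stand out was not their names, which are exactly the names a Windows analyst expects to see, but where they ran from and who started them. The following is an added example, not code from the write-up, and it generalises the page's observation: given a process table of the kind you assemble from `pslist`/`pstree` (name, pid, ppid) plus `cmdline` or `dlllist` (image path), it flags any core system process name whose image path is not the System32 one or whose parent is not the expected one. The table is constructed: pids 1952 and 2972 and the two C:\Users\samael paths follow the write-up, everything else (other pids, the cmd.exe parent, the function names) is made up for the example.

```python
"""Flag well-known Windows process names running from the wrong place.

lsass.exe and svchost.exe are legitimate names, which is exactly why the
attacker chose them. The genuine ones live in C:\\Windows\\System32 and have a
fixed parent (wininit.exe for lsass.exe, services.exe for svchost.exe); a copy
under a user profile, or one started by cmd.exe, is a masquerade. The process
table below is constructed: pids 1952 and 2972 and the two C:\\Users\\samael
paths follow the write-up, everything else is made up for the example.
"""
from typing import Dict, List, Tuple

# (pid, ppid, name, image path) as assembled from pslist/pstree (name, pid,
# ppid) plus cmdline or dlllist (image path) in Volatility 2.
SAMPLE_PROCESSES: List[Tuple[int, int, str, str]] = [
    (4, 0, "System", ""),
    (352, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    (488, 352, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    (596, 488, "services.exe", r"C:\Windows\System32\services.exe"),
    (604, 488, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (672, 596, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1340, 1212, "explorer.exe", r"C:\Windows\explorer.exe"),
    (1780, 1340, "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    (1952, 1780, "lsass.exe", r"C:\Users\samael\lsass.exe"),
    (2972, 1780, "svchost.exe", r"C:\Users\samael\svchost.exe"),
]

# Expected parent and image path of core system processes (Vista and later).
EXPECTED: Dict[str, Tuple[str, str]] = {
    "smss.exe": ("system", r"c:\windows\system32\smss.exe"),
    "wininit.exe": ("smss.exe", r"c:\windows\system32\wininit.exe"),
    "services.exe": ("wininit.exe", r"c:\windows\system32\services.exe"),
    "lsass.exe": ("wininit.exe", r"c:\windows\system32\lsass.exe"),
    "svchost.exe": ("services.exe", r"c:\windows\system32\svchost.exe"),
}


def find_masquerades(procs: List[Tuple[int, int, str, str]]):
    """Return (pid, name, path, reasons) for every process whose name is in
    EXPECTED but whose image path or parent does not match."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, name, path in procs:
        expected = EXPECTED.get(name.lower())
        if expected is None:
            continue
        exp_parent, exp_path = expected
        reasons = []
        if path.lower() != exp_path:
            reasons.append(f"image path {path}")
        # The parent may legitimately have exited (the smss.exe instance that
        # spawned wininit.exe does), so an unknown ppid is not evidence alone.
        parent = by_pid.get(ppid)
        if parent is not None and parent[2].lower() != exp_parent:
            reasons.append(f"parent {parent[2]} (pid {ppid})")
        if reasons:
            findings.append((pid, name, path, reasons))
    return sorted(findings)


def malware_answers(procs: List[Tuple[int, int, str, str]]):
    """Lower-pid and higher-pid finding as (name, pid, path), the shape of
    questions 8 to 13 in the write-up."""
    return [(name, pid, path) for pid, name, path, _ in find_masquerades(procs)]


if __name__ == "__main__":
    for pid, name, path, reasons in find_masquerades(SAMPLE_PROCESSES):
        print(f"{pid:>5} {name:<12} {path}  <- {'; '.join(reasons)}")
```

The two checks are independent on purpose: a masquerading binary dropped into System32 under a trusted name still fails the parent check, and a copy of the real binary started from cmd.exe still fails the path check. Path comparison is done case-insensitively because Windows paths are, and the image path should come from the process itself (`cmdline`, or the first module in `dlllist`), not from a name the attacker chose.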
Now we combine all the answers in question order, separated by ~, and run md5sum on the string to get the flag (use straight quotes; the curly quotes a browser may substitute will break the command):

```bash
printf '%s' "RC-MINIONS~darklighter~97sunfire~poisonthewell~10.163.7.130~10.163.7.100~5900~lsass.exe~1952~svchost.exe~2972~C:\Users\samael\lsass.exe~C:\Users\samael\svchost.exe" | md5sum
```
I would like to thank my teammates (Sai and Chris). Thanks also to ROOTCON and PWN DE MANILA for the challenge.
I hope you guys enjoyed reading this write-up!
For references, you may look into these links: