ROOTCON RECOVERY MODE — CTF : Forensics (Warm Up)

Al Francis
5 min readOct 11, 2020

--

rootcon recovery mode edition

My friends and I participated in Rootcon Recovery Mode CTF this year. This is my 2nd time to join Rootcon CTF, and for this year, as expected the country’s best and experienced teams are competing. My team manages to pass the qualifiers and move to the finals (without my help) since I was asked to join the team after and in short notice.

This year CTF is different, and the challenges are frustratingly hard, but it was fun. There are different categories for each challenge to solve, and from those choices, I tried one first from Forensic, which is not really my forte. This might be the easy one, which I’m going to discuss below.

Lets start and dig in.

Challenge Writeups

Category: Forensics

Challenge: Warm Up

Points: 100

We are given a .zip file that contains challenge.raw file. Since this is a memory image file, I decided to use volatility tools for this challenge.

It worked! I get a suggested profile and confirmed that this is a memory image file.

Now let’s start solving the questions:

Number 1: What is the hostname of the source of this memory image?

For this one, I dump the hives to get the offset where we will get the hostname:

\registry\machine\system

Then I dump the registry key where the hostname is revealed.

computername

Question number 2, 3, and 4 has the same goal which is to get the password of the users.

What is the password of user Le?

What is the password of user Li?

What is the password of user S?

I’m interested in the 2 offsets: SYSTEM (-y) and SAM (-s)

I use crackstation.net, an online password hash cracker to crack the password. I was able to crack the first user and the others.

Now let’s proceed to Number 5, 6, and 7 which needs the IP Address and port of backdoor listening on.

What is the attacker’s IP address?

What is the victim’s IP address?

Which port is the backdoor listening on?

I run connections and connscan but it seems the profile does not support this command so I look for other solutions and found that we need to run netscan command. From there, I get the IP Address of the Attacker and Victim and port which is the backdoor listening on.

netscan

Now let’s proceed to questions Number 8 to 13, which takes me longer to solve. I won’t discuss the other steps I tried here. I’ll just go straight to the right solution. Since we are looking for malware I run pslist and pstree command. pstree uses the same technique as pslist but the result is based on the parent-child relationship between the processes.

For example, here we can see that nc64.exe started cmd.exe which in turn started the instances of lsass.exe and svchost.exe. So we search for commands and can be done using thecmdline

Analysis:

  1. The attacker run nc64.exe
  2. Download the lsass.exe and the path is located at C:\Users\samael\lsass.exe
  3. Execute the lsass.exe that's running on pid 1952to download svchost.exelocated at C:\Users\samael\svchost.exe
  4. Execute the svchost.exe that's running on pid 2972, the file is mimikatz upon analysis

I assume the lsass.exeis malware. I dump a process’s executable by using the procdump command and uploaded it to the virustotal.com. Few AV detected this as malware.

I use memdump, a simple analysis of these files can be done by using the “strings”, we are looking for a relation between the piece of information already retrieved from the dump (especially the opened TCP connection towards the 10.163.7.130 IP)

strings 1952.dmp | grep -Fi “10.163.7.130” -C 5

Look what I found, So it seems lsass.exeprocesses is to download a new file svchost.exe

I suspected that this file is malware. I run procdump again on pid 2972and uploaded it to virustotal.com and look what I found?! Its mimikatz!!!

mimikatz

So now I identify all process name of malware running in lower and higher pid and the path.

Number 8: lsass.exe

Number 9: 1952

Number 10: svchost.exe

Number 11: 2972

Number 12:C:\Users\samael\lsass.exe

Number 13:C:\Users\samael\svchost.exe

Now we combine all the results and run md5sum

printf ‘%s’ “RC-MINIONS~darklighter~97sunfire~poisonthewell~10.163.7.130~10.163.7.100~5900~lsass.exe~1952~svchost.exe~2972~C:\Users\samael\lsass.exe~C:\Users\samael\svchost.exe” | md5sum

Voila!!!

rc14{81cd8971d7cdbf45d2cdf4c90fbaa339}

Conclusion

I would like to thanks my teammates (Sai and Chris). Thanks also to ROOTCON and PWN DE MANILA for the challenge.

I hope you guys enjoyed reading this write-up!

For references, you may look into these links:

  1. Volatility Command Reference — https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
  2. https://www.secjuice.com/malware-analysis-memory-forensics/

--

--

Al Francis
Al Francis

Written by Al Francis

Co-Founder of Kalasag and Project Access Granted Society. A Certified Ethical Hacker,EC-Council Certified Incident Handler and Certified Blockchain Developer.

No responses yet