DEFCON 2019 forensics

This is a brief write up for the DEFCON 2019 forensics CTF
Flag format: flag-xyz. Everything after the dash is what you need to submit, i.e. your answer is the xyz.

1 / get your volatility on (5)

What is the SHA1 hash of triage.mem?
$ sha1sum winmem.mem
c95e8cc8c946f95a109ea8e47a6800de10a27abd winmem.mem

2 / pr0file (10)

What profile is the most appropriate for this machine? (ex: Win10x86_14393)
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
Since we can't just guess (points may be deducted for incorrect guesses), we should at least try to find the most appropriate profile with the kernel debug block scan (kdbgscan), which reports, for each candidate profile, how many processes and loaded modules it can find from that KDBG; the profile with the highest (non-zero) counts is the right one.
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem kdbgscan

3 / hey, write this down (12)

What was the process ID of notepad.exe?
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 pslist
0xfffffa80054f9060 notepad.exe 3032 1432 1 60 1 0 2019-03-22 05:32:22 UTC+0000

4 / wscript can haz children (14)

Name the child processes of wscript.exe.
Instead of manually matching PIDs to PPIDs (parent PIDs) in the pslist output, we use pstree, which indents each process under its parent:
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 pstree
. 0xfffffa8005a80060:wscript.exe 5116 3952 8 312 2019-03-22 05:35:32 UTC+0000
... 0xfffffa8005a1d9e0:UWkpjFjDzM.exe 3496 5116 5 109 2019-03-22 05:35:33 UTC+0000
.... 0xfffffa8005bb0060:cmd.exe 4660 3496 1 33 2019-03-22 05:35:36 UTC+0000
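The same parent/child walk pstree does, as an added example (not code from the write-up): it rebuilds the process tree from the PID and PPID columns of pslist-style rows, so the descendants of any process can be listed from a saved pslist dump. The sample rows are constructed from values quoted above.

```python
"""Rebuild a parent/child process tree from Volatility pslist-style output.

pslist prints one process per line as
  offset name pid ppid threads handles session wow64 start-time
so children can be recovered from the PID/PPID columns without pstree.
"""

# Constructed sample: a subset of pslist rows taken from this write-up.
PSLIST_SAMPLE = """\
0xfffffa8005a80060 wscript.exe            5116   3952      8      312      1      0 2019-03-22 05:35:32 UTC+0000
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000
0xfffffa8005bb0060 cmd.exe                4660   3496      1       33      1      0 2019-03-22 05:35:36 UTC+0000
0xfffffa80054f9060 notepad.exe            3032   1432      1       60      1      0 2019-03-22 05:32:22 UTC+0000
"""


def parse_pslist(text):
    """Return {pid: (name, ppid)}; header, banner and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with a hex offset and has numeric PID/PPID columns.
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        if not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def children_of(procs, pid):
    """Direct children of pid as a sorted list of (pid, name)."""
    return sorted((p, n) for p, (n, pp) in procs.items() if pp == pid)


def descendants_of(procs, pid):
    """All descendants of pid, depth-first, as (depth, pid, name) tuples."""
    out = []

    def walk(parent, depth):
        for child_pid, name in children_of(procs, parent):
            out.append((depth, child_pid, name))
            walk(child_pid, depth + 1)

    walk(pid, 1)
    return out


def pids_by_name(procs, name):
    """PIDs whose image name matches (case-insensitive), e.g. all wscript.exe instances."""
    return sorted(p for p, (n, _) in procs.items() if n.lower() == name.lower())


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid in pids_by_name(procs, "wscript.exe"):
        print(f"{procs[pid][0]} ({pid})")
        for depth, cpid, cname in descendants_of(procs, pid):
            print("." * depth, f"{cname} ({cpid})")
```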

5 / tcpip settings (18)

What was the IP address of the machine at the time the RAM dump was created?
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 netscan
(Can also be dumped from TCPIP settings in registry)

6 / intel (18)

Based on the answer regarding the infected PID, can you determine what the IP of the attacker was?
Filter the netscan output from question 5 for the infected PID (3496); the remote address of its established connection is the attacker's IP:
0x13e397190 TCPv4 ESTABLISHED 3496 UWkpjFjDzM.exe

7 / i <3 windows dependencies (20)

What process name is VCRUNTIME140.dll associated with?
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 dlllist | grep -B 50 VCRUNTIME140
OfficeClickToR pid: 1136 Command line : "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
EXCEL.EXE pid: 1272 Command line : "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
OUTLOOK.EXE pid: 3688 Command line : "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"
iexplore.exe pid: 2780 Command line : "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
POWERPNT.EXE pid: 4048 Command line : "C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE"

8 mal-ware-are-you (20)

What is the MD5 hash value of the potential malware on the system?
Dump the executable of the suspicious process (PID 3496 from question 4) and hash it:
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 procdump -p 3496 -D /mnt/ctf/Defcon2019/dumpdir
$ md5sum /mnt/ctf/Defcon2019/dumpdir/executable.3496.exe

9 lm-get bobs hash (24)

What is the LM hash of Bob's account?
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
This is pwdump format (user:RID:LM hash:NT hash:::): the LM hash is the first hash field and the NTLM hash the second, so Bob's LM hash is the third colon-separated field. The value aad3b435b51404eeaad3b435b51404ee is the well-known placeholder stored when no LM hash is kept for the account.
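A parser for that hashdump output, as an added example (not part of the write-up): it splits the pwdump-format rows into user, RID, LM and NT fields and flags the two values a reviewer cares about, whether an LM hash is actually stored and whether the NT hash is that of the empty password. The sample lines are constructed from the output above.

```python
"""Parse Volatility hashdump (pwdump-format) rows and flag empty hashes.

Each row is  user:RID:LM_hash:NT_hash:::  (7 colon-separated fields).
"""

# LM field value stored when no LM hash is kept (LM storage disabled or blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password (MD4 of the empty UTF-16LE string).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the three rows quoted in this write-up plus the tool banner.
HASHDUMP_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text):
    """Return {user: {"rid": int, "lm": str, "nt": str}}; non-pwdump lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        # A pwdump row has exactly 7 fields, a numeric RID and two 32-hex-digit hashes.
        if len(parts) != 7 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        accounts[parts[0]] = {"rid": int(parts[1]), "lm": lm, "nt": nt}
    return accounts


def lm_hash_of(accounts, user):
    """LM hash for user (the CTF answer), or None if the account is not in the dump."""
    entry = accounts.get(user)
    return entry["lm"] if entry else None


def assess(accounts):
    """Per-account findings: is a real LM hash stored, and is the password blank?"""
    return {
        user: {"lm_stored": e["lm"] != EMPTY_LM, "blank_password": e["nt"] == EMPTY_NT}
        for user, e in accounts.items()
    }
```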

10 vad the impaler (25)

What protections does the VAD node at 0xfffffa800577ba10 have?
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 vadinfo | grep -B 10 -A 10 '0xfffffa800577ba10'
(grep -B 10 for 10 lines before, and -A 10 for 10 lines after).
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY

11 more vads?! (25)

What protections did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 vadinfo | grep -A 5 '0x00000000033c0000'
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
Protection: PAGE_NOACCESS
Vad Type: VadNone

12 vacation bible school (25)

There was a VBS script run on the machine. What is the name of the script? (submit without file extension)
cmdscan only recovers commands typed into a console (and consoles the console input/output buffers); a VBS script launched through wscript.exe never appears there, so we use cmdline, which lists every process's command line, and grep for vbs:
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 cmdline | grep vbs
Volatility Foundation Volatility Framework 2.6.1
Command line : "C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs

13 thx microsoft (25)

An application was run at 2019-03-07 23:06:58 UTC, what is the name of the program? (Include extension)
We're looking for historically executed programs. pslist only shows processes that were running when the dump was taken, so a program run on 2019-03-07 is not listed; the shimcache (AppCompatCache) plugin records past executions with their timestamps.
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 shimcache | grep '2019-03-07'
2019-03-07 23:06:58 UTC+0000 \??\C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

14 lightbulb moment (35)

What was written in notepad.exe in the time of the memory dump?
Identify the PID from the pslist output (pid=3032), then use memdump to dump the process's addressable memory rather than the executable itself (that would be procdump), and search the dump for the text.
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 memdump -p 3032 -D /mnt/ctf/Defcon2019/dumpdir/

15 8675309 (35)

What is the shortname of the file at file record 59045?
Use mftparser and grep for the record number:
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 mftparser | grep -B 20 -A 20 '59045'
$OBJECT_ID
Object ID: 40000000-0000-0000-0010-000000000000
Birth Volume ID: 19050000-0000-0000-1905-000000000000
Birth Object ID: 31015ed0-1900-ffff-ffff-ffff82794711
Birth Domain ID: ffffffff-8279-4711-0000-000000000000

MFT entry found at offset 0x2193d400
Attribute: In Use & File
Record Number: 59045
Link count: 2

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
2019-03-17 06:50:07 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
2019-03-17 06:50:07 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Users\Bob\DOCUME~1\EMPLOY~1\EMPLOY~1.XLS

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
2019-03-17 06:50:07 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Users\Bob\DOCUME~1\EMPLOY~1\EmployeeInformation.xlsx

$OBJECT_ID
Object ID: 00fe50d2-4841-e911-8751-000c2958bc5f

16 whats-a-metasploit? (50)

This box was exploited and is running meterpreter. What PID was infected?
0xfffffa8005a1d9e0 UWkpjFjDzM.exe 3496 5116 5 109 1 1 2019-03-22 05:35:33 UTC+0000
Dodgy. Let's dump the process (procdump, as in question 8) and upload it to VirusTotal.
$ sha1sum executable.3496.exe
ab120a232492dcfe8ff49e13f5720f63f0545dc2 executable.3496.exe