DEFCON 2019 forensics
This is a brief write-up for the DEFCON 2019 forensics CTF.
Flag format: flag-xyz. Everything after the - is what you need to submit; your answer is the xyz.
1 / get your volatility on (5)
What is the SHA1 hash of triage.mem?
2 / pr0file (10)
What profile is the most appropriate for this machine? (ex: Win10x86_14393)
Since we can't just guess (points may be deducted for incorrect guesses), we should at least try to find the most appropriate profile using the kernel debugger block scan (kdbgscan), which reports how many loaded modules each candidate profile can see.
3 / hey, write this down (12)
What was the process ID of notepad.exe?
4 / wscript can haz children (14)
Name the child processes of wscript.exe.
Instead of manually matching up PID and PPID (parent PID) in pslist, we use pstree.
5 / tcpip settings (18)
What was the IP address of the machine at the time the RAM dump was created?
flag
(Can also be dumped from TCPIP settings in registry)
6 / intel (18)
Based on the answer regarding the infected PID, can you determine what the IP of the attacker was?
```text
0x13e397190 TCPv4 10.0.0.101:49217 10.0.0.106:4444 ESTABLISHED 3496 UWkpjFjDzM.exe
```
flag
7 / i <3 windows dependencies (20)
What process name is VCRUNTIME140.dll associated with?
flag
8 / mal-ware-are-you (20)
What is the md5 hash value of the potential malware on the system?
Dump the exe and hash it.
flag
9 / lm-get bobs hash (24)
What is the LM hash of Bob's account?
We look at the LM hash format:
```text
$ python vol.py -f /mnt/ctf/Defcon2019/winmem.mem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
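As an added example (not part of the original write-up), a small Python parser for hashdump output in the pwdump format shown above: it copes with the banner being fused onto the same line, recognises the well-known empty-LM and empty-NT values, and reports accounts with a blank password, a stored LM hash, or the built-in administrator RID. The SAMPLE string is constructed from the three accounts above.

```python
"""Parse Volatility 2 hashdump (pwdump-format) output and flag weak credential state."""
import re
from typing import Dict, List

# Well-known public constants for an empty password (not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash actually stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password

# user:rid:lm:nt:::  -- finditer is used so that banner text fused onto the same
# line (as in the flattened output above) does not break parsing.
_ENTRY = re.compile(r"([^\s:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")

# Constructed sample: the three accounts from the write-up, banner fused on.
SAMPLE = (
    "Volatility Foundation Volatility Framework 2.6.1 "
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: "
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: "
    "Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"
)


def parse_hashdump(text: str) -> List[Dict[str, object]]:
    """Return one dict per account: user, rid, lm, nt (hashes lower-cased)."""
    return [
        {"user": m.group(1), "rid": int(m.group(2)),
         "lm": m.group(3).lower(), "nt": m.group(4).lower()}
        for m in _ENTRY.finditer(text)
    ]


def audit(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each user to the findings a responder should follow up on."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        notes: List[str] = []
        if e["nt"] == EMPTY_NT:
            notes.append("empty-password")         # account has a blank password
        if e["lm"] != EMPTY_LM:
            notes.append("lm-hash-stored")         # weak LM hash kept: LM storage not disabled
        if e["rid"] == 500:
            notes.append("builtin-administrator")  # RID 500 is always the built-in admin
        findings[str(e["user"])] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(parse_hashdump(SAMPLE)).items():
        print(f"{user:15} {', '.join(notes) or 'ok'}")
```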
(grep -B 10 for 10 lines before, and -A 10 for 10 lines after).
```text
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
```
flag
11 / more vads?! (25)
What protections did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
```text
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
Protection: PAGE_NOACCESS
Vad Type: VadNone
```
flag
12 / vacation bible school (25)
There was a VBS script run on the machine. What is the name of the script? (submit without file extension)
cmdscan only recovers commands typed into cmd.exe and shows no VBScript command line here, so instead we use consoles, which recovers both the input and the output of every console.
flag
13 / thx microsoft (25)
An application was run at 2019-03-07 23:06:58 UTC, what is the name of the program? (Include extension)
We're looking for historically executed programs. pslist only shows processes that were still running at dump time, so the program is not listed there.
flag
14 / lightbulb moment (35)
What was written in notepad.exe at the time of the memory dump?
Identify the PID from the pslist output (PID 3032), then use memdump to dump the process's memory, not the executable itself (that would be procdump).
15 / 8675309 (35)
What is the shortname of the file at file record 59045?
Use mftparser:
```text
$OBJECT_ID
Object ID: 40000000-0000-0000-0010-000000000000
Birth Volume ID: 19050000-0000-0000-1905-000000000000
Birth Object ID: 31015ed0-1900-ffff-ffff-ffff82794711
Birth Domain ID: ffffffff-8279-4711-0000-000000000000

MFT entry found at offset 0x2193d400
Attribute: In Use & File
Record Number: 59045
Link count: 2

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
2019-03-17 06:50:07 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
2019-03-17 06:50:07 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Users\Bob\DOCUME~1\EMPLOY~1\EMPLOY~1.XLS

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
2019-03-17 06:50:07 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Users\Bob\DOCUME~1\EMPLOY~1\EmployeeInformation.xlsx

$OBJECT_ID
Object ID: 00fe50d2-4841-e911-8751-000c2958bc5f
```
flag
16 / whats-a-metasploit? (50)
This box was exploited and is running meterpreter. What PID was infected?
```text
0xfffffa8005a1d9e0 UWkpjFjDzM.exe 3496 5116 5 109 1 1 2019-03-22 05:35:33 UTC+0000
```
Dodgy. Let's dump the process and upload it to VirusTotal.
flag