All I know is that this dump is from a machine running a web server which has been compromised. I don't know how it was compromised, nor do I have any other details about the server itself.
Identify the OS profile
Set environment variable 'mem' to /mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw)
PAE type : No PAE
DTB : 0x122000L
KDBG : 0x8190ac98L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0x8190b800L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2015-06-11 22:29:32 UTC+0000
Image local date and time : 2015-06-11 18:29:32 -0400
It would be reasonable to assume Win2008, based on the 'web server' part of the challenge.
Processes of interest:
Server appears to be a Windows 2008 box running Tomcat7.
Pull network information
Looks like this server is listening on 192.168.56.30.
There's a remote connection associated with PID 1728 / Tomcat7.exe
This PID is also the PPID of numerous cmd.exe processes.
Let's run pstree to see the family (could also run pstree -v)
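The parent/child check above (a web-server process that owns a crowd of cmd.exe children) is easy to automate across a whole pslist. The following is an added example, not code from the write-up: it parses text in the layout of Volatility 2 `pslist` output, walks each shell's parent chain, and reports every shell whose ancestry reaches a web-server process. The sample listing is constructed (only Tomcat7.exe's PID 1728 comes from the write-up; offsets, other PIDs and timestamps are invented), and the sets of web-server and shell names are an assumption.

```python
from collections import defaultdict

# Process names treated as web-server hosts and as interactive shells. These sets are
# an assumption for this example, not a complete list.
WEB_SERVERS = {"tomcat7.exe", "tomcat8.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample in the layout of Volatility 2 `pslist` output. Only Tomcat7.exe's
# PID (1728) comes from the write-up; every other offset, PID and timestamp is invented.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83c3f020 System                    4      0     85      536 ------      0 2015-06-11 22:18:00 UTC+0000
0x84a1d030 services.exe            480    392     10      213      0      0 2015-06-11 22:18:05 UTC+0000
0x84b2c5a8 Tomcat7.exe            1728    480     40      321      0      0 2015-06-11 22:18:40 UTC+0000
0x84c7d020 cmd.exe                2012   1728      1       22      0      0 2015-06-11 22:25:10 UTC+0000
0x84c8e9f0 cmd.exe                2088   1728      1       22      0      0 2015-06-11 22:26:33 UTC+0000
0x84c9a100 cmd.exe                2144   2088      1       22      0      0 2015-06-11 22:26:35 UTC+0000
0x84d01c40 explorer.exe           1204   1180     18      402      1      0 2015-06-11 22:19:02 UTC+0000
0x84d33d88 cmd.exe                2300   1204      1       20      1      0 2015-06-11 22:20:15 UTC+0000
"""

def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist text; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs

def shells_from_web_servers(procs):
    """Return sorted (server_name, server_pid, shell_name, shell_pid) for every shell whose
    parent chain reaches a web-server process, e.g. cmd.exe -> cmd.exe -> Tomcat7.exe."""
    findings = []
    for pid, (name, ppid) in procs.items():
        if name.lower() not in SHELLS:
            continue
        cur, seen = ppid, set()
        while cur in procs and cur not in seen:   # stop at an unknown/exited parent or a cycle
            seen.add(cur)
            pname, pppid = procs[cur]
            if pname.lower() in WEB_SERVERS:
                findings.append((pname, cur, name, pid))
                break
            cur = pppid
    return sorted(findings)

def child_counts(procs):
    """Return {pid: number of direct children}, handy for spotting a server with many shells."""
    counts = defaultdict(int)
    for _, (_, ppid) in procs.items():
        counts[ppid] += 1
    return dict(counts)

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for server, spid, shell, pid in shells_from_web_servers(procs):
        print(f"{server} ({spid}) -> {shell} ({pid})")
```

The ancestry walk matters more than a direct-parent check: an attacker's cmd.exe frequently spawns further cmd.exe children, and those still trace back to the server process. The cmd.exe under explorer.exe is not reported, which is the usual interactive-session case.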
Dump Tomcat PID memory (1728)
Run strings over 1728.dmp to make it readable
Looking for shells
Let's see when 58.64.141.245 first accessed the web server.
Let's focus on the activity around 'GET /webfiles'
The Authorization header is base64-encoded. Let's decode it.
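The three questions above (when did the remote IP first appear, what happened around /webfiles, what does the Basic auth header decode to) can be answered from the strings output with a short script. This is an added example, not code from the write-up. It assumes the strings file contains Tomcat access-log records in the common pattern (host, ident, user, time, request, status, bytes) alongside raw request headers; the sample input is constructed (the attacker IP 58.64.141.245 and server IP 192.168.56.30 are from the write-up, every timestamp, path and byte count is invented, and the base64 value encodes the default tomcat/tomcat pair the write-up reports).

```python
import base64
import binascii
import re
from datetime import datetime

# Constructed sample of what `strings` might recover from a Tomcat process dump: a mix of
# access-log records and a raw request with its headers. The attacker IP (58.64.141.245)
# and server IP (192.168.56.30) are from the write-up; timestamps, paths and sizes are invented.
SAMPLE_STRINGS = """\
192.168.56.1 - - [11/Jun/2015:17:55:02 -0400] "GET /manager/html HTTP/1.1" 401 2536
58.64.141.245 - - [11/Jun/2015:18:01:47 -0400] "GET /manager/html HTTP/1.1" 401 2536
58.64.141.245 - tomcat [11/Jun/2015:18:02:09 -0400] "GET /manager/html HTTP/1.1" 200 11942
58.64.141.245 - tomcat [11/Jun/2015:18:04:31 -0400] "POST /manager/html/upload HTTP/1.1" 200 9400
58.64.141.245 - - [11/Jun/2015:18:05:12 -0400] "GET /webfiles/ HTTP/1.1" 200 1823
GET /manager/html HTTP/1.1
Host: 192.168.56.30:8080
Authorization: Basic dG9tY2F0OnRvbWNhdA==
User-Agent: Mozilla/5.0
"""

LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3})')
AUTH_RE = re.compile(r'^Authorization:\s*Basic\s+(?P<b64>[A-Za-z0-9+/=]+)\s*$', re.IGNORECASE)

def parse_access_lines(text):
    """Return access-log records as dicts; lines that are not log records are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "user": m["user"], "ts": ts,
                       "req": m["req"], "status": int(m["status"])})
    return events

def first_access(events, ip):
    """Earliest timestamp seen for ip, or None if the IP never appears."""
    hits = [e["ts"] for e in events if e["ip"] == ip]
    return min(hits) if hits else None

def timeline(events, ip):
    """(time, status, request) for ip in time order: shows the 401s before the 200s."""
    return [(e["ts"].isoformat(), e["status"], e["req"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["ip"] == ip]

def requests_for_path(events, prefix):
    """Records whose request path starts with prefix (e.g. '/webfiles')."""
    out = []
    for e in events:
        parts = e["req"].split(" ")
        if len(parts) >= 2 and parts[1].startswith(prefix):
            out.append(e)
    return out

def decode_basic_auth(text):
    """Decode every 'Authorization: Basic' header found in text into (user, password)."""
    creds = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        try:
            raw = base64.b64decode(m["b64"], validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue   # truncated or corrupted string from memory: skip rather than crash
        user, _, password = raw.partition(":")
        creds.append((user, password))
    return creds

if __name__ == "__main__":
    events = parse_access_lines(SAMPLE_STRINGS)
    print("first access:", first_access(events, "58.64.141.245"))
    for row in timeline(events, "58.64.141.245"):
        print(row)
    print("basic auth:", decode_basic_auth(SAMPLE_STRINGS))
```

Strings pulled from process memory are often truncated mid-line, so the decoder validates the base64 and skips anything that does not decode instead of aborting the whole pass. The timeline view is what makes the default-credential story visible: a 401 from the remote address followed by 200s with the tomcat user.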
Found interesting strings in 1728strings.txt
Let's focus on that.
Let's find this shell.
Right. C:\fakepath\12.bat - let's dump this batch script
So it's Windows Credentials Editor (WCE): -e dumps the logon-session credentials, -o writes the output to a file.
Review sm.gif
Identifying tasks
Dump security logs to identify who created scheduled task
Renamed file.None.0x831ef6a0.vacb to file.None.0x831ef6a0.vacb.evtx
Opened it in Event Viewer and filtered by Event ID 4698 (a scheduled task was created).
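The same question (who created which task, and what does it run) can be answered without Event Viewer once the log is exported to XML. The following is an added example, not code from the write-up: it reads an Event Viewer style XML export, keeps only 4698 events, pulls the creating account and task name from the EventData fields, and parses the task definition embedded in TaskContent to recover the command. The sample export is constructed: the field names follow the 4698 schema, the computer name is taken from the dump filename and the batch path from the write-up, while the account name, SID, logon ID, task name and times are invented.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample in the shape of an Event Viewer XML export (the individual <Event>
# elements wrapped in one root so they parse as a document). Field names follow the
# 4698 schema; the account name, SID, logon ID, task name and times are invented, the
# computer name is from the dump filename, and the batch path is the one from the write-up.
SAMPLE_EVENTS = """\
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2015-06-11T22:18:05.000Z"/><Computer>WIN-CEKM08E74HR</Computer></System>
  <EventData><Data Name="TargetUserName">SYSTEM</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
    <TimeCreated SystemTime="2015-06-11T22:26:40.000Z"/><Computer>WIN-CEKM08E74HR</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1001</Data>
    <Data Name="SubjectUserName">svc_example</Data>
    <Data Name="SubjectDomainName">WIN-CEKM08E74HR</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">\\example_task</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;cmd.exe&lt;/Command&gt;&lt;Arguments&gt;/c C:\\fakepath\\12.bat&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
</Events>
"""

# Indicators worth a second look in a task action: a batch/script file, the tool name seen
# in this case, or an interpreter launched with inline commands. A starting point, not a rule set.
SUSPECT_RE = re.compile(r"\.bat\b|\.vbs\b|\bwce\b|powershell|cmd(\.exe)?\s+/c", re.IGNORECASE)

def parse_task_actions(task_xml):
    """Return [(command, arguments)] from the task XML embedded in TaskContent."""
    # The embedded document declares UTF-16 but is already text here; drop the declaration
    # so the parser does not reject the encoding mismatch.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    if not body.strip():
        return []
    task = ET.fromstring(body)
    return [(ex.findtext(TASK_NS + "Command") or "", ex.findtext(TASK_NS + "Arguments") or "")
            for ex in task.iter(TASK_NS + "Exec")]

def task_creations(xml_text):
    """Yield one dict per 4698 event: when, on which host, by whom, which task, what it runs."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(EVT_NS + "Event"):
        if ev.findtext(EVT_NS + "System/" + EVT_NS + "EventID") != "4698":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data")}
        created = ev.find(EVT_NS + "System/" + EVT_NS + "TimeCreated")
        yield {
            "time": created.get("SystemTime") if created is not None else None,
            "computer": ev.findtext(EVT_NS + "System/" + EVT_NS + "Computer"),
            "creator": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
            "sid": data.get("SubjectUserSid"),
            "task": data.get("TaskName"),
            "actions": parse_task_actions(data.get("TaskContent", "")),
        }

def is_suspicious(actions):
    """True if any action's command line matches the indicator pattern."""
    return any(SUSPECT_RE.search(cmd + " " + args) for cmd, args in actions)

if __name__ == "__main__":
    for ev in task_creations(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if is_suspicious(ev["actions"]) else "ok"
        print(ev["time"], ev["computer"], ev["creator"], ev["task"], ev["actions"], flag)
```

TaskContent is the part Event Viewer's summary view hides: it is the full task definition, and the Exec/Command and Exec/Arguments elements tell you what the task actually launched. The SubjectLogonId can then be tied back to a 4624 logon event to see how that account got its session.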
Executive Summary
We have a Tomcat7 installation on a Windows 2008 server. Access was gained with the default Tomcat credentials (tomcat/tomcat). A file was uploaded which provided SYSTEM-level access. Windows Credentials Editor (WCE) was uploaded, and a scheduled task was created which executed WCE and dumped the local credentials into a single file. The attacker downloaded that file remotely, gaining the local Administrator account credentials. All attacks took place on 11th June 2015 from the IP 58.64.141.245.
26019082706f9898a716d8803f57cc70365c821b /mnt/volatility/DF/tomcat-dump/file.None.0x8362fb20.img
$ strings file.None.0x8362fb20.img
WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa ([email protected])
Use -h for help.
Options:
-l List logon sessions and NTLM credentials (default).
Optional: -r<refresh interval>.
-s Changes NTLM credentials of current logon session.
Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-o saves all output to a file.
-r Lists logon sessions and NTLM credentials indefinitely.
Refreshes every 5 seconds if new sessions are found.
-c Run <cmd> in a new session with the specified NTLM credentials.
Parameters: <cmd>.
-e Lists logon sessions NTLM credentials indefinitely.
Refreshes every time a logon event occurs.
Parameters: <filename>.
-i Specify LUID instead of use current logon session.
Parameters: <luid>.
-d Delete NTLM credentials from logon session.
Parameters: <luid>.
-a Use Addresses.
Parameters: <addresses>
-f Force 'safe mode'.
-g Generate LM & NT Hash.
Parameters: <password>.
-K Dump Kerberos tickets to file (unix & 'windows wce' format)
Error in cmdline!. Bye!.
-k Read Kerberos tickets from file and insert into Windows cache
username wrong format!.
-w Dump cleartext passwords stored by the digest authentication package
-v verbose output.
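Hashing the dumped file and running strings over it, as done above, is the routine for every file recovered with dumpfiles; the help text that WCE carries makes it recognisable by content even when the binary is renamed or its hash is unknown. The following is an added example, not code from the write-up: a small triage routine that hashes a dumped file, extracts printable strings the way `strings` does, and scores the file against the WCE banner and help-text fragments shown above. The sample file contents are constructed (a fake PE header plus a few of the strings), so their hashes will not match the one listed in the write-up.

```python
import hashlib
import re

# Banner and help-text fragments from the WCE strings output in the write-up, used as
# content-based indicators so a renamed or re-hashed copy is still recognised.
WCE_BANNER = rb"WCE %s \(Windows Credentials Editor\)"
WCE_MARKERS = [
    rb"Dump Kerberos tickets to file",
    rb"Changes NTLM credentials of current logon session",
    rb"Dump cleartext passwords stored by the digest authentication package",
]

# Constructed sample file contents: a fake PE header followed by a few of the WCE strings.
# This is not the real binary, so its hash will not match the one in the write-up.
SAMPLE_WCE = (b"MZ\x90\x00" + b"\x00" * 60
              + b"WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security\x00"
              + b"Use -h for help.\x00Dump Kerberos tickets to file (unix & 'windows wce' format)\x00")
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\x00"

def extract_strings(data, min_len=4):
    """Minimal `strings` equivalent: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def triage_dumped_file(data):
    """Hash the file and score it against the WCE indicators."""
    banner = re.search(WCE_BANNER, data) is not None
    markers = sum(1 for m in WCE_MARKERS if re.search(m, data))
    if banner or markers >= 2:
        verdict = "wce"
    elif markers == 1:
        verdict = "possible-wce"
    else:
        verdict = "no-wce-indicators"
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "string_count": len(extract_strings(data)),
        "wce_banner": banner,
        "wce_markers": markers,
        "verdict": verdict,
    }

def triage_paths(paths):
    """Triage every file in paths (e.g. the output directory of Volatility's dumpfiles)."""
    results = {}
    for p in paths:
        with open(p, "rb") as fh:
            results[p] = triage_dumped_file(fh.read())
    return results

if __name__ == "__main__":
    for label, blob in (("sample-wce", SAMPLE_WCE), ("sample-benign", SAMPLE_BENIGN)):
        r = triage_dumped_file(blob)
        print(label, r["sha1"], r["verdict"], "strings:", r["string_count"])
```

The hash is what you compare against threat-intel sources and use to tie the file to other hosts; the marker score is what catches a copy whose hash you have never seen. Running triage_paths over the dumpfiles output directory gives one line per recovered file, which is usually enough to decide which ones deserve a closer look.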