BofA Forensics and Volatility for the Win (DerbyCon 9)

My last solution during the CTF was the BofA forensics challenge.

BofA Forensics – Introduction

If you haven’t checked out my first or second posts, then they have even more solutions.

This will be my final write-up, but hopefully you learned something from at least one of the challenges.

Forensics 101 (80 total points)

Up last was the forensics challenges, which you can follow along with here.

  • What is the name of the logged in user? (10 points)
  • What is the user’s password? (30 points)
  • What is the hostname of the system? (10 points)
  • There is an odd process running, what is the process name? (10 points)
  • What was one of the last commands run from the command line? (10 points)
  • What is the IP address of the host? (10 points)

First, I unzipped the archive locally.

[email protected]:~/bofa# 7z e memdump.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 214907435 bytes (205 MiB)

Extracting archive: memdump.7z
--
Path = memdump.7z
Type = 7z
Physical Size = 214907435
Headers Size = 130
Method = LZMA2:24
Solid = -
Blocks = 1

Everything is Ok  

Size:       1073741824
Compressed: 214907435

Next, I used Volatility to analyze the memory dump.

[email protected]:~/bofa# volatility -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/bofa/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a39110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a3ad00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-07-26 19:37:05 UTC+0000
     Image local date and time : 2019-07-26 12:37:05 -0700

Using the profile and the sessions command, I was able to discover the odd process.

[email protected]:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 sessions
Volatility Foundation Volatility Framework 2.6
**************************************************
Session(V): fffff88003e82000 ID: 0 Processes: 28
PagedPoolStart: fffff900c0000000 PagedPoolEnd fffff920bfffffff
Process: 328 csrss.exe 2019-07-26 19:23:26 UTC+0000
Process: 364 wininit.exe 2019-07-26 19:23:27 UTC+0000
Process: 460 services.exe 2019-07-26 19:23:28 UTC+0000
Process: 468 lsass.exe 2019-07-26 19:23:28 UTC+0000
Process: 476 lsm.exe 2019-07-26 19:23:28 UTC+0000
Process: 568 svchost.exe 2019-07-26 19:23:29 UTC+0000

... < snip > ...

Process: 1908 taskhost.exe 2019-07-26 19:25:42 UTC+0000
Process: 1300 regsvr32.exe 2019-07-26 19:25:44 UTC+0000
Process: 1940 cmd.exe 2019-07-26 19:32:22 UTC+0000
Process: 744 conhost.exe 2019-07-26 19:32:22 UTC+0000
Process: 2368 flag449.exe 2019-07-26 19:35:49 UTC+0000
Process: 1760 conhost.exe 2019-07-26 19:35:49 UTC+0000
Process: 2064 FTK Imager.exe 2019-07-26 19:36:06 UTC+0000
Image: 0xfffffa8002219fc0, Address fffff960000b0000, Name: win32k.sys
Image: 0xfffffa8002bbc240, Address fffff96000500000, Name: dxg.sys
Image: 0xfffffa8000cca240, Address fffff96000850000, Name: framebuf.dll

Next, with the consoles command, I was able to find the username and hostname of the system from the whoami command.

[email protected]:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6

... < snip > ...

**************************************************
ConsoleProcess: conhost.exe Pid: 744
Console: 0xffdd6200 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: Administrator: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1940 Handle: 0x60
----
CommandHistory: 0x22ef70 Application: whoami.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x22ec50 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x22d810: whoami
----
Screen 0x211100 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]                                            
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                 
                                                                                
C:\Users\CTF-User-Admin>whoami
ctf-win-7\ctf-user-admin
                                                                                
C:\Users\CTF-User-Admin>

With the hivelist command, in combination with the printkey command, I was able to verify the hostname.

[email protected]:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a004d64010 0x000000002311d010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x000000002719a010 [no name]
0xfffff8a000024010 0x00000000270a5010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0000531f0 0x00000000271d41f0 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000534410 0x0000000024038410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000549010 0x0000000023ff8010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d21010 0x0000000021127010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000d93010 0x0000000018bff010 \SystemRoot\System32\Config\SAM
0xfffff8a000e06010 0x00000000185ff010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000e98010 0x0000000017f08010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0010c6010 0x0000000010ce9010 \??\C:\Users\sshd_server\ntuser.dat
0xfffff8a001152010 0x00000000101b7010 \??\C:\Users\sshd_server\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0011cf010 0x000000000f764010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a0014c0010 0x00000000309e3010 \??\C:\Users\CTF-User-Admin\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001a6b410 0x0000000035afa410 \??\C:\Users\CTF-User-Admin\ntuser.dat

[email protected]:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2019-07-26 19:15:19 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) CTF-WIN-7

Next, I used the pslist command to verify that flag449.exe was the odd process.

[email protected]:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                         
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca4820 System                    4      0     85      509 ------      0 2019-07-26 19:23:24 UTC+0000  
0xfffffa80021cdb10 smss.exe                260      4      2       29 ------      0 2019-07-26 19:23:24 UTC+0000  
0xfffffa80029e7b10 csrss.exe               328    320      9      428      0      0 2019-07-26 19:23:26 UTC+0000  
0xfffffa8002a108f0 wininit.exe             364    320      3       78      0      0 2019-07-26 19:23:27 UTC+0000  
0xfffffa8002a928f0 services.exe            460    364     10      211      0      0 2019-07-26 19:23:28 UTC+0000  

... < snip > ...
                   
0xfffffa8002dd8b10 taskhost.exe           1908    460      8      151      2      0 2019-07-26 19:25:42 UTC+0000  
0xfffffa8000e6cb10 regsvr32.exe           1300    240      0 --------      2      0 2019-07-26 19:25:44 UTC+0000  
0xfffffa8000f76b10 cmd.exe                1940    240      1       22      2      0 2019-07-26 19:32:22 UTC+0000  
0xfffffa8001055060 conhost.exe             744   3000      2       52      2      0 2019-07-26 19:32:22 UTC+0000  
0xfffffa8001462750 SearchProtocol          844   2196      7      379      0      0 2019-07-26 19:34:30 UTC+0000  
0xfffffa8002eddb10 flag449.exe            2368    240      1       20      2      1 2019-07-26 19:35:49 UTC+0000                                 
0xfffffa8000dfe580 conhost.exe            1760   3000      2       52      2      0 2019-07-26 19:35:49 UTC+0000  
0xfffffa8000fadb10 FTK Imager.exe         2064    240     22      422      2      0 2019-07-26 19:36:06 UTC+0000  

With the netscan command, I was able to get the local IP address of the system.

[email protected]:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x34af390          UDPv4    127.0.0.1:65359                *:*                                   2772     @????L     2019-07-26 19:34:30 UTC+0000
0x9daa730          UDPv4    0.0.0.0:5355                   *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x9daa730          UDPv6    :::5355                        *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x15dbad00         UDPv4    127.0.0.1:55107                *:*                                   33935680 ?B             2019-07-26 19:34:37 UTC+0000

...

0x3ddba210         UDPv4    192.168.88.15:1900             *:*                                   1152     svchost.exe    2019-07-26 19:25:38 UTC+0000

Finally, I just needed to get the password for CTF-User-Admin. First, I installed the Volatility Mimikatz plugin.

[email protected]:~/bofa# cd /usr/share/volatility/
[email protected]:/usr/share/volatility# mkdir plugins
[email protected]:/usr/share/volatility# cd plugins/
[email protected]:/usr/share/volatility/plugins# wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
--2019-09-05 14:51:39--  https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.4.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.4.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23657 (23K) [text/plain]
Saving to: 'mimikatz.py'

mimikatz.py         100%[===================>]  23.10K  --.-KB/s    in 0.03s   

2019-09-05 14:51:39 (778 KB/s) - 'mimikatz.py' saved [23657/23657]

[email protected]:/usr/share/volatility/plugins# apt-get install python-crypto

With the plugin installed, I executed it within Volatility, and obtained the plaintext password!

[email protected]:~/bofa# volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP1x64 -f memdump.mem mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  CTF-User-Admin   CTF-WIN-7        ctfadmin
wdigest  sshd_server      CTF-WIN-7        [email protected]
wdigest  CTF-WIN-7$       WORKGROUP

BofA Forensics – Conclusion

This was a great introduction to CTF forensics, and I hope to post about Volatility more.

While I mentioned in the last post that I got 355 points, I was also rewarded my challenge coin!

The front was the same as last year, with the BofA logo and the security team.

BofA Forensics - Coin front

The back had a cool logo and a reference to DerbyCon 9, which was great.

BofA Forensics - Coin back

I’m glad that I participated in this CTF again, and added another challenge coin to my collection.

Stay tuned for more CTF write-ups, including some for EverSec CTF.

2 thoughts on “BofA Forensics and Volatility for the Win (DerbyCon 9)”

  1. Pingback: alphaSeclab/awesome-forensics Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics. – GitHub热门精选

  2. Pingback: Awesome Forensics Resources | ZeroOne.in

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.