BofA Forensics and Volatility for the Win (DerbyCon 9)

My last solution during the CTF was the BofA forensics challenge.

BofA Forensics - Introduction

If you haven't read my first or second posts yet, they cover even more of the challenge solutions.

This will be my final write-up, but hopefully you learned something from at least one of the challenges.

Forensics 101 (80 total points)

Last up were the forensics challenges, which you can follow along with here.

  • What is the name of the logged in user? (10 points)
  • What is the user's password? (30 points)
  • What is the hostname of the system? (10 points)
  • There is an odd process running, what is the process name? (10 points)
  • What was one of the last commands run from the command line? (10 points)
  • What is the IP address of the host? (10 points)

First, I unzipped the archive locally.

root@kali:~/bofa# 7z e memdump.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 214907435 bytes (205 MiB)

Extracting archive: memdump.7z
--
Path = memdump.7z
Type = 7z
Physical Size = 214907435
Headers Size = 130
Method = LZMA2:24
Solid = -
Blocks = 1

Everything is Ok  

Size:       1073741824
Compressed: 214907435

Next, I used Volatility's imageinfo command to identify a profile for the memory dump. imageinfo suggests several candidates; "Image Type (Service Pack) : 1" narrows it to the SP1 profiles, and the "Version 6.1.7601" banner recovered from the console later in this post confirms Windows 7 SP1, so Win7SP1x64 is the right choice.

root@kali:~/bofa# volatility -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/bofa/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a39110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a3ad00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-07-26 19:37:05 UTC+0000
     Image local date and time : 2019-07-26 12:37:05 -0700

Using that profile with the sessions command, I listed the processes grouped by session, and the odd process (flag449.exe) stood out right away.

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 sessions
Volatility Foundation Volatility Framework 2.6
**************************************************
Session(V): fffff88003e82000 ID: 0 Processes: 28
PagedPoolStart: fffff900c0000000 PagedPoolEnd fffff920bfffffff
Process: 328 csrss.exe 2019-07-26 19:23:26 UTC+0000
Process: 364 wininit.exe 2019-07-26 19:23:27 UTC+0000
Process: 460 services.exe 2019-07-26 19:23:28 UTC+0000
Process: 468 lsass.exe 2019-07-26 19:23:28 UTC+0000
Process: 476 lsm.exe 2019-07-26 19:23:28 UTC+0000
Process: 568 svchost.exe 2019-07-26 19:23:29 UTC+0000

... < snip > ...

Process: 1908 taskhost.exe 2019-07-26 19:25:42 UTC+0000
Process: 1300 regsvr32.exe 2019-07-26 19:25:44 UTC+0000
Process: 1940 cmd.exe 2019-07-26 19:32:22 UTC+0000
Process: 744 conhost.exe 2019-07-26 19:32:22 UTC+0000
Process: 2368 flag449.exe 2019-07-26 19:35:49 UTC+0000
Process: 1760 conhost.exe 2019-07-26 19:35:49 UTC+0000
Process: 2064 FTK Imager.exe 2019-07-26 19:36:06 UTC+0000
Image: 0xfffffa8002219fc0, Address fffff960000b0000, Name: win32k.sys
Image: 0xfffffa8002bbc240, Address fffff96000500000, Name: dxg.sys
Image: 0xfffffa8000cca240, Address fffff96000850000, Name: framebuf.dll

Next, with the consoles command, I recovered the cmd.exe command history and screen buffer. The whoami output in it gives both the logged-in user (ctf-user-admin) and the hostname (ctf-win-7), and whoami itself answers the "last command run" question.

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6

... < snip > ...

**************************************************
ConsoleProcess: conhost.exe Pid: 744
Console: 0xffdd6200 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: Administrator: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1940 Handle: 0x60
----
CommandHistory: 0x22ef70 Application: whoami.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x22ec50 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x22d810: whoami
----
Screen 0x211100 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]                                            
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                 
                                                                                
C:\Users\CTF-User-Admin>whoami
ctf-win-7\ctf-user-admin
                                                                                
C:\Users\CTF-User-Admin>

To confirm the hostname independently, I used hivelist to get the virtual offset of the SYSTEM hive and printkey to read its ComputerName key. ControlSet001 is usually the active control set, but the Select\Current value in the same hive records which control set the machine actually booted from, so check it when the two might differ.

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a004d64010 0x000000002311d010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x000000002719a010 [no name]
0xfffff8a000024010 0x00000000270a5010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0000531f0 0x00000000271d41f0 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000534410 0x0000000024038410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000549010 0x0000000023ff8010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d21010 0x0000000021127010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000d93010 0x0000000018bff010 \SystemRoot\System32\Config\SAM
0xfffff8a000e06010 0x00000000185ff010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000e98010 0x0000000017f08010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0010c6010 0x0000000010ce9010 \??\C:\Users\sshd_server\ntuser.dat
0xfffff8a001152010 0x00000000101b7010 \??\C:\Users\sshd_server\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0011cf010 0x000000000f764010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a0014c0010 0x00000000309e3010 \??\C:\Users\CTF-User-Admin\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001a6b410 0x0000000035afa410 \??\C:\Users\CTF-User-Admin\ntuser.dat

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2019-07-26 19:15:19 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) CTF-WIN-7

Next, I used the pslist command to confirm that flag449.exe was the odd process. Besides the unfamiliar name, the Wow64 column gives it away: it is the only process marked 1, i.e. a 32-bit executable on a 64-bit Windows 7 host. Also note regsvr32.exe with zero threads and no handle table ("--------"), which is what a process that has already exited looks like in this listing.

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                         
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca4820 System                    4      0     85      509 ------      0 2019-07-26 19:23:24 UTC+0000  
0xfffffa80021cdb10 smss.exe                260      4      2       29 ------      0 2019-07-26 19:23:24 UTC+0000  
0xfffffa80029e7b10 csrss.exe               328    320      9      428      0      0 2019-07-26 19:23:26 UTC+0000  
0xfffffa8002a108f0 wininit.exe             364    320      3       78      0      0 2019-07-26 19:23:27 UTC+0000  
0xfffffa8002a928f0 services.exe            460    364     10      211      0      0 2019-07-26 19:23:28 UTC+0000  

... < snip > ...
                   
0xfffffa8002dd8b10 taskhost.exe           1908    460      8      151      2      0 2019-07-26 19:25:42 UTC+0000  
0xfffffa8000e6cb10 regsvr32.exe           1300    240      0 --------      2      0 2019-07-26 19:25:44 UTC+0000  
0xfffffa8000f76b10 cmd.exe                1940    240      1       22      2      0 2019-07-26 19:32:22 UTC+0000  
0xfffffa8001055060 conhost.exe             744   3000      2       52      2      0 2019-07-26 19:32:22 UTC+0000  
0xfffffa8001462750 SearchProtocol          844   2196      7      379      0      0 2019-07-26 19:34:30 UTC+0000  
0xfffffa8002eddb10 flag449.exe            2368    240      1       20      2      1 2019-07-26 19:35:49 UTC+0000                                 
0xfffffa8000dfe580 conhost.exe            1760   3000      2       52      2      0 2019-07-26 19:35:49 UTC+0000  
0xfffffa8000fadb10 FTK Imager.exe         2064    240     22      422      2      0 2019-07-26 19:36:06 UTC+0000  

With the netscan command, I obtained the local IP address of the host from the sockets bound to a non-loopback address. netscan carves pool memory rather than walking a list, so it also returns stale or corrupt entries (the rows with unprintable owner names and an implausible PID in the output below); treat those as noise, not evidence.

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x34af390          UDPv4    127.0.0.1:65359                *:*                                   2772     @????L     2019-07-26 19:34:30 UTC+0000
0x9daa730          UDPv4    0.0.0.0:5355                   *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x9daa730          UDPv6    :::5355                        *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x15dbad00         UDPv4    127.0.0.1:55107                *:*                                   33935680 ?B             2019-07-26 19:34:37 UTC+0000

...

0x3ddba210         UDPv4    192.168.88.15:1900             *:*                                   1152     svchost.exe    2019-07-26 19:25:38 UTC+0000
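The pslist review above and the netscan filtering are the kind of checks worth scripting once. The Python below is an added example, not code from this write-up or from the Volatility project: it parses the plain-text pslist and netscan tables (the embedded samples are constructed from the rows shown on this page, with the snipped rows missing, so parents 240 and 3000 are absent), flags processes that are not in a constructed Windows 7 baseline, are Wow64 on an x64 image, or have already exited, and extracts the host's own addresses from netscan while dropping wildcard, loopback and unparsable carved rows. The baseline set, the function names and the 14-character name truncation are assumptions made for the example.

```python
"""Triage helpers for Volatility 2 pslist/netscan text (added example; not
code from the write-up or from Volatility). Samples are constructed from the
rows shown on the page; snipped rows, hence parents 240 and 3000, are absent."""
import ipaddress
import re
from typing import Dict, List, NamedTuple

PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca4820 System                    4      0     85      509 ------      0 2019-07-26 19:23:24 UTC+0000
0xfffffa8002a928f0 services.exe            460    364     10      211      0      0 2019-07-26 19:23:28 UTC+0000
0xfffffa8002dd8b10 taskhost.exe           1908    460      8      151      2      0 2019-07-26 19:25:42 UTC+0000
0xfffffa8000e6cb10 regsvr32.exe           1300    240      0 --------      2      0 2019-07-26 19:25:44 UTC+0000
0xfffffa8000f76b10 cmd.exe                1940    240      1       22      2      0 2019-07-26 19:32:22 UTC+0000
0xfffffa8001055060 conhost.exe             744   3000      2       52      2      0 2019-07-26 19:32:22 UTC+0000
0xfffffa8001462750 SearchProtocol          844   2196      7      379      0      0 2019-07-26 19:34:30 UTC+0000
0xfffffa8002eddb10 flag449.exe            2368    240      1       20      2      1 2019-07-26 19:35:49 UTC+0000
0xfffffa8000fadb10 FTK Imager.exe         2064    240     22      422      2      0 2019-07-26 19:36:06 UTC+0000
"""

NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x34af390          UDPv4    127.0.0.1:65359                *:*                                   2772     @????L     2019-07-26 19:34:30 UTC+0000
0x9daa730          UDPv4    0.0.0.0:5355                   *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x9daa730          UDPv6    :::5355                        *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x3ddba210         UDPv4    192.168.88.15:1900             *:*                                   1152     svchost.exe    2019-07-26 19:25:38 UTC+0000
"""


class Proc(NamedTuple):
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int   # -1 where pslist prints "--------" (handle table gone)
    session: int   # -1 where pslist prints "------"
    wow64: bool


# The name is matched lazily because it may contain spaces ("FTK Imager.exe");
# the numeric columns and the timestamp after it pin the match down.
_ROW = re.compile(r"^0x[0-9a-f]+\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+|-+)\s+(\d+|-+)"
                  r"\s+(\d+|-+)\s+([01])\s+\d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d")


def _num(field: str) -> int:
    return -1 if field.startswith("-") else int(field)


def parse_pslist(text: str) -> List[Proc]:
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:  # banner, header and rule lines do not match
            name, pid, ppid, thds, hnds, sess, wow = m.groups()
            rows.append(Proc(name, int(pid), int(ppid), _num(thds),
                             _num(hnds), _num(sess), wow == "1"))
    return rows


# Assumed baseline for a clean Windows 7 box (a real case would use a gold-image
# inventory). pslist shows a truncated ImageFileName ("SearchProtocol" on the
# page is SearchProtocolHost.exe), so names are compared on a 14-char prefix.
BASELINE = {"System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
            "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "taskhost.exe",
            "explorer.exe", "conhost.exe", "cmd.exe", "regsvr32.exe",
            "SearchProtocolHost.exe"}


def triage_processes(procs: List[Proc], x64_image: bool = True) -> Dict[int, List[str]]:
    """Return {pid: [reason, ...]} for processes that deserve a second look."""
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons = []
        if not any(b[:14] == p.name[:14] for b in BASELINE):
            reasons.append("unlisted-name")
        if x64_image and p.wow64:
            reasons.append("wow64")        # 32-bit image on a 64-bit host
        if p.threads == 0 or p.handles < 0:
            reasons.append("terminated")   # exited but still in the listing
        if reasons:
            findings[p.pid] = reasons
    return findings


def host_addresses(netscan_text: str) -> List[str]:
    """Local addresses that identify the host. Wildcard, loopback and link-local
    binds are dropped; rows netscan carved badly are skipped rather than trusted."""
    found = set()
    for line in netscan_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        ip_str = parts[2].rpartition(":")[0]   # "192.168.88.15:1900" -> ip part
        try:
            addr = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        if not (addr.is_unspecified or addr.is_loopback or addr.is_link_local):
            found.add(str(addr))
    return sorted(found)


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    names = {p.pid: p.name for p in procs}
    for pid, reasons in sorted(triage_processes(procs).items()):
        print(f"{pid:>5} {names[pid]:<16} {', '.join(reasons)}")
    print("host address(es):", host_addresses(NETSCAN_SAMPLE))
```

Run against the full pslist and netscan output (not the trimmed samples) the script prints flag449.exe as both unlisted and Wow64, regsvr32.exe as terminated, FTK Imager.exe as unlisted (expected, since it is the acquisition tool), and 192.168.88.15 as the only host address. The baseline check is the weakest of the three: it is only as good as the inventory behind it, which is why the Wow64 and exited-process checks, which need no prior knowledge of the box, are worth keeping alongside it.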

Finally, I needed the password for CTF-User-Admin. First, I installed the Volatility mimikatz plugin from dfirfpi's hotoloti repository, which depends on pycrypto (hence the python-crypto package below).

root@kali:~/bofa# cd /usr/share/volatility/
root@kali:/usr/share/volatility# mkdir plugins
root@kali:/usr/share/volatility# cd plugins/
root@kali:/usr/share/volatility/plugins# wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
--2019-09-05 14:51:39--  https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.4.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.4.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23657 (23K) [text/plain]
Saving to: 'mimikatz.py'

mimikatz.py         100%[===================>]  23.10K  --.-KB/s    in 0.03s   

2019-09-05 14:51:39 (778 KB/s) - 'mimikatz.py' saved [23657/23657]

root@kali:/usr/share/volatility/plugins# apt-get install python-crypto

With the plugin installed, I ran it within Volatility and obtained the plaintext password from the cached WDigest credentials. On Windows 7, WDigest keeps a reversible copy of the logon credential in LSASS memory by default; KB2871997 added the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to turn that off, and later Windows versions disable it by default. That is why a memory image of an unpatched or unhardened Windows 7 host gives up passwords this readily.

root@kali:~/bofa# volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP1x64 -f memdump.mem mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  CTF-User-Admin   CTF-WIN-7        ctfadmin
wdigest  sshd_server      CTF-WIN-7        D@rj33l1ng
wdigest  CTF-WIN-7$       WORKGROUP

BofA Forensics - Conclusion

This was a great introduction to CTF forensics, and I hope to post about Volatility more.

While I mentioned in the last post that I got 355 points, I was also awarded my challenge coin!

The front was the same as last year, with the BofA logo and the security team.

BofA Forensics - Coin front

The back had a cool logo and a reference to DerbyCon 9, which was great.

BofA Forensics - Coin back

I'm glad that I participated in this CTF again, and added another challenge coin to my collection.

Stay tuned for more CTF write-ups, including some for EverSec CTF.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
