My last solution during the CTF was the BofA forensics challenge.
If you haven’t checked out my first or second posts, they have even more solutions.
This will be my final write-up, but hopefully you learned something from at least one of the challenges.
Last up were the forensics challenges, which you can follow along with here.
First, I unzipped the archive locally.
```
root@kali:~/bofa# 7z e memdump.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 214907435 bytes (205 MiB)

Extracting archive: memdump.7z
--
Path = memdump.7z
Type = 7z
Physical Size = 214907435
Headers Size = 130
Method = LZMA2:24
Solid = -
Blocks = 1

Everything is Ok

Size:       1073741824
Compressed: 214907435
```
Next, I used Volatility to analyze the memory dump.
```
root@kali:~/bofa# volatility -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/bofa/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a39110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a3ad00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-07-26 19:37:05 UTC+0000
     Image local date and time : 2019-07-26 12:37:05 -0700
```
Using the suggested profile (Win7SP1x64) and the sessions command, I was able to discover the odd process.
```
root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 sessions
Volatility Foundation Volatility Framework 2.6
**************************************************
Session(V): fffff88003e82000 ID: 0 Processes: 28
PagedPoolStart: fffff900c0000000 PagedPoolEnd fffff920bfffffff
 Process: 328 csrss.exe 2019-07-26 19:23:26 UTC+0000
 Process: 364 wininit.exe 2019-07-26 19:23:27 UTC+0000
 Process: 460 services.exe 2019-07-26 19:23:28 UTC+0000
 Process: 468 lsass.exe 2019-07-26 19:23:28 UTC+0000
 Process: 476 lsm.exe 2019-07-26 19:23:28 UTC+0000
 Process: 568 svchost.exe 2019-07-26 19:23:29 UTC+0000
... < snip > ...
 Process: 1908 taskhost.exe 2019-07-26 19:25:42 UTC+0000
 Process: 1300 regsvr32.exe 2019-07-26 19:25:44 UTC+0000
 Process: 1940 cmd.exe 2019-07-26 19:32:22 UTC+0000
 Process: 744 conhost.exe 2019-07-26 19:32:22 UTC+0000
 Process: 2368 flag449.exe 2019-07-26 19:35:49 UTC+0000
 Process: 1760 conhost.exe 2019-07-26 19:35:49 UTC+0000
 Process: 2064 FTK Imager.exe 2019-07-26 19:36:06 UTC+0000
 Image: 0xfffffa8002219fc0, Address fffff960000b0000, Name: win32k.sys
 Image: 0xfffffa8002bbc240, Address fffff96000500000, Name: dxg.sys
 Image: 0xfffffa8000cca240, Address fffff96000850000, Name: framebuf.dll
```
Next, with the consoles command, I was able to find the username and hostname of the system from the output of the whoami command that was still sitting in the console screen buffer.
```
root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6
... < snip > ...
**************************************************
ConsoleProcess: conhost.exe Pid: 744
Console: 0xffdd6200 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: Administrator: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1940 Handle: 0x60
----
CommandHistory: 0x22ef70 Application: whoami.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x22ec50 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x22d810: whoami
----
Screen 0x211100 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\CTF-User-Admin>whoami
ctf-win-7\ctf-user-admin

C:\Users\CTF-User-Admin>
```
With the hivelist command, in combination with the printkey command run against the SYSTEM hive offset, I was able to verify the hostname (CTF-WIN-7).
```
root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a004d64010 0x000000002311d010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x000000002719a010 [no name]
0xfffff8a000024010 0x00000000270a5010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0000531f0 0x00000000271d41f0 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000534410 0x0000000024038410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000549010 0x0000000023ff8010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d21010 0x0000000021127010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000d93010 0x0000000018bff010 \SystemRoot\System32\Config\SAM
0xfffff8a000e06010 0x00000000185ff010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000e98010 0x0000000017f08010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0010c6010 0x0000000010ce9010 \??\C:\Users\sshd_server\ntuser.dat
0xfffff8a001152010 0x00000000101b7010 \??\C:\Users\sshd_server\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0011cf010 0x000000000f764010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a0014c0010 0x00000000309e3010 \??\C:\Users\CTF-User-Admin\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001a6b410 0x0000000035afa410 \??\C:\Users\CTF-User-Admin\ntuser.dat

root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2019-07-26 19:15:19 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) CTF-WIN-7
```
Next, I used the pslist command to verify that flag449.exe was the odd process. Note the Wow64 column: it is the only 32-bit process in the listing, and it was started a couple of minutes before the image was captured.
```
root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca4820 System                    4      0     85      509 ------      0 2019-07-26 19:23:24 UTC+0000
0xfffffa80021cdb10 smss.exe                260      4      2       29 ------      0 2019-07-26 19:23:24 UTC+0000
0xfffffa80029e7b10 csrss.exe               328    320      9      428      0      0 2019-07-26 19:23:26 UTC+0000
0xfffffa8002a108f0 wininit.exe             364    320      3       78      0      0 2019-07-26 19:23:27 UTC+0000
0xfffffa8002a928f0 services.exe            460    364     10      211      0      0 2019-07-26 19:23:28 UTC+0000
... < snip > ...
0xfffffa8002dd8b10 taskhost.exe           1908    460      8      151      2      0 2019-07-26 19:25:42 UTC+0000
0xfffffa8000e6cb10 regsvr32.exe           1300    240      0 --------      2      0 2019-07-26 19:25:44 UTC+0000
0xfffffa8000f76b10 cmd.exe                1940    240      1       22      2      0 2019-07-26 19:32:22 UTC+0000
0xfffffa8001055060 conhost.exe             744   3000      2       52      2      0 2019-07-26 19:32:22 UTC+0000
0xfffffa8001462750 SearchProtocol          844   2196      7      379      0      0 2019-07-26 19:34:30 UTC+0000
0xfffffa8002eddb10 flag449.exe            2368    240      1       20      2      1 2019-07-26 19:35:49 UTC+0000
0xfffffa8000dfe580 conhost.exe            1760   3000      2       52      2      0 2019-07-26 19:35:49 UTC+0000
0xfffffa8000fadb10 FTK Imager.exe         2064    240     22      422      2      0 2019-07-26 19:36:06 UTC+0000
```
With the netscan command, I was able to get the local IP address of the system.
```
root@kali:~/bofa# volatility -f memdump.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x34af390          UDPv4    127.0.0.1:65359                *:*                                   2772     @????L         2019-07-26 19:34:30 UTC+0000
0x9daa730          UDPv4    0.0.0.0:5355                   *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x9daa730          UDPv6    :::5355                        *:*                                   272      svchost.exe    2019-07-26 19:33:34 UTC+0000
0x15dbad00         UDPv4    127.0.0.1:55107                *:*                                   33935680 ?B             2019-07-26 19:34:37 UTC+0000
...
0x3ddba210         UDPv4    192.168.88.15:1900             *:*                                   1152     svchost.exe    2019-07-26 19:25:38 UTC+0000
```
Finally, I just needed to get the password for CTF-User-Admin. First, I installed the Volatility Mimikatz plugin.
```
root@kali:~/bofa# cd /usr/share/volatility/
root@kali:/usr/share/volatility# mkdir plugins
root@kali:/usr/share/volatility# cd plugins/
root@kali:/usr/share/volatility/plugins# wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
--2019-09-05 14:51:39--  https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.4.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.4.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23657 (23K) [text/plain]
Saving to: 'mimikatz.py'

mimikatz.py         100%[===================>]  23.10K  --.-KB/s    in 0.03s

2019-09-05 14:51:39 (778 KB/s) - 'mimikatz.py' saved [23657/23657]

root@kali:/usr/share/volatility/plugins# apt-get install python-crypto
```
With the plugin installed, I executed it within Volatility, and obtained the plaintext password! The wdigest entries are there because Windows 7 still caches WDigest logon credentials in LSASS by default; on a patched host with WDigest disabled (UseLogonCredential set to 0) this module would come back empty.
```
root@kali:~/bofa# volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP1x64 -f memdump.mem mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  CTF-User-Admin   CTF-WIN-7        ctfadmin
wdigest  sshd_server      CTF-WIN-7        D@rj33l1ng
wdigest  CTF-WIN-7$       WORKGROUP
```
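As an added example (not part of the original write-up, and not a Volatility plugin), here is a small Python triage script for the pslist output above: it parses the rows, then flags each process that is outside an assumed baseline of stock Windows 7 process names, is a 32-bit (Wow64) process on this 64-bit image, has zero threads (terminated but still linked), or started within ten minutes of the capture time reported by imageinfo. The abridged sample rows, the baseline set and the ten-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed, abridged copy of the pslist rows shown above (values as the plugin printed them).
PSLIST_SAMPLE = """\
0xfffffa8000ca4820 System                    4      0     85      509 ------      0 2019-07-26 19:23:24 UTC+0000
0xfffffa80021cdb10 smss.exe                260      4      2       29 ------      0 2019-07-26 19:23:24 UTC+0000
0xfffffa80029e7b10 csrss.exe               328    320      9      428      0      0 2019-07-26 19:23:26 UTC+0000
0xfffffa8002a928f0 services.exe            460    364     10      211      0      0 2019-07-26 19:23:28 UTC+0000
0xfffffa8000e6cb10 regsvr32.exe           1300    240      0 --------      2      0 2019-07-26 19:25:44 UTC+0000
0xfffffa8000f76b10 cmd.exe                1940    240      1       22      2      0 2019-07-26 19:32:22 UTC+0000
0xfffffa8002eddb10 flag449.exe            2368    240      1       20      2      1 2019-07-26 19:35:49 UTC+0000
0xfffffa8000fadb10 FTK Imager.exe         2064    240     22      422      2      0 2019-07-26 19:36:06 UTC+0000
"""
IMAGE_TIME = datetime(2019, 7, 26, 19, 37, 5)  # "Image date and time" reported by imageinfo

# Assumed baseline of process names expected on a clean Windows 7 host (abridged; tune per estate).
BASELINE = {"System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
            "lsm.exe", "svchost.exe", "taskhost.exe", "conhost.exe", "cmd.exe", "explorer.exe"}

# One row: offset, name (may contain spaces, hence the lazy group), PID, PPID, Thds, Hnds, Sess, Wow64, Start.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+|-+)\s+(\d+|-+)\s+([01])\s+"
                 r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000$")

def parse_pslist(text):
    """Return one dict per data row; header, separator and '< snip >' lines simply do not match."""
    rows = []
    for m in (ROW.match(line.strip()) for line in text.splitlines()):
        if m:
            rows.append({"name": m.group(2), "pid": int(m.group(3)), "ppid": int(m.group(4)),
                         "threads": int(m.group(5)), "wow64": m.group(8) == "1",
                         "start": datetime.strptime(m.group(9), "%Y-%m-%d %H:%M:%S")})
    return rows

def triage(text=PSLIST_SAMPLE, image_time=IMAGE_TIME, window=timedelta(minutes=10)):
    """Map PID -> reasons the process deserves a closer look (an empty list means nothing stood out)."""
    reasons = {}
    for p in parse_pslist(text):
        why = []
        if p["name"] not in BASELINE:
            why.append("not in baseline")
        if p["wow64"]:
            why.append("32-bit process on a 64-bit image")
        if p["threads"] == 0:
            why.append("zero threads: exited but still linked")
        if image_time - p["start"] <= window:
            why.append("started within %d min of capture" % (window.seconds // 60))
        reasons[p["pid"]] = why
    return reasons
```

On the sample, flag449.exe is the only process that trips three checks at once, while regsvr32.exe shows up only because it has already exited (zero threads, no handle table) yet is still in the active process list.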
This was a great introduction to CTF forensics, and I hope to post about Volatility more.
While I mentioned in the last post that I got 355 points, I was also awarded my challenge coin!
The front was the same as last year, with the BofA logo and the security team.
The back had a cool logo and a reference to DerbyCon 9, which was great.
I’m glad that I participated in this CTF again, and added another challenge coin to my collection.
Stay tuned for more CTF write-ups, including some for EverSec CTF.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
[…] 2019.10 [doyler] BofA Forensics and Volatility for the Win (DerbyCon 9) […]