OtterCTF 2018 Memory Forensics Write-up (Part I)

Soumyadeep Basu
4 min read · Jun 14, 2019


Last week I was getting bored, and while looking for something new one of my friends suggested that I go for Memory Forensics. Since this was an entirely new topic, I decided to do some research before delving into it.

Volatility Framework for Memory Forensics

I found this very cool framework, Volatility, mainly focused on memory analysis. The best part is that it's open source 😍 and is designed to be extended with plugins.

https://github.com/volatilityfoundation/volatility

Fast forward 10 YouTube tutorials and a half-hearted attempt to read “The Art of Memory Forensics”, and I decided to put my skills into practice. I found that OtterCTF has a nice set of challs on Memory Forensics. Having said that, let's get hunting flags ;)

We are given a memory file to analyze. Let us first perform some reconnaissance on the memory file.

Reconnaissance phase

— — — — — — — — — — — — — —

Identify the correct profile for the memory image using imageinfo

It seems Volatility suggested a number of profiles. Let us check using kdbgscan whether the first profile (Win7SP1x64) is correct.

Ahaan!! 63 processes and 156 modules, so our profile choice was perfect. Henceforth we will use the --profile=Win7SP1x64 flag with every Volatility command.

Use hivelist to get the virtual addresses of the registry hives in memory

We are generally interested in the virtual offsets of the SYSTEM and SAM hives. In this case, let us first dig through SYSTEM.

Virtual Offset for SYSTEM hive: 0xfffff8a000024010

Virtual Offset for SAM hive: 0xfffff8a0016d4010

Attack phase

— — — — — — — — —

Chall-1

So we need to get the password. Why not use hashdump to extract and decrypt cached domain credentials stored in the registry?

To use hashdump, we need to pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this:

What we get are NTLM hashes for the various users.

Rick’s NTLM Hash: 518172d012f97d3a8fcc089615283940
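Scripting the hivelist-to-hashdump step above, as an added example that is not part of the original write-up: the functions pull the SYSTEM and SAM virtual offsets out of hivelist output, build the hashdump command line, and read a user's NT hash back out of hashdump output. The image file name OtterCTF.vmem is assumed, and both sample outputs are constructed (only the offsets, profile and Rick's hash come from the write-up).

```shell
#!/bin/sh
# Added example (not from the write-up): scripting the hivelist -> hashdump step.
# Assumes Volatility 2's vol.py is on PATH and the image is named OtterCTF.vmem
# (both assumed); the profile and hive offsets are the ones found in the write-up.
IMAGE="OtterCTF.vmem"
PROFILE="Win7SP1x64"

# Constructed sample of `vol.py hivelist` output. Virtual offsets match the
# write-up; the physical offsets are made up for this sample.
SAMPLE_HIVELIST='Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d4b2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0016d4010 0x000000001a5e8010 \SystemRoot\System32\Config\SAM'

# Constructed sample of `vol.py hashdump` output (user:rid:lmhash:nthash:::).
# Rick's NT hash is the one from the write-up; the RID is made up.
SAMPLE_HASHDUMP='Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::'

# hive_offset NAME: read hivelist output on stdin and print the virtual offset
# of the hive whose path ends in NAME (e.g. SYSTEM or SAM). Header lines are
# skipped because they do not start with 0x.
hive_offset() {
    awk -v want="$1" '$1 ~ /^0x/ {
        n = split($3, p, "\\\\")          # last path component is the hive name
        if (p[n] == want) { print $1; exit }
    }'
}

# hashdump_cmd: read hivelist output on stdin and emit the hashdump command
# line with -y (SYSTEM) and -s (SAM) filled in; fails if either hive is missing.
hashdump_cmd() {
    hl=$(cat)
    sys=$(printf '%s\n' "$hl" | hive_offset SYSTEM)
    sam=$(printf '%s\n' "$hl" | hive_offset SAM)
    [ -n "$sys" ] && [ -n "$sam" ] || { echo "SYSTEM or SAM hive not found" >&2; return 1; }
    printf 'vol.py -f %s --profile=%s hashdump -y %s -s %s\n' "$IMAGE" "$PROFILE" "$sys" "$sam"
}

# nt_hash USER: read hashdump output on stdin and print USER's NT hash (4th field).
nt_hash() {
    awk -F: -v user="$1" '$1 == user { print $4; exit }'
}

printf '%s\n' "$SAMPLE_HIVELIST" | hashdump_cmd
printf '%s\n' "$SAMPLE_HASHDUMP" | nt_hash Rick
```

On a real image, replace the sample variables with `vol.py -f "$IMAGE" --profile="$PROFILE" hivelist` and the hashdump output piped into the same functions.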

We tried various online NTLM hash cracking sites but with no success :(

Being a Windows 7 memory image, there is a high possibility that the password has been dumped into the machine's LSA secrets in plain text. For this we will use Volatility's lsadump plugin.

Finally, lsadump gives us the password to Rick's Windows profile.

Flag: CTF{MortyIsReallyAnOtter}

Chall-2

Since we have already listed the hives using hivelist, we can dump the SYSTEM registry key where the hostname is revealed.

PC Name: WIN-LO6FAF3DTFE

As far as the IP is concerned, a quick netscan will reveal the local IP address of the PC.

PC IP: 192.168.202.131

Flag 1: CTF{192.168.202.131}

Flag 2: CTF{WIN-L06FAF3DTFE}

‣‣‣You just read Frost Bite. Hope you enjoyed it…
