MemLabs Lab 6 - The Reckoning

This is a writeup for Memlab 6 by stuxnet999


Challenge Description

We received this memory dump from the Intelligence Bureau Department. They say this evidence might hold some secrets of the underworld gangster David Benjamin. This memory dump was taken from one of his workers whom the FBI busted earlier this week. Your job is to go through the memory dump and see if you can figure something out. FBI also says that David communicated with his workers via the internet, so that might be a good place to start.

Note: This challenge is composed of 1 flag split into two parts.

The flag format for this lab is: inctf{s0me_l33t_Str1ng}

Challenge file: MemLabs_Lab6

Tools used


imageinfo

We use the imageinfo plugin of vol.py and get the following summary

We will use the 1st suggested profile Win7SP1x64.


Gathering Data

Since plugins takes time to produce output we will save the output of common plugins to their corresponding file

vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 iehistory > iehisotry.txt
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 filescan > filescan.txt
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 envars > envars.txt
vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 pslist > pslist.txt

pslist

Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80012a5040 System                    4      0     78      495 ------      0 2019-08-19 14:40:07 UTC+0000
0xfffffa8002971470 smss.exe                264      4      2       29 ------      0 2019-08-19 14:40:07 UTC+0000
0xfffffa800234cb30 csrss.exe               336    328     10      415      0      0 2019-08-19 14:40:10 UTC+0000
0xfffffa8002aae910 wininit.exe             384    328      3       74      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002ab7060 csrss.exe               396    376      9      499      1      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002b66560 winlogon.exe            436    376      6      116      1      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002b99200 services.exe            480    384      9      194      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002bb4600 lsass.exe               496    384      7      513      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa80022ff910 lsm.exe                 504    384     10      152      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002ce8740 svchost.exe             608    480     10      358      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002d13060 VBoxService.ex          668    480     13      136      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002d4bb30 svchost.exe             724    480      6      257      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002d4fb30 svchost.exe             780    480     19      405      0      0 2019-08-19 14:40:11 UTC+0000
0xfffffa8002dcf5f0 svchost.exe             896    480     22      452      0      0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002de1b30 svchost.exe             948    480     35      893      0      0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002e0b1c0 audiodg.exe            1008    780      7      132      0      0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002e645f0 svchost.exe             400    480     13      275      0      0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002eac740 svchost.exe            1052    480     17      368      0      0 2019-08-19 14:40:12 UTC+0000
0xfffffa8002e76b30 spoolsv.exe            1176    480     14      279      0      0 2019-08-19 14:40:13 UTC+0000
0xfffffa8002f4d780 svchost.exe            1212    480     21      311      0      0 2019-08-19 14:40:13 UTC+0000
0xfffffa8002f79b30 svchost.exe            1308    480     17      253      0      0 2019-08-19 14:40:13 UTC+0000
0xfffffa8003144250 taskhost.exe           1812    480      9      147      1      0 2019-08-19 14:40:18 UTC+0000
0xfffffa8003160120 dwm.exe                1868    896      4       70      1      0 2019-08-19 14:40:18 UTC+0000
0xfffffa8003164b30 taskeng.exe            1876    948      5       81      0      0 2019-08-19 14:40:18 UTC+0000
0xfffffa800319a060 explorer.exe           1944   1844     35      894      1      0 2019-08-19 14:40:19 UTC+0000
0xfffffa8003227060 GoogleCrashHan         1292   1928      7      105      0      1 2019-08-19 14:40:19 UTC+0000
0xfffffa8003219060 GoogleCrashHan          924   1928      6       93      0      0 2019-08-19 14:40:19 UTC+0000
0xfffffa8003277810 VBoxTray.exe           1108   1944     14      139      1      0 2019-08-19 14:40:20 UTC+0000
0xfffffa8002324b30 cmd.exe                 880   1944      1       21      1      0 2019-08-19 14:40:26 UTC+0000
0xfffffa800231e370 conhost.exe             916    396      3       50      1      0 2019-08-19 14:40:26 UTC+0000
0xfffffa8003315060 SearchIndexer.          856    480     13      689      0      0 2019-08-19 14:40:27 UTC+0000
0xfffffa800234eb30 chrome.exe             2124   1944     27      662      1      0 2019-08-19 14:40:46 UTC+0000
0xfffffa800234f780 chrome.exe             2132   2124      9       75      1      0 2019-08-19 14:40:46 UTC+0000
0xfffffa800314fab0 chrome.exe             2168   2124      3       55      1      0 2019-08-19 14:40:49 UTC+0000
0xfffffa80032d9060 WmiPrvSE.exe           2292    608     13      288      0      0 2019-08-19 14:40:52 UTC+0000
0xfffffa80032f9a70 chrome.exe             2340   2124     12      282      1      0 2019-08-19 14:40:52 UTC+0000
0xfffffa8003741b30 chrome.exe             2440   2124     13      263      1      0 2019-08-19 14:40:54 UTC+0000
0xfffffa800374bb30 chrome.exe             2452   2124     14      167      1      0 2019-08-19 14:40:54 UTC+0000
0xfffffa8002b74060 WmiApSrv.exe           2800    480      6      115      0      0 2019-08-19 14:40:57 UTC+0000
0xfffffa8002d9eab0 WmiPrvSE.exe           2896    608      7      124      0      0 2019-08-19 14:40:57 UTC+0000
0xfffffa80032d4380 chrome.exe             2940   2124      9      172      1      0 2019-08-19 14:41:06 UTC+0000
0xfffffa8003905b30 firefox.exe            2080   3060     59      970      1      1 2019-08-19 14:41:08 UTC+0000
0xfffffa80021fa630 firefox.exe            2860   2080     11      210      1      1 2019-08-19 14:41:09 UTC+0000
0xfffffa80013a4580 firefox.exe            3016   2080     31      413      1      1 2019-08-19 14:41:10 UTC+0000
0xfffffa8001415b30 firefox.exe            2968   2080     22      323      1      1 2019-08-19 14:41:11 UTC+0000
0xfffffa8001454b30 firefox.exe            3316   2080     21      307      1      1 2019-08-19 14:41:13 UTC+0000
0xfffffa80035e71e0 WinRAR.exe             3716   1944      7      201      1      0 2019-08-19 14:41:43 UTC+0000
0xfffffa800156e400 DumpIt.exe             4084   1944      5       46      1      1 2019-08-19 14:41:55 UTC+0000
0xfffffa80014c1060 conhost.exe            4092    396      2       50      1      0 2019-08-19 14:41:55 UTC+0000
0xfffffa80014aa060 sppsvc.exe             1224    480      5        0 ------      0 2019-08-19 14:42:39 UTC+0000
0xfffffa800157eb30 GoogleUpdate.e         2256   2396      3      118 ------      1 2019-08-19 14:42:40 UTC+0000
0xfffffa80014f9060 GoogleCrashHan         1192   2256      3       46 ------      1 2019-08-19 14:42:41 UTC+0000
0xfffffa80035e3700 GoogleCrashHan          864   2256      1 127...45      0      0 2019-08-19 14:42:41 UTC+0000

Interresting pocesses

  1. firefox
  2. WinRAR
  3. Chrome

RAR

Since WinRAR is running we grep for .rar files

and dump it with dumpsfile and rename it to flag.rar

flag.rar contains flag2.png, but a passwd is required to open it.

using grep in all the files for pass keyword, we get the password for the file as easypeasyvirus

using the passwd, we the get the second part of the flag


Chrome

Dumping the Chrome sqlite history file and viewing its contents we get a pastebin.com url

https://pastebin.com/RSGSi1hk

The content of the pastebin give us a google docs file

Docs contains a mega link but the file is encrypted with a key


key

seaching the cache files i found that firefox had few gmail cache files

❯ grep mail filescan.txt
0x00000000053f9070      3      0 -W-rw- \Device\HarddiskVolume2\Users\Jaffa\AppData\Roaming\Mozilla\Firefox\Profiles\84kisw0a.default-release\storage\default\https+++mail.google.com\cache\morgue\75\{f4ec0805-5e72-4cbe-a262-5a99a7abb04b}.tmp
0x00000000053fde20     16      0 R--rw- \Device\HarddiskVolume2\Users\Jaffa\AppData\Roaming\Mozilla\Firefox\Profiles\84kisw0a.default-release\storage\default\https+++mail.google.com\cache\morgue\63\{401978b9-d8ee-4339-8725-fcdb3224fd3f}.final
0x000000005d8e6f20     16      0 RW-rw- \Device\HarddiskVolume2\Users\Jaffa\AppData\Roaming\Mozilla\Firefox\Profiles\84kisw0a.default-release\storage\default\https+++mail.google.com\idb\1593787212uysretrs_irge.sqlite
0x000000005dac6440     16      0 R--rw- \Device\HarddiskVolume2\Users\Jaffa\AppData\Roaming\Mozilla\Firefox\Profiles\84kisw0a.default-release\storage\default\https+++mail.google.com\cache\morgue\154\{156622a5-b5aa-431f-b4f6-34922d9cb19a}.final
....
....

but I was not able to find the key in them, so I dumped memory of all the firefox processes with memdump plugin

greping key on dump.txt

❯ grep -i " key "  dump.txt

we obtain the key zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU so we download the flag_.png from the megalink


Not yet

We are unable to open the flag_.png (╯°□°)╯︵ ┻━┻ file the appears to be corrupted running pngcheck

❯ pngcheck flag_.png
flag_.png  first chunk must be IHDR
ERROR: flag_.png

IHDR seems to be corrupted googlefu found IHDR bytes

and staring bytes of flag_.png are

changing iHDR to IHDR fixes the png file

flag_.png


finally we get the full flag infctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_aN_Am4zINg_!_i_gU3Ss???_}