As I told you before, we didn't have much time to participate in this CTF, so this will be the last writeup I can give you of the challenges we solved.
We get the following challenge:
Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!
memoryanalysis.zip
The challenge files are huge, please download it first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file
password: fjliejflsjiejlsiejee33cnc
Again they give us the investigation part almost complete: we know that this is a memory dump and, given the svchost process, that it comes from a Windows machine.
There is also a clue about using Volatility, a really useful tool for this kind of challenge; I recommend checking it out if you don't know it already.
In this case I took a different route and tried a method that had already worked for me in other forensic challenges: using strings.
To make the searches faster I dumped the strings results to a file:
strings forensic_100.raw > forensic_100.strings
But this way I can't find the hosts file, right? With Volatility I should have been able to locate the process and extract the file, but knowing the default content of the hosts file I searched for the IP 127.0.0.1 and made grep show the line after each match to avoid false positives; if I needed more context I could always ask for more lines:
grep -A 1 127.0.0.1 forensic_100.strings
This gives us the following result:
127.0.0.1 tIcfChangeNotificationDestroy
--
127.0.0.1 0,0,0,0,0,0
--
F127.0.0.1 + 0x%X
--
127.0.0.1 Unrecoverable memory allocation failure
--
v127.0.0.1 255.240.0.0
--
127.0.0.1 tIcfChangeNotificationDestroy
--
127.0.0.1 255.240.0.0
--
127.0.0.1 0,0,0,0,0,0
--
127.0.0.1 localhost 153.127.200.178 crattack.tistory.com attack.tistory.com
--
127.0.0.1 Unrecoverable memory allocation failure
--
127.0.0.1 tIcfChangeNotificationDestroy
--
127.0.0.1 255.240.0.0
--
127.0.0.1 0,0,0,0,0,0
--
127.0.0.1 localhost 153.127.200.178 crattack.tistory.com
--
127.0.0.1:1028 crattack-747355:0
--
127.0.0.1:1033 svchost.exe:1320
--
127.0.0.1:1900 svchost.exe:1036
--
127.0.0.1:123 H49 t
There we can see two very promising results pointing at crattack.tistory.com and the IP 153.127.200.178, so we try another search using the domain:
grep crattack.tistory.com forensic_100.strings
And we get this:
Host: crattack.tistory.com Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Host: crattack.tistory.com Access-Control-Allow-Origin: http://crattack.tistory.com Host: crattack.tistory.com Host: crattack.tistory.com Host: crattack.tistory.com Host: crattack.tistory.com http://crattack.tistory.com/trackback/90W 153.127.200.178 crattack.tistory.com attack.tistory.com Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/rss Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico \http://crattack.tistory.com/plugin/CallBack_bootstrapperSrc?nil_profile=tistory&nil_type=copied_post g;http://crattack.tistory.com/favicon.ico http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd 153.127.200.178 crattack.tistory.com http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd "C:\Program Files\Internet Explorer\iexplore.exe" http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: 
SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http:crattack.tistory.com http:crattack.tistory.com http:crattack.tistory.com http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd crattack.tistory.com crattack.tistory.com >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico http:crattack.tistory.com http:crattack.tistory.com http:crattack.tistory.com Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico >Visited: 
SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd :2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd :2016120620161207: SYSTEM@:Host: crattack.tistory.com :2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico ://crattack.tistory.com/favicon.ico tp://crattack.tistory.com/favicon.ico >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico w:2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico http://crattack.tistory.com/favicon.ico Visited: 
SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd ://crattack.tistory.com/favicon.ico w:2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico http:crattack.tistory.com http:crattack.tistory.com http:crattack.tistory.com http:crattack.tistory.com Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd tp://crattack.tistory.com/favicon.ico Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd http://crattack.tistory.com/favicon.ico crattack.tistory.com >Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd crattack.tistory.com:http crattack.tistory.com
Looks like we found the URL we needed. Since the hosts file maps the domain to 153.127.200.178, we have to use that IP instead of the DNS record, so we visit the following website:
http://153.127.200.178/entry/Data-Science-import-pandas-as-pd
It will download a file that once we open it will show the flag:
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
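The whole workflow above, carving strings from the image, picking out the hosts-file line that redirects the domain, collecting the URLs seen for it and swapping the hostname for the hosts-file IP as we did with 153.127.200.178, as an added Python example; this is my own code, not part of the original writeup, and it runs against a constructed sample buffer standing in for forensic_100.raw.

```python
import re

# Stand-in for `strings`: runs of 4+ printable ASCII bytes (tab counts, as in GNU strings); CR/LF end a run.
PRINTABLE_RUN = re.compile(rb"[\t\x20-\x7e]{4,}")
# "<IPv4> <name> [<name> ...]"; searched, not anchored, since memory strings often carry a junk prefix.
HOSTS_ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[ \t]+([A-Za-z0-9.\-]+(?:[ \t]+[A-Za-z0-9.\-]+)*)")
URL = re.compile(r"https?://([A-Za-z0-9.\-]+)(/[^\s\"'<>]*)?")
LOOPBACK = {"127.0.0.1"}
# Constructed sample "memory image" (not bytes from the real dump): hosts lines and IE history amid noise.
SAMPLE_DUMP = (
    b"\x00MZ\x90\x00\x03\x00"
    b"127.0.0.1\tlocalhost\r\n"
    b"153.127.200.178\tcrattack.tistory.com\r\n"
    b"\x00\x00v127.0.0.1 255.240.0.0\x00"
    b"Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
    b"http://crattack.tistory.com/favicon.ico\x00\xff\xfe"
)

def extract_strings(data):
    """Same result as `strings forensic_100.raw`, returned as a list of str."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def hosts_overrides(strs):
    """hostname -> IP for hosts-style entries pointing away from loopback; numeric 'names' (netmasks) are noise."""
    overrides = {}
    for s in strs:
        for ip, names in HOSTS_ENTRY.findall(s):
            if ip in LOOPBACK:
                continue
            for name in names.split():
                if not name.replace(".", "").isdigit():
                    overrides[name] = ip
    return overrides

def visited_urls(strs, domain):
    """Distinct URLs on `domain` (IE 'Visited:' records, Referer headers, etc.)."""
    return sorted({m.group(0) for s in strs for m in URL.finditer(s) if m.group(1) == domain})

def via_hosts_override(url, overrides):
    """Replace the URL host with the IP the hosts file pinned it to, if any."""
    m = URL.match(url)
    if not m or m.group(1) not in overrides:
        return url
    return url.replace(m.group(1), overrides[m.group(1)], 1)

def analyse(data=SAMPLE_DUMP, domain="crattack.tistory.com"):
    strs = extract_strings(data)
    overrides = hosts_overrides(strs)
    return overrides, [via_hosts_override(u, overrides) for u in visited_urls(strs, domain)]
```

Point `analyse` at the bytes of a real image to get the same two artefacts the grep searches produced: the hosts-file redirection and the URLs rewritten to the pinned IP.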
Maybe I will try to solve this challenge again using Volatility, but as you can see, with only two basic commands we were able to solve it without major issues.
This is probably going to be the last writeup of the SECCON this year, but as the platform is still open, if I have time I will try to finish some of the other challenges that I left half completed and will show you how I did it.
As always, thanks for your visit!