Friday, February 24, 2017

Forensics CTF challenge - RAMDisk writeup

This is a continuation to the write ups for the CTF competition held within the company I work for. I am bringing you all another forensics challenge I was able to solve. This one was valued at 400 points.

 Question/Challenge:

Step 1. Download the file.
The link takes you to a google drive hosted file.
The file's details are: 
 Name: flagflag_crew.7z-89b4071371d484987c8a0431636128b46e8ee99a9185d50fa74f34df9ff40ae7   
 Size: 55.5 MB (58,230,361 bytes)
 SHA256: 89b4071371d484987c8a0431636128b46e8ee99a9185d50fa74f34df9ff40ae7

Step 2. Extract contents.
Inside the .7z file is one file:
 Name: lime.dump   
 Size: 0.99 GB (1,073,207,392 bytes)
 SHA256: 2ee1ad807663d951bd8f3f3dff88d2321ae343e3e6c26c5f8cf90d261e30cef2



Lime of course is a linux memory dumping tool. The content of the .7z is a linux memory dump, as stated by the challenge.

 Step 3. Acquire Volatility profile.
The description of the challenge states that this image was taken from a 16.04 Ubuntu server. Since I will use Volatility as my memory analysis tool, I will need the proper profile for this OS version. After some Googling I landed on this page which has a collection of Ubuntu profiles:
https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64

 We will need Ubuntu1604.zip.

 Save the zip file to the following location:
 volatility/plugins/overlays/linux/

Instructions here: https://github.com/volatilityfoundation/volatility/wiki/Linux
Verify that the memory profile has been loaded:
 python vol.py --info  
 Profiles  
 --------  
 LinuxUbuntu1604x64 - A Profile for Linux Ubuntu1604 x64

You should see something like this if it was loaded properly.

Step 4. Investigate the memory image.
I used pslist, pstree and psxview to get an idea of what is running:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_pslist  
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_pstree  
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_psxview

I will then take a look at the bash history since I saw that NC was running on the system:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_bash

Interesting.. Netcat is writing to flagflag.7z on the Ramdisk.

 Let's see what is mounted on the system:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_mount


We see that the location of the ramdisk is at /home/user/ramfs

Step 5. Investigate the "flagflag.7z" file.

Let's see if this file is open currently:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_lsof


We now have the location of the flagflag file.

 We have two options here:
Option 1: Is there a way to dump the entire ramfs from memory to disk?
No time to research and do that!

Option 2: Just carve the entire memory image for .7z files.
This one is much quicker to do and no research involved.

Step 6. Carve the file

We will use a tool called scalpel to carve for magic numbers of files. In our case we want the .7z files.

To specify byte signature, we need to edit the config file: 
 nano scalpel.conf

Edit it so that it contains the following entry to only find .7z files:
    7z  y   2147483648   \x37\x7a\xbc\xaf\x27\x1c

Make a directory for the output: 
 mkdir scalpel_output

Run scalpel on the memory dump:
 scalpel -b -c ./scalpel.conf -o scalpel_output/ ../lime.dump

Extract one of the .7z files
 cd scalpel_output/  
 cd 7z-0-0/  
 ls -alh  
 7za e 00000000.7z

cat out the contents of the flag:
 ls  
 cat flagflag.txt   
 flag{Memory_Forensics_is_hard_Let's_go_shopping}

We now have our flag.

Pictures for the above commands below:

Posted by at No comments:
Subscribe to: Posts (Atom)