Friday, February 24, 2017

Forensics CTF challenge - RAMDisk writeup

This is a continuation of the write-ups for the CTF competition held within the company I work for. Here is another forensics challenge I was able to solve. This one was worth 400 points.

Question/Challenge:



Step 1. Download the file.
The link takes you to a file hosted on Google Drive.
The file's details are: 
 Name: flagflag_crew.7z-89b4071371d484987c8a0431636128b46e8ee99a9185d50fa74f34df9ff40ae7   
 Size: 55.5 MB (58,230,361 bytes)
 SHA256: 89b4071371d484987c8a0431636128b46e8ee99a9185d50fa74f34df9ff40ae7  

Step 2. Extract contents.
Inside the .7z file is one file:
 Name: lime.dump   
 Size: 0.99 GB (1,073,207,392 bytes)
 SHA256: 2ee1ad807663d951bd8f3f3dff88d2321ae343e3e6c26c5f8cf90d261e30cef2  



LiME is, of course, the Linux Memory Extractor, a kernel module for acquiring memory images, so the content of the .7z is a Linux memory dump, as the challenge states.

Step 3. Acquire Volatility profile.
The description of the challenge states that this image was taken from an Ubuntu 16.04 server. Since I will use Volatility as my memory analysis tool, I will need the proper profile for this OS version (Linux profiles are built for a specific kernel, so the profile has to match the kernel of the imaged system). After some Googling I landed on this page, which has a collection of Ubuntu profiles:
https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64

We will need Ubuntu1604.zip.

Save the zip file to the following location:
 volatility/plugins/overlays/linux/  

Instructions here: https://github.com/volatilityfoundation/volatility/wiki/Linux
Verify that the memory profile has been loaded:
 python vol.py --info  
 Profiles  
 --------  
 LinuxUbuntu1604x64 - A Profile for Linux Ubuntu1604 x64  

You should see something like this if it was loaded properly.


Step 4. Investigate the memory image.

I used pslist, pstree and psxview to get an idea of what is running:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_pslist  
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_pstree  
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_psxview  

Next I take a look at the bash history, since I saw that nc (netcat) was running on the system:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_bash  

Interesting: netcat is writing to flagflag.7z on the RAM disk.


Let's see what is mounted on the system:
 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_mount   


We see that the RAM disk is mounted at /home/user/ramfs.


Step 5. Investigate the "flagflag.7z" file.


Let's see if this file is open currently:

 python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_lsof  


We now have the full path of the flagflag.7z file.


We have two options here:


Option 1: Is there a way to dump the entire ramfs from memory to disk?
No time to research and do that!

Option 2: Just carve the entire memory image for .7z files. A ramfs lives entirely in RAM, so the bytes of the archive have to be somewhere in the dump.

This one is much quicker and involves no research.

Step 6. Carve the file


We will use a tool called scalpel to carve files out of the image by their magic numbers; in our case we want .7z archives.

To specify the byte signature, we edit the config file:
 nano scalpel.conf   

Edit it so that the following entry is the only active one, so scalpel looks for .7z files alone:
    7z  y   2147483648   \x37\x7a\xbc\xaf\x27\x1c  

Make a directory for the output:
 mkdir scalpel_output  

Run scalpel on the memory dump:
 scalpel -b -c ./scalpel.conf -o scalpel_output/ ../lime.dump   

Extract one of the carved .7z files:
 cd scalpel_output/  
 cd 7z-0-0/  
 ls -alh  
 7za e 00000000.7z   

Cat the flag file to see its contents:
 ls  
 cat flagflag.txt   
 flag{Memory_Forensics_is_hard_Let's_go_shopping}  

We now have our flag.
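As an added example (my own code, not part of the original write-up and not scalpel's), here is a small Python carver that does what the scalpel entry above does, finding the 6-byte 7z magic, and then goes one step further: it parses the 32-byte 7z signature header that follows the magic (version, StartHeaderCRC, NextHeaderOffset, NextHeaderSize, NextHeaderCRC, all little-endian, as laid out in the public 7z format description) to compute each archive's exact length and to check both CRCs. A header-only scalpel entry has no way to know where an archive ends, so every hit is carved up to the 2 GiB maximum, and a chance occurrence of those six bytes in a 1 GB dump produces a junk carve; the CRC checks sort those out. The sample image in the block is constructed test data, not real evidence, and all function names are my own.

```python
"""Carve 7z archives from a raw memory image by magic number, with header validation.

Added example for this write-up: my own code, not part of the original post or of
scalpel. Field layout follows the public 7z format description; the sample image
built below is constructed test data, not real evidence.
"""
import mmap
import struct
import sys
import tempfile
import zlib
from pathlib import Path

SEVENZ_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"  # same bytes as the scalpel.conf entry
SIG_HEADER_LEN = 32                           # magic(6) version(2) StartHeaderCRC(4) + 20 bytes
SCALPEL_MAX = 2147483648                      # max carve size used in the scalpel.conf entry


def parse_signature_header(block):
    """Decode a 7z signature header, or return None if block does not start with one.

    Little-endian layout: magic, major/minor version, StartHeaderCRC, then
    NextHeaderOffset (8), NextHeaderSize (8), NextHeaderCRC (4). StartHeaderCRC is the
    CRC32 of those last 20 bytes; NextHeaderOffset counts from the end of this header.
    """
    if len(block) < SIG_HEADER_LEN or not block.startswith(SEVENZ_MAGIC):
        return None
    major, minor, start_crc = struct.unpack_from("<BBI", block, 6)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", block, 12)
    return {
        "version": (major, minor),
        "start_crc_ok": zlib.crc32(block[12:SIG_HEADER_LEN]) == start_crc,
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "next_header_crc": next_crc,
        "archive_len": SIG_HEADER_LEN + next_off + next_size,
    }


def carve_7z(image, max_size=SCALPEL_MAX):
    """Scan a bytes-like image (bytes or mmap) and return [(offset, length, verified)].

    verified=True means StartHeaderCRC matched, the major version is 0, the computed
    archive fits in the image and NextHeaderCRC matched, so length is exact. Otherwise
    the hit is kept with a scalpel-style length (max_size, or to the end of the image).
    """
    hits = []
    pos = image.find(SEVENZ_MAGIC)
    while pos != -1:
        length = min(max_size, len(image) - pos)
        verified = False
        hdr = parse_signature_header(bytes(image[pos:pos + SIG_HEADER_LEN]))
        if hdr and hdr["start_crc_ok"] and hdr["version"][0] == 0 and hdr["archive_len"] <= length:
            nh_start = pos + SIG_HEADER_LEN + hdr["next_header_offset"]
            nh = bytes(image[nh_start:nh_start + hdr["next_header_size"]])
            if zlib.crc32(nh) == hdr["next_header_crc"]:
                verified, length = True, hdr["archive_len"]
        hits.append((pos, length, verified))
        pos = image.find(SEVENZ_MAGIC, pos + 1)
    return hits


def carve_7z_file(image_path, out_dir, max_size=SCALPEL_MAX):
    """Carve every hit in image_path into out_dir, one file per hit like scalpel's output.

    The image is memory-mapped so a 1 GB dump is not read into RAM at once, and carves
    are written in 16 MiB chunks. Unverified hits are written too, with a .unverified
    suffix, so nothing is dropped. Returns [(path, offset, length, verified)].
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    with open(image_path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for i, (off, length, ok) in enumerate(carve_7z(mm, max_size)):
            name = out / ("%08d%s.7z" % (i, "" if ok else ".unverified"))
            with open(name, "wb") as o:
                for start in range(off, off + length, 1 << 24):
                    o.write(mm[start:min(start + (1 << 24), off + length)])
            written.append((str(name), off, length, ok))
    return written


def build_sample_image():
    """Constructed test image: filler, one well-formed 7z, filler, one decoy with a bad CRC.

    Returns (image, offset_of_archive, archive_length).
    """
    packed = b"\x00" * 5 + b"PACKED-STREAM-STAND-IN"  # stands in for the compressed streams
    next_header = b"NEXT-HEADER-STAND-IN"             # stands in for the encoded end header
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    sig_header = SEVENZ_MAGIC + bytes((0, 4)) + struct.pack("<I", zlib.crc32(tail)) + tail
    archive = sig_header + packed + next_header
    decoy = SEVENZ_MAGIC + bytes((0, 4)) + b"\xde\xad\xbe\xef" + b"\x00" * 20  # wrong CRC
    lead, mid, end = b"A" * 100, b"B" * 37, b"C" * 10
    return lead + archive + mid + decoy + end, len(lead), len(archive)


def run_demo():
    """Write the constructed image to a temp dir, carve it, and return what was carved."""
    image, off, alen = build_sample_image()
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "lime.dump"
        dump.write_bytes(image)
        written = carve_7z_file(dump, Path(tmp) / "carved")
        carved = [(Path(p).name, o, n, ok, Path(p).read_bytes()) for p, o, n, ok in written]
    return {"image": image, "offset": off, "length": alen, "carved": carved}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python carve7z.py ../lime.dump scalpel_output/
        for path, off, length, ok in carve_7z_file(sys.argv[1], sys.argv[2]):
            print("%s offset=%d length=%d %s" % (path, off, length, "verified" if ok else "UNVERIFIED"))
    else:
        for name, off, length, ok, _ in run_demo()["carved"]:
            print(name, off, length, ok)
```

Run it as `python carve7z.py ../lime.dump scalpel_output/` to get one file per hit, numbered like scalpel's output; a verified hit is exactly the archive and can be handed straight to `7za e`, while a hit whose header does not verify is still written (with an `.unverified` suffix and a scalpel-style length) so that an archive whose header was partly overwritten is not silently lost.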

Pictures for the above commands below: