Question/Challenge:
Step 1. Download the file.
The link takes you to a google drive hosted file.
The file's details are:
Name: flagflag_crew.7z-89b4071371d484987c8a0431636128b46e8ee99a9185d50fa74f34df9ff40ae7
Size: 55.5 MB (58,230,361 bytes)
SHA256: 89b4071371d484987c8a0431636128b46e8ee99a9185d50fa74f34df9ff40ae7
Step 2. Extract contents.
Inside the .7z file is one file:
Name: lime.dump
Size: 0.99 GB (1,073,207,392 bytes)
SHA256: 2ee1ad807663d951bd8f3f3dff88d2321ae343e3e6c26c5f8cf90d261e30cef2
Lime of course is a linux memory dumping tool. The content of the .7z is a linux memory dump, as stated by the challenge.
Step 3. Acquire Volatility profile.
The description of the challenge states that this image was taken from a 16.04 Ubuntu server. Since I will use Volatility as my memory analysis tool, I will need the proper profile for this OS version. After some Googling I landed on this page which has a collection of Ubuntu profiles:
https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64
We will need Ubuntu1604.zip.
Save the zip file to the following location:
volatility/plugins/overlays/linux/
Instructions here: https://github.com/volatilityfoundation/volatility/wiki/Linux
Verify that the memory profile has been loaded:
python vol.py --info
Profiles
--------
LinuxUbuntu1604x64 - A Profile for Linux Ubuntu1604 x64
You should see something like this if it was loaded properly.
Step 4. Investigate the memory image.
I used pslist, pstree and psxview to get an idea of what is running:
python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_pslist
python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_pstree
python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_psxview
I will then take a look at the bash history since I saw that NC was running on the system:
python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_bash 
Interesting.. Netcat is writing to flagflag.7z on the Ramdisk.
Let's see what is mounted on the system:
python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_mount
We see that the location of the ramdisk is at /home/user/ramfs
Step 5. Investigate the "flagflag.7z" file.
Let's see if this file is open currently:
python vol.py --profile=LinuxUbuntu1604x64 -f ../lime.dump linux_lsof
We now have the location of the flagflag file.
We have two options here:
Option 1: Is there a way to dump the entire ramfs from memory to disk?
No time to research and do that!
Option 2: Just carve the entire memory image for .7z files.
This one is much quicker to do and no research involved.
Step 6. Carve the file
We will use a tool called scalpel to carve for magic numbers of files. In our case we want the .7z files.
To specify byte signature, we need to edit the config file:
nano scalpel.conf
Edit it so that it contains the following entry to only find .7z files:
7z y 2147483648 \x37\x7a\xbc\xaf\x27\x1c
Make a directory for the output:
mkdir scalpel_output Run scalpel on the memory dump:
scalpel -b -c ./scalpel.conf -o scalpel_output/ ../lime.dump
Extract one of the .7z files
cd scalpel_output/
cd 7z-0-0/
ls -alh
7za e 00000000.7z
cat out the contents of the flag:
ls
cat flagflag.txt
flag{Memory_Forensics_is_hard_Let's_go_shopping}
We now have our flag.
Pictures for the above commands below:
No comments:
Post a Comment