[ECW] - DumpCyber
ECW 2023 - This article is part of a series.
Statement #
Identifying the file type #
We are given a file named task.raw. It is about 1 GB, and the file and strings commands give the following:
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ file task.raw
task.raw: Windows Event Trace Log
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ strings task.raw | head -n100
FACP
VBOX VBOXFACP
ASL a
DSDTS#
!VBOX VBOXBIOS
INTL(
DBG0
DBG0
DHE1
DBG0
DHE2
DBG0
DHE4 [
DBG0
DCHR
HEX_
phDHE1
HEX2
phDHE2
HEX4
phDHE4
SLEN
$S2BF ph`rSLEN`
BUFF
`phBUFF
BUFF
MIN_
SCMP
ph`pS2BF``pS2BFiap
dpSLENhepSLENifpMIN_efg
MTCH
ph`piapSCMP`ab
*DBG_
ph`pS2BF`ap
a`v`p
`v`p
DCHRub
MSWV
A$MSWN
MSWV
MSWVp
MSWVDBG_
_OS:
DBG__OS_DBG_
_OSI
DBG_
_OSI exists
_OSI
Windows 2001
MSWV
_OSI
Windows 2001.1
MSWV
_OSI
Windows 2006
MSWV
_OSI
Windows 2009
MSWV
_OSI
Windows 2012
MSWV
_OSI
Windows 2013
MSWV
_OSI
Windows 2015
MSWV
>_OSI
Windows 2006 SP2
DBG_
Windows 2006 SP2 supported
MSWV
&MTCH_OS_
Microsoft Windows NT
MSWV
9MTCH_OS_
Microsoft WindowsME: Millennium Edition
MSWV
_REV
DBG_
_REV:
HEX4_REV
MSWV
_REV
MSWV
DBG_
ACPI rev mismatch, not a Microsoft OS
MSWVDBG_
Determined MSWV:
HEX4MSWV
MSWV
PICM
!_PIC
DBG_
Pic mode:
HEX4hphPICM[
SYSI
SYSI
IDX0 DAT0 [
The output of file is not to be trusted here: a raw memory image has no header of its own, so file matches whatever magic happens to sit at offset 0. The strings are more telling. FACP and DSDT are ACPI table signatures, "VBOX" / "VBOXFACP" / "VBOXBIOS" are the OEM IDs of the tables that the VirtualBox firmware leaves in low physical memory, and "Windows 2001" ... "Windows 2015" are the _OSI queries the AML code uses to find out which Windows version is running. So this is very likely a physical-memory capture of a Windows guest running in VirtualBox.
To confirm it, I run the volatility3 tool:
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.info
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf8000260c000
DTB 0x187000
Symbols file:///home/kali/Desktop/Tools/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdDebuggerDataBlock 0xf800027fd0a0
NTBuildLab 7601.17514.amd64fre.win7sp1_rtm.
CSDVersion 1
KdVersionBlock 0xf800027fd068
Major/Minor 15.7601
MachineType 34404
KeNumberProcessors 1
SystemTime 2023-08-17 16:20:26
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 34404
PE TimeDateStamp Sat Nov 20 09:30:02 2010
The windows.info plugin would have failed if this were not a Windows memory image: before it can print anything it has to find the kernel and its debugger data block (KdDebuggerDataBlock) and load the matching symbol file (the PDB GUID in the Symbols path above). The challenge name points the same way. The output also pins down the target: NTBuildLab 7601.17514.amd64fre.win7sp1_rtm with Is64Bit True is a 64-bit Windows 7 SP1 (build 7601) with one CPU, and SystemTime 2023-08-17 16:20:26 (UTC) is the moment of the capture. That timestamp is the reference point for everything that follows.
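The strings check above can be made rigorous instead of eyeballed. What follows is an added example (my own script, not part of the write-up): it scans a raw image for ACPI table signatures, keeps only hits whose header checksum is valid, and reads the OEM ID from each. The sample image is constructed inline (a decoy "FACP" inside a text string, a table with a corrupted byte, and two well-formed VirtualBox-style tables); the KNOWN_OEM mapping is an assumed short list, not an exhaustive one.

```python
"""Find ACPI tables in a raw memory image and read who produced them.

A raw dump has no file header of its own, which is why `file` guesses. The
ACPI tables the firmware leaves in low physical memory do have a checked
structure: a 36-byte header (signature, length, revision, checksum, OEM ID,
OEM table ID, ...) whose bytes, summed over the whole table, are 0 mod 256.
A signature that passes that check is a real table, not a stray string.
"""
import re
import struct

SIGNATURES = (b"FACP", b"DSDT", b"SSDT", b"APIC", b"HPET", b"MCFG", b"RSDT", b"XSDT")
# sig, length, revision, checksum, OEM ID, OEM table ID, OEM revision, creator ID, creator revision
HEADER = struct.Struct("<4sIBB6s8sI4sI")
MAX_TABLE = 1 << 20                     # larger "tables" are corrupt hits, skip them
KNOWN_OEM = {"VBOX": "VirtualBox", "BOCHS": "QEMU/Bochs (SeaBIOS)"}   # assumed short list; extend as needed


def scan_acpi_tables(image):
    """Return one dict per checksum-valid ACPI table found in `image` (bytes)."""
    found = []
    sig_re = re.compile(b"|".join(re.escape(s) for s in SIGNATURES))
    for m in sig_re.finditer(image):
        off = m.start()
        if off + HEADER.size > len(image):
            break
        sig, length, rev, _csum, oem_id, oem_table, _, _, _ = HEADER.unpack_from(image, off)
        if not HEADER.size <= length <= MAX_TABLE or off + length > len(image):
            continue                    # signature inside a string or inside an OEM table ID
        if sum(image[off:off + length]) & 0xFF:
            continue                    # checksum failed: not a table
        found.append({"offset": off, "signature": sig.decode(), "length": length, "revision": rev,
                      "oem_id": oem_id.decode("ascii", "replace").strip(),
                      "oem_table_id": oem_table.decode("ascii", "replace").strip()})
    return found


def guess_platform(tables):
    """Best-effort vendor name from the OEM IDs, or None if none is recognised."""
    for t in tables:
        for prefix, vendor in KNOWN_OEM.items():
            if t["oem_id"].startswith(prefix):
                return vendor
    return None


def make_table(sig, oem_id, oem_table, body=b"\x00" * 20):
    """Build a well-formed table with a correct checksum (for the constructed sample)."""
    length = HEADER.size + len(body)
    raw = bytearray(HEADER.pack(sig, length, 1, 0, oem_id.ljust(6), oem_table.ljust(8),
                                1, b"ASL ", 0x20090511) + body)
    raw[9] = (-sum(raw)) & 0xFF         # the checksum byte lives at offset 9
    return bytes(raw)


# Constructed sample image: filler, a decoy "FACP" inside ASCII text, a valid FACP,
# an APIC table with one corrupted byte, then a valid DSDT.
_bad_apic = bytearray(make_table(b"APIC", b"VBOX", b"VBOXAPIC"))
_bad_apic[-1] ^= 0x01
SAMPLE_IMAGE = (b"\x00" * 64
                + b"this FACP text is not a table\x00"
                + make_table(b"FACP", b"VBOX", b"VBOXFACP")
                + b"\xff" * 16
                + bytes(_bad_apic)
                + make_table(b"DSDT", b"VBOX", b"VBOXBIOS", body=bytes(range(40))))

if __name__ == "__main__":
    tables = scan_acpi_tables(SAMPLE_IMAGE)
    for t in tables:
        print(f"{t['offset']:#010x} {t['signature']} len={t['length']} "
              f"oem={t['oem_id']!r} table={t['oem_table_id']!r}")
    print("platform:", guess_platform(tables))
```

On a real image, replace SAMPLE_IMAGE with the file contents (or an mmap of it); the length and checksum filters are what separate the real FACP/DSDT headers from the copies of those four letters that also occur inside OEM table IDs and AML strings.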
Ram Investigation #
Processes launched #
One of the first things to do with a memory image is to list the processes that were running when it was taken.
The windows.pstree plugin shows them as a parent/child tree (only the branches of interest are reproduced here):
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.pstree
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xfa8000c3d990 86 471 N/A False 2023-08-17 16:13:27.000000 N/A
* 272 4 smss.exe 0xfa8001ddbb30 2 29 N/A False 2023-08-17 16:13:27.000000 N/A
432 412 csrss.exe 0xfa800397d060 9 212 1 False 2023-08-17 16:13:42.000000 N/A
* 568 432 conhost.exe 0xfa8001032060 2 51 1 False 2023-08-17 16:20:19.000000 N/A
524 412 winlogon.exe 0xfa8003dc9740 5 113 1 False 2023-08-17 16:13:42.000000 N/A
1160 1140 explorer.exe 0xfa80041c8510 36 969 1 False 2023-08-17 16:13:47.000000 N/A
* 1280 1160 WinRAR.exe 0xfa8001000b30 6 188 1 False 2023-08-17 16:20:22.000000 N/A
* 2880 1160 notepad.exe 0xfa8000f8fb30 1 61 1 False 2023-08-17 16:20:23.000000 N/A
* 2144 1160 WinRAR.exe 0xfa8001025b30 6 188 1 False 2023-08-17 16:20:21.000000 N/A
* 2624 1160 WinRAR.exe 0xfa8000e2cb30 6 188 1 False 2023-08-17 16:20:25.000000 N/A
* 1320 1160 DumpIt.exe 0xfa8000dc4b30 2 45 1 True 2023-08-17 16:20:19.000000 N/A
* 2792 1160 notepad.exe 0xfa8000fe8b30 1 61 1 False 2023-08-17 16:20:24.000000 N/A
* 1428 1160 VBoxTray.exe 0xfa8004480b30 13 137 1 False 2023-08-17 16:13:48.000000 N/A
The tree tells us the following:
- smss.exe, csrss.exe, conhost.exe and winlogon.exe are core Windows components (session manager, Win32 subsystem, console host, logon). conhost.exe was created at 16:20:19, the same second as DumpIt.exe, so it is most likely the console window of that console application.
- explorer.exe (PID 1160) is the Windows shell (desktop, taskbar and file browser). It started at 16:13:47, when the user session opened, and is the parent of everything the user launched afterwards.
- WinRAR.exe (three instances) is an archiver (.rar / .zip / .7z ...).
- notepad.exe (two instances) is Notepad.
- DumpIt.exe is the memory acquisition tool that produced this image, most likely run by the challenge author to generate task.raw. Its Wow64 column reads True, so it is a 32-bit binary running on the 64-bit guest.
- VBoxTray.exe belongs to the VirtualBox Guest Additions, which confirms the VirtualBox guess.
The CreateTime column gives the timeline: the session opened at 16:13:47, DumpIt.exe was started at 16:20:19, and in the six seconds that followed three WinRAR windows (16:20:21, 16:20:22, 16:20:25) and two Notepad windows (16:20:23, 16:20:24) were opened, right before the capture completed (SystemTime 16:20:26). Those five user-launched processes are the interesting ones.
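To make that timeline reasoning repeatable, here is an added example (my own script, not from the write-up) that parses the windows.pstree table, computes each process's age at capture time relative to the SystemTime reported by windows.info, and lists what was launched under explorer.exe. The pstree rows are the ones shown above, embedded as a constructed sample; the 10-second window used in the usage block is an arbitrary choice.

```python
"""Read windows.pstree output and build a capture-relative timeline."""
from datetime import datetime

CAPTURE_TIME = datetime(2023, 8, 17, 16, 20, 26)   # SystemTime from windows.info

# Constructed sample: the pstree rows from the write-up, pasted as text.
PSTREE_OUTPUT = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xfa8000c3d990 86 471 N/A False 2023-08-17 16:13:27.000000 N/A
* 272 4 smss.exe 0xfa8001ddbb30 2 29 N/A False 2023-08-17 16:13:27.000000 N/A
432 412 csrss.exe 0xfa800397d060 9 212 1 False 2023-08-17 16:13:42.000000 N/A
* 568 432 conhost.exe 0xfa8001032060 2 51 1 False 2023-08-17 16:20:19.000000 N/A
524 412 winlogon.exe 0xfa8003dc9740 5 113 1 False 2023-08-17 16:13:42.000000 N/A
1160 1140 explorer.exe 0xfa80041c8510 36 969 1 False 2023-08-17 16:13:47.000000 N/A
* 1280 1160 WinRAR.exe 0xfa8001000b30 6 188 1 False 2023-08-17 16:20:22.000000 N/A
* 2880 1160 notepad.exe 0xfa8000f8fb30 1 61 1 False 2023-08-17 16:20:23.000000 N/A
* 2144 1160 WinRAR.exe 0xfa8001025b30 6 188 1 False 2023-08-17 16:20:21.000000 N/A
* 2624 1160 WinRAR.exe 0xfa8000e2cb30 6 188 1 False 2023-08-17 16:20:25.000000 N/A
* 1320 1160 DumpIt.exe 0xfa8000dc4b30 2 45 1 True 2023-08-17 16:20:19.000000 N/A
* 2792 1160 notepad.exe 0xfa8000fe8b30 1 61 1 False 2023-08-17 16:20:24.000000 N/A
* 1428 1160 VBoxTray.exe 0xfa8004480b30 13 137 1 False 2023-08-17 16:13:48.000000 N/A
"""


def parse_pstree(text):
    """One dict per process row; the '*' prefix (one per nesting level) gives the depth."""
    procs = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "PID":
            continue
        depth = 0
        if tok[0].startswith("*"):
            depth, tok = len(tok[0]), tok[1:]
        created = datetime.strptime(tok[8] + " " + tok[9], "%Y-%m-%d %H:%M:%S.%f")
        procs.append({"pid": int(tok[0]), "ppid": int(tok[1]), "name": tok[2], "depth": depth,
                      "wow64": tok[7] == "True", "created": created})
    return procs


def descendants_of(procs, name):
    """PIDs of everything launched (transitively) under the process(es) called `name`."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p["ppid"], []).append(p["pid"])
    seen, stack = set(), [p["pid"] for p in procs if p["name"].lower() == name.lower()]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def timeline(procs, capture_time=CAPTURE_TIME, window_s=60):
    """Rows sorted by creation time with the age at capture. 'recent' flags processes
    started within `window_s` of the dump, 'wow64' flags 32-bit images on a 64-bit guest."""
    rows = []
    for p in sorted(procs, key=lambda q: q["created"]):
        age = (capture_time - p["created"]).total_seconds()
        flags = [f for f, on in (("recent", age <= window_s), ("wow64", p["wow64"])) if on]
        rows.append((age, p["pid"], p["name"], flags))
    return rows


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_OUTPUT)
    user = descendants_of(procs, "explorer.exe")
    for age, pid, name, flags in timeline(procs, window_s=10):
        mark = "U" if pid in user else " "
        print(f"{mark} T-{age:6.0f}s  {pid:5d}  {name:15s}  {' '.join(flags)}")
```

The "U" column is the cheap answer to "what did the user do": anything under the shell. On this dump the recent set is exactly DumpIt.exe, its conhost.exe, the three WinRAR.exe and the two notepad.exe instances, and DumpIt.exe is the only Wow64 process.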
Commands executed #
To see what these processes were started with, we list each process's command line (the executable and the arguments it was launched with) using the windows.cmdline plugin:
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.cmdline
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Args
4 System Required memory at 0x20 is not valid (process exited?)
272 smss.exe \SystemRoot\System32\smss.exe
368 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
420 wininit.exe wininit.exe
432 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
496 services.exe C:\Windows\system32\services.exe
504 lsass.exe C:\Windows\system32\lsass.exe
512 lsm.exe C:\Windows\system32\lsm.exe
524 winlogon.exe winlogon.exe
644 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
708 VBoxService.ex C:\Windows\System32\VBoxService.exe
764 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS
816 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
924 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
972 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
360 svchost.exe C:\Windows\system32\svchost.exe -k LocalService
1020 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
1148 dwm.exe "C:\Windows\system32\Dwm.exe"
1160 explorer.exe C:\Windows\Explorer.EXE
1232 spoolsv.exe C:\Windows\System32\spoolsv.exe
1264 taskhost.exe "taskhost.exe"
1288 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1428 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
944 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
1948 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
1364 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1984 sppsvc.exe C:\Windows\system32\sppsvc.exe
1412 svchost.exe C:\Windows\System32\svchost.exe -k secsvcs
1916 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x178
376 SearchProtocol "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2496 SearchFilterHo "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512
1320 DumpIt.exe "\\VBoxSvr\windows-windows\DumpIt.exe"
568 conhost.exe \??\C:\Windows\system32\conhost.exe
2144 WinRAR.exe "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\vboxuser\Desktop\file.txt.rar"
1280 WinRAR.exe "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\vboxuser\Desktop\generator.rar"
2880 notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\vboxuser\Desktop\deesktop.ini
2792 notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\vboxuser\Desktop\dessktop.ini
2624 WinRAR.exe "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\vboxuser\Desktop\file.rar"
The last lines are the interesting ones: the command lines show which files the WinRAR.exe and notepad.exe processes were opened on:
- file.txt.rar (WinRAR, PID 2144)
- generator.rar (WinRAR, PID 1280)
- deesktop.ini (Notepad, PID 2880)
- dessktop.ini (Notepad, PID 2792)
(⚠️ Pay attention to the names: deesktop.ini and dessktop.ini are two different files, and neither is the legitimate desktop.ini that Windows keeps in folders for their display settings; the look-alike names are there to blend in.)
A third WinRAR instance (PID 2624) opened file.rar, which is not used in the rest of this write-up. Note also that DumpIt.exe was run from \\VBoxSvr\windows-windows\, a VirtualBox shared folder, so the acquisition tool was executed straight from the host share rather than copied into the guest.
Extracting files #
We want these files themselves. windows.dumpfiles can extract a file from the cache, but it has to be pointed at the file's _FILE_OBJECT. windows.filescan scans physical memory for those objects and reports their physical offsets, so we run it first and filter on the four names:
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.filescan | grep -E "file.txt.rar|generator.rar|deesktop.ini|dessktop.ini"
0x3fab94a0 \Users\vboxuser\Desktop\generator.rar 216
0x3fabd070 \Users\vboxuser\Desktop\file.txt.rar 216
0x3fcd2430 \Users\vboxuser\Desktop\dessktop.ini 216
0x3fd737b0 \Users\vboxuser\Desktop\deesktop.ini 216
We can now extract the files with the dumpfiles
command:
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.dumpfiles --physaddr 0x3fab94a0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x3fab94a0 generator.rar file.0x3fab94a0.0xfa8003fc9160.DataSectionObject.generator.rar.dat
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.dumpfiles --physaddr 0x3fabd070
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x3fabd070 file.txt.rar file.0x3fabd070.0xfa800487b860.DataSectionObject.file.txt.rar.dat
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.dumpfiles --physaddr 0x3fcd2430
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x3fcd2430 dessktop.ini file.0x3fcd2430.0xfa8000c7d9e0.DataSectionObject.dessktop.ini.dat
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f task.raw windows.dumpfiles --physaddr 0x3fd737b0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x3fd737b0 deesktop.ini file.0x3fd737b0.0xfa8003e37b10.DataSectionObject.deesktop.ini.dat
dumpfiles writes each result to file.<physical offset>.<virtual offset>.DataSectionObject.<name>.dat. These are not archives of their own: each .dat is the cached content of the original file (two RAR archives and two small .ini files) and only needs renaming. One caveat: the content is rebuilt from the page cache, so it is page-aligned and may carry zero padding or lack pages that were never cached; check that each archive opens cleanly before relying on it. After renaming the four files and extracting the two archives we have generator.exe, file.txt.enc, dessktop.ini and deesktop.ini.
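The four manual dumpfiles runs above can be scripted end to end. The following is an added example (my own code, not the write-up's): it pulls the file names out of the windows.cmdline output, looks up their _FILE_OBJECT offsets in the windows.filescan output, builds the dumpfiles invocations and, if asked to run them, renames the resulting .dat files back to their original names. VOL and IMAGE are assumed paths to adjust; the two sample outputs are the cmdline and filescan lines shown above, pasted in as constructed text. Without --run the script only prints the plan.

```python
"""Script the cmdline -> filescan -> dumpfiles chain for the files a process opened."""
import re
import subprocess
import sys
from pathlib import Path

VOL = ["python3", "vol.py"]      # assumed: how volatility3 is invoked on this box
IMAGE = "task.raw"               # assumed: the memory image

# Constructed sample: the relevant windows.cmdline rows from the write-up.
CMDLINE_OUTPUT = r"""
1320 DumpIt.exe "\\VBoxSvr\windows-windows\DumpIt.exe"
2144 WinRAR.exe "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\vboxuser\Desktop\file.txt.rar"
1280 WinRAR.exe "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\vboxuser\Desktop\generator.rar"
2880 notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\vboxuser\Desktop\deesktop.ini
2792 notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\vboxuser\Desktop\dessktop.ini
2624 WinRAR.exe "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\vboxuser\Desktop\file.rar"
"""

# Constructed sample: the filtered windows.filescan rows from the write-up.
FILESCAN_OUTPUT = r"""
0x3fab94a0 \Users\vboxuser\Desktop\generator.rar 216
0x3fabd070 \Users\vboxuser\Desktop\file.txt.rar 216
0x3fcd2430 \Users\vboxuser\Desktop\dessktop.ini 216
0x3fd737b0 \Users\vboxuser\Desktop\deesktop.ini 216
"""

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')          # quoted or bare command-line arguments
DAT_RE = re.compile(r"^file\.0x[0-9a-f]+\.0x[0-9a-f]+\."
                    r"(?:DataSectionObject|ImageSectionObject|SharedCacheMap)\.(.+)\.dat$")


def files_opened(cmdline_text, processes):
    """Base names of the arguments (after the executable itself) of the named processes."""
    wanted = {p.lower() for p in processes}
    names = set()
    for line in cmdline_text.strip().splitlines():
        _pid, proc, rest = line.split(None, 2)
        if proc.lower() not in wanted:
            continue
        args = [quoted or bare for quoted, bare in ARG_RE.findall(rest)]
        names.update(a.rsplit("\\", 1)[-1] for a in args[1:])
    return names


def locate(filescan_text, names):
    """Map each wanted base name to the physical offset of its _FILE_OBJECT."""
    hits = {}
    for line in filescan_text.strip().splitlines():
        offset, path = line.split()[:2]
        base = path.rsplit("\\", 1)[-1]
        if base in names:
            hits[base] = int(offset, 16)
    return hits


def dumpfiles_cmd(phys, outdir):
    """Global options (-f, -o) go before the plugin name in vol3."""
    return VOL + ["-f", IMAGE, "-o", str(outdir), "windows.dumpfiles", "--physaddr", hex(phys)]


def tidy_name(dat_name):
    """'file.<phys>.<virt>.<cache>.<name>.dat' -> '<name>'; other names pass through."""
    m = DAT_RE.match(dat_name)
    return m.group(1) if m else dat_name


def extract(outdir, run=False):
    """Return the planned commands; with run=True execute them and rename the .dat outputs.
    Caveat: dumpfiles rebuilds files from the page cache, so outputs are page-aligned
    (zero-padded tails, possibly missing pages); verify that each archive opens."""
    outdir = Path(outdir)
    names = files_opened(CMDLINE_OUTPUT, ("WinRAR.exe", "notepad.exe"))
    cmds = [dumpfiles_cmd(phys, outdir) for _, phys in sorted(locate(FILESCAN_OUTPUT, names).items())]
    if run:
        outdir.mkdir(parents=True, exist_ok=True)
        for cmd in cmds:
            subprocess.run(cmd, check=True)
        for dat in outdir.glob("file.0x*.dat"):
            dat.rename(outdir / tidy_name(dat.name))
    return cmds


if __name__ == "__main__":
    for cmd in extract("dumped", run="--run" in sys.argv):
        print(" ".join(cmd))
```

Replace the two sample strings with the real plugin output (for instance captured into files and read in) and the script becomes a reusable "extract what the user opened" step for other images.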
File analysis #
The two .ini files hold 16 opaque bytes each and file.txt.enc is ciphertext, so none of them can be read directly. That leaves generator.exe, a compiled executable, which has to be reversed. I used IDA for this; since this is a forensics challenge I will not go into the reversing and only show the decompiled result (the esp/ebp-relative stack annotations and the call to __main() tell us it is a 32-bit binary built with GCC/MinGW):
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[16]; // [esp+10h] [ebp-20h] BYREF   -- 16-byte IV buffer
  char Buffer[16]; // [esp+20h] [ebp-10h] BYREF -- 16-byte key buffer
  __main(); // GCC/MinGW runtime initialisation, not program logic
  generate_key_iv(Buffer, v4); // fills both buffers (body not shown here)
  write_key_iv_to_file(Buffer, v4, "dessktop.ini", "deesktop.ini"); // key file, IV file
  puts("Key and IV written to files.");
  return 0;
}
int __cdecl write_key_iv_to_file(void *Buffer, void *a2, char *FileName, char *a4)
{
  FILE *v5; // [esp+18h] [ebp-10h]  -- IV file handle
  FILE *Stream; // [esp+1Ch] [ebp-Ch] -- key file handle
  Stream = fopen(FileName, "wb"); // dessktop.ini
  if ( !Stream )
  {
    puts("Failed to open key file for writing.");
    exit(1);
  }
  v5 = fopen(a4, "wb"); // deesktop.ini
  if ( !v5 )
  {
    puts("Failed to open IV file for writing.");
    exit(1);
  }
  fwrite(Buffer, 1u, 0x10u, Stream); // 16 raw bytes of key
  fwrite(a2, 1u, 0x10u, v5); // 16 raw bytes of IV
  fclose(Stream);
  return fclose(v5);
}
generate_key_iv fills two 16-byte buffers, and write_key_iv_to_file writes the first one (the key) to dessktop.ini and the second one (the IV) to deesktop.ini.
A 16-byte key together with a 16-byte IV is the signature of AES-128 in a block mode that takes an IV, CBC being the usual one (the ciphertext we are about to dump is a whole number of 16-byte blocks, which fits).
So the key in dessktop.ini and the IV in deesktop.ini should decrypt file.txt.enc, the file extracted from file.txt.rar.
Flag #
We now have everything we need. First, dump the three files as hex with the xxd command:
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ xxd -p deesktop.ini
e609874a80d1b27efd46cc0a131a4dcd
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ xxd -p dessktop.ini
1b54ee420bd5b8396e15fc9fe01055f8
┌──(kali㉿kali)-[~/Desktop/CTF/ECW/DumpCyber]
└─$ xxd -p file.txt.enc
e609874a80d1b27efd46cc0a131a4dcd01a866f5e31a99ae56ed91d8c517
5c8b88a0d8d8c6412889bac60d5999cf61517bfdbf7f9fc6e2fa530e4263
bd92af6a
Before decrypting, compare the values: the first 16 bytes of file.txt.enc (e609874a...1a4dcd) are exactly the IV, so the generator wrote IV || ciphertext and the actual ciphertext is the remaining 48 bytes, three AES blocks. With CyberChef the flag comes out using:
- Operation: AES Decrypt
- Key: 1b54ee420bd5b8396e15fc9fe01055f8 (Hex)
- IV: e609874a80d1b27efd46cc0a131a4dcd (Hex)
- Mode: CBC/No Padding
- Input: Hex (the xxd output is hex-encoded)
- Output: Raw (plain text)
Pasting the whole file as input still works because CBC decrypts block by block: the first block (the IV itself) comes out as junk, the chaining resynchronises on the second block, the flag follows, and the last bytes are padding (the flag is 38 characters long, so 10 bytes of it). Dropping the first 16 bytes before decrypting gives a clean result.
🚩 Flag: flag{82a30fadcfc07d634fbed1bffe4a2aa1}
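The same decryption, written out so it can be rerun without CyberChef, as an added example (my own code, not the write-up's). It is a self-contained AES-128-CBC implementation (no third-party module; the S-box is derived from its GF(2^8) definition rather than typed in), plus the two things the recipe above does implicitly: strip the IV that the generator prepended to file.txt.enc, and remove the PKCS#7 padding at the end. The key, IV and ciphertext are the values dumped with xxd above; that the padding is PKCS#7 is an assumption, which is why the unpadder leaves the data alone when the padding does not check out.

```python
"""AES-128-CBC decryption of file.txt.enc with the recovered key and IV."""

KEY = bytes.fromhex("1b54ee420bd5b8396e15fc9fe01055f8")   # dessktop.ini
IV = bytes.fromhex("e609874a80d1b27efd46cc0a131a4dcd")    # deesktop.ini
FILE_TXT_ENC = bytes.fromhex(                              # xxd -p file.txt.enc
    "e609874a80d1b27efd46cc0a131a4dcd01a866f5e31a99ae56ed91d8c517"
    "5c8b88a0d8d8c6412889bac60d5999cf61517bfdbf7f9fc6e2fa530e4263"
    "bd92af6a"
)


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (FIPS-197 5.1.1)."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 14) ^ _gf_mul(a1, 11) ^ _gf_mul(a2, 13) ^ _gf_mul(a3, 9),
                _gf_mul(a0, 9) ^ _gf_mul(a1, 14) ^ _gf_mul(a2, 11) ^ _gf_mul(a3, 13),
                _gf_mul(a0, 13) ^ _gf_mul(a1, 9) ^ _gf_mul(a2, 14) ^ _gf_mul(a3, 11),
                _gf_mul(a0, 11) ^ _gf_mul(a1, 13) ^ _gf_mul(a2, 9) ^ _gf_mul(a3, 14)]
    return out


def _decrypt_block(round_keys, block):
    """Inverse cipher (FIPS-197 5.3); state index = 4*column + row."""
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                         # InvSubBytes
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
        if rnd:
            s = _inv_mix_columns(s)                                          # skipped in round 0
    return bytes(s)


def aes128_cbc_decrypt(key, iv, ciphertext):
    if len(key) != 16 or len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("AES-128-CBC needs a 16-byte key, a 16-byte IV and whole blocks")
    rk = _expand_key(key)
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(p ^ q for p, q in zip(_decrypt_block(rk, blk), prev))  # P_i = D(C_i) ^ C_(i-1)
        prev = blk
    return bytes(out)


def unpad_pkcs7(data):
    """Strip PKCS#7 padding when it is well formed, otherwise return the data untouched.
    Lenient on purpose: this is an offline forensic decrypt, not a protocol endpoint."""
    n = data[-1] if data else 0
    return data[:-n] if 1 <= n <= 16 and data.endswith(bytes([n]) * n) else data


def recover_flag(enc=FILE_TXT_ENC, key=KEY, iv=IV):
    """Layout inferred from the dump: IV || ciphertext. If the prefix is not the IV from
    deesktop.ini, the whole input is treated as ciphertext."""
    body = enc[16:] if enc[:16] == iv else enc
    return unpad_pkcs7(aes128_cbc_decrypt(key, iv, body))


if __name__ == "__main__":
    print(recover_flag().decode("ascii", "replace"))
```

The block decryptor is checked against the FIPS-197 C.1 vector before being trusted with the challenge data; a hand-rolled cipher that has not been checked against a known answer is not evidence of anything.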