Hackllebarde 2 : Memory Dump Forensics

Task

There was a breach and we are given a memory dump to investigate for an URL, a malicious executable, an IP adress and a port number.

Process

First, we look for a banner in our memory dump to try to figure out what OS the machine was running on using volatility 3.

PS C:\Users\Ravaka\Desktop\volatility3> python vol.py -f ..\pentesting\weirdfiles\forensics\ransomware2\dumpmem.raw banners.Banners
Volatility 3 Framework 2.2.0
Progress:  100.00               PDB scanning finished
Offset  Banner

0x33af3a58      Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)
0x3b2001a0      Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)
0x3c196dd4      Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)

We need a Linux Kernel which version is 5.4.0-107 that has been compiled using gcc 7.5.0. So we replicate the same setup in a virtual machine and use the kernel to retrieve the symbol and type information needed for the analysis of our memory dump.

To install the correct kernel :

$ sudo apt install linux-image-5.4.0-107
$ sudo apt install -y linux-headers-$(uname -r)

Then we install gcc and check if it's the right version :

$ sudo apt install gcc
$ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

Well it's all good !

We can now clone volatility 2 and head to the tools to create the profile.

$ cd volatility/tools/linux && make

With the file created we can now analyse the dump. First, we look for the IP adress and the port using :

$ python vol.py --profile=LinuxUbuntu_5_4_0-107-generic_profilex64 -f ../dumpmem.raw linux_netstat

We find a suspicious TCP connection.

TCP      192.168.61.2    :13598 192.168.61.137  :38088 ESTABLISHED                    nc/2647

From that we have 2 parts of our flag: - Attackers IP Adress : 192.168.61.137 - Port used on the machine to exfiltrate data : 13598

Then we can look at the processes for our malicious executable :

$ python vol.py --profile=LinuxUbuntu_5_4_0-107-generic_profilex64 -f ../dumpmem.raw linux_psaux

We look and we find our malicious executable name :

2645   1000   1000   /usr/bin/python3 ./JeNeSuisPasDuToutUnFichierMalveillant

Finally we need to find out the URL of a ressource the attacker accessed during the attack :

$ strings dumpmem.raw | grep 'http://'

And after getting Rick Rolled a few times we did it ! We found the last part of our flag which is a link to a hacking course : https://www.youtube.com/watch?v=3Kq1MIfTWCE

Flag : 404CTF{192.168.61.137:13598:JeNeSuisPasDuToutUnFichierMalveillant:https://www.youtube.com/watch?v=3Kq1MIfTWCE}