This week marks the first week of the final image for the Magnet weekly CTF challenge: memory forensics. For those who have yet to download the image, you can get it from here.
This week's challenge is a lengthy one that is split over 7 parts.
Challenge 9 ( Nov 30 - Dec 7 ) Part 1
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string.
The first step we have to take is to determine the profile to use for processing the image. Using Volatility's imageinfo plugin, I decided to go with the first suggested profile: Win7SP1x64. I then ran the pstree plugin for a quick look at the processes we should likely investigate further. (Note: the following screenshot of processes was taken from MemProcFS, but the same process list is obtainable from Volatility's pstree plugin.)
From the output, I felt that the answer was likely hidden in Slack or Microsoft Word (WINWORD.EXE). Since the question mentioned that the user was talking to himself/herself, I decided to investigate the Word process first.
Dumping the files for the WINWORD.EXE process with the dumpfiles plugin, using the -p and -n options to restrict output to the WINWORD.EXE process ID and to include the extracted filename in the output, I ran a grep search for the keyword "password" and was pleasantly surprised to find a likely answer candidate in the form of an AutoRecovery save file.
Viewing the hexdump of the AutoRecovery save file and searching for the keyword "password" as above, we find our answer to the first part of the challenge.
Answer: wow_this_is_an_uncrackable_password
Challenge 9 ( Nov 30 - Dec 7 ) Part 2
What is the md5 hash of the file which you recovered the password from?
This one is thankfully straightforward, as we just need to run md5sum to calculate the hash.
Answer: af1c3038dca8c7387e47226b88ea6e23
Challenge 9 ( Nov 30 - Dec 7 ) Part 3
What is the birth object ID for the file which contained the password?
This question is solved using Volatility's mftparser plugin. A quick grep search through the plugin output for the AutoRecovery save file gives us the answer.
Answer: 31013058-7f31-01c8-6b08-210191061101
Challenge 9 ( Nov 30 - Dec 7 ) Part 4
What is the name of the user and their unique identifier which you can attribute the creation of the file document to?
Format: #### (Name)
From the previous screenshot of the MFT entry, the file is found in Warren's AppData folder. Using Volatility's getsids plugin on the Microsoft Word process, we can get his RID.
Answer: 1000 (Warren)
Challenge 9 ( Nov 30 - Dec 7 ) Part 5
What is the version of software used to create the file containing the password?
Format ## (Whole version number, don't worry about decimals)
For this question, I dumped the binary for the WINWORD.EXE process via the procdump plugin and checked the executable's version information using exiftool.
Answer: 15
Challenge 9 ( Nov 30 - Dec 7 ) Part 6
What is the virtual memory address offset where the password string is located in the memory image?
Format: 0x########
Referencing this post from Context Information Security, I decided to use Volatility's strings plugin, which maps physical offsets to virtual addresses. Note that the strings plugin requires the physical offsets to be in decimal. (I submitted a wrong answer on the first try as I had the offsets in octal.)
Using the strings command with the --radix=d option to ensure the output was in decimal, I grepped for the password to find its physical offset in the image. That offset was then fed to Volatility's strings plugin to determine its virtual address.
Answer: 0x02180a2d
Challenge 9 ( Nov 30 - Dec 7 ) Part 7
What is the physical memory address offset where the password string is located in the memory image?
Format: 0x#######
It turns out I already had the answer from the steps in part 6; it just was not in the required format. A simple bash printf converted the decimal offset to hexadecimal.
Answer: 0x0af12a2d
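The offset work in parts 6 and 7 (find the string's physical offset in decimal for Volatility's strings plugin, then render it as zero-padded hex) as an added Python example, not code from the original writeup. It assumes a raw image file on disk, reads it in chunks so a multi-GB image is never loaded whole, and the sample image bytes in demo() are constructed.

```python
"""Locate an ASCII string's physical offsets in a raw memory image, emit them as
decimal "offset:string" lines (the format Volatility 2's strings plugin reads
via -s), and render an offset as the 0x######## hex the challenge expects."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads so a multi-GB image is never loaded whole


def find_offsets(path, needle, chunk_size=CHUNK):
    """Return every physical (file) offset of `needle` in the image at `path`."""
    if not needle:
        raise ValueError("needle must be non-empty")
    hits, keep = [], len(needle) - 1   # keep: bytes carried over across reads
    tail, base = b"", 0                # base: file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk         # a match may straddle two reads
            pos = buf.find(needle)
            while pos != -1:
                hits.append(base + pos)
                pos = buf.find(needle, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits


def strings_plugin_lines(path, needle, chunk_size=CHUNK):
    """Lines for `vol.py ... strings -s FILE`: decimal offset, colon, string."""
    text = needle.decode("ascii")
    return ["%d:%s" % (off, text) for off in find_offsets(path, needle, chunk_size)]


def to_challenge_format(offset):
    """Zero-padded 8-digit hex, the same as bash printf '0x%08x'."""
    return "0x%08x" % offset


def demo(chunk_size=CHUNK):
    # Constructed image: padding, a decoy hit for plain "password", then the
    # password itself at offset 4096 + 19 + 1000 = 5115.
    password = b"wow_this_is_an_uncrackable_password"
    image = b"\x00" * 4096 + b"password hint: none" + b"\xff" * 1000 + password + b"\x00" * 64
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
        path = tmp.name
    try:
        return strings_plugin_lines(path, password, chunk_size)
    finally:
        os.unlink(path)
```

Feed the emitted lines to Volatility 2's strings plugin with -s to get the matching virtual addresses, and pass the decimal offset to to_challenge_format() for the part 7 answer.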