11 Dec 2011

PHD CTF Quals 2011 – Forensics #1

The zip file found on the Monolith server (seemingly) contains a VMware image of Ubuntu Server 10.10.

Archive:  jhc_rc2.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1298  2011-05-06 13:40   jhc_rc2/readme
1834352640  2011-05-06 17:10   jhc_rc2/Ubuntu 10.10 Server i386.vmdk
536870912  2011-04-25 12:40   jhc_rc2/Ubuntu 10.10 Server i386.vmem
     2496  2011-05-06 17:10   jhc_rc2/Ubuntu 10.10 Server i386.vmx


In the readme we find some helpful pointers:

host is compromised
core binaries were patched by malware

challenge info: four keys in archive

This post describes finding one of the four keys.

We examine Ubuntu 10.10 Server i386.vmem using strings, which surprisingly returns many Windows(?!) references.

Using the awesome Volatility framework, we further analyze the memory dump:

$ volatility pslist -f Ubuntu\ 10.10\ Server\ i386.vmem 
Name                 Pid    PPid   Thds   Hnds   Time  
System               4      0      57     249    Thu Jan 01 00:00:00 1970  
smss.exe             548    4      3      19     Thu Apr 21 08:55:17 2011  
csrss.exe            612    548    10     350    Thu Apr 21 08:55:19 2011  
winlogon.exe         636    548    23     520    Thu Apr 21 08:55:19 2011  
services.exe         680    636    16     255    Thu Apr 21 08:55:19 2011  
lsass.exe            692    636    22     329    Thu Apr 21 08:55:19 2011  
vmacthlp.exe         848    680    1      25     Thu Apr 21 08:55:19 2011  
svchost.exe          860    680    19     196    Thu Apr 21 08:55:20 2011  
svchost.exe          932    680    10     231    Thu Apr 21 08:55:20 2011  
svchost.exe          1024   680    63     1151   Thu Apr 21 08:55:20 2011  
svchost.exe          1072   680    6      75     Thu Apr 21 08:55:20 2011  
svchost.exe          1132   680    15     196    Thu Apr 21 08:55:22 2011  
spoolsv.exe          1384   680    15     126    Thu Apr 21 08:55:23 2011  
explorer.exe         1604   1560   12     307    Thu Apr 21 08:55:24 2011  
VMwareTray.exe       1748   1604   1      50     Thu Apr 21 08:55:25 2011  
VMwareUser.exe       1756   1604   4      108    Thu Apr 21 08:55:25 2011  
vmtoolsd.exe         2032   680    6      219    Thu Apr 21 08:55:41 2011  
VMUpgradeHelper      328    680    6      100    Thu Apr 21 08:55:49 2011  
wscntfy.exe          1180   1024   1      28     Thu Apr 21 08:55:50 2011  
alg.exe              1532   680    6      101    Thu Apr 21 08:55:52 2011  
wuauclt.exe          888    1024   7      171    Thu Apr 21 08:56:34 2011  
WinRAR.exe           2000   1604   3      82     Thu Apr 21 09:00:03 2011  

Aha, it does indeed look like a Windows guest running in VMware. Nothing out of the ordinary, except for the WinRAR process.
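The judgement "nothing out of the ordinary" can be made repeatable. The script below is an added example, not Volatility's code and not something the post ran: it parses a pslist table like the one above into a process tree, checks the core Windows XP processes against their expected parents, notes processes whose parent has already exited, and lists everything spawned by explorer.exe (i.e. launched by the logged-on user) with its start offset from boot. The listing is the post's own output; the expected-parent table is the standard XP boot lineage and is an assumption of this example.

```python
"""Triage a Volatility pslist listing: rebuild the process tree, check the
core Windows XP processes against their expected parents, and list what the
logged-on user launched from the shell. Added example for this writeup, not
Volatility code. The sample input is the post's own listing."""
import re
from datetime import datetime

PSLIST_TEXT = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      57     249    Thu Jan 01 00:00:00 1970
smss.exe             548    4      3      19     Thu Apr 21 08:55:17 2011
csrss.exe            612    548    10     350    Thu Apr 21 08:55:19 2011
winlogon.exe         636    548    23     520    Thu Apr 21 08:55:19 2011
services.exe         680    636    16     255    Thu Apr 21 08:55:19 2011
lsass.exe            692    636    22     329    Thu Apr 21 08:55:19 2011
vmacthlp.exe         848    680    1      25     Thu Apr 21 08:55:19 2011
svchost.exe          860    680    19     196    Thu Apr 21 08:55:20 2011
svchost.exe          932    680    10     231    Thu Apr 21 08:55:20 2011
svchost.exe          1024   680    63     1151   Thu Apr 21 08:55:20 2011
svchost.exe          1072   680    6      75     Thu Apr 21 08:55:20 2011
svchost.exe          1132   680    15     196    Thu Apr 21 08:55:22 2011
spoolsv.exe          1384   680    15     126    Thu Apr 21 08:55:23 2011
explorer.exe         1604   1560   12     307    Thu Apr 21 08:55:24 2011
VMwareTray.exe       1748   1604   1      50     Thu Apr 21 08:55:25 2011
VMwareUser.exe       1756   1604   4      108    Thu Apr 21 08:55:25 2011
vmtoolsd.exe         2032   680    6      219    Thu Apr 21 08:55:41 2011
VMUpgradeHelper      328    680    6      100    Thu Apr 21 08:55:49 2011
wscntfy.exe          1180   1024   1      28     Thu Apr 21 08:55:50 2011
alg.exe              1532   680    6      101    Thu Apr 21 08:55:52 2011
wuauclt.exe          888    1024   7      171    Thu Apr 21 08:56:34 2011
WinRAR.exe           2000   1604   3      82     Thu Apr 21 09:00:03 2011
"""

# Expected parent of each core XP process (assumed baseline: XP boot lineage).
EXPECTED_PARENT = {
    "smss.exe": "System", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe", "spoolsv.exe": "services.exe",
    "alg.exe": "services.exe",
}
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_pslist(text):
    """Turn the text table into dicts; the header row does not match ROW_RE."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, pid, ppid, thds, hnds, when = m.groups()
        procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                      "threads": int(thds), "handles": int(hnds),
                      "time": datetime.strptime(when, "%a %b %d %H:%M:%S %Y")})
    return procs


def triage(text):
    """Return findings as (kind, name, pid, detail) tuples."""
    procs = parse_pslist(text)
    by_pid = {p["pid"]: p for p in procs}
    # 'System' reports the epoch, so take the first real start as boot time
    boot = min(p["time"] for p in procs if p["time"].year > 1970)
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        pname = parent["name"] if parent else None
        want = EXPECTED_PARENT.get(p["name"])
        if want and pname != want:
            findings.append(("unexpected-parent", p["name"], p["pid"],
                             "parent is %s, expected %s" % (pname or "<gone>", want)))
        elif parent is None and p["pid"] != 4:
            # on XP explorer.exe is normally orphaned: userinit.exe starts it and exits
            findings.append(("parent-exited", p["name"], p["pid"], "ppid %d" % p["ppid"]))
        elif pname == "explorer.exe":
            secs = (p["time"] - boot).total_seconds()
            findings.append(("user-launched", p["name"], p["pid"], "%d s after boot" % secs))
    return findings


if __name__ == "__main__":
    for kind, name, pid, detail in triage(PSLIST_TEXT):
        print("%-17s %-16s %5d  %s" % (kind, name, pid, detail))
```

On the post's listing every core process has the parent it should, explorer.exe is reported as orphaned (normal on XP), and the three user-launched processes are the two VMware tray tools and, almost five minutes after boot, WinRAR.exe, which is exactly the process the post singles out.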

Let’s see what it was up to…

$ volatility files -p 2000 -f *.vmem
Pid: 2000  
File   \Documents and Settings\user\Desktop\madness.rar
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File   \Documents and Settings\user\Desktop\madness
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83

madness.rar? Sounds interesting. Let’s attempt to grab it using Foremost.

$ foremost Ubuntu\ 10.10\ Server\ i386.vmem 
Processing: Ubuntu 10.10 Server i386.vmem
|******|
$ ls -l output/rar/
-rw-r--r-- 1 eindbaas eindbaas   128 Dec 11 16:01 00063776.rar
-rw-r--r-- 1 eindbaas eindbaas    32 Dec 11 16:01 00423200.rar
-rw-r--r-- 1 eindbaas eindbaas   128 Dec 11 16:01 00477332.rar
-rw-r--r-- 1 eindbaas eindbaas 45985 Dec 11 16:01 00527379.rar
-rw-r--r-- 1 eindbaas eindbaas   128 Dec 11 16:02 00986896.rar
-rw-r--r-- 1 eindbaas eindbaas   128 Dec 11 16:02 00991728.rar

Foremost has managed to extract multiple RAR archives (mostly duplicates) – one sticks out:

$ unrar vt output/rar/00477332.rar
Archive output/rar/00477332.rar

Pathname/Comment
                  Size   Packed Ratio  Date   Time     Attr      CRC   Meth Ver
-------------------------------------------------------------------------------
*blueprint.txt
                    32       48 150% 21-04-11 01:45  .....A.   994751E5 m3b 2.9
-------------------------------------------------------------------------------
    1               32       48 150%
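The carving foremost performed and the header fields unrar vt printed can both be reproduced from the RAR 2.9 (RAR4) block format. The script below is an added example and is not part of Foremost, unrar, Volatility or the original post: it scans a buffer for the Rar!\x1a\x07\x00 marker, walks the block chain, verifies each HEAD_CRC and reports the file headers together with the FHD_PASSWORD flag that unrar shows as the asterisk. The "memory image" it runs on is constructed inline and modelled on the listing above; its second marker hit is deliberately truncated junk, which the CRC check stops on just as it would for an overwritten archive in a real dump.

```python
"""Carve RAR 2.9 (RAR4) archives out of a raw buffer and list each file
header, including the FHD_PASSWORD flag that 'unrar vt' shows as '*'.
Added example for this writeup; not Foremost's, unrar's or Volatility's code."""
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"      # signature block of RAR 1.5 - 4.x
BLOCK_MAIN, BLOCK_FILE, BLOCK_END = 0x73, 0x74, 0x7B
FLAG_LONG_BLOCK = 0x8000               # an ADD_SIZE field follows HEAD_SIZE
FHD_PASSWORD, FHD_LARGE, FHD_SALT = 0x04, 0x100, 0x400


def dos_datetime(value):
    """Decode the packed DOS date/time of a RAR file header to ISO text."""
    d, t = value >> 16, value & 0xFFFF
    return "%04d-%02d-%02d %02d:%02d" % (((d >> 9) & 0x7F) + 1980, (d >> 5) & 0xF,
                                         d & 0x1F, t >> 11, (t >> 5) & 0x3F)


def parse_rar(buf, start):
    """Walk the block chain after the marker at `start`; return file entries.
    Stops at the end block or at the first header whose CRC fails: archives
    carved from memory are frequently truncated or partly overwritten."""
    entries, pos = [], start + len(RAR_MARKER)
    while pos + 7 <= len(buf):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", buf, pos)
        if head_size < 7 or pos + head_size > len(buf):
            break
        # HEAD_CRC is the low 16 bits of CRC32 over the header after the CRC field
        if zlib.crc32(buf[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            break
        data_size = 0
        if flags & FLAG_LONG_BLOCK:       # size of the data following this header
            data_size = struct.unpack_from("<I", buf, pos + 7)[0]
        if head_type == BLOCK_FILE and head_size >= 32:
            (pack_size, unp_size, _host_os, file_crc, ftime, unp_ver, method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", buf, pos + 7)
            name_off = pos + 7 + 25
            if flags & FHD_LARGE:         # 64-bit sizes: the high words follow
                high_pack, high_unp = struct.unpack_from("<II", buf, name_off)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                name_off += 8
            data_size = pack_size
            # with FHD_UNICODE a NUL-terminated ASCII name precedes the Unicode one
            raw_name = buf[name_off:name_off + name_size].split(b"\x00")[0]
            entries.append({
                "name": raw_name.decode("latin-1"),
                "encrypted": bool(flags & FHD_PASSWORD),
                "salted": bool(flags & FHD_SALT),
                "pack_size": pack_size, "unp_size": unp_size,
                "crc": "%08X" % file_crc, "mtime": dos_datetime(ftime),
                "method": "m%d" % (method - 0x30),
                "version": "%d.%d" % divmod(unp_ver, 10),
            })
        pos += head_size + data_size
        if head_type == BLOCK_END:
            break
    return entries


def carve_rar(buf):
    """Return [(offset, entries)] for every RAR marker in the buffer."""
    found, pos = [], buf.find(RAR_MARKER)
    while pos != -1:
        found.append((pos, parse_rar(buf, pos)))
        pos = buf.find(RAR_MARKER, pos + 1)
    return found


# ---- constructed sample "memory image" (not data from the challenge) -------
def _block(head_type, flags, body):
    """Assemble one RAR block with a valid HEAD_CRC (sample builder only)."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def _sample_archive():
    """One encrypted, salted entry with the sizes/CRC/date of the listing."""
    name = b"blueprint.txt"
    ftime = (((2011 - 1980) << 9) | (4 << 5) | 21) << 16 | (1 << 11) | (45 << 5)
    file_hdr = (struct.pack("<IIBIIBBHI", 48, 32, 2, 0x994751E5, ftime, 29, 0x33,
                            len(name), 0x20) + name + b"\x11" * 8)   # 8-byte salt
    return (RAR_MARKER + _block(BLOCK_MAIN, 0, b"\x00" * 6)
            + _block(BLOCK_FILE, FLAG_LONG_BLOCK | FHD_PASSWORD | FHD_SALT, file_hdr)
            + b"\xa5" * 48                                        # packed bytes
            + _block(BLOCK_END, 0x4000, b""))


SAMPLE_IMAGE = (b"\x00" * 256 + _sample_archive() + b"\xff" * 64
                + RAR_MARKER + b"\x00" * 16)   # second hit: truncated junk

if __name__ == "__main__":
    for offset, entries in carve_rar(SAMPLE_IMAGE):
        print("RAR marker at offset %d: %d file header(s)" % (offset, len(entries)))
        for e in entries:
            print("  %s%-16s %5d %5d  %s  %s  %s %s" % (
                "*" if e["encrypted"] else " ", e["name"], e["unp_size"],
                e["pack_size"], e["mtime"], e["crc"], e["method"], e["version"]))
```

Carving on the marker alone, as foremost does, produces every copy of an archive that was ever in memory; checking the header CRCs is what separates intact copies (the one worth attacking) from the stale fragments that show up as the 128- and 32-byte files in the output directory.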

The asterisk in front of the filename denotes that the file is encrypted. Instead of going the brute-force/dictionary attack route, recall that we found a running WinRAR process in the memory dump. Could this archive be madness.rar? And if so, would the WinRAR process happen to have the password in its memory? Let’s find out…

$ volatility procdump -f *.vmem -p 2000
************************************************************************
Dumping WinRAR.exe, pid: 2000   output: executable.2000.exe

We run the output file through strings and keep an eye out for anything resembling a password:

C:\Documents and Settings\user\Desktop\madness.rar
TRUST_ATTRIBUTE_UPLEVEL_AWESOMENESS

$ unrar x -pTRUST_ATTRIBUTE_UPLEVEL_AWESOMENESS output/rar/00477332.rar

Extracting from output/rar/00477332.rar

Extracting  blueprint.txt                                             OK 
All OK

$ cat blueprint.txt 
476c8d8d91958dc3d8e465fb5413f8f1

Awesomeness++
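The last step, running strings over the process dump and reading around the archive path, can be made systematic. The script below is an added example, not GNU strings, Volatility or the author's tooling: it extracts both ASCII and UTF-16LE strings with their offsets (Win32 edit controls and file dialogs hold the user's text in UTF-16LE, which plain strings skips unless you pass -el) and, for each occurrence of a chosen artefact, lists the other strings that start within a byte window of it. The process image is constructed inline, with the post's path and password placed in it as sample data.

```python
"""Extract ASCII and UTF-16LE strings from a process dump and report the ones
stored near a known artefact. Added example for this writeup; it is not
GNU strings, Volatility or the author's tooling."""
import re


def extract_strings(buf, min_len=6):
    """Return [(offset, encoding, text)] for every printable run of at least
    min_len characters, in both encodings, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: a printable byte followed by a NUL, repeated; this is how Win32
    # GUI code (edit controls, file dialogs) keeps the text the user typed
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(buf)]
    return sorted(found)


def strings_near(buf, needle, window=512, min_len=6):
    """For each string containing `needle`, list the other strings that start
    within `window` bytes of it: [(offset, encoding, [(off, enc, text), ...])]."""
    strs = extract_strings(buf, min_len)
    hits = []
    for off, enc, text in strs:
        if needle in text:
            near = [s for s in strs if s[0] != off and abs(s[0] - off) <= window]
            hits.append((off, enc, near))
    return hits


# ---- constructed process image (sample data, not the challenge dump) -------
PATH = r"C:\Documents and Settings\user\Desktop\madness.rar"
PASSWORD = "TRUST_ATTRIBUTE_UPLEVEL_AWESOMENESS"   # the post's password, reused here
SAMPLE_DUMP = (b"MZ" + b"\x90" * 300 + b"KERNEL32.dll\x00GetProcAddress\x00"
               + b"\x00" * 2000
               + PATH.encode("utf-16le") + b"\x00\x00"       # file-dialog text
               + b"\x07" * 40
               + PASSWORD.encode("utf-16le") + b"\x00\x00"   # password-prompt text
               + b"\x00" * 3000
               + PATH.encode("ascii") + b"\x00"              # ANSI copy of the path
               + b"\xcc" * 600 + b"unrelated heap string\x00")

if __name__ == "__main__":
    for off, enc, near in strings_near(SAMPLE_DUMP, "madness.rar"):
        print("%#x (%s) contains madness.rar; strings within 512 bytes:" % (off, enc))
        for o, e, t in near:
            print("    %#x %-8s %s" % (o, e, t))
```

The window is a lead, not proof: neighbouring heap allocations are often unrelated, so whatever surfaces is a candidate to test (as the post did with unrar -p), not a result. Running the same search on a real procdump output with the ASCII-only default would miss the UTF-16LE copies entirely, which is the reason to extract both encodings.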

3 Responses to “PHD CTF Quals 2011 – Forensics #1”

  1. Hey would it be possible to send me your irc channel/server?
    I’m impressed by your team’s skills.
    I would like to meet/talk with the team.

    Nurfed
  2. Which version of volatility are you using? 2.1 which I downloaded gets nothing from pslist.
    If you have 1.4, any chance you could tar.gz and upload it anywhere?

    Jack Aston
  3. I’ve learned a lot from your writeups ^_^
    Thank you for sharing :))

    sp4nky