HeroCTF v3 2021: We need you 1/5

We need you 1/5

Category: Forensics


50 points

Interpol and the FBI have been investigating for over a year now. They are trying to get their hands on two hackers very well known for their ransomware and their ultra efficient botnet.

After long months of investigation, they managed to get their hands on one of their servers. But, when they got it back the PC caught fire because of a defense mechanism set up by the two hackers.

The hard drive could not be saved, but they had time to put the RAM in liquid nitrogen and analyze it later.

You know what you have to do!

For this first step, find the name of the PC!

Download, here.

Author: Worty
Format: Hero{Name}

File: capture.mem

Solution

This challenge is the first in the chain of forensics challenges. It was also the first time I used Volatility 3 (before that I had only used Volatility 2). The given file is a Windows memory dump to analyze.

~/git/volatility3/vol.py -f capture.mem windows.info
Volatility 3 Framework 1.0.1
Progress:  100.00		PDB scanning finished                     
Variable	Value

Kernel Base	0x82656000
DTB	0x185000
Symbols	file:///home/luc/git/volatility3/volatility3/symbols/windows/ntkrpamp.pdb/684DA42A30CC450F81C535B4D18944B1-2.json.xz
Is64Bit	False
IsPAE	True
primary	0 WindowsIntelPAE
memory_layer	1 FileLayer
KdDebuggerDataBlock	0x82780c28
NTBuildLab	7601.17514.x86fre.win7sp1_rtm.10
CSDVersion	1
KdVersionBlock	0x82780c00
Major/Minor	15.7601
MachineType	332
KeNumberProcessors	1
SystemTime	2021-04-19 17:30:00
NtSystemRoot	C:\Windows
NtProductType	NtProductWinNt
NtMajorVersion	6
NtMinorVersion	1
PE MajorOperatingSystemVersion	6
PE MinorOperatingSystemVersion	1
PE Machine	332
PE TimeDateStamp	Sat Nov 20 08:42:49 2010

The goal is to retrieve the computer name. That seems easy enough, so let's try the environment variables of the running processes, which Windows stores per process as NAME=VALUE strings:

~/git/volatility3/vol.py -f capture.mem envars | grep COMPUTERNAME
408	wininit.exe	0x270d80	COMPUTERNAME	KANNIBAL
472	winlogon.exe	0x70d80	COMPUTERNAME	KANNIBAL
492	services.exe	0x2b0f58	COMPUTERNAME	KANNIBAL
500	lsass.exe	0x100f58	COMPUTERNAME	KANNIBAL
508	lsm.exe	0x80f58	COMPUTERNAME	KANNIBAL
628	svchost.exe	0x291090	COMPUTERNAME	KANNIBAL
692	VBoxService.ex	0x271098	COMPUTERNAME	KANNIBAL
748	svchost.exe	0x301118	COMPUTERNAME	KANNIBAL
800	svchost.exe	0x1b1118	COMPUTERNAME	KANNIBAL
932	svchost.exe	0x371090	COMPUTERNAME	KANNIBAL
976	svchost.exe	0xd1090	COMPUTERNAME	KANNIBAL
1092	svchost.exe	0x161118	COMPUTERNAME	KANNIBAL
1188	svchost.exe	0x321118	COMPUTERNAME	KANNIBAL
1320	spoolsv.exe	0x91090	COMPUTERNAME	KANNIBAL
1356	svchost.exe	0x1b1118	COMPUTERNAME	KANNIBAL
1456	svchost.exe	0x3b1118	COMPUTERNAME	KANNIBAL
1956	taskhost.exe	0x1b10a8	COMPUTERNAME	KANNIBAL
2000	dwm.exe	0x3310a8	COMPUTERNAME	KANNIBAL
2012	explorer.exe	0x6910d0	COMPUTERNAME	KANNIBAL
308	VBoxTray.exe	0x4310e8	COMPUTERNAME	KANNIBAL
1244	SearchIndexer.	0x321090	COMPUTERNAME	KANNIBAL
1280	cmd.exe	0x3c10e0	COMPUTERNAME	KANNIBAL
2208	WmiPrvSE.exe	0x271090	COMPUTERNAME	KANNIBAL
2528	sppsvc.exe	0x321118	COMPUTERNAME	KANNIBAL
2572	svchost.exe	0x2c1090	COMPUTERNAME	KANNIBAL
3296	nc.exe	0x5b1168	COMPUTERNAME	KANNIBAL
3404	iexplore.exe	0x491128	COMPUTERNAME	KANNIBAL
3504	iexplore.exe	0x211128	COMPUTERNAME	KANNIBAL
2272	svchost.exe	0x341090	COMPUTERNAME	KANNIBAL
1716	notepad.exe	0x1110e0	COMPUTERNAME	KANNIBAL
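Every process agrees on the value, which is the expected picture when the hostname comes from the machine's own environment blocks. As an added cross-check that is not part of the original writeup and does not use Volatility, the script below carves the same information straight out of the raw image: Windows keeps environment strings as UTF-16LE, and a NetBIOS computer name is at most 15 printable characters, so a profile-free byte scan for the encoded `COMPUTERNAME=` prefix works even on a dump whose symbols Volatility cannot resolve. The function names and the constructed SAMPLE bytes (standing in for capture.mem) are assumptions of this example.

```python
import io
import re
from collections import Counter

# A process environment block stores "NAME=VALUE" strings as UTF-16LE, so the
# hostname can be carved from the raw image with no profile or symbols at all.
# NetBIOS computer names are at most 15 printable characters and NUL-terminated.
NEEDLE = "COMPUTERNAME=".encode("utf-16-le")
PATTERN = re.compile(re.escape(NEEDLE) + rb"((?:[\x20-\x7e]\x00){1,15})\x00\x00")
MAX_MATCH = len(NEEDLE) + 2 * 15 + 2   # longest byte sequence PATTERN can match

def carve_computer_names(data: bytes) -> Counter:
    """Count every UTF-16LE COMPUTERNAME=<value> string in an in-memory buffer."""
    return Counter(m.group(1).decode("utf-16-le") for m in PATTERN.finditer(data))

def carve_stream(fh, chunk: int = 64 << 20) -> Counter:
    """Scan a large image chunk by chunk, keeping MAX_MATCH bytes of overlap so a
    string that straddles a chunk boundary is still seen; hits are keyed by their
    absolute offset so the overlapped region is never counted twice."""
    seen = {}
    tail, base = b"", 0
    while buf := fh.read(chunk):
        block = tail + buf
        for m in PATTERN.finditer(block):
            seen[base + m.start()] = m.group(1).decode("utf-16-le")
        keep = min(MAX_MATCH, len(block))
        base += len(block) - keep
        tail = block[-keep:]
    return Counter(seen.values())

def carve_file(path: str, chunk: int = 64 << 20) -> Counter:
    """Convenience wrapper: carve_file("capture.mem") on the real dump."""
    with open(path, "rb") as fh:
        return carve_stream(fh, chunk)

# Constructed sample (not real dump content): two UTF-16LE environment blocks,
# plus an ASCII copy of the string that a UTF-16LE scan must ignore.
SAMPLE = (
    b"\x00" * 16
    + "USERNAME=worty\x00COMPUTERNAME=KANNIBAL\x00ComSpec=C:\\Windows\\system32\\cmd.exe\x00".encode("utf-16-le")
    + b"COMPUTERNAME=KANNIBAL\x00" + b"\xff" * 8
    + "COMPUTERNAME=KANNIBAL\x00".encode("utf-16-le")
)

if __name__ == "__main__":
    # A deliberately tiny chunk size exercises the overlap handling on the sample.
    for name, hits in carve_stream(io.BytesIO(SAMPLE), chunk=7).most_common():
        print(f"{name}\t{hits} hits")   # prints "KANNIBAL	2 hits"
```

If the carved names disagree with the envars output (several distinct values, or hits only in freed memory), that is the signal to look at which process or file cache each string belongs to before trusting it.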

Flag

Hero{KANNIBAL}

luc © 2021