W1n_W0n
Category: Miscellaneous
100 points
My friend hid something on my system. I want to know what it is, but I'm bad at analysing. Can you do it for me?
Win_W0n
Author: OrkinKing
Solution
The given file is a Windows memory dump.
I used Volatility 2 to get the flag in the steps below, starting with a listing of process command lines.
python ~/git/volatility/vol.py --profile=Win7SP1x64_23418 -f Challenge.raw cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 292
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 388
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid: 432
Command line : wininit.exe
************************************************************************
csrss.exe pid: 448
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
services.exe pid: 496
Command line : C:\Windows\system32\services.exe
************************************************************************
winlogon.exe pid: 528
Command line : winlogon.exe
************************************************************************
lsass.exe pid: 544
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid: 556
Command line : C:\Windows\system32\lsm.exe
************************************************************************
svchost.exe pid: 668
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid: 748
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid: 840
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid: 880
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid: 912
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
audiodg.exe pid: 992
Command line : C:\Windows\system32\AUDIODG.EXE 0x2e4
************************************************************************
svchost.exe pid: 328
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid: 960
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
spoolsv.exe pid: 1132
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid: 1160
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
VGAuthService. pid: 1488
Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
************************************************************************
dwm.exe pid: 1496
Command line : "C:\Windows\system32\Dwm.exe"
************************************************************************
explorer.exe pid: 1524
Command line : C:\Windows\Explorer.EXE
************************************************************************
taskhost.exe pid: 1568
Command line : "taskhost.exe"
************************************************************************
vmtoolsd.exe pid: 1656
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
vm3dservice.ex pid: 1900
Command line : "C:\Windows\System32\vm3dservice.exe" -u
************************************************************************
vmtoolsd.exe pid: 1916
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
************************************************************************
dllhost.exe pid: 1356
Command line : C:\Windows\system32\dllhost.exe /Processid:{AA463B27-DFAF-404C-BC1E-4A5665D5E9EF}
************************************************************************
WmiPrvSE.exe pid: 1604
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
dllhost.exe pid: 1932
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
************************************************************************
msdtc.exe pid: 2204
Command line : C:\Windows\System32\msdtc.exe
************************************************************************
svchost.exe pid: 2376
Command line : C:\Windows\system32\svchost.exe -k bthsvcs
************************************************************************
VSSVC.exe pid: 2480
Command line : C:\Windows\system32\vssvc.exe
************************************************************************
SearchIndexer. pid: 2576
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
SearchFilterHo pid: 2692
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 536 540 548 65536 544
************************************************************************
SearchProtocol pid: 2728
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
************************************************************************
WmiPrvSE.exe pid: 1028
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
cmd.exe pid: 832
Command line : "C:\Windows\system32\cmd.exe"
************************************************************************
conhost.exe pid: 2300
Command line : \??\C:\Windows\system32\conhost.exe
************************************************************************
WmiApSrv.exe pid: 2324
Command line : C:\Windows\system32\wbem\WmiApSrv.exe
************************************************************************
MRCv120.exe pid: 2984
Command line : "C:\Users\anon\Desktop\MRCv120.exe"
************************************************************************
WinRAR.exe pid: 1640
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\anon\Documents\1mP.zip"
************************************************************************
dllhost.exe pid: 824
WinRAR caught my attention, especially the archive it had open. I wanted to check whether 1mP.zip was retrievable from the dump.
python ~/git/volatility/vol.py --profile=Win7SP1x64_23418 -f Challenge.raw filescan | grep 1mP.zip
Volatility Foundation Volatility Framework 2.6.1
0x0000000009793930 16 0 R--rwd \Device\HarddiskVolume2\Users\anon\Documents\1mP.zip
python ~/git/volatility/vol.py --profile=Win7SP1x64_23418 -f Challenge.raw dumpfiles -Q 0x0000000009793930 --dump-dir .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x09793930 None \Device\HarddiskVolume2\Users\anon\Documents\1mP.zip
The archive was password protected, but fortunately I found the password in the console command history of the cmd.exe process listed above.
python ~/git/volatility/vol.py --profile=Win7SP1x64_23418 -f Challenge.raw cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: conhost.exe Pid: 2300
CommandHistory: 0x298bd0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x10
Cmd #0 @ 0x2975a0: W1np@55
Cmd #15 @ 0x230158: )
Cmd #16 @ 0x297d30: )
Then I extracted the archive with that password and read the file containing the flag.
7z x file.None.0xfffffa80030291a0.dat
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=pl_PL.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (306C3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 4096 bytes (4 KiB)
Extracting archive: file.None.0xfffffa80030291a0.dat
WARNINGS:
There are data after the end of archive
--
Path = file.None.0xfffffa80030291a0.dat
Type = zip
WARNINGS:
There are data after the end of archive
Physical Size = 250
Tail Size = 3846
Enter password (will not be echoed):
Everything is Ok
Archives with Warnings: 1
Warnings: 1
Size: 28
Compressed: 4096
cat 5eCr3T.txt
wtfCTF{W1nd0w5_1s_f0r_N0085}
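As an added example (not part of the original writeup), the Python below shows why 7z warned about data after the end of the archive: dumpfiles returns whole memory pages, so the 4096-byte dump holds the 250-byte archive followed by padding, and the end-of-central-directory record gives the true size while flag bit 0 in the central directory reveals that entries are password protected before any extraction is attempted. The sample archive, its fake encryption flag and the padding are constructed in the code; only the file name and 28-byte payload are taken from the page.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central-directory file header
EOCD_LEN = 22              # fixed part of the EOCD, before the comment


def inspect_zip_dump(data: bytes) -> dict:
    """Find the real archive inside a page-aligned dump and summarise its entries.

    dumpfiles writes whole pages, so the archive is followed by unrelated bytes
    (7z's "data after the end of archive"); the EOCD tells us where it really ends.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, n_entries, _, cd_offset, comment_len = struct.unpack_from(
        "<4sHHHHIIH", data, eocd)
    physical_size = eocd + EOCD_LEN + comment_len
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central-directory header at {pos:#x}")
        (_, _, _, flags, _, _, _, _, csize, usize, nlen, elen, clen,
         _, _, _, _) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        entries.append({"name": name, "encrypted": bool(flags & 1),   # bit 0 = encrypted
                        "compressed_size": csize, "uncompressed_size": usize})
        pos += 46 + nlen + elen + clen
    return {"physical_size": physical_size,
            "tail_size": len(data) - physical_size, "entries": entries}


def build_sample_dump(content: bytes, page_size: int = 4096) -> bytes:
    """Constructed sample (not from the challenge): a one-file zip whose
    'encrypted' flag bit is set without real encryption, zero-padded to one
    4 KiB page the way a dumpfiles DataSectionObject dump comes out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("5eCr3T.txt", content)
    raw = bytearray(buf.getvalue())
    cd_off = struct.unpack_from("<I", raw, raw.rfind(EOCD_SIG) + 16)[0]
    raw[6] |= 1            # local file header: general-purpose flags at +6
    raw[cd_off + 8] |= 1   # central-directory header: flags at +8
    return bytes(raw).ljust(page_size, b"\0")


if __name__ == "__main__":
    dump = build_sample_dump(b"wtfCTF{W1nd0w5_1s_f0r_N0085}")  # 28 bytes, as on the page
    print(inspect_zip_dump(dump))
```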
Flag
wtfCTF{W1nd0w5_1s_f0r_N0085}