Cyberdefenders writeup DumpMe

blackninja23
7 min read · Sep 21, 2021

Scenario

After doing a walkthrough of Volatility 2 in my first article, it is my pleasure to do this CTF from CyberDefenders. You can check my first article at https://blackninja23.medium.com/?p=e0a86ef56bf6

You can find this lab at https://cyberdefenders.org/labs/65

First download the challenge and start practising. After downloading it, you will need to unzip it with the password given in the description.

Start with the challenge questions

First challenge question: What is the SHA1 hash of triage.mem (memory dump)? So we need to compute the hash of the memory dump file.

Now we have the answer

Second challenge: What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393). Now we need to start by understanding which profile we are dealing with. There is a plugin called imageinfo for this.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem imageinfo

Our profile is Win7SP1x64 (the most suggested profile)

Third challenge: What was the process ID of notepad.exe? Here we can use the plugin called pslist to list the processes that were running at the time of the memory dump.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pslist

Result:

The parent process ID of notepad is 1432 and the process ID of notepad is 3032.

Then the answer is 3032.

Fourth challenge: Name the child process of wscript.exe. This challenge needs us to understand more about the process called wscript.exe: not just its process ID, but also which other processes wscript.exe started once it was running on Windows 7. You can use the same plugin as in the third challenge, but we can do better by using pstree, as it shows this clearly.

Command: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree

How do you define a child process? You can tell by the dots. A process with one dot stands on its own, meaning it is not a child process. One with two dots is a child of the process with one dot above it, and one with three dots is a child of the process with two dots. I think you now have an idea of how pstree does its thing.

You can see that wscript.exe is itself a child process of hfs.exe, which is not easy to see with pslist, especially when there are a lot of processes. Then wscript.exe started another process, UWkpjFjDzM.exe, which in turn started a cmd process, which is very dangerous.

Then our answer is UWkpjFjDzM.exe.
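The dots pstree prints are derived from the PID and PPID columns that pslist already shows. As an added example (not code from this write-up or from Volatility), the script below rebuilds that tree from pslist-style text, so the depth of any process and the children of wscript.exe can be computed directly. The sample output is constructed: the chain hfs.exe → wscript.exe → UWkpjFjDzM.exe (PID 3496) → cmd.exe and notepad.exe (PID 3032, parent 1432) follow the write-up, while the offsets, the remaining PIDs and the other columns are made up.

```python
"""Rebuild the parent/child process tree from Volatility 2 pslist output.

Added example (not code from the write-up or from Volatility): pslist gives
a flat list with PID and PPID columns; pstree derives its dotted nesting from
those links. Doing the same here shows where the dots come from and lets us
ask directly "which processes did wscript.exe start?".
"""
import re
from collections import defaultdict

# Constructed sample in the shape of pslist output. notepad.exe (PID 3032,
# parent 1432) and hfs.exe -> wscript.exe -> UWkpjFjDzM.exe (PID 3496) ->
# cmd.exe follow the write-up; offsets, the other PIDs, thread/handle counts
# and timestamps are made up for this example.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     81      513 ------      0 2019-03-22 05:31:06 UTC+0000
0xfffffa8001a1b060 explorer.exe           1432   1400     30      780      1      0 2019-03-22 05:32:10 UTC+0000
0xfffffa8001b2c070 hfs.exe                3868   1432      5      190      1      1 2019-03-22 05:33:01 UTC+0000
0xfffffa8001c3d080 wscript.exe            5116   3868      8      260      1      1 2019-03-22 05:33:20 UTC+0000
0xfffffa8001d4e090 UWkpjFjDzM.exe         3496   5116      3      120      1      1 2019-03-22 05:33:21 UTC+0000
0xfffffa8001e5f0a0 cmd.exe                3428   3496      1       30      1      1 2019-03-22 05:33:25 UTC+0000
0xfffffa8001f600b0 notepad.exe            3032   1432      2       60      1      0 2019-03-22 05:34:00 UTC+0000
"""

# Data rows start with the virtual offset; header and separator lines do not.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s")


def parse_pslist(text):
    """Map PID -> (name, PPID), ignoring header/separator lines."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _offset, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid))
    return procs


def pids_of(procs, name):
    """All PIDs carrying a given image name (names are not unique)."""
    return sorted(pid for pid, (n, _) in procs.items() if n == name)


def children_of(procs, name):
    """Image names of the direct children of every process called `name`."""
    parents = set(pids_of(procs, name))
    return sorted(n for n, ppid in procs.values() if ppid in parents)


def depth(procs, pid):
    """Number of ancestors still present in the dump. A parent that has
    exited (PPID not in the list) ends the walk, so such a process shows up
    as a root even though something else started it."""
    level, seen = 0, set()
    while pid in procs and procs[pid][1] in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid][1]
        level += 1
    return level


def render_tree(procs):
    """pstree-style lines: one leading dot per level, children under parents."""
    kids, roots = defaultdict(list), []
    for pid, (_name, ppid) in sorted(procs.items()):
        (kids[ppid] if ppid in procs else roots).append(pid)
    lines = []

    def walk(pid, level):
        name, _ = procs[pid]
        lines.append(f"{'.' * level} {name} (pid {pid})".strip())
        for child in kids[pid]:
            walk(child, level + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    print("children of wscript.exe:", children_of(procs, "wscript.exe"))
```

Note the caveat in depth(): a process whose parent has already exited appears as a root, so a suspicious child can look like a top-level process in pstree when its launcher is gone. In that case pslist's Exit column and the PPID value are what tell you who started it.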

Fifth challenge: What was the IP address of the machine at the time the RAM dump was created?

You can try to use connscan, connections, sockscan or sockets, but they are not supported for this kind of profile. You can read more about that in the first article, but here we can use netscan, as it works, and focus on the applications that have established network connections to the outside.

The first established connection in the output belongs to UWkpjFjDzM.exe, and this gives the impression, or rather the confirmation, that this process is the suspicious one.

The answer is 10.0.0.101.

Sixth challenge: Based on the answer regarding the infected PID, can you determine the IP of the attacker? Now that we know our suspicious process from the fifth challenge, and from the same screenshot, we can see that the remote IP address is 10.0.0.106.

The answer is 10.0.0.106.
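Questions five and six both come down to filtering netscan output for ESTABLISHED connections and reading the local side (the machine's own address) and the foreign side (the peer of the owning process). As an added example, not from the write-up or from Volatility, this parser does that filtering over constructed netscan-style rows: the addresses 10.0.0.101 and 10.0.0.106 and the owner UWkpjFjDzM.exe (PID 3496) come from the write-up; the offsets, ports, the other rows and the timestamp are made up (198.51.100.20 is from a documentation address range).

```python
"""Pick the host's own IP and a process's remote peers out of Volatility 2
netscan output.

Added example (not from the write-up or Volatility): netscan lists every
socket and connection it can carve; the questions only care about ESTABLISHED
TCP connections, whose local side is the machine's address at capture time
and whose foreign side is the peer of the owning process.
"""
import re

# Constructed sample in the shape of netscan output. The local address
# 10.0.0.101, the foreign address 10.0.0.106 and the owner UWkpjFjDzM.exe
# (PID 3496) come from the write-up; offsets, ports, the other rows and the
# timestamp are made up for this example.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e0f0b60        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe
0x13e2a6010        UDPv4    0.0.0.0:5355                   *:*                                   1148     svchost.exe    2019-03-22 05:32:00 UTC+0000
0x13e3b1cf0        TCPv4    10.0.0.101:49166               198.51.100.20:80     CLOSED           2540     iexplore.exe
0x13e4c2d80        TCPv4    10.0.0.101:49170               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
"""

# UDP rows have no State column, so the state group is optional and the PID
# (digits only) anchors the right-hand side of the row.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(TCP\S*|UDP\S*)\s+(\S+)\s+(\S+)\s+"
    r"(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)"
)
WILDCARDS = {"0.0.0.0", "*", "::"}


def split_endpoint(ep):
    """'10.0.0.101:49170' -> ('10.0.0.101', '49170'). IPv4-style host:port
    is assumed; the port is whatever follows the last colon."""
    host, _, port = ep.rpartition(":")
    return host, port


def parse_netscan(text):
    """One dict per socket/connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset, proto, local, foreign, state, pid, owner = m.groups()
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        rows.append({"offset": offset, "proto": proto, "local_ip": lip,
                     "local_port": lport, "foreign_ip": fip,
                     "foreign_port": fport, "state": state or "",
                     "pid": int(pid), "owner": owner})
    return rows


def established(rows):
    """Only live TCP connections; LISTENING/CLOSED sockets and UDP are noise here."""
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def host_addresses(rows):
    """Local, non-wildcard IPs on established connections: the machine's own
    address(es) at the time of the dump (question 5)."""
    return sorted({r["local_ip"] for r in established(rows)
                   if r["local_ip"] not in WILDCARDS})


def remote_peers(rows, owner):
    """Foreign IPs the named process had established connections with
    (question 6)."""
    return sorted({r["foreign_ip"] for r in established(rows)
                   if r["owner"] == owner})


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    for r in established(rows):
        print(f"{r['owner']} (pid {r['pid']}): {r['local_ip']}:{r['local_port']} "
              f"-> {r['foreign_ip']}:{r['foreign_port']}")
    print("host IP:", host_addresses(rows))
    print("peers of UWkpjFjDzM.exe:", remote_peers(rows, "UWkpjFjDzM.exe"))
```

The CLOSED row is there on purpose: netscan carves closed and stale sockets too, so filtering on state before reading addresses avoids attributing an old browser connection to the wrong question.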

Seventh challenge: How many processes are associated with VCRUNTIME140.dll? From a quick search, VCRUNTIME140.dll is a runtime library of Microsoft Visual Studio, used to run programs developed with Microsoft Visual Studio. You can see the article I read at https://www.softwaretestinghelp.com/vcruntime140-dll-not-found-error-fixed/ and, in our case, the question probably wants us to know which processes are using that Visual Studio runtime. We can use the plugin dlllist to see which processes have the DLL loaded, and pipe the output through grep VCRUNTIME140.dll to count how many processes load it.

Command: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 dlllist | grep VCRUNTIME140.dll

Our answer is that there are 5 processes.

Eighth challenge: After dumping the infected process, what is its md5 hash?

We know our infected process is UWkpjFjDzM.exe, so we need the process ID of that infected process. We can use the plugin pstree with the command python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree and see that our PID is 3496.

Now that we have the PID, we dump that process with the plugin called procdump.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 procdump -p 3496 --dump-dir .

Now that we have dumped the process, we run md5sum on the dumped executable, as the question asks.

Our answer is 690ea20bc3bdfb328e23005d9a80c290.

Ninth challenge: What is the LM hash of Bob's account?

In this challenge, it wants us to find the LM hash. Here we can use the plugin called hashdump to dump the local account hashes.

command: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 hashdump

Now we can see two hashes per account: the first hash on the left is the LM hash and the second is the NT hash. So the LM hash of Bob is aad3b435b51404eeaad3b435b51404ee.
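Bob's LM value is worth recognising on sight: aad3b435b51404eeaad3b435b51404ee is the LM hash you get when no LM hash is stored (LM hashing is off by default from Windows Vista/7 onward) or when the password is empty, so it says nothing about Bob's actual password; the NT hash is the credential that matters. As an added example, not from the write-up or from Volatility, this parser reads hashdump's pwdump-style lines and flags that constant along with the NT hash of an empty password. The sample is constructed: Bob's LM value is the one from the write-up, while the RIDs, the other accounts and every NT hash (Bob's is a placeholder) are made up.

```python
"""Read Volatility 2 hashdump output and flag what the hashes reveal.

Added example (not from the write-up or Volatility): hashdump prints one
pwdump-style line per local account, user:RID:LM:NT:::. Besides pulling out
a given user's LM hash (question 9), a responder wants to know whether an LM
value is the well-known "no LM hash stored" constant and whether any NT hash
is the one for an empty password.
"""

# LM hash produced when LM hashing is disabled or the password is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash (MD4 of the UTF-16LE empty string) of an empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the shape of hashdump output. Bob's LM value is the
# one reported in the write-up; the RIDs, the other accounts and every NT
# hash are made up for this example (Bob's NT hash is a placeholder).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:0011223344556677889900aabbccddee:::
"""


def parse_hashdump(text):
    """Map user -> {"rid", "lm", "nt"}; hex is lower-cased so comparisons
    are case-insensitive."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank line or something that is not a pwdump row
        user, rid, lm, nt = parts[:4]
        accounts[user] = {"rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}
    return accounts


def lm_hash_of(accounts, user):
    """The LM field for one account (the value question 9 asks for)."""
    return accounts[user]["lm"]


def audit(accounts):
    """Per-account findings: whether LM storage is effectively off and
    whether the NT hash corresponds to an empty password."""
    findings = {}
    for user, rec in accounts.items():
        notes = []
        if rec["lm"] == EMPTY_LM:
            notes.append("no LM hash stored (LM disabled or empty password)")
        if rec["nt"] == EMPTY_NT:
            notes.append("empty password")
        findings[user] = notes
    return findings


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    print("Bob LM:", lm_hash_of(accounts, "Bob"))
    for user, notes in audit(accounts).items():
        print(f"{user}: {', '.join(notes) or 'nothing notable'}")
```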

Tenth challenge: What memory protection constants does the VAD node at 0xfffffa800577ba10 have? What is a VAD? A VAD (Virtual Address Descriptor) is used by the Windows memory manager to describe the memory ranges used by a process as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree. You can read more at https://www.sciencedirect.com/science/article/pii/S1742287607000503. The plugin we can use is vadinfo.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep 0xfffffa800577ba10 -C 4

Now we can see that the protection is PAGE_READONLY.

Eleventh challenge: What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?

Command: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep '0x00000000033c0000 End 0x00000000033dffff' -C 4

Our protection now is PAGE_NOACCESS.
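Questions ten and eleven are both lookups in vadinfo output, once by node address and once by start/end range. As an added example (not from the write-up or from Volatility), the parser below turns each vadinfo record into a dict so both lookups are direct, and adds the check a responder usually runs next over the same records: private (not file-backed) regions marked PAGE_EXECUTE_READWRITE, the combination malfind looks for. The sample is constructed in the shape of vadinfo output: node 0xfffffa800577ba10 with PAGE_READONLY and the 0x33c0000 to 0x33dffff range with PAGE_NOACCESS follow the write-up; all other addresses, PIDs, tags and flag values are made up.

```python
"""Look up VAD protections in Volatility 2 vadinfo output.

Added example (not from the write-up or Volatility): instead of grepping an
address and reading four lines of context, parse each VAD record into a dict
so a node can be found by its address (question 10) or by its start/end range
(question 11). The same records answer the next question a responder asks:
which private regions are both writable and executable.
"""
import re

# Constructed sample in the shape of vadinfo output. Node 0xfffffa800577ba10
# with PAGE_READONLY and the range 0x33c0000-0x33dffff with PAGE_NOACCESS
# follow the write-up; every other address, PID, tag and flag value is made
# up for this example.
SAMPLE_VADINFO = """\
Pid:   3032
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad 
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone

VAD node @ 0xfffffa8005a1b2c0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 0, PrivateMemory: 1, Protection: 0
Protection: PAGE_NOACCESS
Vad Type: VadNone

Pid:   3496
VAD node @ 0xfffffa8005c3d4e0 Start 0x0000000001e40000 End 0x0000000001e5ffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

PID_RE = re.compile(r"^Pid:\s+(\d+)")
NODE_RE = re.compile(r"^VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) "
                     r"End (0x[0-9a-fA-F]+) Tag (\S+)")
PROT_RE = re.compile(r"^Protection: (\S+)")     # the stand-alone line, not the Flags one
FLAG_RE = re.compile(r"(\w+): (\d+)")


def parse_vadinfo(text):
    """One dict per VAD record, carrying the PID of the enclosing process."""
    vads, pid, cur = [], None, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            pid = int(m.group(1))
            continue
        m = NODE_RE.match(line)
        if m:
            node, start, end, tag = m.groups()
            cur = {"pid": pid, "node": int(node, 16), "start": int(start, 16),
                   "end": int(end, 16), "tag": tag, "flags": {}, "protection": None}
            vads.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Flags:"):
            cur["flags"] = {k: int(v) for k, v in FLAG_RE.findall(line)}
        else:
            m = PROT_RE.match(line)
            if m:
                cur["protection"] = m.group(1)
    return vads


def protection_at_node(vads, node_addr):
    """Protection name of the VAD whose node lives at `node_addr` (hex string)."""
    target = int(node_addr, 16)
    return next((v["protection"] for v in vads if v["node"] == target), None)


def protection_of_range(vads, start, end):
    """Protection name of the VAD covering exactly [start, end] (hex strings)."""
    s, e = int(start, 16), int(end, 16)
    return next((v["protection"] for v in vads
                 if v["start"] == s and v["end"] == e), None)


def writable_executable_private(vads):
    """Private regions with PAGE_EXECUTE_READWRITE: legitimately loaded code is
    normally file-backed and not writable, so these are the first to inspect."""
    return [v for v in vads
            if v["protection"] == "PAGE_EXECUTE_READWRITE"
            and v["flags"].get("PrivateMemory") == 1]


if __name__ == "__main__":
    vads = parse_vadinfo(SAMPLE_VADINFO)
    print(protection_at_node(vads, "0xfffffa800577ba10"))
    print(protection_of_range(vads, "0x00000000033c0000", "0x00000000033dffff"))
    for v in writable_executable_private(vads):
        print(f"pid {v['pid']}: RWX private region {v['start']:#x}-{v['end']:#x}")
```

Addresses are compared as integers after int(x, 16), so a zero-padded 0x00000000033c0000 and a bare 0x33c0000 match the same record.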

Twelfth challenge: There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)

"Ran on the machine" means we should look for a script that was executed through a command line with its path, and the plugin cmdline is useful in this situation.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 cmdline | grep -i vbs -B 2

The name of the script is vhjReUDEuumrX.

Thirteenth challenge: An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)

We can try to find the application with cmdline and consoles, but both fail.

CMDLINE: it fails because the program had been closed, and they also used the word 'was'.

CONSOLES: it fails because the program was not only closed but the command history for that process does not exist either; maybe they turned the PC off, so it would not exist.

Now we can use the plugin shimcache to check for the program that was last modified at that time.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 shimcache | grep -i '2019-03-07 23:06:58 UTC'

It is Skype.exe.

Fourteenth challenge: What was written in notepad.exe at the time when the memory dump was captured?

We already know the PID of the notepad process from the third challenge: it is 3032.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 memdump -p 3032 --dump-dir .

Then run strings -e l on the resulting dump, as Windows stores this text as 16-bit little-endian characters, which the default strings scan does not pick up.

The flag is flag<REDBULL_IS_LIFE>.
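To show why the -e l option matters, here is an added example (not code from the write-up, from Volatility or from GNU strings) that reproduces both scans in Python: the default printable-ASCII run and the 16-bit little-endian run that strings -e l performs, then filters for the flag<...> format. The input is a constructed byte blob standing in for the memdump of notepad.exe; the flag text is the one from the write-up and everything else in the blob is made up.

```python
"""Pull UTF-16LE text out of a raw process memory dump.

Added example (not from the write-up, Volatility or GNU strings): Windows GUI
programs such as notepad hold their text as 16-bit little-endian characters,
so a plain ASCII string scan misses it. This reproduces what `strings -e l`
does (`-e l` = 16-bit little-endian) and then filters for the flag format.
"""
import re

# Constructed blob standing in for a memdump of notepad.exe: binary padding
# with one ASCII string and two UTF-16LE strings embedded. The flag text is
# the one reported in the write-up; everything else is made up.
SAMPLE_DUMP = (
    b"\x00\x01\x7f\x90" + b"plain-ascii-text" + b"\xff\x00\x00\x00"
    + "flag<REDBULL_IS_LIFE>".encode("utf-16-le") + b"\x00\x00\x13\x37"
    + "hello notepad".encode("utf-16-le") + b"\x80\x81"
)


def ascii_strings(data, min_len=4):
    """What `strings` prints by default: runs of printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data, min_len=4):
    """What `strings -e l` prints: runs of printable ASCII code points each
    stored as two bytes, the character followed by a NUL."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def find_flags(data):
    """Strings in either encoding matching the challenge's flag<...> format."""
    flag_re = re.compile(r"flag<[^<>]+>")
    hits = []
    for s in ascii_strings(data) + utf16le_strings(data):
        hits.extend(flag_re.findall(s))
    return hits


if __name__ == "__main__":
    print("ascii   :", ascii_strings(SAMPLE_DUMP))
    print("utf-16le:", utf16le_strings(SAMPLE_DUMP))
    print("flags   :", find_flags(SAMPLE_DUMP))
```

Run against the real memdump, the ASCII scan returns code and resource strings while the UTF-16LE scan is where the edit-control contents of notepad appear; grepping the UTF-16LE list for flag is the same step as strings -e l ... | grep flag.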

Fifteenth challenge: What is the short name of the file at file record 59045?

For file records, we can use the plugin called mftparser to do the job.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 mftparser | grep 59045 -C 20

The name is EMPLOY~1.XLS.

Last challenge: This box was exploited and is running meterpreter. What was the infected PID?

We already did this one.

COMMAND: python2 volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree

The suspicious process was UWkpjFjDzM.exe.

Then our PID is 3496.
