UDOM CTF 6_MEMORY TRYHACKME

blackninja23
9 min read · Jul 8, 2021

Hello guys. For those who are not aware of the site, tryhackme.com is a well-known website for security researchers that aims to give users a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. There are many other free, challenging CTF machines available on tryhackme.com, and I highly suggest attempting them, as they are a good way to sharpen your skills and also learn new techniques in a safe environment.

This room was created by me and mainly focuses on memory forensics. It was a private room for our UDOM CYBER CLUB (UDOM: University of Dodoma in Tanzania). I can admit that it really took me time to create this room, as it aims to be competitive on memory forensics rather than tricky. In short, it was beginner level, as it helps my members learn more about memory forensics.

This room focuses on Volatility 2 plugins and their usage, not on Volatility 3.

Installing Volatility 2:

Commands

  1. cd ~ && git clone https://github.com/volatilityfoundation/volatility

You can install it, or you can just run it with Python 2; both work.

Installing:

python ~/volatility/setup.py install

OR

Running it directly with Python

python ~/volatility/vol.py -h

This room is divided into five sections, which are: Google is your friend, Help Utility, Practical time, CTF, and Focus.

Google is Your Friend

  1. Which plugin is used for profiles? Answer: imageinfo
  2. Which plugin is used to list running processes? Answer: pslist
  3. Which plugin is used to view child and parent processes? Answer: pstree
  4. Which Volatility plugin is used to examine processes that have been terminated? Answer:
  5. Which plugin is used to discover hidden processes? Answer: psscan
  6. Which plugin is used to discover hidden processes? Answer: psxview
  7. Which plugin is used to dump a process's executable? Answer: procdump
  8. Which plugin is used to extract the memory of a process? Answer: memdump
  9. Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and the last execution date and time are available in these keys. Which plugin is used for this? Answer: userassist
  10. Which plugin is used to display process command-line arguments? Answer: cmdline
  11. Let's say an attacker manages to kill cmd.exe; how can we recover the history of command sessions? Answer: consoles
  12. Let's say an attacker did not kill cmd.exe; which plugin is used to scan the history of command sessions? Answer: cmdscan
  13. Can you help me to know at which time the program was running on a machine? Answer in small letters. Hint: the answer does not start with the letter p. More hint: it deals with cache. Answer: shimcache
  14. Which plugin outputs the same information you could get from netstat, but with a bonus: the creation timestamp of a bound socket or an established connection? Answer: netscan
  15. Now that you have learned about plugins that work with networks from question number 13, you should also understand that there are network plugins for XP and 2003 that sometimes work for Win7 as well: connscan, connections, sockscan and sockets. Answer: No answer needed

XP/2003 SPECIFIC

vol.py -f "/path/to/file" --profile <profile> connscan

vol.py -f "/path/to/file" --profile <profile> connections

vol.py -f "/path/to/file" --profile <profile> sockscan

vol.py -f "/path/to/file" --profile <profile> sockets

16. Which plugin is used to dump the password hashes of a machine? Answer: hashdump

17. Which plugin is used to locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hives on disk? Answer: hivelist

18. Which plugin is used to display the subkeys, values, data, and data types contained within a specified registry key? Answer: printkey

19. Which plugin is used to scan for files? Answer: filescan

20. Which plugin is used to scan for files? Answer: dumpfiles

21. Which plugin is used to extract screenshots of all open windows from a memory dump? Answer: screenshot

22. Now that you have had fun with plugins: these plugins are the most useful in memory forensics, so in your own time try to go deeper into the plugins you have learned and also learn new ones that I did not put here. No answer needed

HELP UTILITY

  1. Which option is used to ask for help in every command in Linux, and in our case in Volatility? Answer: -h
  2. Which option is used to specify the file in Volatility? Answer: -f
  3. Which option is used to specify the profile? Answer: --profile
  4. Which option is used to specify additional plugins in Volatility? Answer: --plugins

PRACTICAL TIME

Download the memory dump so as to answer the questions below.

  1. As an analyst, we need to make sure we have the right file. What is the md5sum of the file? Answer: 8eb50a6e44c3a0681fe0f43b916cef31

2. Tell me the most suggested profile of the memory dump. Answer: WinXPSP2x86

Command: vol.py -f udomctf6.mem imageinfo

3. How many processes are in the memory dump?

Hint: pslist

Answer: 23

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 pslist

4. Which tool was used to dump memory from the computer?

Answer: FTK Imager. From the image above this question, you can observe it.

5. Which executable file has more processes than the other processes?

Answer: svchost. From the image in question 3, you can see this executable has more processes than the others.

6. Tell me the name of the process whose parent process id is zero. Answer: System. From the image you can see System is the one with ppid = 0.

7. The first process id of svchost? Find the first svchost process's id. Answer: 688

8. Tell me the process id of explorer. Answer: 1248

9. How many child processes does explorer have? Answer: 4

To view child processes in a clear way:

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 pstree

There are 4 of them, as pstree arranges the output so that the processes whose parent process id is 1248 are grouped under explorer.

10. Among the child processes of explorer, which one has process id 800? Answer: mspaint

11. Can you tell me the name of the pdf file that exists in this memory dump? Answer: FTKImager_UserGuide

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 filescan | grep pdf

12. I was drawing something in Windows. Can you dump the memory of that process and give the md5sum of that memory? Answer: c1ff414488b5af8ee0c92a410b7b3cb9

First, find the process id of mspaint, as it is used for drawing, which is 800.

Second, dump the memory of the process.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 --pid 800 memdump --dump-dir .

Third, Command: md5sum 800.dmp

13. Can you tell me the password of Administrator? Answer: Pa$$w0rd

First, use the plugin hashdump to dump the password hashes.

Second, crack the second hash of the Administrator entry, which is 92937945b518814341de3f726500d4ff, to get the password.

I will use the online tool https://crackstation.net/ to crack it.

14. Tell me the full executable path of mspaint. Answer: C:\WINDOWS\system32\mspaint.exe

To find the full path of mspaint, where it was executed from, you should use cmdline first and consoles later if cmdline does not show anything.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 cmdline

15. How many processes exist in consoles? Answer:

Use consoles and count the processes.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 consoles

16. Can you tell me the ip address of the computer? Answer: 192.168.0.178

As this profile is Windows XP, we can use the plugin connscan, as already shown in the section Google is your friend, question 15. Otherwise, if it is not Windows XP or Windows Server 2003, you should use netscan.

17. Tell me the remote ip address with the port that explorer interacts with.

Answer format is like ip:port, for example 127.0.0.1:80

Answer: 192.168.0.164:135

First, we know the pid of explorer is 1248.

Second, we see that all pids shown in connscan have the same ip and the same port.

18. Can you tell me the AccessData FTK Imager version from the open windows in the memory dump? Answer: 3.1.2.0

First, from the first section we should know this uses the plugin called screenshot.

Second, we need to dump all windows that were open and not closed at the time of the memory dump by using screenshot.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 screenshot --dump-dir .

Third, we need to investigate them.

After opening and investigating them, I found the version of AccessData FTK Imager.

19. How many files were dumped from the open windows in the memory dump in question 18? Answer: 7

20. Do you know the SAM file on a Windows computer?

Can you tell me the last time the SAM file was updated?

Answer format is like this: 2021-06-25 12:09:10, with a space between them

Answer: 2020-03-18 21:23:34

Use printkey

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 printkey

or

Specify SAM in printkey

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 printkey -K 'SAM'

A thing to note about the second command is that you should not confuse the SAM file with the SAM key. The SAM file has a SAM key, and the SECURITY file has a SAM key too.

21. How many processes are hidden from pslist? Answer: 33

First, use the psxview plugin.

Second, count the processes that are False in the pslist column.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 psxview
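As an added example (not code from the room or this write-up), the script below post-processes Volatility 2 text output to do the counting behind question 9 (children of explorer, grouped by PPID, the view pstree gives) and question 21 (rows psxview reports with pslist = False). The psxview and pslist samples inside it are constructed to match the Volatility 2.6 column layout; their names, PIDs and offsets are invented and are not from udomctf6.mem.

```python
"""Count answers from Volatility 2 text output (questions 9 and 21 of the room).
Added example, not code from the original room or write-up. The sample output
below is constructed to mimic `vol.py psxview` and `vol.py pslist` formatting;
the process names, PIDs and offsets are invented and not from udomctf6.mem."""
from collections import defaultdict

# Constructed psxview output: pslist == False marks a process that pslist missed.
PSXVIEW_OUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a2b3c4 System                    4 True   True   True     True   False False   False
0x01c5d6e7 explorer.exe           1248 True   True   True     True   True  True    True
0x02f0a1b2 ghost.exe              1337 False  True   False    False  False False   False    2021-07-01 10:00:00 UTC+0000
0x0301c2d3 stale.exe               912 False  True   False    False  False False   False
"""

# Constructed pslist output; Start/Exit are multi-token, so only fixed columns are indexed.
PSLIST_OUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     55      265 ------      0
0x81f0a020 explorer.exe           1248   1200     12      380      0      0 2020-03-18 21:20:01 UTC+0000
0x81e2b7a0 mspaint.exe             800   1248      4      120      0      0 2020-03-18 21:22:10 UTC+0000
0x81c77b18 cmd.exe                1500   1248      1       30      0      0 2020-03-18 21:23:00 UTC+0000   2020-03-18 21:25:00 UTC+0000
"""

def table_rows(text):
    """Whitespace-split data rows of a Volatility 2 table (banner, header and rule skipped)."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("Offset"))
    return [line.split() for line in lines[header + 2:] if line.strip()]

def hidden_from_pslist(psxview_text):
    """Names of processes psxview found by other means but pslist did not (question 21)."""
    # psxview columns: Offset Name PID pslist psscan thrdproc pspcid csrss session deskthrd [ExitTime]
    return [row[1] for row in table_rows(psxview_text) if row[3] == "False"]

def children_by_ppid(pslist_text):
    """Map each PPID to its (PID, name) children, the grouping pstree shows for question 9."""
    # pslist columns: Offset Name PID PPID Thds Hnds Sess Wow64 [Start] [Exit]
    tree = defaultdict(list)
    for row in table_rows(pslist_text):
        tree[int(row[3])].append((int(row[2]), row[1]))
    return tree

if __name__ == "__main__":
    print("hidden from pslist:", hidden_from_pslist(PSXVIEW_OUT))
    print("children of explorer (1248):", children_by_ppid(PSLIST_OUT)[1248])
```

On the real dump you would feed it the saved output of the psxview and pslist commands above (for example, redirected to a file) instead of the constructed samples.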

22. Can you tell me the OS name in the memory dump?

Hint: environment variables are among the most important things in computers.

Answer: Windows_NT

From the hint, we need to find the environment variables of the system, for which the plugin is envars.

After that, find the OS name.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 envars

23. Can you tell me the computer name in the memory dump?

Hint: environment variables are among the most important things in computers.

Answer: FXP

From the hint, the same as in question 22, we need to find the environment variables of the system, for which the plugin is envars.

After that, find the computer name.

Command: vol.py -f udomctf6.mem --profile=WinXPSP2x86 envars

CTF TIME

  1. Did you check if he killed cmd.exe?

Answer format is flag{}

From the hint, if he killed cmd.exe then we need to check by using the consoles plugin.

As I already showed before, you need to find the profile first, then use that profile with the consoles plugin.

Second, you will see base64 after executing consoles; decode it and you get the flag.

So finish this in your own time, since you know the profile, consoles and also cryptography.

FOCUS

This room focuses more on reality, as I tried my best. I think this room will make you learn something about memory forensics, especially in TASK 1, TASK 2 and TASK 3. With the knowledge you have grasped, you can do TASK 4. So do this CTF, since it took me time to assemble all the necessary materials and important concepts. This CTF starts today, so do your best.

Prepared by blackninja23

Thanks to my members who participated in this CTF, and I hope you had a good time with my CTF that deals with memory forensics.

Also thanks to Baraka Range and LyMo.
