Lab 1 - Beginner's Luck

Link to the lab : Lab 1 - Beginner's Luck

Challenge description

My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is get all her important files from the system. From what we remember, we suddenly saw a black window pop up with some thing being executed. When the crash happened, she was trying to draw something. Thats all we remember from the time of crash.

Note: This challenge is composed of 3 flags.

Solution

Initial thoughts

First, let us list down the important points from the description.

  • We have to get important files from the system

  • They saw a black window pop up and execute something (this might be command prompt)

  • The person was trying to draw something (drawing application might be opened)

Profile

As I mentioned I'll be using Vol2, so first we have to get the profile of the memory image.

python2 ~/Downloads/vol2/vol.py -f MemoryDump_Lab1.raw imageinfo

  • We can use "Win7SP1x64" as the profile for the memory image.

Process list

A good place to start is by listing all the processes that were running at the time of memory capture. 

python2 ~/Downloads/vol2/vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 psscan

  • Use psscan to view the processes that are hidden too.

  • From the output, we can see some obvious processes that would be of interest to us (revisit the initial thoughts to see why are they of interest).

  • They are cmd.exe, mspaint.exe, WinRAR.exe. Make a note of their PIDs.

  • If you find or don't know about any other processes, just google their name to see their purpose.

  • DumpIT.exe is another unknown process which might have been used to capture the memory.

Command Prompt

Let's pick one process and investigate it further. Let's look at the command line to know what was executed.

python2 ~/Downloads/vol2/vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 consoles

  • consoles shows the command typed as well as the I/O buffer.

  • From the output we can see that "St4G3$1" is run and a string is output to the consol.

  • The the look of it we can see that it is a base64 string because it contains 'a-z' and is padded with '='

echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0= | base64 -d

  • By decoding the base64 string, we got the first flag.

flag{th1s_1s_th3_1st_st4g3!!}

MS Paint

Let's examine the memory of mspaint.exe to examine further. 

python2 ~/Downloads/vol2/vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 memdump -p 2424 -D ./output

  • Now we have dumped the memory of mspaint.exe to the output directory we specified.

  • Upon researching how to view the content of MS Paint after dumping, found that we should change the extension of the dump from ".dmp" to ".data" and open it with GIMP (GNU Image Manipulation Program).

PreviousMemlabsNextAnalysis

Last updated