The first thing we have to do is find the right profile for the image so that Volatility can parse it. We use the imageinfo plugin for that:
vol.py -f flounder-pc-memdump.elf imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/infosec/dumps/mem_dumps/01/flounder-pc-memdump.elf)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027fe0a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027ffd00L
KPCR for CPU 1 : 0xfffff880009eb000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2017-10-04 18:07:30 UTC+0000
Image local date and time : 2017-10-04 11:07:30 -0700
The output lists several candidate profiles; "Image Type (Service Pack) : 1" narrows them to Win7SP1x64, which is what we pass as --profile from now on. With a profile chosen, the first thing we do is list the processes as a tree using the pstree plugin:
remnux@remnux:~/ctf/memoryctf/reminiscent$ vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf pstree
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa800169bb30:csrss.exe 348 328 9 416 2017-10-04 18:04:29 UTC+0000
0xfffffa8001f63b30:wininit.exe 376 328 3 77 2017-10-04 18:04:29 UTC+0000
. 0xfffffa8001ff2b30:lsass.exe 492 376 8 590 2017-10-04 18:04:30 UTC+0000
. 0xfffffa8001fcdb30:services.exe 476 376 11 201 2017-10-04 18:04:29 UTC+0000
.. 0xfffffa8002204960:svchost.exe 384 476 17 386 2017-10-04 18:04:30 UTC+0000
... 0xfffffa8001efa500:csrss.exe 396 384 9 283 2017-10-04 18:04:29 UTC+0000
.... 0xfffffa8000e90060:conhost.exe 2772 396 2 55 2017-10-04 18:06:58 UTC+0000
... 0xfffffa8001f966d0:winlogon.exe 432 384 4 112 2017-10-04 18:04:29 UTC+0000
.. 0xfffffa80021044a0:svchost.exe 792 476 21 443 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa800209bb30:VBoxService.ex 664 476 12 118 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa800217cb30:svchost.exe 900 476 41 977 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa8002294b30:spoolsv.exe 1052 476 13 277 2017-10-04 18:04:31 UTC+0000
.. 0xfffffa8002122060:sppsvc.exe 1840 476 4 145 2017-10-04 18:04:37 UTC+0000
.. 0xfffffa80021b4060:SearchIndexer. 1704 476 16 734 2017-10-04 18:04:47 UTC+0000
... 0xfffffa80023ed550:SearchFilterHo 812 1704 4 92 2017-10-04 18:04:48 UTC+0000
... 0xfffffa80024f4b30:SearchProtocol 1960 1704 6 311 2017-10-04 18:04:48 UTC+0000
.. 0xfffffa80021ccb30:svchost.exe 988 476 13 286 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa8002390620:svchost.exe 1196 476 28 333 2017-10-04 18:04:31 UTC+0000
.. 0xfffffa800096eb30:wmpnetwk.exe 2248 476 18 489 2017-10-04 18:06:33 UTC+0000
.. 0xfffffa8002245060:taskhost.exe 1720 476 8 148 2017-10-04 18:04:36 UTC+0000
.. 0xfffffa80022bbb30:svchost.exe 1092 476 19 321 2017-10-04 18:04:31 UTC+0000
.. 0xfffffa8000945060:svchost.exe 2120 476 12 335 2017-10-04 18:06:32 UTC+0000
.. 0xfffffa8002001b30:svchost.exe 600 476 12 360 2017-10-04 18:04:30 UTC+0000
... 0xfffffa8000801b30:WmiPrvSE.exe 2924 600 10 204 2017-10-04 18:06:26 UTC+0000
... 0xfffffa8000930b30:WmiPrvSE.exe 592 600 9 127 2017-10-04 18:06:35 UTC+0000
.. 0xfffffa8002166b30:svchost.exe 868 476 21 429 2017-10-04 18:04:30 UTC+0000
... 0xfffffa80022c8060:dwm.exe 2020 868 4 72 2017-10-04 18:04:41 UTC+0000
.. 0xfffffa80020b5b30:svchost.exe 728 476 7 270 2017-10-04 18:04:30 UTC+0000
. 0xfffffa8001fffb30:lsm.exe 500 376 11 150 2017-10-04 18:04:30 UTC+0000
0xfffffa80006b7040:System 4 0 83 477 2017-10-04 18:04:27 UTC+0000
. 0xfffffa8001a63b30:smss.exe 272 4 2 30 2017-10-04 18:04:27 UTC+0000
0xfffffa80020bb630:explorer.exe 2044 2012 36 926 2017-10-04 18:04:41 UTC+0000
. 0xfffffa80022622e0:VBoxTray.exe 1476 2044 13 146 2017-10-04 18:04:42 UTC+0000
. 0xfffffa80007e0b30:thunderbird.ex 2812 2044 50 534 2017-10-04 18:06:24 UTC+0000
. 0xfffffa800224e060:powershell.exe 496 2044 12 300 2017-10-04 18:06:58 UTC+0000
.. 0xfffffa8000839060:powershell.exe 2752 496 20 396 2017-10-04 18:07:00 UTC+0000
In this tree, explorer.exe (PID 2044) spawns powershell.exe (PID 496) at 18:06:58, which in turn spawns a second powershell.exe (PID 2752) two seconds later. explorer.exe is the user's desktop shell, so a PowerShell child under it points to something the user opened (a document or a shortcut) rather than a scheduled task or service, and a PowerShell process spawning another PowerShell process is typical of a staged payload. This tells us that the attacker executed PowerShell commands on the machine, and that the memory image is where we look for them.
First Method :
From the resume email sent to the victim, we know the victim downloaded a resume zip file from the attacker's server. The filescan plugin lists every file object still resident in memory, with its physical offset, so we save that output to a file once (it is large and we will reuse it) and grep it for the resume:
vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf filescan > filescan.txt
remnux@remnux:~/ctf/memoryctf/reminiscent$ cat filescan.txt | grep resume
0x000000001e1f6200 1 0 R--r-- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
0x000000001e8feb70 1 1 R--rw- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
Now we use the dumpfiles plugin to extract those files from memory. The -Q option takes the physical offset(s) of the file objects, comma-separated, and --dump-dir the output directory:
remnux@remnux:~/ctf/memoryctf/reminiscent$ vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf dumpfiles -Q 0x000000001e1f6200,0x000000001e8feb70 --dump-dir=/home/remnux/ctf/memoryctf/reminiscent/dumpedResumes/
Looking at the extracted file, we can see that PowerShell commands are executed from the "pdf", which is really a shortcut (resume.pdf.lnk, disguised as a PDF by its double extension; filescan shows no real resume.pdf). The first base64-encoded string decodes to code that extracts another payload and executes it using Invoke-Expression (iex). Note that if the first string is passed through -EncodedCommand, it is base64 of UTF-16LE text, so decode it with base64 -d | iconv -f UTF-16LE -t UTF-8 rather than base64 -d alone, otherwise the result is interleaved with NUL bytes. Decoding the second, larger base64 blob reveals the flag.
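The two-stage decoding just described, as an added example that is not part of the original write-up and does not use the challenge's real payload: it builds a constructed powershell.exe command line of the shape described (an -EncodedCommand argument whose script feeds a second base64 blob to FromBase64String and iex), then unwraps every stage, handling the UTF-16LE convention of -EncodedCommand and bounding the recursion. The sample target, scripts and flag string are constructed for illustration.

```python
import base64
import re

# Constructed sample, not the challenge's real payload (labelled assumption): a
# shortcut target of the shape the write-up describes. powershell.exe is started
# with -EncodedCommand; the decoded script carries a second base64 blob that is
# decoded and run with Invoke-Expression (iex).
INNER_SCRIPT = 'Write-Output "flag{constructed-example-not-the-real-flag}"'
INNER_B64 = base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode("ascii")
STAGE1_SCRIPT = (
    "$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + INNER_B64 + "'));iex $s"
)
# -EncodedCommand takes base64 of the UTF-16LE script text, not UTF-8.
STAGE1_B64 = base64.b64encode(STAGE1_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LNK_TARGET = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "-NoP -NonI -W Hidden -Exec Bypass -Enc " + STAGE1_B64
)

# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...). Longer
# alternatives come first, and the mandatory whitespace after the switch keeps
# -Exec / -ExecutionPolicy from being mistaken for it.
_PREFIXES = ["encodedcommand"[:i] for i in range(len("encodedcommand"), 0, -1)]
ENC_ARG = re.compile(r"-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.I)
INNER_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def _to_text(raw: bytes) -> str:
    """Turn a decoded base64 buffer into text: UTF-16LE when every odd byte is
    NUL (ASCII text in UTF-16LE), otherwise UTF-8."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand argument -> script text (always UTF-16LE by definition)."""
    return base64.b64decode(b64).decode("utf-16-le")


def unwrap_stages(command_line: str, max_depth: int = 5) -> list[str]:
    """Return every script stage reachable from a powershell command line:
    the -EncodedCommand script first, then each base64 blob it hands to
    FromBase64String, recursively, bounded by max_depth."""
    stages: list[str] = []
    m = ENC_ARG.search(command_line)
    if not m:
        return stages
    pending = [decode_encoded_command(m.group(1))]
    while pending and len(stages) < max_depth:
        script = pending.pop(0)
        stages.append(script)
        for inner in INNER_B64_RE.findall(script):
            try:
                pending.append(_to_text(base64.b64decode(inner)))
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64: leave it for manual inspection
    return stages


def uses_iex(script: str) -> bool:
    """True when a stage hands text to Invoke-Expression, i.e. runs the next stage."""
    return IEX_RE.search(script) is not None


if __name__ == "__main__":
    for i, stage in enumerate(unwrap_stages(SAMPLE_LNK_TARGET), 1):
        print(f"--- stage {i} (iex: {uses_iex(stage)}) ---")
        print(stage)
```

On a real .lnk, feed the target and argument strings from the shortcut (for example from the output of a LNK parser, or simply strings -el on the dumped file) into unwrap_stages; the two-layer case in the write-up yields two stages, the second being the script that contains the flag.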
Second Method :
WinEVT Logs :
There is another way to get the flag: the PowerShell Operational event log (Microsoft-Windows-PowerShell%4Operational.evtx). Since we know a PowerShell payload was executed by the attacker, and PowerShell 5 records script blocks there as Event ID 4104, the executed code should be in that log. Using the filescan output we generated previously, we grep for the Operational logs:
remnux@remnux:~/ctf/memoryctf/reminiscent$ cat filescan.txt | grep -i "operational"
0x000000001e0816a0 7 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
0x000000001e14f070 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx
0x000000001e247d50 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx
0x000000001e28d070 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
0x000000001e308b70 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx
0x000000001e309f20 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
0x000000001e30cbb0 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
0x000000001e344bc0 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx
0x000000001e382700 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
0x000000001e394680 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx
0x000000001e39e820 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
0x000000001e444f20 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx
0x000000001e5ee910 9 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx
0x000000001e9d14a0 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx
0x000000001eb909f0 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
0x000000001ed0c720 19 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx
0x000000001fc41260 17 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
0x000000001fcdf9b0 18 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
0x000000001fd58070 16 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
0x000000001fdbfda0 5 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
This is the line for the PowerShell Operational log, with the offset we need:
0x000000001fd58070 16 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Now we dump it with the dumpfiles plugin:
remnux@remnux:~/ctf/memoryctf/reminiscent$ vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf dumpfiles -Q 0x000000001fd58070 --dump-dir=/home/remnux/ctf/memoryctf/reminiscent/powershellOperationalDumpfiles/
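Both methods above reduce to the same loop: parse the saved filescan output, pick the file objects of interest, and hand their physical offsets to dumpfiles -Q. As an added example (not part of the original write-up), the Python below does that over a constructed filescan excerpt shaped like the lines above. The one pitfall it handles is paths containing spaces (such as the User Profile Service log above), which a naive whitespace split would break; it also flags double-extension shortcuts like resume.pdf.lnk. The sample text, the shortcut-extension list and the output directory are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Constructed excerpt of Volatility 2 filescan output, shaped like the write-up's
# lines (banner, header, separator, then offset / #Ptr / #Hnd / access / path).
SAMPLE_FILESCAN = r"""Volatility Foundation Volatility Framework 2.6.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000001e1f6200      1      0 R--r-- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
0x000000001e8feb70      1      1 R--rw- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
0x000000001e344bc0     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx
0x000000001fd58070     16      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
"""


class FileObject(NamedTuple):
    offset: int   # physical offset of the _FILE_OBJECT, what dumpfiles -Q wants
    ptr: int
    hnd: int
    access: str
    path: str


# Exactly four whitespace-delimited fields, then the rest of the line as the path,
# so a path with spaces survives intact.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*\S)\s*$")

# Document-looking extensions in front of .lnk: a shortcut dressed up as a file.
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)


def parse_filescan(text: str) -> list[FileObject]:
    """Parse filescan output; banner, header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(FileObject(int(m.group(1), 16), int(m.group(2)),
                                  int(m.group(3)), m.group(4), m.group(5)))
    return records


def select(records: list[FileObject], pattern: str) -> list[FileObject]:
    """Case-insensitive regex match on the path, like grep -i on the saved output."""
    rx = re.compile(pattern, re.I)
    return [r for r in records if rx.search(r.path)]


def double_extension_shortcuts(records: list[FileObject]) -> list[FileObject]:
    """Shortcuts whose name pretends to be a document (resume.pdf.lnk)."""
    return [r for r in records if DOUBLE_EXT_LNK.search(r.path)]


def dumpfiles_command(records: list[FileObject], image: str, profile: str,
                      dump_dir: str) -> str:
    """Build the dumpfiles invocation; offsets are deduplicated and zero-padded
    the way filescan prints them, and -Q takes them comma-separated."""
    offsets = sorted({r.offset for r in records})
    q = ",".join(f"0x{o:016x}" for o in offsets)
    return (f"vol.py --profile={profile} -f {image} dumpfiles "
            f"-Q {q} --dump-dir={dump_dir}")


if __name__ == "__main__":
    recs = parse_filescan(SAMPLE_FILESCAN)
    print(dumpfiles_command(double_extension_shortcuts(recs),
                            "flounder-pc-memdump.elf", "Win7SP1x64", "dumpedResumes/"))
    print(dumpfiles_command(select(recs, r"PowerShell%4Operational\.evtx$"),
                            "flounder-pc-memdump.elf", "Win7SP1x64", "psLogs/"))
```

Run it against the real filescan.txt by replacing SAMPLE_FILESCAN with the file's contents; the printed commands are the same two dumpfiles invocations used in this write-up.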
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1fd58070 None \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
SharedCacheMap 0x1fd58070 None \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Reading the dumped file with cat reveals the PowerShell commands executed on the system; reading through them we find the flag. Since .evtx is a binary format with UTF-16LE strings, strings -el on the dump gives cleaner output than cat, and a real parser such as python-evtx or evtx_dump recovers the full events (timestamps and script block text) rather than fragments.
Flag :
HTB{$_j0G_y0uR_M3m0rY_$}