Memory dump download link : https://drive.google.com/file/d/1-NCGNf8dBIu2LuA3Rl6BWlx2QBp0hmdW/view
Challenge 1 OS :
To view OS-related information we open the memory dump (KnightSquad.DMP) in WinDbg and run !analyze -s; scrolling down the output we find the OS version. WinDbg's vertarget command prints the same kernel version line directly.
Note that the cmd banner recovered later from the console buffers reads "Microsoft Windows [Version 6.1.7601]", i.e. Windows 7 SP1 (build 7600 is RTM). The Volatility commands below use the Win7SP0x64 profile, which works for this dump; if a plugin misbehaves on a 7601 image, try Win7SP1x64 (the imageinfo or kdbgscan plugin lists the candidate profiles).
Flag :
Challenge 2 Password :
First I tried the lsadump plugin to dump plaintext passwords from memory, but it didn't contain any passwords. That is expected here: DefaultPassword is only populated when autologon is configured, and NL$KM (cached domain logon key) and DPAPI_SYSTEM (the machine DPAPI key) are key material, not user passwords, so none of the three secrets decodes to readable text.
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP lsadump > lsadump.txt
$ cat lsadump.txt
DefaultPassword
0x00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 e0 4b c9 10 e9 e2 76 c1 8e 40 e0 7e c2 0e 0d 21 .K....v..@.~...!
NL$KM
0x00000000 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
0x00000010 40 d6 21 e7 0a 7e 0c d5 50 7a b8 a4 3c e7 c3 5d @.!..~..Pz..<..]
0x00000020 00 da 39 66 19 0e 34 fd cb eb 67 ea 95 9b 6c 60 ..9f..4...g...l`
0x00000030 ea 61 e6 32 a1 6e 55 c7 57 6c d1 a4 4d c7 37 ba .a.2.nU.Wl..M.7.
0x00000040 ca ff ee 1e ba bf e6 b1 02 71 ac 37 f8 84 d0 95 .........q.7....
0x00000050 8f 21 6c 0d c3 86 c0 48 63 ed fb 91 ba 47 53 a0 .!l....Hc....GS.
DPAPI_SYSTEM
0x00000000 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0x00000010 01 00 00 00 fd 3c 8e 3b 13 14 6e 7a 48 b7 75 4a .....<.;..nzH.uJ
0x00000020 8f 53 37 f5 bf e0 86 56 cc d7 50 73 53 72 59 52 .S7....V..PsSrYR
0x00000030 6f 65 94 1a d4 97 ca ce 35 8f 4c 29 00 00 00 00 oe......5.L)....
Then I used the hashdump plugin to extract the users' password hashes from the SAM database:
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP hashdump > hashdump.txt
$ cat hashdump.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
siam:1001:aad3b435b51404eeaad3b435b51404ee:7ab3201ceecd554f772573bb064a0f38:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:99d22b68c0d197f683f3d994c7f31254:::
Each line is user:RID:LM hash:NT hash. The LM field aad3b435b51404eeaad3b435b51404ee is the well-known empty LM hash (LM storage is disabled by default on Windows 7), and Guest's NT field 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. I took the NT hashes (these are plain NT hashes, not NTLMv2, which is a network challenge/response format that never appears in the SAM) and looked them up on the CrackStation website; three of the four were found, but only one resolved to a real text password, the one for the siam user.
Flag :
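As an added example (not part of the original writeup), here is a small Python script that parses the hashdump lines above, flags the empty-LM and empty-NT sentinels, and checks a list of candidate passwords against the NT hashes offline, which is the same computation a lookup site or hashcat -m 1000 performs. It carries its own MD4 because hashlib.new('md4') is unavailable on many OpenSSL 3 builds. The candidate list is constructed; siam's real password is not known from the page, so only Guest's empty password matches here.

```python
import re
import struct

# Well-known sentinel values that appear in the hashdump output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of an empty UTF-16LE string

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is missing on many OpenSSL 3 builds)."""
    h0 = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)   # word order, round 2
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # word order, round 3
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h0
        for i in range(16):  # round 1: F, no constant
            a = _rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G + sqrt(2) constant
            a = _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H + sqrt(3) constant
            a = _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h0 = [(v + w) & 0xFFFFFFFF for v, w in zip(h0, (a, b, c, d))]
    return struct.pack("<4I", *h0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Parse pwdump-style lines into dicts and mark the empty-LM / empty-NT sentinels."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue
        e = {k: (v.lower() if k in ("lm", "nt") else v) for k, v in m.groupdict().items()}
        e["rid"] = int(e["rid"])
        e["lm_empty"] = e["lm"] == EMPTY_LM
        e["nt_empty"] = e["nt"] == EMPTY_NT
        entries.append(e)
    return entries


def check_candidates(entries, candidates):
    """Offline check of candidate passwords against the NT hashes; returns {user: password}."""
    table = {nt_hash(p): p for p in candidates}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


# The hashdump output from the page, reused here as sample input.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
siam:1001:aad3b435b51404eeaad3b435b51404ee:7ab3201ceecd554f772573bb064a0f38:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:99d22b68c0d197f683f3d994c7f31254:::
"""

if __name__ == "__main__":
    users = parse_hashdump(SAMPLE)
    for u in users:
        print(f"{u['user']:<16} rid={u['rid']:<5} lm_empty={u['lm_empty']} nt_empty={u['nt_empty']}")
    # Constructed candidate list; only Guest's empty password is known from the page itself.
    print(check_candidates(users, ["", "password", "Password123"]))
```

To feed a real wordlist, replace the constructed candidate list with the lines of the file; because NT hashes are unsalted, one MD4 per candidate covers every user at once.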
Challenge 3 IP Addr :
We use the netscan plugin to list the sockets and TCP connections the kernel still has in memory; the Local Address column gives the system's own address. Ignore the wildcard listeners (0.0.0.0 and ::) and loopback (127.0.0.1) rows and look at an established TCP connection or a UDP socket bound to a real interface address.
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP netscan > netscan.txt
$ cat netscan.txt
Flag :
Challenge 4 Note :
We use the filescan plugin, which scans the pool for _FILE_OBJECT structures, so it lists files that were open or cached at capture time, including ones already closed or deleted from disk.
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP filescan > filescan.txt
This gives a huge list of files.
We know the boss has left a text file, so we grep the output for a .txt extension:
$ grep '\.txt' filescan.txt
0x00000000b9ba7bb0 16 0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
0x00000000b9d1ef20 16 0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text.txt
0x00000000bbd7f950 1 1 -W-rw- \Device\HarddiskVolume2\Users\siam\AppData\Local\Temp\FXSAPIDebugLogFile.txt
We have two text files in siam's Documents folder. To read their contents we use the dumpfiles plugin, passing the physical offsets from the first column of the filescan output with -Q:
azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP dumpfiles -Q 0x00000000b9ba7bb0,0x00000000b9d1ef20 --dump-dir=/e/Sherloks\ HTB/dumpedText/
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0xb9ba7bb0 None \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
DataSectionObject 0xb9d1ef20 None \Device\HarddiskVolume2\Users\siam\Documents\text.txt
azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB
$ cd dumpedText/
azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB/dumpedText
$ ls
file.None.0xfffffa8004edf270.dat
Only one .dat was written although two offsets were given: dumpfiles can only recover file pages that are still resident in memory. Let's read the one we got with cat:
azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB/dumpedText
$ cat file.None.0xfffffa8004edf270.dat
S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0= RISC OS
RISCOS
Fire OS
FireOS
macOS
mac OS
Mac OS X
OS X
macOS Server
macOSServer
Mac OS X Server
MacOSXServer
...
The first token is a base64-encoded string (the trailing = padding and the restricted alphabet give it away); let's decode it:
$ echo "S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0=" | base64 -d
KCTF{Respect_Y0ur_Her4nki}
Flag :
KCTF{Respect_Y0ur_Her4nki}
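Spotting one base64 string by eye works for a two-file dump, but a raw cache page can hold many base64-looking runs mixed with binary. As an added example (not from the original writeup), this Python script carves base64 runs out of a blob, keeps only those that decode to printable ASCII, and pulls CTF-style tokens out of them. The sample blob is constructed from the start of the dumped file above with some junk bytes added to mimic a raw page; the 16-character minimum and the flag regex are my own choices.

```python
import base64
import binascii
import re
import string

# A run of base64-alphabet characters with optional padding; short runs are mostly noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def carve_base64(blob: bytes, min_len: int = 16):
    """Find base64 runs in a binary blob that decode to printable ASCII.

    Returns a list of (token, decoded_text) pairs in the order found.
    """
    hits = []
    # latin-1 maps every byte to one code point, so the regex can run over raw data.
    for m in B64_RUN.finditer(blob.decode("latin-1")):
        token = m.group(0)
        if len(token) < min_len or len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        # Valid base64 that decodes to control bytes is almost always a false positive.
        if text and all(ch in PRINTABLE for ch in text):
            hits.append((token, text))
    return hits


def find_flags(texts, pattern=r"[A-Za-z0-9]+\{[^}\s]+\}"):
    """Pull CTF-style tokens such as KCTF{...} out of decoded strings."""
    flag_re = re.compile(pattern)
    return [f for t in texts for f in flag_re.findall(t)]


# Constructed sample: the start of the dumped text file from the page, surrounded by a few
# non-text bytes and a run of 'A's (valid base64 that decodes to NULs) to exercise the filters.
SAMPLE = (b"\x00\x00\xff\xfe"
          b"S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0= RISC OS\nRISCOS\nFire OS\nFireOS\n"
          b"macOS\nmac OS\nMac OS X\nOS X\nmacOS Server\nmacOSServer\n"
          b"\x00\x01\x02AAAAAAAAAAAAAAAA\x03")

if __name__ == "__main__":
    found = carve_base64(SAMPLE)
    for token, text in found:
        print(f"{token} -> {text!r}")
    print("flags:", find_flags([t for _, t in found]))
```

Point it at the whole dumpfiles output directory (open each .dat in binary mode and pass the bytes to carve_base64) when there are more files than you want to cat by hand.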
Challenge 5 Execution :
To see what the attacker did on the infected machine whose memory we have, we recover the cmd.exe history with the consoles plugin. It walks each conhost.exe process and extracts both the command history buffers and the screen buffer, so unlike cmdscan it also shows what the commands printed.
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP consoles > consoles.txt
$ cat consoles.txt
**************************************************
ConsoleProcess: conhost.exe Pid: 4888
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
Title: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
AttachedProcess: ModuleCoreServ Pid: 4880 Handle: 0x60
----
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
----
Screen 0x2d0bb0 X:80 Y:300
Dump:
**************************************************
ConsoleProcess: conhost.exe Pid: 4580
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 2656 Handle: 0x60
----
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 at 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
----
Screen 0x710b0 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\siam>C:\Users\siam\Documents\windows.bat
"KCTF{W3_AR3_tH3_Kn1GHt}"
C:\Users\siam>C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
C:\Users\siam>
So the program executed is windows.bat, and the flag is the string it printed to the console, recovered from the screen buffer.
The second command, notmyfault64.exe /crash, is Sysinternals NotMyFault deliberately crashing the box; that crash is evidently what produced the KnightSquad.DMP file analysed here, which is also why it opens directly in WinDbg.
Flag :
KCTF{W3_AR3_tH3_Kn1GHt}
Challenge 6 Path of the Executable :
The program that printed the previous flag is windows.bat, and the console history gives its full path, C:\Users\siam\Documents\windows.bat, so the directory is C:\Users\siam\Documents.
Flag :
KCTF{C:\Users\siam\Documents}
Challenge 7 Malicious :
Using the filescan output generated previously we can grep for all .exe files.
Reading through the executables we find one called MadMan.exe sitting in C:\Users\ezyzip, a user profile directory rather than a normal install location.
$ grep -i '\.exe' filescan.txt > exefiles.txt
$ cat exefiles.txt
...
...
...
0x00000000b9894c00 16 0 R--r-d \Device\HarddiskVolume2\Users\ezyzip\MadMan.exe
...
...
...
I searched Google for this executable and found that it's a virus.
There is another method, using the autoruns plugin from tomchop's volatility-autoruns repository, which enumerates the registry autostart locations (Run/RunOnce keys, services and the like) where a malicious program would register itself to persist across reboots.
First we have to clone the repository:
git clone https://github.com/tomchop/volatility-autoruns.git
and then run it with volatility, pointing --plugins at the cloned directory:
$ volatility.exe --plugins=volatility-autoruns/ --profile=Win7SP0x64 -f KnightSquad.DMP autoruns > autoruns.txt
$ cat autoruns.txt
Autoruns==========================================
Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2022-10-06 21:56:19 UTC+0000)
%SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 3576)
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
Danger : (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
C:\Users\ezyzip\MadMan.exe : Danger (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:28 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:38 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
...
...
...
In siam's NTUSER.DAT hive the Run key (last modified 2023-12-18 08:20:02, long after every other entry) holds a value named Danger whose data is C:\Users\ezyzip\MadMan.exe, so MadMan.exe is started at every logon of that user. It is the only autorun pointing into a user profile directory rather than %SystemRoot% or %ProgramFiles%, and the empty PIDs field shows it was not running when the dump was taken.
Flag :
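The plugin output is easy to eyeball at this size, but on a real host it runs to hundreds of lines. As an added example (not part of the original writeup or of the volatility-autoruns project), this Python script parses that text format and flags entries whose image path is empty, sits in a user-writable directory, or falls outside the usual %SystemRoot% / %ProgramFiles% locations. The trusted-prefix and user-writable lists are my own heuristics, not something the plugin provides; the sample input is the autoruns output above.

```python
import re

HIVE_RE = re.compile(r"^Hive:\s*(?P<hive>.+?)\s*$")
KEY_RE = re.compile(r"^(?P<key>\S.*?)\s*\(Last modified:\s*(?P<ts>.+?)\)\s*$")
ENTRY_RE = re.compile(r"^(?P<path>.*?)\s*:\s*(?P<name>[^:]*?)\s*\(PIDs:\s*(?P<pids>[^)]*)\)\s*$")

# Heuristics (my assumption): where a stock Windows autostart entry normally lives,
# lower-cased for comparison ...
TRUSTED_PREFIXES = ("%systemroot%", "%programfiles%", "c:\\windows\\", "c:\\program files")
# ... and path fragments a non-admin user can write to, the classic persistence tell.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


def parse_autoruns(text):
    """Turn the plugin's text output into a list of {hive, key, modified, name, path, pids}."""
    hive = key = ts = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Autoruns="):
            continue
        m = HIVE_RE.match(line)
        if m:
            hive = m.group("hive")
            continue
        m = ENTRY_RE.match(line)
        if m:
            path, name = m.group("path"), m.group("name")
            if not name:  # "Danger : (PIDs: )" is a value name with no data
                name, path = path, ""
            pids = [int(p) for p in m.group("pids").split(",") if p.strip()]
            entries.append({"hive": hive, "key": key, "modified": ts,
                            "name": name, "path": path, "pids": pids})
            continue
        m = KEY_RE.match(line)
        if m:
            key, ts = m.group("key"), m.group("ts")
    return entries


def assess(entry):
    """Return a reason string if the entry deserves a look, else None."""
    p = entry["path"].lower()
    if not p:
        return "value has no image path"
    if any(tok in p for tok in USER_WRITABLE):
        return "image lives in a user-writable directory"
    if not p.startswith(TRUSTED_PREFIXES):
        return "image outside the standard system/program directories"
    return None


def triage(text):
    """Parse and return only the entries that assess() flags, with the reason attached."""
    out = []
    for e in parse_autoruns(text):
        reason = assess(e)
        if reason:
            out.append(dict(e, reason=reason))
    return out


# The autoruns output from the page, reused here as sample input.
SAMPLE = r"""Autoruns==========================================
Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2022-10-06 21:56:19 UTC+0000)
%SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 3576)
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
Danger : (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
C:\Users\ezyzip\MadMan.exe : Danger (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:28 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:38 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e['reason']}: {e['name']!r} -> {e['path']!r} [{e['hive']} | {e['key']} | {e['modified']}]")
```

Run it on the saved autoruns.txt instead of SAMPLE to get the short list; an entry with no PIDs is not proof it never ran, only that it was not running at capture time.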