KnightCTF 2024 mem challenges

mem dump Download Link : https://drive.google.com/file/d/1-NCGNf8dBIu2LuA3Rl6BWlx2QBp0hmdW/view

Challenge 1 OS :

to view OS related informations we are going to open the memory dmp file in windbg and execute the command !analyze -s

scrolling down the results we will find the OS version

Flag :

KCTF{7.1.7601.24214}

Challenge 2 Password :

First i tried the lsadump plugin to dump plain text passowrds from the memoty but it didn't contain any passwords

$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP lsadump > lsadump.txt
$ cat lsadump.txt
DefaultPassword
0x00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  e0 4b c9 10 e9 e2 76 c1 8e 40 e0 7e c2 0e 0d 21   .K....v..@.~...!

NL$KM
0x00000000  40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   @...............
0x00000010  40 d6 21 e7 0a 7e 0c d5 50 7a b8 a4 3c e7 c3 5d   @.!..~..Pz..<..]
0x00000020  00 da 39 66 19 0e 34 fd cb eb 67 ea 95 9b 6c 60   ..9f..4...g...l`
0x00000030  ea 61 e6 32 a1 6e 55 c7 57 6c d1 a4 4d c7 37 ba   .a.2.nU.Wl..M.7.
0x00000040  ca ff ee 1e ba bf e6 b1 02 71 ac 37 f8 84 d0 95   .........q.7....
0x00000050  8f 21 6c 0d c3 86 c0 48 63 ed fb 91 ba 47 53 a0   .!l....Hc....GS.

DPAPI_SYSTEM
0x00000000  2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ,...............
0x00000010  01 00 00 00 fd 3c 8e 3b 13 14 6e 7a 48 b7 75 4a   .....<.;..nzH.uJ
0x00000020  8f 53 37 f5 bf e0 86 56 cc d7 50 73 53 72 59 52   .S7....V..PsSrYR
0x00000030  6f 65 94 1a d4 97 ca ce 35 8f 4c 29 00 00 00 00   oe......5.L)....

then i used the plugin hashdump to extract users hashes from the SAM database

$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP hashdump > hashdump.txt
$ cat hashdump.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
siam:1001:aad3b435b51404eeaad3b435b51404ee:7ab3201ceecd554f772573bb064a0f38:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:99d22b68c0d197f683f3d994c7f31254:::

and then took the NTLMv2 hashes and crack them at crackstation website, 3 passwords were successfully cracked but one that contains text password which is the siam user password

Flag :

KCTF{squad}

Challenge 3 IP Addr :

we will use the plugin netscan to view all the connections related information and in the local address we can find the system address

$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP netscan > netscan.txt
$ cat netscan.txt

Flag :

KCTF{10.0.2.15}

Challenge 4 Note :

we will use the plugin filescan to enumerate all the system files

$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP filescan > filescan.txt

and we get a huge list of files

we know that the boss have left a text file so we will use grep to search for files with .txt extension

$ cat filescan.txt | grep ".txt"
0x00000000b9ba7bb0     16      0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
0x00000000b9d1ef20     16      0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text.txt
0x00000000bbd7f950      1      1 -W-rw- \Device\HarddiskVolume2\Users\siam\AppData\Local\Temp\FXSAPIDebugLogFile.txt

and we have 2 text files, to read their contents we will use the plugin dumpfiles

azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB
$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP dumpfiles -Q 0x00000000b9ba7bb0,0x00000000b9d1ef20 --dump-dir=/e/Sherloks\ HTB/dumpedText/
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0xb9ba7bb0   None   \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
DataSectionObject 0xb9d1ef20   None   \Device\HarddiskVolume2\Users\siam\Documents\text.txt

azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB
$ cd dumpedText/

azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB/dumpedText
$ ls
file.None.0xfffffa8004edf270.dat

using cat command let's read its contents

azer@DESKTOP-OQ42TBR MINGW64 /e/Sherloks HTB/dumpedText
$ cat file.None.0xfffffa8004edf270.dat
S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0= RISC OS
RISCOS
Fire OS
FireOS
macOS
mac OS
Mac OS X
OS X
macOS Server
macOSServer
Mac OS X Server
MacOSXServer
...

and we can see a base64 encoded string let's decode it

$ echo "S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0=" | base64 -d
KCTF{Respect_Y0ur_Her4nki}

Flag :

KCTF{Respect_Y0ur_Her4nki}

Challenge 5 Execution :

to see what the attacker has done on the infected machine which we have its memory dump we will dump the cmd history. we will use the plugin consoles

$ volatility.exe --profile=Win7SP0x64 -f KnightSquad.DMP consoles > consoles.txt
$ cat consoles.txt
**************************************************
ConsoleProcess: conhost.exe Pid: 4888
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
Title: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
AttachedProcess: ModuleCoreServ Pid: 4880 Handle: 0x60
----
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
----
Screen 0x2d0bb0 X:80 Y:300
Dump:

**************************************************
ConsoleProcess: conhost.exe Pid: 4580
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 2656 Handle: 0x60
----
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 at 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
----
Screen 0x710b0 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\siam>C:\Users\siam\Documents\windows.bat
"KCTF{W3_AR3_tH3_Kn1GHt}"

C:\Users\siam>C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash

C:\Users\siam>

so the program executed is windows.bat and the flag is the output of the program executed

Flag :

KCTF{W3_AR3_tH3_Kn1GHt}

Challenge 6 Path of the Executable :

the program that outputed the prevoius flag is windows.bat

Flag :

KCTF{C:\Users\siam\Documents}

Challenge 7 Malicious :

using the filescan output generated previously we can grep for all exe files

reading through the executables we can find an executable called MadMan.exe

$ cat filescan.txt | grep ".exe" > exefiles.txt
$ cat exefiles.txt
...
...
...
0x00000000b9894c00     16      0 R--r-d \Device\HarddiskVolume2\Users\ezyzip\MadMan.exe
...
...
...

i searched in google for this executable and i found that its a virus

there is another method by using the autoruns plugin from this repository

GitHub - tomchop/volatility-autoruns: Autoruns plugin for the Volatility frameworkGitHub

which enumerates all the registry keys where a malicious program would hide itself to persist

first we have to clone the repository

git clone https://github.com/tomchop/volatility-autoruns.git

and then run it with volatility

$ volatility.exe --plugins=volatility-autoruns/ --profile=Win7SP0x64 -f KnightSquad.DMP autoruns > autoruns.txt
$ cat autoruns.txt
Autoruns==========================================

Hive: \SystemRoot\System32\Config\SOFTWARE 
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2022-10-06 21:56:19 UTC+0000)
        %SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 3576)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )

Hive: \??\C:\Users\siam\ntuser.dat 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
        Danger                         :  (PIDs: )

Hive: \??\C:\Users\siam\ntuser.dat 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
        C:\Users\ezyzip\MadMan.exe     : Danger (PIDs: )

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:28 UTC+0000)
        C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:38 UTC+0000)
        C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
...
...
...

and we can see Dangerous autorun C:\Users\ezyzip\MadMan.exe by the word Danger in front of it

Flag :

KCTF{MadMan.exe}