MemLab Series - Lab 1
Author: Alishba Malik
Lab 1 - Beginner's Luck
Hey there, fellow cyber enthusiasts! Buckle up, because today, we're diving into another lab.
Challenge description
My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Challenge file: MemLabs_Lab1
Sounds like a plot from a tech-thriller, right? Let's unravel this together!
This challenge is packed with three flags to uncover. Armed with the memory dump, we set out on our forensics adventure. Here’s how the saga unfolds:
First things first, let’s unzip the lab file. Use the command below to extract the contents:
7z x MemLabs-Lab1.7z
With the files ready, it's time to probe the memory dump with Volatility. To analyze it, I first need to identify the correct profile. Here's how I did it:
volatility -f MemoryDump_Lab1.raw imageinfo
Next, to ensure we have the right profile, I ran:
volatility -f MemoryDump_Lab1.raw kdbgscan
With the profile confirmed as Win7SP1x64, let’s list the active processes:
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
From the description, the biggest hints for me were drawing, something being executed, and important files, so that is where the saga starts. From the process list, what captured my attention were:
- cmd.exe
- mspaint.exe
- WinRAR.exe
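Picking those three out of a long pslist is exactly the kind of step worth scripting. The following Python helper is an added example, not part of the original write-up: it parses Volatility 2 pslist output, maps the three clues from the challenge text to candidate processes, and walks each one's parent chain (a child whose parent is gone or missing from the list is itself a useful observation). The pslist text is constructed; only mspaint.exe's PID 2424 comes from this lab, and every other offset, PID, PPID and timestamp is invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Volatility 2 `pslist` output in its real column layout. Only the
# mspaint.exe PID (2424) is taken from this lab; every other offset, PID, PPID
# and timestamp is invented for the example.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     80      570 ------      0 2019-12-11 14:36:51 UTC+0000
0xfffffa8001a9a060 explorer.exe           1000    980     30      900      1      0 2019-12-11 14:37:10 UTC+0000
0xfffffa8001c2c7a0 cmd.exe                1500   1000      1       20      1      0 2019-12-11 14:38:02 UTC+0000
0xfffffa8001d0e890 conhost.exe            1508    400      2       50      1      0 2019-12-11 14:38:02 UTC+0000
0xfffffa8001e4f060 mspaint.exe            2424   1000      6      128      1      0 2019-12-11 14:40:13 UTC+0000
0xfffffa8001f12b30 WinRAR.exe             1512   1000      4       90      1      0 2019-12-11 14:41:27 UTC+0000
"""

# The three clues from the challenge text and the processes that could explain them.
HINTS = {
    "black window": ("cmd.exe", "conhost.exe"),
    "drawing": ("mspaint.exe",),
    "important files": ("winrar.exe",),
}

# One pslist row: offset, name, PID, PPID, four numeric/placeholder columns, then the start time.
PSLIST_ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<start>\S+ \S+ \S+)"
)


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    start: str


def parse_pslist(text: str) -> List[Proc]:
    """Turn pslist's fixed-width table into Proc records; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            rows.append(Proc(m["name"], int(m["pid"]), int(m["ppid"]), m["start"]))
    return rows


def processes_for_hints(procs: List[Proc], hints=HINTS) -> Dict[str, List[Proc]]:
    """Map each clue to the running processes whose image name matches it (case-insensitive)."""
    by_name: Dict[str, List[Proc]] = {}
    for p in procs:
        by_name.setdefault(p.name.lower(), []).append(p)
    return {clue: [p for n in names for p in by_name.get(n.lower(), [])]
            for clue, names in hints.items()}


def lineage(procs: List[Proc], pid: int) -> List[str]:
    """Walk PPIDs upwards and return the chain of image names, starting at `pid`.
    Stops when the parent is not in the list (exited, or not captured) or on a loop."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for clue, matches in processes_for_hints(procs).items():
        for p in matches:
            chain = " <- ".join(lineage(procs, p.pid))
            print(f"{clue:16} -> {p.name} pid={p.pid} started {p.start} via {chain}")
```

On a real dump, feed it the saved output of `pslist` instead of the constructed text; the PIDs it prints are the ones to hand to memdump.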
Given the black window hint, we dive into the command history:
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan
Among the findings, this string caught my eye:
St4G3$1
Hmm, intriguing! Let's dig deeper by examining the console history:
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
A base64 encoded string surfaced in my search:
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
Decoding it revealed our first flag:
echo -n "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" | base64 -d
flag 1:
flag{th1s_1s_th3_1st_st4g3!!}
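Spotting the base64 string in the consoles output by eye works for one buffer; over a whole process dump it does not. As an added example (not from the write-up), here is a Python scanner that finds base64-alphabet runs in raw bytes, repairs padding that may have been lost in memory, decodes each run, and keeps only results that are printable text and, optionally, match the flag format. The console buffer below is constructed for the example; the only thing taken from the lab is the encoded flag itself.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# A base64 alphabet run, optionally followed by padding. Short runs are filtered later.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")

# Constructed stand-in for what a console buffer recovered by `consoles` can look like:
# a prompt, the encoded flag, the stage marker and some noise. It is not the real
# buffer from this dump; only the base64 string itself is the one from the write-up.
SAMPLE_CONSOLE = (
    b"\x00\x00C:\\Users\\Alissa Simpson>type note.txt\r\n"
    b"ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=\r\n"
    b"\x00\xffSt4G3$1\x00\x00 deadbeefdeadbeef0000 "
    b"QUJDREVGR0hJSktMTU5PUA==\x00"
)


def find_base64_strings(data: bytes, min_len: int = 16,
                        pattern: Optional[bytes] = rb"flag\{[^}]*\}") -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, encoded, decoded) for each base64 run that decodes to printable
    ASCII. Runs shorter than `min_len` are ignored (ordinary alphanumeric words would
    otherwise flood the output), padding is rebuilt if it was lost, and when `pattern`
    is given only decodings matching it are kept."""
    hits = []
    for m in B64_RUN.finditer(data):
        token = m.group(0)
        if len(token) < min_len:
            continue
        padded = token.rstrip(b"=")
        padded += b"=" * (-len(padded) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue          # right alphabet, impossible length: not base64
        if not decoded or any(b < 0x20 or b > 0x7E for b in decoded):
            continue          # decodes to binary, not to text
        if pattern is not None and not re.search(pattern, decoded):
            continue
        hits.append((m.start(), token, decoded))
    return hits


def scan_file(path: str, **kwargs) -> List[Tuple[int, bytes, bytes]]:
    """Run the scanner over a whole file read from disk (e.g. a memdump'd process)."""
    with open(path, "rb") as fh:
        return find_base64_strings(fh.read(), **kwargs)


if __name__ == "__main__":
    for offset, enc, dec in find_base64_strings(SAMPLE_CONSOLE):
        print(f"0x{offset:08x} {enc.decode()} -> {dec.decode()}")
```

Pass `pattern=None` to list every printable decoding rather than only flags; the printable-text check still removes the many alphanumeric runs (hex strings, paths) that happen to be valid base64 but decode to garbage.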
One flag down, two more to go. Next I started digging into mspaint.exe, whose PID (2424) appears in the process list. I dumped Paint's process memory to find out what was being drawn at the time:
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D .
# -p selects the process by PID
# -D sets the directory the dump is written to
Renaming the dumped file for clarity:
mv 2424.dmp 2424.data
Using GIMP to visualize the data, opening the file as raw image data. The offset and dimensions are courtesy of The Cyber Expert, because finding them is pure guesswork and would have taken years (at least for me; otherwise my procrastination would mind, hehe) to figure out:
gimp 2424.data
With offset 6774541, width 1230, and height 10000, I extracted the second flag.
Flag 2:
flag{good_boy_bad_girl}
Finally, I turned my attention to the command-line arguments of the processes to locate the suspicious RAR file (the last hint):
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdline
Since our current target is the WinRAR process, the interesting part is the argument passed to it:
C:\Users\Alissa Simpson\Documents\Important.rar
Now let's scan for this file to get its address:
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan | grep -i important.rar
Dumping the file:
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D .
ls
Renaming and extracting the RAR:
file file.None.0xfffffa8001034450.dat
mv file.None.0xfffffa8001034450.dat important.rar
unrar e important.rar
The important.rar file was password protected, but when I ran the unrar command it displayed a hint for the password: the NTLM hash of Alissa's account. Let's hashdump it.
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
password: F4FF64C8BAAC57D22F22EDC681055BA6
eog flag3.png
flag 3:
flag{w3ll_3rd_stage_was_easy}
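Volatility's hashdump prints one account per line in pwdump layout, `user:RID:LM-hash:NT-hash:::`, and it pays to read the fields rather than copy the line. As an added example (not from the write-up), the Python below parses that output, flags two well-known markers (the LM field of an account with no LM hash stored, and the NT hash of a blank password), and returns the NT hash of a named account in the uppercase form this lab used as the RAR password. The hashdump text is constructed: the NT hash on the Alissa Simpson line is the one from this write-up, while the RIDs and the other two accounts are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

# Two values every analyst learns to recognise in hashdump output.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" : no LM hash stored (Vista+ default)
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" : the account has a blank password

# Constructed hashdump output. Only the NT hash on the 'Alissa Simpson' line comes from
# this lab; the RIDs and the other two accounts are invented for the example.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == NT_EMPTY

    @property
    def lm_stored(self) -> bool:
        return self.lm != LM_EMPTY


def parse_hashdump(text: str) -> List[Account]:
    """Parse pwdump-style lines (user:RID:LM:NT:::); anything else, such as Volatility's
    own status messages, is skipped. Hashes are normalised to lowercase."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def rar_password_for(accounts: List[Account], user: str) -> Optional[str]:
    """The archive hint named the NT hash as the password; return it uppercased, the
    form used in this write-up (the archive only accepts it as typed)."""
    for a in accounts:
        if a.user.lower() == user.lower():
            return a.nt.upper()
    return None


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    for a in accts:
        print(f"{a.user:16} rid={a.rid} blank={a.blank_password} lm_stored={a.lm_stored}")
    print("RAR password:", rar_password_for(accts, "Alissa Simpson"))
```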
And there you have it! Through a series of clever forensics steps, we’ve uncovered all three flags hidden within the memory dump. Stay curious, keep exploring, and happy hunting!