5Charlie CTF - 0day
A write-up of the 0day Windows memory forensics challenge from 5Charlie CTF.
0day 1
0day 1 - Challenge
To access these challenges, ssh to volatility@forensics.5charlie.com using the attached private key.
A memory capture of this system is saved at /data/0day.bin
What is the Volatility profile for this image?
Attachments: id_volatility - SSH Key
0day 1 - Solution
Lets start out by asking Volatility what profile it thinks will match.
vol.py -f 0day.bin imageinfoWe can see that Volatility gives us a few different suggested profiles.
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win8SP0x64, Win81U1x64, Win2012R2x64_18340, Win2012R2x64, Win2012x64, Win8SP1x64_18340, Win8SP1x64
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/0day.bin)
PAE type : No PAE
DTB : 0x1aa000L
KDBG : 0xf80222515530L
Number of Processors : 4
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff80222564000L
KPCR for CPU 1 : 0xffffd00194b60000L
KPCR for CPU 2 : 0xffffd00190d88000L
KPCR for CPU 3 : 0xffffd00190dc5000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-10-23 19:23:24 UTC+0000
Image local date and time : 2019-10-23 15:23:24 -0400
I’m not an expert with Volatility so I turn to Google and find this wonderful set of posts from Andrea Fortuna.
Maybe we can find a difference in the number of returned processes and modules when we do a KDBG scan utilizing each of the suggested profiles.
for i in Win8SP0x64 Win81U1x64 Win2012R2x64_18340 Win2012R2x64 Win2012x64 Win8SP1x64_18340 Win8SP1x64; do vol.py -f 0day.bin --profile=$i kdbgscan; doneWell, unfortunately, all the processes and modules match. All the profile suggestions match the requested profile. This only helps us narrow it down to Minor Build 9600 (Windows 8.1 or Windows Server 2012 SP2). Output truncated to relevant portions.
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win8SP0x64 (6.2.9200 64bit)
...
Profile suggestion (KDBGHeader): Win8SP0x64
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win81U1x64 (6.3.17031 64bit)
...
Profile suggestion (KDBGHeader): Win81U1x64
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)
Profile suggestion (KDBGHeader): Win2012R2x64_18340
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win2012R2x64 (6.3.9601 64bit)
...
Offset (V) : 0xf80222515530
Profile suggestion (KDBGHeader): Win2012R2x64
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win2012x64 (6.2.9201 64bit)
Profile suggestion (KDBGHeader): Win2012x64
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win8SP1x64_18340 (6.3.9600 64bit)
...
Profile suggestion (KDBGHeader): Win8SP1x64_18340
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win8SP1x64 (6.3.9600 64bit)
Profile suggestion (KDBGHeader): Win8SP1x64
Version64 : 0xf80222515e58 (Major: 15, Minor: 9600)
PsActiveProcessHead : 0xfffff8022252e300 (67 processes)
PsLoadedModuleList : 0xfffff80222548550 (150 modules)
...
So we’ve narrowed our options down to Win81U1x64, Win2012R2x64_18340, Win2012R2x64 based upon the service packs and minor version.
At this point I wsa able to guess and check submitting as the flag until Win2012R2x64 was accepted as the solution.
I was sure to hang on to the Offset (V): 0xf80222515530 to use for future commands to minimize the number of sanity checks when running Volatility. (Another great tip from Andrea Fortuna)
Flag: Win2012R2x64
0day 2
0day 2 - Challenge
What was the startup time for this system? Format YYYY-MM-DD HH:MM:SS
0day 2 - Solution
This can be solved by looking at the Start datetime in pslist
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 pslistVolatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe0011123e740 System 4 0 107 0 ------ 0 2019-10-17 21:36:43 UTC+0000
... [truncated]
Flag: 2019-10-17 21:36:43
0day 3
0day 3 - Challenge
What is the system’s hostname?
0day 3 - Solution
This can be solved by looking at the system environment variables for the COMPUTERNAME variable.
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 envvarsI’ll focus in on the DumpIt.exe process since it was run by a user rather than a service and likely has more variables.
Pid Process Block Variable Value
-------- -------------------- ------------------ ------------------------------ -----
...[truncated]
4948 DumpIt.exe 0x000000dc75320860 COMPUTERNAME WEB-SERVER-DMZ
...
Flag: WEB-SERVER-DMZ
0day 4
0day 4 - Challenge
What is the name of the active directory domain?
0day 4 - Solution
This can be solved by looking at the system environment variables for the USERDOMAIN variable.
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 envvarsI’ll focus in on the DumpIt.exe process since it was run by a user rather than a service and likely has more variables.
Pid Process Block Variable Value
-------- -------------------- ------------------ ------------------------------ -----
...[truncated]
4948 DumpIt.exe 0x000000dc75320860 USERDOMAIN area116
...
Flag: area116
0day 5
0day 5 - Challenge
What is the system’s IP address?
0day 5 - Solution
For this challenge we can take a look at the local address in the network sessions.
It will likely be an IPv4 address that is NOT a lookpack address (127.0.0.0/8) or wildcard (0.0.0.0).
We can search for network connections on Vista+ boxes using netscan
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 envvarsOffset(P) Proto Local Address Foreign Address State Pid Owner Created
0x80627490 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80627490 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80627ba0 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80627ba0 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x806281f0 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x806281f0 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80628900 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80628900 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80629660 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80629660 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80629ba0 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x80629ba0 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x8062a490 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x8062a490 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x8062ad70 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x8062ad70 UDPv6 :::0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
0x8062b660 UDPv4 0.0.0.0:0 *:* 796 csrss.exe 2019-10-23 14:25:02 UTC+0000
...[truncated, but more of the same tens of thousands of times]
That’s weird. I don’t know what would cause Volatility to find so many wildcard UDP binds.
It’s not relevant to our task, so I’ll just negate the repeating pattern using egrep -v "(UDPv4|UDPv6) {4}(0.0.0.0|::):0"
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 envvars | egrep -v "(UDPv4|UDPv6) {4}(0.0.0.0|::):0"Offset(P) Proto Local Address Foreign Address State Pid Owner Created
...[truncated]
0x848349f0 TCPv4 172.116.5.105:52856 172.116.4.4:135 CLOSED 500 lsass.exe
0x84c7d9f0 TCPv4 172.116.5.105:135 192.168.3.71:19794 CLOSED 612 svchost.exe
0x852279f0 TCPv4 172.116.5.105:445 192.168.3.16:57010 ESTABLISHED 4 System
0x8563f300 TCPv4 172.116.5.105:49154 192.168.3.71:31668 ESTABLISHED 816 svchost.exe
0x857c4300 TCPv4 172.116.5.105:52873 172.116.4.4:88 CLOSED 500 lsass.exe
0x85a389f0 TCPv4 172.116.5.105:135 192.168.3.49:37492 CLOSED 612 svchost.exe
...
We can see that the local address 172.116.5.105 has been used multiple times.
Flag: 172.116.5.105
0day 6
0day 6 - Challenge
What SID proves session 4 is granted domain admin rights?
0day 6 - Solution
This can be determined by cross-referencing sessions to getsids.
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 sessionsHere we see a few PIDs associated with session 4. Let’s make note of these. I’m gonna focus in on 4220 (iexplore.exe).
...[truncated]
**************************************************
Session(V): ffffd00191135000 ID: 4 Processes: 10
PagedPoolStart: fffff90140000000 PagedPoolEnd fffff9213fffffff
Process: 796 csrss.exe 2019-10-23 14:44:33 UTC+0000
Process: 4120 winlogon.exe 2019-10-23 14:44:33 UTC+0000
Process: 1916 dwm.exe 2019-10-23 14:44:33 UTC+0000
Process: 4832 taskhostex.exe 2019-10-23 15:04:25 UTC+0000
Process: 3036 explorer.exe 2019-10-23 15:04:25 UTC+0000
Process: 5076 vmtoolsd.exe 2019-10-23 15:04:35 UTC+0000
Process: 4080 iexplore.exe 2019-10-23 15:05:00 UTC+0000
Process: 4220 iexplore.exe 2019-10-23 15:05:00 UTC+0000
Process: 416 mmc.exe 2019-10-23 16:01:35 UTC+0000
Process: 1356 LogonUI.exe 2019-10-23 16:22:26 UTC+0000
Now to get the security identifiers (SID).
vol.py -f 0day.bin --profile=Win2012R2x64 --kdbg=0xf80222515530 getsidsWe could grep these to the PID we’re looking for, but I didn’t do so this time.
...[truncated]
iexplore.exe (4220): S-1-5-21-4092088994-1057394591-2624646455-1491
iexplore.exe (4220): S-1-5-21-4092088994-1057394591-2624646455-513 (Domain Users)
iexplore.exe (4220): S-1-1-0 (Everyone)
iexplore.exe (4220): S-1-5-32-545 (Users)
iexplore.exe (4220): S-1-5-32-544 (Administrators)
iexplore.exe (4220): S-1-5-4 (Interactive)
iexplore.exe (4220): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
iexplore.exe (4220): S-1-5-11 (Authenticated Users)
iexplore.exe (4220): S-1-5-15 (This Organization)
iexplore.exe (4220): S-1-5-5-0-123049355 (Logon Session)
iexplore.exe (4220): S-1-2-0 (Local (Users with the ability to log in locally))
iexplore.exe (4220): S-1-5-21-4092088994-1057394591-2624646455-512 (Domain Admins)
iexplore.exe (4220): S-1-18-1 (Authentication Authority Asserted Identity)
iexplore.exe (4220): S-1-5-21-4092088994-1057394591-2624646455-572
iexplore.exe (4220): S-1-16-4096 (Low Mandatory Level)
...
There we go, iexplore.exe (4220): S-1-5-21-4092088994-1057394591-2624646455-512 (Domain Admins).
Internet Explorer running as Domain Admin. That’s probably not a good idea.
Flag: S-1-5-21-4092088994-1057394591-2624646455-512