[hsb] Presents: OtterCTF 2018 — Memory Forensics Write-Up
Work had been keeping me so busy that I needed some time off to sharpen my (rusty) skills, so my team and I decided to participate in an online CTF called OtterCTF. I̶’̶m̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶o̶u̶t̶ ̶o̶f̶ ̶c̶o̶n̶t̶e̶n̶t̶ ̶f̶o̶r̶ ̶t̶h̶e̶ ̶y̶e̶a̶r̶ I found the questions challenging and interesting, so I decided to do a write-up! 😅
Step 0: Preparation
Whenever I am given a memory image to analyze, I do the following steps first as part of my routine:
1. Identify the suggested profile for the memory image using volatility
We can see the profiles that were suggested by volatility. We’ll opt to use the first one: all volatility commands from now on should include the --profile=Win7SP1x64 profile flag.
2. List the available registry hives
This task is pretty easy to execute since it only takes a single volatility plugin run. Take note of the virtual addresses of the registry hives, since we’ll be using them in the next step.
3. Dump the available registry hives (for system profiling/credential dumping)
This task is also easy to execute since volatility’s dumpregistry plugin does it for us. Executing the command:
volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpregistry -o <virtual memory address of the hive> -D <output directory>
will dump the registry hive into the specified output directory.
4. Perform quick regripper runs on the dumped hives
Execute the following command to perform a quick run of regripper on the specified hive:
rip -r <registry file> -f <sam/security/software/system> > <output file>
In my opinion, doing the above commands prior to analysis makes sure that you already have the preliminary data you need to perform a quick, but thorough analysis of memory images.
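Steps 2 to 4 above are mechanical enough to script. The following is an added example (not code from the write-up) that parses a constructed sample of the hive listing, keeps only the hives regripper has a profile for, and emits the matching dumpregistry and rip command lines; the hive addresses are made up, and the dumpregistry output file name is an assumption noted in the code.

```python
import re

# Constructed sample of what Volatility 2's hivelist plugin prints (the write-up
# shows it only as a screenshot); the addresses are made up.
SAMPLE_HIVELIST = """\
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d4c4010 [no name]
0xfffff8a00000f010 0x000000002d50c010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000abc010 0x000000001f1b2010 \\SystemRoot\\System32\\Config\\SAM
0xfffff8a000c4d010 0x000000001e0aa010 \\SystemRoot\\System32\\Config\\SECURITY
0xfffff8a000d2e010 0x000000001d8f7010 \\SystemRoot\\System32\\Config\\SOFTWARE
0xfffff8a001e3f010 0x000000001c9c0010 \\??\\C:\\Users\\Rick\\ntuser.dat
"""

# Hive file name -> the regripper profile passed to `rip -f`
RIP_PROFILES = {"SAM": "sam", "SECURITY": "security",
                "SOFTWARE": "software", "SYSTEM": "system"}

HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$", re.I)


def parse_hivelist(text):
    """Return (virtual address, hive path) pairs; header/separator lines are skipped."""
    return [(m.group(1), m.group(3))
            for m in (HIVE_LINE.match(line) for line in text.splitlines()) if m]


def plan_commands(hivelist_text, image="OtterCTF.vmem",
                  profile="Win7SP1x64", outdir="hives"):
    """Build (dumpregistry command, rip command) pairs for hives regripper can profile."""
    plans = []
    for vaddr, path in parse_hivelist(hivelist_text):
        name = path.rsplit("\\", 1)[-1].upper()
        rip_profile = RIP_PROFILES.get(name)
        if rip_profile is None:        # [no name], NTUSER.DAT, ...: no matching rip profile
            continue
        dump_cmd = (f"volatility -f {image} --profile={profile} dumpregistry "
                    f"-o {vaddr} -D {outdir}")
        # ASSUMPTION: dumpregistry names its output registry.<vaddr>.<name>.reg;
        # check the file name the volatility version you run actually writes.
        dumped = f"{outdir}/registry.{vaddr}.{name}.reg"
        rip_cmd = f"rip -r {dumped} -f {rip_profile} > {outdir}/{rip_profile}.txt"
        plans.append((dump_cmd, rip_cmd))
    return plans


if __name__ == "__main__":
    for dump_cmd, rip_cmd in plan_commands(SAMPLE_HIVELIST):
        print(dump_cmd)
        print(rip_cmd)
```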
1 — What the password?
Instinctively, I used the hashdump plugin to list the NTLM hashes stored in the memory image.
However, the stored NTLM hash for Rick’s password, 518172d012f97d3a8fcc089615283940, does not resolve to any plaintext password when submitted to online NTLM crackers.
Our only hope is that the password was misplaced (i.e. stored in a text file, config file, etc.) or, since this is a Windows 7 memory image, that it is stored in the machine’s LSA secrets.
True enough, running volatility with the lsadump plugin displays the following:
2 — General Info
To check the system’s IP address, we can use the netscan plugin and look at the local address:
Since we already ran regripper on the registry hives, we can check for the hostname in its output.
3 — Play Time
Based on the netscan output from the previous question, we can see that there is a running process called LunarMS.exe. A quick Google search tells us that it is a MapleStory server. Therefore:
4 — Name Game
For this question, our hope relies on the memory-resident pages of the LunarMS.exe process. The netscan command we executed earlier provided the process id of LunarMS.exe (pid 708), so we can now dump its memory-resident pages with volatility (the dump is written to 708.dmp).
Now, we can search for the relevant strings pertaining to the question using:
$ strings 708.dmp | grep -a Lunar\-3 -C 5
The string below the second result catches our eye, therefore:
5 — Name Game 2
This one’s fairly easy: I opened the dump of the LunarMS.exe process in my favorite hex editor, 010 Editor, and searched for the last 4 bytes (5A 0C 00 00):
6 — Silly Rick
The challenge gives us a huge clue on how to solve this. Since he always copies and pastes his password to enter it, we have a huge chance of recovering it via the clipboard plugin:
7 — Hide and Seek
Running pslist on the memory image, we can see the following interesting processes:
Currently, we have 2 perpetrators: Rick and Morty season 1 download.exe and vmware-tray.exe.
Why vmware-tray.exe? Because if you look at its ppid (Parent Process ID), it was spawned by pid 3820, Rick and Morty season 1 download.exe. To further support our analysis, we can run one more volatility plugin to check where its executable lives. This shows that vmware-tray.exe is running from an unknown/suspicious path (Temp, anyone?). Therefore:
Hmm. It looks like Rick’s system was infected via a malicious torrent file.
8 — Path to Glory
Since we have indicators that this malware came from a torrent file, we need to locate the said torrent file in the memory image itself. Dumping the file with the dumpfiles plugin and displaying its information shows us the following:
This further supports our hypothesis that Rick’s system was infected via a malicious torrent file. But how?
9 — Path to Glory 2
For this question, I had a hunch that the file was downloaded from somewhere, so I looked into Rick’s Google Chrome browsing history. A user’s History file is located at:
We can locate it in the memory image, extract it using dumpfiles, and open it in sqlitebrowser, which displays the following:
To know where the .torrent file was downloaded from, we must look at the site_url:
We can see that the download was referred by “mail.com”, which means that the malware found its way onto the system through a malicious email attachment. However, we still don’t have the credentials Rick used to log into his email account. Or do we?
To extract e-mail-related artifacts, I used bulk_extractor. Displaying the contents of its resulting e-mail feature file and grep-ing for “@mail.com” shows the following entries:
We can see that email@example.com exists. If you remember the previous questions, we already have Rick’s email password, which we got thanks to the clipboard plugin. We can now log into Rick’s email account!
10 — Bit 4 Bit
This question can be solved by running the strings command, with the little-endian flag set, on the dumped exe of process 3720 (extracted using procdump):
11 — Graphic’s For the Weak
I solved this by running foremost on the dumped exe file of process 3720, which then carves out a
12 — Recovery
Running strings on the memory dump of the malware process with the little-endian flag set displays the following:
Pay attention to the highlighted string. At first glance it seems harmless, but look at its surroundings: it is unusual for it to sit right next to the computer’s hostname, after an encrypted file (i.e. Flag.txt) and before a ransomware’s common target extensions (e.g. .xlsx, etc.). Therefore:
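Questions 10 and 12 both rely on strings with the little-endian flag, and question 4 on grep -C to see a hit’s neighbours. As an added example (not code from the write-up), here is a Python equivalent of both run over a constructed stand-in for a process dump: it pulls out UTF-16LE strings and returns each match together with the strings around it, which is exactly how the odd string in question 12 stands out. The hostname and note text in the sample are placeholders.

```python
import re


def wide(s):
    """Encode text the way Windows keeps it in memory: UTF-16LE."""
    return s.encode("utf-16-le")


# Constructed stand-in for a process memory dump: wide strings of the kind
# `strings -el` reports, separated by junk bytes. The hostname and note text
# are placeholders, not values from the write-up.
SAMPLE_DUMP = (b"\x00\x11\x22" + wide("C:\\Users\\Rick\\Desktop\\Flag.txt")
               + b"\x90\x90" + wide("HOSTNAME-PLACEHOLDER")
               + b"\x00\x00\x01" + wide("<ransom-note-placeholder>")
               + b"\xff" + wide(".txt,.docx,.xlsx,.pptx") + b"abcd\x00")


def strings_le(buf, minlen=4):
    """Emulate `strings -el`: (offset, text) for every run of at least minlen
    printable ASCII characters stored as 16-bit little-endian units."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(buf)]


def grep_context(found, pattern, before=1, after=1):
    """Like `grep -C`: for every string matching pattern, return it together
    with its neighbours (hostname on one side, target extensions on the other
    is what gave the question 12 string away)."""
    rx = re.compile(pattern)
    hits = []
    for i, (_, text) in enumerate(found):
        if rx.search(text):
            lo, hi = max(0, i - before), min(len(found), i + after + 1)
            hits.append([t for _, t in found[lo:hi]])
    return hits


if __name__ == "__main__":
    found = strings_le(SAMPLE_DUMP)
    for off, text in found:
        print(f"{off:#08x}  {text}")
    print(grep_context(found, r"<ransom"))
```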
13 — Closure
If you look at the indicators that are present in the malware:
These will point you to $ucyLocker, a HiddenTear variant.
To decrypt the file (Flag.txt, located on Rick’s Desktop), I used this tool: HiddenTear Decrypter.
However, some changes need to be made to the file itself before it can be decrypted. First, we need to add the .WINDOWS file extension. Also, we need to remove the trailing NULL bytes.
After doing so, supplying the password decrypts the file:
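Added example (not code from the write-up or from the decrypter): a Python helper for the two fixes above. It strips the page padding that dumpfiles leaves, but rounds back up to a whole cipher block rather than stripping blindly, because a naive strip also eats ciphertext bytes that happen to be 0x00. It assumes the file is AES-CBC output, which is what HiddenTear-family lockers write.

```python
AES_BLOCK = 16  # ASSUMPTION: $ucyLocker, like HiddenTear, writes AES-CBC ciphertext


def trim_dumped_ciphertext(data, block=AES_BLOCK):
    """Remove the NUL tail that dumpfiles leaves on a carved file.

    Cached file data is dumped in whole memory pages, so everything after the
    file's real end is 0x00. Blindly stripping every trailing NUL over-shoots
    whenever the ciphertext itself ends in 0x00 bytes, so after stripping we
    round back up to a whole number of cipher blocks: CBC output is always a
    multiple of the block size, and the bytes we put back can only have been
    NULs. (A ciphertext ending in a full block of NULs stays ambiguous.)
    """
    stripped = data.rstrip(b"\x00")
    whole = -(-len(stripped) // block) * block        # ceil to a block boundary
    if whole > len(data):
        raise ValueError("dump ends before a block boundary; not a whole ciphertext")
    return data[:whole]


def prepare_for_decrypter(path, block=AES_BLOCK):
    """Write the trimmed ciphertext to <path>.WINDOWS and return that name."""
    with open(path, "rb") as f:
        data = f.read()
    out = path + ".WINDOWS"
    with open(out, "wb") as f:
        f.write(trim_dumped_ciphertext(data, block))
    return out


if __name__ == "__main__":
    import sys
    print(prepare_for_decrypter(sys.argv[1]))
```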