Volatility3 Exercise — MemLabs Lab 1

ptwistedworld
5 min read · May 30, 2024


Hi, this is an old challenge that was uploaded 4 years ago. There are already many writeups available on the internet regarding this. I only created this writeup as an exercise for me and as well as a learning experience for everyone in exploring volatility3. There are a lot of changes between volatility2 and volatility3 which I saw first hand while doing this challenge. The memory dump is provided by MemLabs.

p.s. I will be using a mix of Volatility3 on both Windows and Linux since I can’t get all plugins to work on just one platform 😅

MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics.

Context: My sister’s computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That’s all we remember from the time of the crash.

Memory dump: https://mega.nz/#!6l4BhKIb!l8ATZoliB_ULlvlkESwkPiXAETJEF7p91Gf9CWuQI70

I’ve done a bit of googling and found that in volatility2 it’s customary to run imageinfo first to find and specify a profile to use with the subsequent commands, but this is no longer necessary when using volatility3. First, we check for interesting processes using the command

python vol.py -f MemoryDump_Lab1.raw windows.pslist.PsList

What we want to do here is filter out processes that stand out. Going by the context, she described a black window popping up, which is likely cmd.exe, and she was drawing something, so mspaint.exe in the process list is also relevant. Additionally, there is WinRAR.exe that we can take a look at later.

Let’s start with cmd.exe (PID 1984). In volatility2 you could run the console command and it would output all the command history that was executed there, but we’re using volatility3 so we are taking a different approach. I’m not sure if this is the most efficient way, but this is the one that worked for me.

python vol.py -f MemoryDump_Lab1.raw windows.handles --pid 1984

When you see Type — File, it means this is a physical file that is linked with the process. In an ideal scenario, we can just try dumping it using the command

python vol.py -f MemoryDump_Lab1.raw -o "dump" windows.dumpfile --pid 1984 --virtaddr 0xfa80021b5070

Unfortunately, this will not work, so what we’ll do is create a memory dump of cmd.exe using the command below, convert it to text using strings and manually look for clues from there.

python vol.py -f MemoryDump_Lab1.raw -o "dump" windows.memmap.Memmap --pid 1984 --dump

I opened the extracted file in Notepad++ and tried to look for any occurrences of cmd.exe but didn’t find anything helpful. Remember that earlier we saw cmd.exe is linked to the path \Users\SmartNet. I used this as my search string and from here I saw an interesting .bat file written to the desktop.
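The search step above depends on how the dump is turned into text: Windows stores most paths as UTF-16LE, which `strings` skips unless you ask for that encoding, so a search over ASCII output alone can miss the path you want. The following is an added example (not part of the writeup or of Volatility) that extracts both ASCII and UTF-16LE strings from a process dump and filters them by path; the dump bytes, the `run.bat` name and the exact paths are constructed for illustration.

```python
import mmap
import re

# Constructed stand-in for a windows.memmap --dump file: the same kind of path appears
# as ASCII and, far more often on Windows, as UTF-16LE (every character followed by \x00).
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"C:\\Users\\SmartNet\\Desktop\\notes.txt\x00"
    + b"\xff" * 5
    + "C:\\Users\\SmartNet\\Desktop\\run.bat".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02"
    + "C:\\Windows\\System32\\cmd.exe".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Users\\Alissa Simpson\\Documents\\Important.rar\x00"
)

def extract_strings(buf, min_len=4):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs, like strings -e s / -e l."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_paths(buf, needle, min_len=4):
    """Strings containing `needle` (case-insensitive, as NTFS paths are), ordered by offset in the dump."""
    want = needle.lower()
    return sorted(hit for hit in extract_strings(buf, min_len) if want in hit[2].lower())

def find_paths_in_file(path, needle):
    """Same search over a real pid.NNNN.dmp, memory-mapped so the whole file is not read at once."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_paths(mm, needle)

if __name__ == "__main__":
    for off, enc, text in find_paths(SAMPLE_DUMP, r"\Users\SmartNet"):
        print(f"{off:#010x} {enc:9} {text}")
```

Run `find_paths_in_file("dump/pid.1984.dmp", r"\Users\SmartNet")` against the real memmap output to get the same listing, with the UTF-16LE hits that an ASCII-only strings pass would not show.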

I extracted it using the commands

python vol.py -f MemoryDump_Lab1.raw windows.filescan.FileScan | grep St4G3
python vol.py -f MemoryDump_Lab1.raw -o "dump" windows.dumpfiles.DumpFiles --physaddr 0x3edcfc20

It will be automatically saved with a .dat file extension. Remove it, then open the file in a text editor and look at its contents. We see that there is a base64 encoded command.

1st flag

Let’s move on with mspaint.exe (PID 2424). After doing some research, you can directly extract its memory and then change the file extension to .data, which can then be opened in GIMP.

python vol.py -f MemoryDump_Lab1.raw -o "dump" windows.memmap.Memmap --pid 2424 --dump
Rename-Item pid.2424.dmp -NewName pid.2424.data
2nd flag

Finally, WinRAR.exe (PID 1512). Let’s try to look at its handles and anything of type File, since this is usually worth checking out first.

python vol.py -f MemoryDump_Lab1.raw windows.handles --pid 1512 | Select-String File

There are a lot of results, but what stands out for us is the path with \Alissa Simpson\Documents. The others look like something related to the Windows operating system. Let’s repeat the process shown above: dump the process memory > convert it to .txt using strings > look for clues, specifically for Alissa Simpson\Documents.

python vol.py -f MemoryDump_Lab1.raw -o "dump" windows.memmap.Memmap --pid 1512 --dump
python vol.py -f MemoryDump_Lab1.raw windows.filescan.FileScan | grep Important.rar
python vol.py -f MemoryDump_Lab1.raw -o "dump" windows.dumpfiles.DumpFiles --physaddr 0x3fa3ebc0

Important.rar is password protected, but once we open it, we can see that there’s a comment beside it saying that Alissa’s NTLM hash (in uppercase) is the password.

We can acquire this using the command

python vol.py -f MemoryDump_Lab1.raw windows.hashdump

The NTLM hash is f4ff64c8baac57d22f22edc681055ba6, but remember to convert it to uppercase. There’s no need to crack the hash anymore.

3rd flag

Additional:

I just wanted to add something for the 3rd flag. In case we had to crack the hash, we can always use John and hashcat, but there’s also an online tool https://ntlm.pw that’s great if you have a simple NTLM hash that needs cracking. If we input it here, we can see that f4ff64c8baac57d22f22edc681055ba6 is goodmorningindia. Keep in mind that a lookup service like this sees every hash you submit, which is fine for a CTF image but not for a hash pulled from a real investigation.

Reference:

https://hacktivity.fr/volatility-3-cheatsheet/
