RingZer0-86 - Do not Waste the Environment
Forensics
1/3 Do not waste the environment
Information
The first thing to do is run file on the extracted file.
file 5bd2510a83e82d271b7bf7fa4e0970d1
> 5bd2510a83e82d271b7bf7fa4e0970d1: data
This does not give us a lot of information.
The second step is to run strings on the file.
strings 5bd2510a83e82d271b7bf7fa4e0970d1
We quickly see that the file contains keywords such as VBOX (VirtualBox) and many file paths that refer to a Windows OS.
Hint
I had no idea what to do with this file, so I bought the hint.
The hint said that it was a memory dump and that Volatility could help us out.
Volatility can be downloaded from its GitHub repository.
The name of the challenge is Do not waste the environment, which was an easy giveaway to check the environment variables.
Volatility has a plugin to list them.
But first of all we need to identify the OS, so that the right profile can be selected:
./volatility -f ~/Downloads/ringzer0_86/5bd2510a83e82d271b7bf7fa4e0970d1 imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (somewhere)
PAE type : No PAE
DTB : 0x185000L
KDBG : 0x82920be8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82921c00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2014-03-09 20:57:55 UTC+0000
Image local date and time : 2014-03-09 13:57:55 -0700
We found that the profile is Win7SP0x86.
Now let's look for the environment variables using the envars plugin:
./volatility --profile=Win7SP0x86 -f ~/Downloads/ringzer0_86/5bd2510a83e82d271b7bf7fa4e0970d1 envars
I kept looking for the keyword flag, and as I was scouring the results I saw the actual flag.
284 explorer.exe 0x001aa330 F l a g - 66d7724d872da91af56907aea0f6bfb8
The challenge author hid it in the environment of multiple processes; note that the variable name is spaced out as "F l a g", so a plain grep for "flag" would miss it:
./volatility --profile=Win7SP0x86 -f ~/Downloads/ringzer0_86/5bd2510a83e82d271b7bf7fa4e0970d1 envars | grep "F l a g"
1972 taskhost.exe 0x000d07f0 F l a g - 66d7724d872da91af56907aea0f6bfb8
216 dwm.exe 0x003e07f0 F l a g - 66d7724d872da91af56907aea0f6bfb8
284 explorer.exe 0x001aa330 F l a g - 66d7724d872da91af56907aea0f6bfb8
1336 VBoxTray.exe 0x004f07f0 F l a g - 66d7724d872da91af56907aea0f6bfb8
2528 notepad.exe 0x001807f0 F l a g - 66d7724d872da91af56907aea0f6bfb8
3488 DumpIt.exe 0x003a07f0 F l a g - 66d7724d872da91af56907aea0f6bfb8
The flag is: 66d7724d872da91af56907aea0f6bfb8
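As an added example (not part of the original writeup), a small Python parser for envars output: it keeps a spaced-out variable name like "F l a g" intact, matches it after collapsing the spaces, and shows which processes share the same value. The sample text is constructed to mimic the plugin's column layout (Pid, Process, Block, Variable, Value); that column order is an assumption.

```python
import re

# Constructed sample in the column order Volatility 2's envars plugin prints
# (Pid, Process, Block, Variable, Value); the hits mirror the writeup's output.
SAMPLE_ENVARS = """\
Pid      Process       Block      Variable   Value
-------- ------------- ---------- ---------- -----
     284 explorer.exe  0x001aa330 F l a g    - 66d7724d872da91af56907aea0f6bfb8
    1972 taskhost.exe  0x000d07f0 F l a g    - 66d7724d872da91af56907aea0f6bfb8
    2528 notepad.exe   0x001807f0 TEMP       C:\\Users\\user\\AppData\\Local\\Temp
    3488 DumpIt.exe    0x003a07f0 F l a g    - 66d7724d872da91af56907aea0f6bfb8
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")


def parse_envars(text):
    """Return (pid, process, block, variable, value) tuples; the name/value
    boundary is the first run of two or more spaces, so 'F l a g' survives."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        pid, proc, block, rest = m.groups()
        parts = re.split(r"\s{2,}", rest.strip(), maxsplit=1)
        rows.append((int(pid), proc, block, parts[0],
                     parts[1] if len(parts) > 1 else ""))
    return rows


def normalize(name):
    """Collapse the spaced-out trick so 'F l a g' compares as 'flag'."""
    return "".join(name.split()).lower()


def find_envar(text, keyword, collapse_spaces=True):
    """Rows whose variable name contains keyword; with collapse_spaces=False
    this behaves like a plain grep for the keyword and misses 'F l a g'."""
    key = keyword.lower()
    return [r for r in parse_envars(text)
            if key in (normalize(r[3]) if collapse_spaces else r[3].lower())]


def processes_sharing(text, keyword):
    """Map each distinct value of matching variables to the PIDs carrying it,
    which shows when the same secret was planted in several processes."""
    shared = {}
    for pid, _proc, _block, _name, value in find_envar(text, keyword):
        shared.setdefault(value, []).append(pid)
    return shared
```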