Forensics

1/3 Do not waste the environment

Information

The first step is to run file on the extracted file.

file 5bd2510a83e82d271b7bf7fa4e0970d1
> 5bd2510a83e82d271b7bf7fa4e0970d1: data

This does not give us a lot of information.

The second step is to run strings on the file.

strings 5bd2510a83e82d271b7bf7fa4e0970d1

We quickly see that the file contains keywords like VBOX (VirtualBox) and a lot of file names that refer to a Windows OS.

Hint

I had no idea what to do with this file, so I bought the hint.
The hint said that it was a memory dump and that Volatility could help us out.
We can download Volatility from their GitHub.
The name of the challenge is Do not waste the environment, which was an easy giveaway to check the environment variables.

Volatility has a plugin to list them.

But first of all we need to identify the OS, so that Volatility can pick the right profile.

./volatility -f ~/Downloads/ringzer0_86/5bd2510a83e82d271b7bf7fa4e0970d1 imageinfo

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (somewhere)
                      PAE type : No PAE
                           DTB : 0x185000L
                          KDBG : 0x82920be8L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x82921c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2014-03-09 20:57:55 UTC+0000
     Image local date and time : 2014-03-09 13:57:55 -0700

We found that it’s Win7SP0x86.
Now let’s look for the environment variables using the envars plugin.

./volatility --profile=Win7SP0x86 -f ~/Downloads/ringzer0_86/5bd2510a83e82d271b7bf7fa4e0970d1 envars

I kept looking for the keyword flag, and as I was scouring the result I saw the actual flag.

     284 explorer.exe         0x001aa330 F l a g -                      66d7724d872da91af56907aea0f6bfb8

The author hid it in multiple processes: an environment variable set for the user session is inherited by every process started in that session, so the same name and value show up in each of them.

./volatility --profile=Win7SP0x86 -f ~/Downloads/ringzer0_86/5bd2510a83e82d271b7bf7fa4e0970d1 envars | grep "F l a g"

    1972 taskhost.exe         0x000d07f0 F l a g -                      66d7724d872da91af56907aea0f6bfb8
     216 dwm.exe              0x003e07f0 F l a g -                      66d7724d872da91af56907aea0f6bfb8
     284 explorer.exe         0x001aa330 F l a g -                      66d7724d872da91af56907aea0f6bfb8
    1336 VBoxTray.exe         0x004f07f0 F l a g -                      66d7724d872da91af56907aea0f6bfb8
    2528 notepad.exe          0x001807f0 F l a g -                      66d7724d872da91af56907aea0f6bfb8
    3488 DumpIt.exe           0x003a07f0 F l a g -                      66d7724d872da91af56907aea0f6bfb8

The flag is: 66d7724d872da91af56907aea0f6bfb8
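Grepping for a known name works in a CTF, but on a real image you usually do not know what you are looking for. The script below is an added example, not part of the writeup or of Volatility: it parses the envars table (assuming the Volatility 2 column layout, Pid 8 / Process 20 / Block / Variable 30 / Value), indexes every variable by the processes that carry it, and reports names that are absent from a constructed baseline of standard Windows 7 variables. The sample rows reuse the PIDs, process names and block addresses from the output above; the TEMP and Path rows and the baseline set are constructed for the example.

```python
import re
from collections import defaultdict

# Width of the Variable column in the Volatility 2 envars table (assumption
# taken from the plugin's table layout; adjust if your build differs).
VAR_WIDTH = 30
ROW = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<block>0x[0-9a-fA-F]+)\s(?P<rest>.*)$")

# Constructed baseline of variables a normal Windows 7 process carries.
# Not exhaustive: build yours from a known-good image of the same build.
BASELINE = {
    "ALLUSERSPROFILE", "APPDATA", "CommonProgramFiles", "COMPUTERNAME",
    "ComSpec", "FP_NO_HOST_CHECK", "HOMEDRIVE", "HOMEPATH", "LOCALAPPDATA",
    "LOGONSERVER", "NUMBER_OF_PROCESSORS", "OS", "Path", "PATHEXT",
    "PROCESSOR_ARCHITECTURE", "PROCESSOR_IDENTIFIER", "PROCESSOR_LEVEL",
    "PROCESSOR_REVISION", "ProgramData", "ProgramFiles", "PSModulePath",
    "PUBLIC", "SESSIONNAME", "SystemDrive", "SystemRoot", "TEMP", "TMP",
    "USERDOMAIN", "USERNAME", "USERPROFILE", "windir",
}


def _row(pid, proc, block, var, value):
    # Mimics the envars table layout so the parser sees realistic input.
    return f"{pid:>8} {proc:<20} {block:<10} {var:<30} {value}"


# Constructed sample: banner and header as printed by Volatility 2.6, two
# ordinary variables, and the six rows found in the writeup.
SAMPLE = "\n".join([
    "Volatility Foundation Volatility Framework 2.6",
    "Pid      Process              Block      Variable                       Value",
    "-------- -------------------- ---------- ------------------------------ -----",
    _row(284, "explorer.exe", "0x001aa330", "TEMP", r"C:\Users\user\AppData\Local\Temp"),
    _row(284, "explorer.exe", "0x001aa330", "Path", r"C:\Windows\system32;C:\Windows"),
    _row(1972, "taskhost.exe", "0x000d07f0", "F l a g -", "66d7724d872da91af56907aea0f6bfb8"),
    _row(216, "dwm.exe", "0x003e07f0", "F l a g -", "66d7724d872da91af56907aea0f6bfb8"),
    _row(284, "explorer.exe", "0x001aa330", "F l a g -", "66d7724d872da91af56907aea0f6bfb8"),
    _row(1336, "VBoxTray.exe", "0x004f07f0", "F l a g -", "66d7724d872da91af56907aea0f6bfb8"),
    _row(2528, "notepad.exe", "0x001807f0", "F l a g -", "66d7724d872da91af56907aea0f6bfb8"),
    _row(3488, "DumpIt.exe", "0x003a07f0", "F l a g -", "66d7724d872da91af56907aea0f6bfb8"),
])


def parse_envars(text):
    """Parse envars output into a list of (pid, process, variable, value)."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header, separator or blank line
        rest = m.group("rest")
        # The Variable column is padded to VAR_WIDTH and followed by one
        # separator space. Names may contain single spaces ("F l a g -"),
        # so a plain whitespace split would break them apart.
        if len(rest) > VAR_WIDTH and rest[VAR_WIDTH] == " ":
            variable, value = rest[:VAR_WIDTH].rstrip(), rest[VAR_WIDTH + 1:]
        else:
            # Name wider than the column (or a re-flowed copy of the output):
            # fall back to splitting on the first run of two or more spaces.
            parts = re.split(r"\s{2,}", rest.strip(), maxsplit=1)
            variable, value = parts[0], (parts[1] if len(parts) > 1 else "")
        records.append((int(m.group("pid")), m.group("proc"), variable, value))
    return records


def by_variable(records):
    """Map variable name -> {value: sorted list of PIDs carrying that value}."""
    index = defaultdict(lambda: defaultdict(set))
    for pid, _proc, variable, value in records:
        index[variable][value].add(pid)
    return {v: {val: sorted(p) for val, p in vals.items()} for v, vals in index.items()}


def unusual_variables(records, baseline=BASELINE):
    """Names absent from the baseline -> number of distinct processes carrying them."""
    out = {}
    for variable, values in by_variable(records).items():
        if variable in baseline:
            continue
        pids = set()
        for p in values.values():
            pids.update(p)
        out[variable] = len(pids)
    return out


if __name__ == "__main__":
    for name, count in sorted(unusual_variables(parse_envars(SAMPLE)).items()):
        print(f"{name!r}: present in {count} process(es)")
```

To use it on a real image, capture `./volatility --profile=<profile> -f <image> envars > envars.txt` and feed the file's contents to parse_envars instead of SAMPLE; a name that is outside the baseline and present in every process of a session is exactly the pattern this challenge exhibits, and the same pivot (one name, many PIDs) is what you would use to spot an injected variable in an incident.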