Rootme Command and control level 2
Root-me.org
Command & Control - Level 2
Memory analysis
This time we get a memory dump. We'll have to use Volatility to retrieve the hostname of the workstation.
Volatility can be found here -> https://github.com/volatilityfoundation/volatility
bzip2 -d ch2.tbz2
tar xvf ch2.tar
We’ll start by gathering some basic info on the memory dump.
python ./vol.py imageinfo -f ~/CTF/rootme/forensic/ch2/ch2.dmp
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/p0pp3t/CTF/rootme/forensic/ch2/ch2.dmp)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82929be8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x8292ac00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2013-01-12 16:59:18 UTC+0000
Image local date and time : 2013-01-12 17:59:18 +0100
We're dealing with a Windows 7 memory dump, so we now have a profile.
We'll look at the registry first; there's a good chance we'll find the hostname there.
The hostname is usually stored under SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
python ./vol.py --profile=Win7SP1x86_23418 hivelist -f ~/CTF/rootme/forensic/ch2/ch2.dmp
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x90cab9d0 0x172ab9d0 \SystemRoot\System32\Config\DEFAULT
0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat
0x9670f9d0 0x04a719d0 \??\C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE
0x8ee66008 0x141c0008 \Device\HarddiskVolume1\Boot\BCD
We'll point printkey at the SYSTEM hive at virtual offset 0x8b21c008 and specify the key path (where the hostname key is) using the -K option.
python ./vol.py --profile=Win7SP1x86_23418 printkey -o 0x8b21c008 -f ~/CTF/rootme/forensic/ch2/ch2.dmp
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144} (S)
Last updated: 2013-01-12 16:37:53 UTC+0000
Subkeys:
(S) ControlSet001
(S) ControlSet002
(S) MountedDevices
(S) RNG
(S) Select
(S) Setup
(S) WPA
(V) CurrentControlSet
Values:
Here we need to specify the path to the key. Note that CurrentControlSet is listed as volatile (V): it is only a link to one of the ControlSet00N keys, so we query ControlSet001 directly. The path is ControlSet001\Control\ComputerName\ComputerName
python ./vol.py --profile=Win7SP1x86_23418 printkey -o 0x8b21c008 -K "ControlSet001\Control\ComputerName\ComputerName" -f ~/CTF/rootme/forensic/ch2/ch2.dmp
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2013-01-12 00:58:30 UTC+0000
Subkeys:
Values:
REG_SZ : (S) mnmsrvc
REG_SZ ComputerName : (S) WIN-ETSA91RKCFP
And there it is: the hostname is WIN-ETSA91RKCFP.
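The steps above (find the SYSTEM hive offset in hivelist, build the printkey command, read the ComputerName value) can be scripted so the same triage runs on any dump. The following is an added example written for this page, not code from the write-up or from the Volatility project. It parses Volatility 2 plugin output as text; the hivelist and ComputerName outputs are copied from the session above (trimmed), while the Select key output is a constructed sample used to show how CurrentControlSet resolves to ControlSet00N via Select\Current. The vol.py path, profile and dump path passed to printkey_cmd are placeholders.

```python
import re
import shlex
from typing import Dict, List, Optional

# hivelist output copied from the write-up above (rows trimmed to the relevant ones).
HIVELIST_OUTPUT = r"""Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE
"""

# printkey output for the Select key: CONSTRUCTED sample (not shown in the write-up),
# laid out the way Volatility 2 prints values. "Current" names the live ControlSet.
SELECT_OUTPUT = r"""Registry: \REGISTRY\MACHINE\SYSTEM
Key name: Select (S)
Subkeys:
Values:
REG_DWORD     Current         : (S) 1
REG_DWORD     Default         : (S) 1
REG_DWORD     Failed          : (S) 0
REG_DWORD     LastKnownGood   : (S) 2
"""

# printkey output for the ComputerName key, copied from the write-up above.
COMPUTERNAME_OUTPUT = r"""Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2013-01-12 00:58:30 UTC+0000
Subkeys:
Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-ETSA91RKCFP
"""

# One hivelist row: virtual offset, physical offset, hive name (may contain spaces).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")
# One printkey value row: type, optional name, ":", (S|V), data.
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(\S*)\s*:\s+\(([SV])\)\s*(.*?)\s*$")


def find_hive_offset(hivelist_output: str, name_suffix: str = r"\SYSTEM") -> Optional[int]:
    """Virtual offset of the first hive whose name ends with name_suffix, or None."""
    for line in hivelist_output.splitlines():
        m = HIVE_LINE.match(line)
        if m and m.group(3).upper().endswith(name_suffix.upper()):
            return int(m.group(1), 16)
    return None


def parse_printkey_values(printkey_output: str) -> Dict[str, str]:
    """Map value names to printed data; the unnamed default value is keyed '(Default)'."""
    values: Dict[str, str] = {}
    for line in printkey_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(2) or "(Default)"] = m.group(4)
    return values


def current_control_set(select_output: str) -> str:
    """Resolve the volatile CurrentControlSet link to ControlSet00N using Select\\Current."""
    return "ControlSet%03d" % int(parse_printkey_values(select_output)["Current"])


def hostname_key_path(control_set: str) -> str:
    return control_set + r"\Control\ComputerName\ComputerName"


def printkey_cmd(vol_py: str, profile: str, dump: str, hive_offset: int, key_path: str) -> List[str]:
    """Argument vector for the printkey invocation used in the write-up."""
    return ["python", vol_py, "--profile=" + profile, "printkey",
            "-o", "0x%x" % hive_offset, "-K", key_path, "-f", dump]


def hostname_from_printkey(printkey_output: str) -> Optional[str]:
    return parse_printkey_values(printkey_output).get("ComputerName")


if __name__ == "__main__":
    offset = find_hive_offset(HIVELIST_OUTPUT)
    key = hostname_key_path(current_control_set(SELECT_OUTPUT))
    # Placeholder paths; substitute your own vol.py, profile and dump.
    cmd = printkey_cmd("./vol.py", "Win7SP1x86_23418", "ch2.dmp", offset, key)
    print("run:", shlex.join(cmd))
    print("hostname:", hostname_from_printkey(COMPUTERNAME_OUTPUT))
```

The script only parses plugin output, so it works with any Volatility 2 build that prints the standard hivelist and printkey layouts; wire `subprocess.run` to the argument vector from `printkey_cmd` to feed it live output instead of the embedded samples. Reading Select\Current first avoids guessing ControlSet001 on machines where the live control set is a different number.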