Rootme Find me
Root-me.org, Forensic: Find me
In this challenge we need to find the login password in the memory dump.
Like always, let's start by identifying the OS from the dump.
vol.py -f dump imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/somewhere/CTF/rootme/forensic/ch18/dump)
PAE type : No PAE
DTB : 0x185000L
KDBG : 0x8294bbe8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x8294cc00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-09-15 10:12:31 UTC+0000
Image local date and time : 2016-09-15 12:12:31 +0200
Windows, 32-bit, once again.
Let's look at the obvious part first and dump the hashes.
vol.py --profile=Win7SP1x86 -f dump hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:57e82f46aff390080f143c09ab2c5b68:::
info:1002:aad3b435b51404eeaad3b435b51404ee:dc3817f29d2199446639538113064277:::
Crackstation allowed us to find the password of the user 'info'. The password is '#1Godfather'. I'm not sure this helps, though. We'll keep it in case it is useful later on.
Let’s take a look at the processes.
vol.py --profile=Win7SP1x86 -f dump pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83f2f9e8 System 4 0 87 494 ------ 0 2016-09-15 10:10:39 UTC+0000
0x84e5d020 smss.exe 268 4 2 29 ------ 0 2016-09-15 10:10:39 UTC+0000
0x84d9cd40 csrss.exe 344 336 8 404 0 0 2016-09-15 10:10:40 UTC+0000
0x853fa2b8 wininit.exe 380 336 3 76 0 0 2016-09-15 10:10:40 UTC+0000
0x84f19030 csrss.exe 388 372 7 301 1 0 2016-09-15 10:10:40 UTC+0000
0x85422368 winlogon.exe 416 372 4 113 1 0 2016-09-15 10:10:40 UTC+0000
0x85435310 services.exe 476 380 8 192 0 0 2016-09-15 10:10:40 UTC+0000
0x8543fb18 lsass.exe 484 380 9 724 0 0 2016-09-15 10:10:40 UTC+0000
0x85443030 lsm.exe 492 380 10 144 0 0 2016-09-15 10:10:40 UTC+0000
0x854fe6c8 svchost.exe 584 476 11 353 0 0 2016-09-15 10:10:42 UTC+0000
0x8550dd40 VBoxService.ex 640 476 13 115 0 0 2016-09-15 10:10:42 UTC+0000
0x85631030 svchost.exe 692 476 7 273 0 0 2016-09-15 10:10:42 UTC+0000
0x85653ac0 svchost.exe 764 476 20 494 0 0 2016-09-15 10:10:42 UTC+0000
0x85666a60 svchost.exe 844 476 32 547 0 0 2016-09-15 10:10:42 UTC+0000
0x8566dad8 svchost.exe 872 476 34 746 0 0 2016-09-15 10:10:42 UTC+0000
0x85699030 svchost.exe 992 476 22 468 0 0 2016-09-15 10:10:43 UTC+0000
0x856c1598 svchost.exe 1104 476 20 378 0 0 2016-09-15 10:10:43 UTC+0000
0x856e9bd0 spoolsv.exe 1204 476 15 290 0 0 2016-09-15 10:10:44 UTC+0000
0x85703888 svchost.exe 1232 476 21 319 0 0 2016-09-15 10:10:44 UTC+0000
0x85736030 svchost.exe 1320 476 23 332 0 0 2016-09-15 10:10:44 UTC+0000
0x857f3030 dwm.exe 1892 844 4 67 1 0 2016-09-15 10:10:52 UTC+0000
0x8571cd40 taskhost.exe 1912 476 11 169 1 0 2016-09-15 10:10:52 UTC+0000
0x8582ca58 explorer.exe 1956 1884 48 1015 1 0 2016-09-15 10:10:52 UTC+0000
0x8589a770 rundll32.exe 540 296 4 59 1 0 2016-09-15 10:10:53 UTC+0000
0x8580ca50 rundll32.exe 600 544 4 59 1 0 2016-09-15 10:10:53 UTC+0000
0x858cbd40 VBoxTray.exe 1124 1956 14 167 1 0 2016-09-15 10:10:53 UTC+0000
0x858fe610 SearchIndexer. 940 476 13 560 0 0 2016-09-15 10:10:59 UTC+0000
0x85931030 wmpnetwk.exe 392 476 18 439 0 0 2016-09-15 10:10:59 UTC+0000
0x85979a58 SearchProtocol 2152 940 9 262 1 0 2016-09-15 10:11:00 UTC+0000
0x85964690 SearchFilterHo 2172 940 5 77 0 0 2016-09-15 10:11:00 UTC+0000
0x85983aa0 svchost.exe 2292 476 8 344 0 0 2016-09-15 10:11:00 UTC+0000
0x859b0198 WmiPrvSE.exe 2456 584 8 113 0 0 2016-09-15 10:11:01 UTC+0000
0x85a39ab8 mspaint.exe 2644 1956 7 147 1 0 2016-09-15 10:11:13 UTC+0000
0x85a3db10 svchost.exe 2672 476 8 105 0 0 2016-09-15 10:11:14 UTC+0000
0x85a57d40 firefox.exe 2720 1956 49 756 1 0 2016-09-15 10:11:15 UTC+0000
0x85a89030 WmiPrvSE.exe 2864 584 6 112 0 0 2016-09-15 10:11:16 UTC+0000
0x84e27030 TrueCrypt.exe 3224 1956 14 326 1 0 2016-09-15 10:11:20 UTC+0000
0x8579a030 notepad.exe 3716 3684 2 59 1 0 2016-09-15 10:11:59 UTC+0000
There are a few things to notice in this list. Several programs were running at the time of the dump.
Notepad, Firefox, mspaint and TrueCrypt are the ones that really stand out.
TrueCrypt encrypts everything on the fly. That means any file we recover from its volume won't be readable unless we get the key from TrueCrypt.
Luckily for us, Volatility has a plugin that finds the password.
vol.py --profile=Win7SP1x86 -f dump truecryptsummary
Volatility Foundation Volatility Framework 2.6
Registry Version TrueCrypt Version 7.0a
Password R3sqdl3Fuuz2ZdbdYsf56opFFLe9sAsx at offset 0x87433e44
Process TrueCrypt.exe at 0x84e27030 pid 3224
Service truecrypt state SERVICE_RUNNING
Kernel Module truecrypt.sys at 0x87400000 - 0x87437000
Symbolic Link Volume{a4cc2add-7b2c-11e6-b853-0800271fb50b} -> \Device\TrueCryptVolumeF mounted 2016-09-15 10:11:42 UTC+0000
Driver \Driver\truecrypt at 0x1ee1d700 range 0x87400000 - 0x87436980
Device TrueCrypt at 0x84e1dc90 type FILE_DEVICE_UNKNOWN
We have the password used to encrypt the content; now let's try to find what we're looking for.
While going through the strings in the dump, I found something that looks very obvious.
strings dump | grep mspaint
"C:\Windows\system32\mspaint.exe" "C:\Users\info\Desktop\flag.png"
mspaint.exe
Alright, so there is a file called flag.png. Let's try to find it with filescan and then dump it.
While trying to find an address for flag.png, I found something else.
vol.py --profile=Win7SP1x86 -f dump filescan | grep Desktop
Volatility Foundation Volatility Framework 2.6
0x000000001e050db0 8 0 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop\desktop.ini
0x000000001e06d788 2 0 R--rw- \Device\HarddiskVolume2\Users\Public\Desktop\Mozilla Firefox.lnk
0x000000001e0948c0 8 0 R--rwd \Device\HarddiskVolume2\Users\info\Desktop\desktop.ini
0x000000001e0bcbe0 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000001e0bccd8 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000001e0bd038 2 1 R--rwd \Device\HarddiskVolume2\Users\info\Desktop
0x000000001e0bd398 2 1 R--rwd \Device\HarddiskVolume2\Users\info\Desktop
0x000000001e433900 2 0 R--rwd \Device\HarddiskVolume2\Users\info\Links\Desktop.lnk
0x000000001e6d7f80 1 1 R--rw- \Device\HarddiskVolume2\Users\info\Desktop
0x000000001ee20110 3 0 R--rwd \Device\HarddiskVolume2\Users\info\Desktop\findme
There's also a file called findme, and we have its memory address. Let's dump it.
vol.py --profile=Win7SP1x86 -f dump dumpfiles -Q 0x000000001ee20110 -D dumps/ -u -n -S sum
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1ee20110 None \Device\HarddiskVolume2\Users\info\Desktop\findme
Running strings on the dumped file gives nothing useful. I would assume the file is a TrueCrypt container.
TCHunt-ng is a tool that tries to determine whether a file is encrypted or not. It isn't 100% accurate, but it gives us an idea.
https://github.com/antagon/TCHunt-ng
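To show what an exit code like TCHunt-ng's rests on, here is an added example (not TCHunt-ng's code, and not part of the original write-up) that re-implements the usual heuristics for a headerless encrypted container: no known file magic, a size that is a whole number of 512-byte sectors and above a minimum volume size (assumed here to mirror TCHunt's floor), plus entropy and chi-square tests on the byte distribution. The two samples are constructed in the block.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # TrueCrypt volumes are whole 512-byte sectors
MIN_VOLUME = 19 * 1024  # smallest TrueCrypt volume (assumption mirroring TCHunt's size floor)
# Compressed formats (PNG, ZIP/ODT, gzip) are near-random inside too, so known magic is excluded first.
KNOWN_MAGIC = {b"\x89PNG": "png", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"MZ": "pe"}

def byte_stats(data: bytes):
    """Shannon entropy in bits/byte and chi-square against a uniform byte distribution."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return entropy, chi2

def looks_like_container(data: bytes):
    """Return (verdict, reasons); an empty reasons list means 'probably encrypted'."""
    reasons = []
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"known format: {name}")
    if len(data) < MIN_VOLUME:
        reasons.append("smaller than the minimum TrueCrypt volume")
    if len(data) % SECTOR:
        reasons.append("size is not a multiple of 512")
    entropy, chi2 = byte_stats(data)
    if entropy < 7.9:
        reasons.append(f"entropy {entropy:.2f} bits/byte is too low")
    if chi2 > 350:  # 255 degrees of freedom: uniform data scores about 255 +/- 23
        reasons.append(f"chi-square {chi2:.0f} is too far from uniform")
    return not reasons, reasons

def prng_bytes(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out, counter = bytearray(), 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])

# Constructed samples: a 64 KiB headerless "ciphertext" and a 64 KiB text file.
CONTAINER_LIKE = prng_bytes(64 * 1024)
TEXT_LIKE = (b"constructed plain text, nothing encrypted here\n" * 2000)[:64 * 1024]

if __name__ == "__main__":
    for name, blob in (("container-like", CONTAINER_LIKE), ("text-like", TEXT_LIKE)):
        print(name, looks_like_container(blob))
```

A PNG or ZIP passes the statistical tests just as well as ciphertext does, which is why the magic check comes first and why the tool's verdict is only a hint.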
tchuntng file.None.0x84e13338.findme.dat
file.None.0x84e13338.findme.dat
echo $?
0
An exit code of 0 means there's a high chance that it's encrypted. Let's use TrueCrypt to mount the findme file.
sudo add-apt-repository ppa:stefansundin/truecrypt
sudo truecrypt --text --mount-options=readonly --password='R3sqdl3Fuuz2ZdbdYsf56opFFLe9sAsx' file.None.0x84e13338.findme.dat mount/
Enter keyfile [none]:
cd mount/
ls
flag.png readme.odt readme.txt
Well shit, it worked, and there's the image we saw on info's Desktop.
After taking a look at the image, we see that it's only a troll. There's no flag inside.
There's also a readme.txt:
cat readme.txt
Father : Try to find the flag !!!!!!!!!!!!!!
The last file is a LibreOffice document. It looks like the KeePass manual. Let's search for keepass in the dump.
strings dump | grep keepass
There are A LOT of references to keepass. I think we need to find the database file.
After spending a ridiculous amount of time trying to find it in the dump, I found it inside the ODT file.
strings readme.odt | grep data
data/PK
data/my_safety_box
data/
data/my_safety_box
We can see that it contains a file with an odd name, my_safety_box.
Extract everything with binwalk and run file on it.
binwalk -e readme.odt
file _readme.odt.extracted/data/my_safety_box
_readme.odt.extracted/data/my_safety_box: Keepass password database 2.x KDBX
We got the database file.
We need a master password to decrypt the database. The first thing to try is the password we found at the beginning, info's password '#1Godfather'.
I'll use kpcli to open the database.
kpcli
KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> open my_safety_box
Please provide the master password: ***********
And we’re in.
kpcli:/> ls
=== Groups ===
my_safety_box/
kpcli:/> cd my_safety_box/
kpcli:/my_safety_box> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
=== Entries ===
0. Sample Entry keepass.info
1. Sample Entry #2 keepass.info/help/kb/testform.
kpcli:/my_safety_box>
After checking all the folders, the only one that contains passwords is Internet.
kpcli:/my_safety_box> cd Internet/
kpcli:/my_safety_box/Internet> ls
...
4239. Root-me root-me.org
4240. Root-me root-me.org
4241. Root-me root-me.org
kpcli:/my_safety_box/Internet>
Well, that's a problem. There are 4241 password entries. We'll export all the passwords in CSV format; that will make it easier to spot any weird password or pattern between them. Sadly, I couldn't find a way to export from kpcli, so I had to export with KeePass2 for Linux.
Once that is done, we end up with a CSV file of 4242 lines. One anomaly stands out: line 2017 contains a WAY longer password than the others. All entries also share the same user name, 'makhno'. Makhno seems to be the username of the person who created the challenge.
The string looks like base64: the alphabet matches, and the fact that the string ends with '=' is a dead giveaway. I tried decoding it once and passing the result as the password, but that didn't work.
After trying way too many different things, I realised I had skipped the most obvious one.
Why not decode it again and again and again? I'll put the string in the file pass and decode it.
cat pass | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
After enough rounds of base64 decoding we get our answer.
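Chaining base64 -d by hand means guessing the depth, and one round too many turns a short real password into garbage. The following is an added example, not from the original write-up, that peels layers until the data stops looking like base64 or stops decoding to printable text, and keeps every intermediate layer for inspection; the sample secret is constructed in the block.

```python
import base64
import binascii
import re

# Only the standard base64 alphabet, optional '=' padding, no whitespace.
B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def is_printable_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or a tab/newline."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def peel_base64(blob: bytes, max_layers: int = 64) -> list:
    """Strip nested base64 layers one at a time.

    Returns every layer seen, outermost first, so the final plaintext is the last
    element. A layer is only peeled when the text has base64 shape, decodes under
    strict validation, and the result is still printable: that stops the loop from
    'decoding' a short real password that merely happens to use the alphabet.
    """
    current = b"".join(blob.split())  # a pasted or CSV-exported string may carry newlines
    layers = [current]
    while len(layers) <= max_layers:
        if not B64_SHAPE.match(current) or len(current) % 4:
            break
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not is_printable_text(decoded):
            break
        layers.append(decoded)
        current = decoded
    return layers

def build_nested(plaintext: bytes, depth: int) -> bytes:
    """Wrap plaintext in `depth` layers of base64 (used only to construct the sample)."""
    for _ in range(depth):
        plaintext = base64.b64encode(plaintext)
    return plaintext

# Constructed sample: a made-up secret wrapped 21 times, like the 21 pipes above.
SAMPLE = build_nested(b"constructed-secret-not-the-real-flag", 21)

if __name__ == "__main__":
    found = peel_base64(SAMPLE)
    print(f"{len(found) - 1} layers removed -> {found[-1]!r}")
```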