Rootme Malicious Word Macro
PAC
We get another memory dump for this one. The challenge statement says that the victim opened an interesting Word file and now his favorite website is not working anymore.
It sounds like some kind of VBA macro modified the hosts file, or maybe set up a redirection?
PAC is also a hint: it stands for Proxy Auto-Configuration. A PAC file defines the function FindProxyForURL, which tells the browser, for a given URL, whether to connect directly or to route the request through a particular proxy address. So this should be the biggest hint.
Let’s start by finding the OS version.
vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/p0pp3t/CTF/rootme/forensic/ch20/memory.dmp)
PAE type : No PAE
DTB : 0x185000L
KDBG : 0x82953c28L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82954c00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-11-11 16:14:49 UTC+0000
Image local date and time : 2016-11-11 17:14:49 +0100
Windows 7 again. We’ll use that as a profile. Let’s see the processes.
vol.py --profile=Win7SP1x86_23418 -f memory.dmp pslist | grep WORD
Volatility Foundation Volatility Framework 2.6
0x84d24490 WINWORD.EXE 3248 816 13 434 1 0 2016-11-11 16:14:05 UTC+0000
Before anything else, let's see if we can find the function FindProxyForURL using strings.
strings memory.dmp | grep "FindProxyForURL"
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
We can see it a bunch of times. Let's see what comes before and after those lines.
strings memory.dmp | grep "FindProxyForURL" -B 3 -A 3
function FindProxyForURL(url, host)
if (shExpMatch(url,"*.ashleymadison.com/*"))
return "PROXY 192.168.0.19:8080";
return "DIRECT";
function FindProxyForURL(url, host)
if (shExpMatch(url,"*.ashleymadison.com/*"))
return "PROXY 192.168.0.19:8080";
return "DIRECT";
...
Well, that was a little bit underwhelming…
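Added example, not part of the original write-up: a small Python helper that does what the strings/grep step above does by hand. It carves every FindProxyForURL body out of a dump-like byte blob, extracts the (pattern, proxy) rules and the fall-through return, re-implements the browser's shExpMatch helper so the recovered PAC can be evaluated offline, and lists the proxy addresses as indicators to check in network logs. It generalizes past this dump to several rules per PAC and to rules on either url or host. The sample bytes are constructed here to mirror the output above; the function names and the 2 KB carving window are my own assumptions.

```python
import re

# Constructed stand-in for a memory dump: arbitrary filler around the same
# PAC logic the write-up recovered with strings (NOT the real dump contents).
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00garbage\x00\x00"
    b"function FindProxyForURL(url, host)\n{\n"
    b'    if (shExpMatch(url,"*.ashleymadison.com/*"))\n'
    b'        return "PROXY 192.168.0.19:8080";\n'
    b'    return "DIRECT";\n}\n'
    b"\x00\xff\xfemore filler\x00"
)

# One PAC rule: if (shExpMatch(<url|host>, "<pattern>")) return "<result>";
RULE_RE = re.compile(
    rb'shExpMatch\(\s*(url|host)\s*,\s*"([^"]+)"\s*\)\s*\)\s*'
    rb'(?:\{\s*)?return\s+"([^"]+)"'
)
HEADER_RE = re.compile(rb"function FindProxyForURL\s*\([^)]*\)")
RETURN_RE = re.compile(rb'return\s+"([^"]+)"')


def carve_pac_rules(blob: bytes) -> list:
    """Locate each FindProxyForURL body in blob and extract its routing logic.

    Returns a list of dicts: {"rules": [(subject, pattern, result), ...],
    "default": <fall-through return value>}.
    """
    carved = []
    for header in HEADER_RE.finditer(blob):
        # PAC bodies recovered from memory are short; a NUL byte ends the text.
        body = blob[header.end(): header.end() + 2048]
        nul = body.find(b"\x00")
        if nul != -1:
            body = body[:nul]
        rules = [
            (sub.decode(), pat.decode(), res.decode())
            for sub, pat, res in RULE_RE.findall(body)
        ]
        # The default is the last return that follows the last rule.
        last_rule_end = max((m.end() for m in RULE_RE.finditer(body)), default=0)
        tail = RETURN_RE.findall(body[last_rule_end:])
        carved.append({"rules": rules, "default": tail[-1].decode() if tail else ""})
    return carved


def sh_exp_match(value: str, pattern: str) -> bool:
    """Emulate the PAC helper shExpMatch: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def find_proxy_for_url(pac: dict, url: str, host: str) -> str:
    """Evaluate a carved rule set the way the browser evaluates FindProxyForURL."""
    for subject, pattern, result in pac["rules"]:
        if sh_exp_match(url if subject == "url" else host, pattern):
            return result
    return pac["default"]


def proxied_addresses(pac: dict) -> list:
    """Proxy endpoints the PAC can redirect traffic to: the IOCs to hunt for in logs."""
    return sorted({r.split(" ", 1)[1] for _, _, r in pac["rules"] if r.startswith("PROXY")})


if __name__ == "__main__":
    for pac in carve_pac_rules(SAMPLE_DUMP):
        print("rules:", pac["rules"], "default:", pac["default"])
        print("proxies:", proxied_addresses(pac))
        for url in ("https://www.ashleymadison.com/login", "https://www.root-me.org/"):
            host = url.split("/")[2]
            print(url, "->", find_proxy_for_url(pac, url, host))
```

Running it on a real dump is just `carve_pac_rules(open("memory.dmp", "rb").read())`; the rule list tells you which sites are hijacked and the proxy list gives you the address to look for in the victim's network captures.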