Volatility - HackMD

--- title: Volatility tags: CTF --- ### Volatility Challenge: https://51ypsj-my.sharepoint.com/:f:/g/personal/tam_51ypsj_onmicrosoft_com/Ehw3-WOW16dArVIlF-fhVYcBI5wMmi76JcSDGA9QLlQY1Q?e=HeLFPt FOR_1 hints: DO U KNOW cookies sqlite firefox??? ┌──(venv)─(kali㉿kali)-[~/Desktop] └─$ python3 volatility3/vol.py -f FOR_1 windows.info Volatility 3 Framework 2.26.2 Progress: 100.00 PDB scanning finished Variable Value Kernel Base 0xf80409a18000 DTB 0x1aa000 Symbols file:///home/kali/Desktop/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC8-1.json.xz Is64Bit True IsPAE False layer_name 0 WindowsIntel32e memory_layer 1 Elf64Layer base_layer 2 FileLayer KdVersionBlock 0xf8040a627400 Major/Minor 15.19041 MachineType 34404 KeNumberProcessors 1 SystemTime 2025-03-22 06:08:57+00:00 NtSystemRoot C:\Windows NtProductType NtProductWinNt NtMajorVersion 10 NtMinorVersion 0 PE MajorOperatingSystemVersion 10 PE MinorOperatingSystemVersion 0 PE Machine 34404 PE TimeDateStamp Mon Dec 9 11:07:51 2019 then python3 volatility3/vol.py -f FOR_1 windows.cmdline ──(venv)─(kali㉿kali)-[~/Desktop] └─$ python3 volatility3/vol.py -f FOR_1 windows.cmdline Volatility 3 Framework 2.26.2 Progress: 100.00 PDB scanning finished PID Process Args 4 System - 72 Registry - 332 smss.exe \SystemRoot\System32\smss.exe 420 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 488 wininit.exe wininit.exe 496 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 556 winlogon.exe winlogon.exe 580 services.exe C:\Windows\system32\services.exe 588 lsass.exe C:\Windows\system32\lsass.exe 696 fontdrvhost.ex "fontdrvhost.exe" 704 fontdrvhost.ex "fontdrvhost.exe" 720 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p 812 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p 896 dwm.exe "dwm.exe" 988 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p 1008 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p 108 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p 364 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p 1048 svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p 1168 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p 1296 MemCompression - 1416 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p 1492 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p 1500 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p 1560 svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p 1612 spoolsv.exe C:\Windows\System32\spoolsv.exe 1644 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p 1900 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc -p 1988 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding 2380 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted 2824 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p 2664 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p 2604 MicrosoftEdgeU "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c 916 SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe 2796 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p 2624 svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p 2876 sihost.exe sihost.exe 2688 svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup 868 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1576 ctfmon.exe "ctfmon.exe" 1728 userinit.exe - 2800 explorer.exe C:\Windows\Explorer.EXE 3100 svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p 3368 StartMenuExper "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 3512 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding 3624 SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 3744 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding 1948 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding 4016 SecurityHealth "C:\Windows\System32\SecurityHealthSystray.exe" 3880 SecurityHealth C:\Windows\system32\SecurityHealthService.exe 3064 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start 3472 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\jennie\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\jennie\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=134.0.3124.72 --initial-client-data=0x240,0x244,0x248,0x23c,0x2e8,0x7ffeb5663140,0x7ffeb566314c,0x7ffeb5663158 4292 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --always-read-main-dll --field-trial-handle=2448,i,2809260741207137638,14353528412592545377,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:3 4300 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-pre-read-main-dll --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2448,i,2809260741207137638,14353528412592545377,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:2 4308 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --always-read-main-dll --field-trial-handle=2448,i,2809260741207137638,14353528412592545377,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:8 4812 OneDrive.exe "C:\Users\jennie\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background 5872 TextInputHost. "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca 5596 ApplicationFra C:\Windows\system32\ApplicationFrameHost.exe -Embedding 5516 WinStore.App.e "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca 4792 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding 5788 SkypeApp.exe "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca 3480 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding 1288 SkypeBackgroun "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe" -ServerName:SkypeBackgroundHost 2888 TrustedInstall C:\Windows\servicing\TrustedInstaller.exe 4836 TiWorker.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\TiWorker.exe -Embedding 6724 svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p 6440 svchost.exe C:\Windows\system32\svchost.exe -k defragsvc 3592 MsMpEng.exe "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.25010.11-0\MsMpEng.exe" 4900 MpDefenderCore "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.25010.11-0\MpDefenderCoreService.exe" 5136 NisSrv.exe "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.25010.11-0\NisSrv.exe" 6560 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 🔍 Look for Suspicious Activity 📌 Potential Areas of Interest: Edge is active: several msedge.exe processes. User folder in use: C:\Users\jennie\ Active Apps: MicrosoftEdge OneDrive Windows Store Skype Defender (MsMpEng.exe, MpDefenderCoreService.exe) ❌ No Firefox is listed here directly. ┌──(venv)─(kali㉿kali)-[~/Desktop] └─$ python3 volatility3/vol.py -f FOR_1 windows.filescan | grep -i cookies.sqlite 0xe1811368d590.0\Users\jennie\AppData\Roaming\Mozilla\Firefox\Profiles\qxjsnlmd.default-release\cookies.sqlite 0xe18113690790 \Users\jennie\AppData\Roaming\Mozilla\Firefox\Profiles\qxjsnlmd.default-release\cookies.sqlite-shm to extract python3 volatility3/vol.py -f FOR_1 --output-dir ./dumps windows.dumpfiles --virtaddr 0xe1811368d590 sqlite3 file.0xe1811368d590.0xe18113799a10.DataSectionObject.cookies.sqlite.dat ![image](https://hackmd.io/_uploads/SyLBKLCrll.png) ## password ┌──(venv)─(kali㉿kali)-[~/Desktop] └─$ python3 volatility3/vol.py -f 20250312.mem windows.registry.hashdump.Hashdump Volatility 3 Framework 2.26.2 Progress: 100.00 PDB scanning finished User rid lmhash nthash Administrator 500 aad3b435b51404eeaad3b435b51404ee e02bc503339d51f71d913c245d35b50b Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 WDAGUtilityAccount 504 aad3b435b51404eeaad3b435b51404ee 6f1c4ae67632ca364e7d105de442e569 flag_user 1001 aad3b435b51404eeaad3b435b51404ee 3fa7a000465823e4976000ac1ca9f2d1 ### ENVAR challenge: https://drive.google.com/file/d/1gYNWAyodvQ9iL0r_xlbD2aMTiGqhlvPf/view?usp=sharing Des: In my practice environment is infected with some malware, the user has removed it but there are still traces, it seems they intentionally left me some messages. Please search and decode. Maybe u will need to find some key, master key, password,... u knew keypass? + some vol3 plugin.... plz recover right file type...! use plugin: vol -f memory.raw windows.envars.Envars --pid 2820 pid = process keepass https://github.com/nolze/msoffcrypto-tool file = CDFV2 Encrypted (extension = docx) https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)AES_Decrypt(%7B'option':'UTF8','string':'PTIT_CTF2025_KEY'%7D,%7B'option':'UTF8','string':'InitializationVe'%7D,'CBC/NoPadding','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&input=ck54Qmt1ZzNyaTA3a2h6MnJLcVFZK2J2Nkd5aEhaRC9nYk00eTJsVUFVREVOekdORFlldTFlTkNXbDljVGt5bw ### Ophelia's Truth 1 A detective at Moscow PD, Department 19, receives a message asking him to check the forensic analysis portal for a DNA report. Attached to the message is a file containing a link to the portal. He opens the attachment, but initially, nothing seems to happen, so he overlooks it. Later, he realizes that a crucial file from an ongoing case has gone missing. He has provided the forensic artifacts from his computer to you, his colleague at the cyber forensics department, to figure out what went wrong. Find: The filename of the attachment The ip from where the malware was executed The CVE the attacker exploited Flag format: nite{file_name.ext_XXX.XXX.XXX.XXX_CVE-XXXX-XXXXX} https://drive.google.com/file/d/1iKGiJLPxxWbtIETE7bmEnMXuWdCDDtCt/view?usp=sharing nite{dna_analysis_portal.url_10.72.5.205_CVE-2025-33053} ```bash! vol -f ophelia.raw windows.filescan | grep ".url" 0xc201a0d751f0.0\Windows\System32\urlmon.dll 0xc201a4b51550 \Windows\System32\urlmon.dll 0xc201a4b52360 \Windows\System32\en-US\urlmon.dll.mui 0xc201a4b97490 \Windows\SysWOW64\urlmon.dll 0xc201a4b99240 \Windows\SysWOW64\urlmon.dll 0xc201a703b260 \Users\Igor\Documents\Important Links\dna_analysis_portal.url ``` ```bash! vol -f ophelia.raw windows.dumpfiles --virtaddr=0xc201a703b260 Volatility 3 Framework 2.26.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xc201a703b260 dna_analysis_portal.url Error dumping file ``` This is not a standard web shortcut. Instead of pointing to a website, the URL field points to a local system binary: iediagcmd.exe and the WorkingDirectory is set to a remote UNC path: \\10.72.5.205\webdav\\. This configuration matches the signature of CVE-2025-33053. When the user clicks this link, Windows executes iediagcmd.exe. This legitimate helper program attempts to launch another executable (in our case it happens to be route.exe). Because the WorkingDirectory is hijacked to point to the attacker's WebDAV server, iediagcmd.exe inadvertently loads and executes route.exe hosted on 10.72.5.205 instead of the expected local file.