###### tags: `volatility`

![](https://i.imgur.com/b38P9S0.png)

# [MemLabs 04](https://github.com/leonuz/MemLabs/tree/master/Lab%204)

###### by leonuz

## Obsession

>## Challenge Description
>My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me.
>
>Note: This challenge is composed of only 1 flag.
>
>The flag format for this lab is: inctf{s0me_l33t_Str1ng}
>
>Challenge file: [MemLabs_Lab4](https://mega.nz/#!Tx41jC5K!ifdu9DUair0sHncj5QWImJovfxixcAY-gt72mCXmYrE)

First, identify the profile of the dump with the [`imageinfo`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo) plugin.

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 4]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab4.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/leonuz/Downloads/MemLabs/Lab 4/MemoryDump_Lab4.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027f60a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027f7d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-06-29 07:30:00 UTC+0000
     Image local date and time : 2019-06-29 13:00:00 +0530
```

The challenge description mentions a deleted file. We use the [`iehistory`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#iehistory) plugin to try to recover entries that refer to it.
```
(base) ┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 4]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 iehistory
Volatility Foundation Volatility Framework 2.6.1
**************************************************
REDACTED
**************************************************
Process: 3012 explorer.exe
Cache type "URL " at 0x20f5000
Record length: 0x100
Location: Visited: SlimShady@file:///C:/Users/SlimShady/Desktop/Important.txt
Last modified: 2019-06-29 07:29:43 UTC+0000
Last accessed: 2019-06-29 07:29:43 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xac
**************************************************
Process: 3012 explorer.exe
Cache type "URL " at 0x20f5100
Record length: 0x100
Location: Visited: SlimShady@file:///C:/Users/SlimShady/Desktop/Important.txt
Last modified: 2019-06-27 13:14:18 UTC+0000
Last accessed: 2019-06-27 13:14:18 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xac
**************************************************
Process: 3012 explorer.exe
Cache type "URL " at 0x42f5000
Record length: 0x100
Location: :2019062920190630: SlimShady@file:///C:/Users/SlimShady/Desktop/Important.txt
Last modified: 2019-06-29 12:59:43 UTC+0000
Last accessed: 2019-06-29 07:29:43 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
```

There are a lot of references to a file called `Important.txt`. Let's look for it in memory with [`filescan`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan) and dump it out with [`dumpfiles`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#dumpfiles).
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 4]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan | grep Important.txt
Volatility Foundation Volatility Framework 2.6.1
0x000000003fc398d0     16      0 R--rw- \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt
```

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 4]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fc398d0 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fc398d0   None   \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt
```

But the file has been erased: `dumpfiles` finds the `DataSectionObject` but nothing is written to disk.

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 4]
└─$ ls
MemLabs-Lab4.7z  MemoryDump_Lab4.raw  README.md
```

## Master File Table

>- The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume. All information about a file, including its name, size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
>
>- As files are added to an NTFS file system volume, more entries are added to the MFT and the MFT increases in size. When files are deleted from an NTFS file system volume, their MFT entries are marked as free and may be reused. However, disk space that has been allocated for these entries is not reallocated, and the size of the MFT does not decrease.
>
>- A file whose size is less than or equal to 1024 bytes will be stored directly in the MFT table (named "resident" file), if it exceeds 1024 bytes the table will only contain the information of its location (named "non-resident" file).

Volatility has a plugin to parse the MFT: [`mftparser`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#mftparser).
Save the output to a file called `mft.txt`:

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 4]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mft.txt
```

Searching for `Important.txt` inside `mft.txt` finds the entry that holds the flag:

```
--REDACTED---
2019-06-27 13:14:13 UTC+0000   2019-06-27 13:14:13 UTC+0000   2019-06-27 13:14:13 UTC+0000   2019-06-27 13:14:13 UTC+0000   Users\SlimShady\Desktop\Important.txt

$OBJECT_ID
Object ID: 7726a550-d498-e911-9cc1-0800275e72bc
Birth Volume ID: 80000000-b800-0000-0000-180000000100
Birth Object ID: 99000000-1800-0000-690d-0a0d0a0d0a6e
Birth Domain ID: 0d0a0d0a-0d0a-6374-0d0a-0d0a0d0a0d0a

$DATA
0000000000: 69 0d 0a 0d 0a 0d 0a 6e 0d 0a 0d 0a 0d 0a 63 74   i......n......ct
0000000010: 0d 0a 0d 0a 0d 0a 0d 0a 66 7b 31 0d 0a 0d 0a 0d   ........f{1.....
0000000020: 0a 5f 69 73 0d 0a 0d 0a 0d 0a 5f 6e 30 74 0d 0a   ._is......_n0t..
0000000030: 0d 0a 0d 0a 0d 0a 5f 45 51 75 34 6c 0d 0a 0d 0a   ......_EQu4l....
0000000040: 0d 0a 0d 0a 5f 37 6f 5f 32 5f 62 55 74 0d 0a 0d   ...._7o_2_bUt...
0000000050: 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 5f 74 68 31 73   ..........._th1s
0000000060: 5f 64 30 73 33 6e 74 0d 0a 0d 0a 0d 0a 0d 0a 5f   _d0s3nt........_
0000000070: 6d 34 6b 65 0d 0a 0d 0a 0d 0a 5f 73 33 6e 0d 0a   m4ke......_s3n..
0000000080: 0d 0a 0d 0a 0d 0a 73 33 7d 0d 0a 0d 0a 47 6f 6f   ......s3}....Goo
0000000090: 64 20 77 6f 72 6b 20 3a 50                        d.work.:P

***************************************************************************
```

The flag is inside the *$DATA* attribute, padded with CR/LF bytes (`0d 0a`) that have to be removed to read it:

#### inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}

:::info
:information_source: More Info:
- [Volatility Official CheatSheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
- [Volatility, my own cheatsheet (Part 1): Image Identification](https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)
- [Volatility, my own cheatsheet (Part 2): Processes and DLLs](https://andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls/)
- [Volatility, my own cheatsheet (Part 3): Process Memory](https://andreafortuna.org/2017/07/10/volatility-my-own-cheatsheet-part-3-process-memory/)
- [Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects](https://andreafortuna.org/2017/07/17/volatility-my-own-cheatsheet-part-4-kernel-memory-and-objects/)
- [AboutDFIR.com|Challenges & CTFs](https://aboutdfir.com/education/challenges-ctfs/)
- [Volatility3 Linux ISF Server](https://isf-server.techanarchy.net/)
:::

:::success
:bulb: **[leonuz](https://leonuz.github.io)**
:::