###### tags: `volatility`

![](https://i.imgur.com/b38P9S0.png)

# [MemLabs 02](https://github.com/leonuz/MemLabs/tree/master/Lab%202)

###### by leonuz

## A New World

> ## Challenge description
> One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very popular "environmental" activist. As a part of the investigation, he told us that his go to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us.
>
> Note: This challenge is composed of 3 flags.
>
> Challenge file: [MemLabs_Lab2](https://mega.nz/#!ChoDHaja!1XvuQd49c7-7kgJvPXIEAst-NXi8L3ggwienE1uoZTk)

From `pslist` we find two processes worth investigating:

- KeePass
- Chrome

The challenge description also points at KeePass ("password managers").

## FLAG 1

Following the hint in the challenge description, we evaluate the [`envars`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#envars) plugin first.
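A `grep` for one variable name works once you already know what to look for. As an added example (my own code, not part of the original write-up), the following Python script triages a whole `envars` listing instead: it parses the plugin's table, pulls base64-looking tokens out of every value and keeps only the ones that decode to printable text. The sample listing is constructed; the `NEW_TMP` row is the one found in this lab, the other rows are made up, and the script file name in the usage comment is just an example.

```python
import base64
import binascii
import re
import string

# Runs of base64 alphabet long enough to be worth decoding, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed sample of `vol.py ... envars` output. Only the NEW_TMP row is the
# one found in this lab; the other rows are made up for the example.
SAMPLE_ENVARS = """\
Volatility Foundation Volatility Framework 2.6.1
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
     320 csrss.exe            0x0000000000481320 NEW_TMP                        C:\\Windows\\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
     320 csrss.exe            0x0000000000481320 SystemRoot                     C:\\Windows
    1536 explorer.exe         0x00000000003d1320 FAKE_VAR                       ABCDEFGHIJKLMNOPQRSTUVWX
    1536 explorer.exe         0x00000000003d1320 TEMP                           C:\\Users\\SmartNet\\AppData\\Local\\Temp
"""


def parse_envars(text):
    """Return (pid, process, variable, value) tuples from envars plugin output.

    The value is the last column and may contain spaces, so each line is split
    into at most five parts; banner, header and ruler lines have no numeric pid.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, process, _block, variable, value = parts
        rows.append((int(pid), process, variable, value))
    return rows


def try_base64(token):
    """Decode token if it is valid base64 for printable ASCII, else return None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def find_encoded_values(text):
    """Report every environment value containing a base64 token that decodes cleanly."""
    hits = []
    for pid, process, variable, value in parse_envars(text):
        for token in B64_TOKEN.findall(value):
            decoded = try_base64(token)
            if decoded is not None:
                hits.append({"pid": pid, "process": process, "variable": variable,
                             "token": token, "decoded": decoded})
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 envars_triage.py [envars_output.txt]; defaults to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENVARS
    for hit in find_encoded_values(data):
        print("%(pid)d %(process)s %(variable)s: %(token)s -> %(decoded)s" % hit)
```

Run it on the full `envars` output saved to a file; the printable-text filter drops random hex and binary that happen to be valid base64 (the `FAKE_VAR` row in the sample), so what survives is worth a look.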
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars | grep NEW_TMP
Volatility Foundation Volatility Framework 2.6.1
     320 csrss.exe            0x0000000000481320 NEW_TMP                        C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
```

The `NEW_TMP` value ends in a strange string that looks like base64, so we try to decode it:

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ echo ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 | base64 -d
flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}
```

### flag1: flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}

## FLAG 2

Find the KeePass database with [`filescan`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan) (again following the hint in the challenge description):

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep ".kdbx"
Volatility Foundation Volatility Framework 2.6.1
0x000000003fb112a0     16      0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx
```

Dump the file `Hidden.kdbx` using [`dumpfiles`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#dumpfiles):

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fb112a0   None   \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx
```

Next, find the password for KeePass.
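Files recovered with `dumpfiles` are reassembled from cached pages, so the extract can be zero-padded or cut short. As an added check (my own code, not part of the original write-up), the following Python script confirms that a dump really is a KeePass 2.x database by parsing the unencrypted KDBX outer header (the two signatures, the version, and the id/length/value header fields) before the file is imported into KeePass. The sample file is constructed: the signature values and the AES-256 cipher UUID are the ones documented for the KDBX format, everything else in it is made up, and the script file name in the usage comment is just an example.

```python
import struct
import uuid

SIG1 = 0x9AA2D903          # common KeePass signature
SIG2_KDBX = 0xB54BFB67     # KeePass 2.x (KDBX) database
FIELD_NAMES = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
    4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds", 7: "EncryptionIV",
    8: "ProtectedStreamKey", 9: "StreamStartBytes", 10: "InnerRandomStreamID",
    11: "KdfParameters", 12: "PublicCustomData",
}
AES256_CIPHER = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")


def parse_kdbx_header(data):
    """Parse the unencrypted outer header of a KDBX 3.x/4.x file.

    Raises ValueError when the signature is wrong or the header is cut short,
    which is what a partial dumpfiles extract looks like.
    """
    if len(data) < 12:
        raise ValueError("file too short for a KDBX header")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if sig1 != SIG1 or sig2 != SIG2_KDBX:
        raise ValueError("not a KeePass 2.x (KDBX) database: bad signature")
    # KDBX 4 widened the per-field length from 16 to 32 bits.
    len_fmt = "<BI" if major >= 4 else "<BH"
    hdr_size = struct.calcsize(len_fmt)
    offset, fields = 12, {}
    while True:
        if offset + hdr_size > len(data):
            raise ValueError("truncated header: dumpfiles extract is incomplete")
        field_id, size = struct.unpack_from(len_fmt, data, offset)
        offset += hdr_size
        value = data[offset:offset + size]
        if len(value) != size:
            raise ValueError("truncated header field %d" % field_id)
        offset += size
        fields[FIELD_NAMES.get(field_id, "Unknown%d" % field_id)] = value
        if field_id == 0:
            break
    info = {"version": "%d.%d" % (major, minor), "header_end": offset, "fields": fields}
    cipher = fields.get("CipherID", b"")
    if len(cipher) == 16:
        cid = uuid.UUID(bytes=cipher)
        info["cipher"] = "AES-256" if cid == AES256_CIPHER else str(cid)
    rounds = fields.get("TransformRounds", b"")
    if len(rounds) == 8:
        info["transform_rounds"] = struct.unpack("<Q", rounds)[0]
    return info


def looks_like_kdbx(data):
    """True when data carries a complete, well-formed KDBX outer header."""
    try:
        parse_kdbx_header(data)
        return True
    except ValueError:
        return False


def _field(field_id, payload, len_fmt="<BH"):
    return struct.pack(len_fmt, field_id, len(payload)) + payload


# Constructed KDBX 3.1 sample: a valid header, a stand-in for the encrypted
# payload, then the zero padding typical of a dumpfiles extract. Not Hidden.kdbx.
SAMPLE_KDBX = (
    struct.pack("<IIHH", SIG1, SIG2_KDBX, 1, 3)
    + _field(2, AES256_CIPHER.bytes)
    + _field(3, struct.pack("<I", 1))        # gzip compression
    + _field(4, b"\x11" * 32)                # MasterSeed (made up)
    + _field(5, b"\x22" * 32)                # TransformSeed (made up)
    + _field(6, struct.pack("<Q", 60000))    # AES-KDF rounds
    + _field(7, b"\x33" * 16)                # EncryptionIV (made up)
    + _field(8, b"\x44" * 32)                # ProtectedStreamKey (made up)
    + _field(9, b"\x55" * 32)                # StreamStartBytes (made up)
    + _field(10, struct.pack("<I", 2))       # Salsa20 inner stream
    + _field(0, b"\r\n\r\n")
    + b"\xab" * 64
    + b"\x00" * 4096
)


if __name__ == "__main__":
    import sys
    # Usage: python3 kdbx_check.py [dumped.kdbx]; defaults to the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KDBX
    info = parse_kdbx_header(blob)
    print("KDBX %s, cipher %s, rounds %s, header ends at byte %d" % (
        info["version"], info.get("cipher"), info.get("transform_rounds"), info["header_end"]))
```

Point it at the dumped `Hidden.kdbx` (the `file.None.0x...dat` output of `dumpfiles`) before opening it in KeePass: a bad signature means the wrong object was dumped, and a truncated header means the cached pages did not cover the whole file.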
Run [`filescan`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan) again, this time looking for anything named "password":

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep -i password
Volatility Foundation Volatility Framework 2.6.1
0x000000003e868370     16      0 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePass.exe.config
0x000000003e873070      8      0 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
0x000000003e8ef2d0     13      0 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
0x000000003e8f0360      4      0 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePass.XmlSerializers.dll
0x000000003eaf7880     15      1 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePass.XmlSerializers.dll
0x000000003fb0abc0     10      0 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePassLibC64.dll
0x000000003fce1c70      1      0 R--r-d \Device\HarddiskVolume2\Users\Alissa Simpson\Pictures\Password.png
0x000000003fd62f20      2      0 R--r-- \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\KeePass.config.xml
0x000000003fecf820     15      0 R--r-d \Device\HarddiskVolume2\Program Files (x86)\KeePass Password Safe 2\unins000.exe
```

Dump `Password.png` with [`dumpfiles`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#dumpfiles):

```
(base) ┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fce1c70 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fce1c70   None   \Device\HarddiskVolume2\Users\Alissa Simpson\Pictures\Password.png
```

Open the image to see the password:

![](https://i.imgur.com/SJyNph9.png)

Import `Hidden.kdbx` into KeePass on Windows and open it with the password shown in the bottom-right corner of `Password.png`. The flag is in the Recycle Bin:

![](https://i.imgur.com/kQFhjMT.png)

### flag2: flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}

## FLAG3

Analyze the Chrome activity with the [`chromehistory`](https://github.com/superponible/volatility-plugins) plugin (from superponible's community plugins) and redirect the output to a file called `chromehistory.txt`:

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 chromehistory > chromehistory.txt
Volatility Foundation Volatility Framework 2.6.1
```

Look for something interesting in that file:

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ cat chromehistory.txt
Index URL Title Visits Typed Last Visit Time Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
34 https://bi0s.in/ Amrita Bios 1 1 2019-12-14 10:37:11.596681 N/A
33 http://bi0s.in/ Amrita Bios 1 0 2019-12-14 10:37:11.596681 N/A
32 https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg MEGA 2 0 2019-12-14 10:21:39.602970 N/A
```

We find a MEGA link. After downloading the file `MemLabs_Lab2_Stage3.zip` and decompressing it, we find that it contains another zip, password-protected, with this note: ``"Password is SHA1(stage-3-FLAG) from Lab-1.
Password is in lowercase."``

```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 2]
└─$ echo -n flag{w3ll_3rd_stage_was_easy} | sha1sum
6045dd90029719a039fd2d2ebcca718439dd100a  -
```

The password is `6045dd90029719a039fd2d2ebcca718439dd100a`; open the protected zip with it and the flag is in a `.png` file:

![flag3](https://i.imgur.com/zCHvZfJ.png)

### flag3: flag{oK_So_Now_St4g3_3_is_DONE!!}

:::info
:information_source: More Info:
- [Volatility Official CheatSheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
- [Volatility, my own cheatsheet (Part 1): Image Identification](https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)
- [Volatility, my own cheatsheet (Part 2): Processes and DLLs](https://andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls/)
- [Volatility, my own cheatsheet (Part 3): Process Memory](https://andreafortuna.org/2017/07/10/volatility-my-own-cheatsheet-part-3-process-memory/)
- [Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects](https://andreafortuna.org/2017/07/17/volatility-my-own-cheatsheet-part-4-kernel-memory-and-objects/)
- [AboutDFIR.com|Challenges & CTFs](https://aboutdfir.com/education/challenges-ctfs/)
- [Volatility3 Linux ISF Server](https://isf-server.techanarchy.net/)
:::

:::success
:bulb: **[leonuz](https://leonuz.github.io)**
:::
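The `chromehistory` output in the FLAG3 section is a fixed-width table, and titles and timestamps contain spaces, so a naive whitespace split misaligns the columns. As an added example for that section (my own code, not the plugin's), the following Python script derives the column boundaries from the dash ruler line, turns each row into a record, and then pulls out visits to a watchlist of file-sharing hosts, which is how the MEGA link stands out. The sample table is rendered in the plugin's layout from the three rows shown in the write-up plus one made-up `example.com` row; the host watchlist and the script file name are assumptions.

```python
import re
from urllib.parse import urlsplit

# Column layout of the chromehistory plugin output shown in the write-up.
COLUMNS = ("Index", "URL", "Title", "Visits", "Typed", "Last Visit Time", "Hidden", "Favicon ID")
WIDTHS = (6, 80, 80, 6, 5, 26, 6, 10)
ROW_FMT = "{:>6} {:<80} {:<80} {:>6} {:>5} {:<26} {:>6} {:<10}"

# Three rows are the ones seen in this lab; the example.com row is made up so
# the sample has a multi-word title in the middle of the table.
SAMPLE_ROWS = [
    (34, "https://bi0s.in/", "Amrita Bios", 1, 1, "2019-12-14 10:37:11.596681", "", "N/A"),
    (33, "http://bi0s.in/", "Amrita Bios", 1, 0, "2019-12-14 10:37:11.596681", "", "N/A"),
    (32, "https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg", "MEGA", 2, 0,
     "2019-12-14 10:21:39.602970", "", "N/A"),
    (31, "https://example.com/", "Example Domain", 1, 0, "2019-12-14 10:20:02.000000", "", "N/A"),
]
SAMPLE_CHROMEHISTORY = "\n".join(
    [" ".join(n.ljust(w) for n, w in zip(COLUMNS, WIDTHS)),
     " ".join("-" * w for w in WIDTHS)]
    + [ROW_FMT.format(*row) for row in SAMPLE_ROWS]
) + "\n"

RULER = re.compile(r"^-+(?: +-+)+\s*$")


def parse_vol_table(text):
    """Parse a Volatility 2 fixed-width table using its dash ruler for column bounds."""
    lines = text.splitlines()
    ruler_idx = next((i for i, line in enumerate(lines) if RULER.match(line)), None)
    if not ruler_idx:
        raise ValueError("no column ruler found; is this Volatility 2 table output?")
    header, ruler = lines[ruler_idx - 1], lines[ruler_idx]
    # Each dash run starts a column; a column ends where the next one begins.
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    records = []
    for line in lines[ruler_idx + 1:]:
        if line.strip():
            records.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return records


def visits_to_hosts(records, watchlist):
    """Return the history records whose URL host is on the watchlist."""
    watch = {h.lower() for h in watchlist}
    return [r for r in records if (urlsplit(r["URL"]).hostname or "").lower() in watch]


if __name__ == "__main__":
    import sys
    # Usage: python3 chromehistory_triage.py [chromehistory.txt]; defaults to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHROMEHISTORY
    records = parse_vol_table(data)
    # Assumed watchlist of file-sharing hosts worth a second look in an investigation.
    for r in visits_to_hosts(records, {"mega.nz", "anonfiles.com", "transfer.sh"}):
        print(r["Index"], r["Last Visit Time"], r["URL"], "-", r["Title"])
```

The same ruler-driven parser works for any Volatility 2 plugin that prints a dash ruler under its header (`filescan`, `pslist`, and so on). One caveat: a value wider than its column pushes the rest of that row to the right, so rows with very long URLs or titles need a whitespace-tolerant fallback.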