###### tags: `volatility`

# [MemLabs 01](https://github.com/leonuz/MemLabs/tree/master/Lab%201)
###### by leonuz
## Beginner's Luck
>## Challenge Description
>My sister’s computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
>
>Note: This challenge is composed of 3 flags.
>Challenge file: [MemLabs_Lab1](https://mega.nz/#!6l4BhKIb!l8ATZoliB_ULlvlkESwkPiXAETJEF7p91Gf9CWuQI70)
We start by identifying the operating system; for that we use the [`imageinfo`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo) plugin.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/leonuz/Downloads/MemLabs/Lab 1/MemoryDump_Lab1.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800028100a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002811d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-12-11 14:38:00 UTC+0000
Image local date and time : 2019-12-11 20:08:00 +0530
```
Next we check the running processes with the [`pslist`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pslist) plugin, passing the profile suggested above.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System 4 0 80 570 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800148f040 smss.exe 248 4 3 37 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800154f740 csrss.exe 320 312 9 457 0 0 2019-12-11 13:41:32 UTC+0000
0xfffffa8000ca81e0 csrss.exe 368 360 7 199 1 0 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c45060 psxss.exe 376 248 18 786 0 0 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c5f060 winlogon.exe 416 360 4 118 1 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c5f630 wininit.exe 424 312 3 75 0 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c98530 services.exe 484 424 13 219 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca0580 lsass.exe 492 424 9 764 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca4b30 lsm.exe 500 424 11 185 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001cf4b30 svchost.exe 588 484 11 358 0 0 2019-12-11 13:41:39 UTC+0000
0xfffffa8001d327c0 VBoxService.ex 652 484 13 137 0 0 2019-12-11 13:41:40 UTC+0000
0xfffffa8001d49b30 svchost.exe 720 484 8 279 0 0 2019-12-11 13:41:41 UTC+0000
0xfffffa8001d8c420 svchost.exe 816 484 23 569 0 0 2019-12-11 13:41:42 UTC+0000
0xfffffa8001da5b30 svchost.exe 852 484 28 542 0 0 2019-12-11 13:41:43 UTC+0000
0xfffffa8001da96c0 svchost.exe 876 484 32 941 0 0 2019-12-11 13:41:43 UTC+0000
0xfffffa8001e1bb30 svchost.exe 472 484 19 476 0 0 2019-12-11 13:41:47 UTC+0000
0xfffffa8001e50b30 svchost.exe 1044 484 14 366 0 0 2019-12-11 13:41:48 UTC+0000
0xfffffa8001eba230 spoolsv.exe 1208 484 13 282 0 0 2019-12-11 13:41:51 UTC+0000
0xfffffa8001eda060 svchost.exe 1248 484 19 313 0 0 2019-12-11 13:41:52 UTC+0000
0xfffffa8001f58890 svchost.exe 1372 484 22 295 0 0 2019-12-11 13:41:54 UTC+0000
0xfffffa8001f91b30 TCPSVCS.EXE 1416 484 4 97 0 0 2019-12-11 13:41:55 UTC+0000
0xfffffa8000d3c400 sppsvc.exe 1508 484 4 141 0 0 2019-12-11 14:16:06 UTC+0000
0xfffffa8001c38580 svchost.exe 948 484 13 322 0 0 2019-12-11 14:16:07 UTC+0000
0xfffffa8002170630 wmpnetwk.exe 1856 484 16 451 0 0 2019-12-11 14:16:08 UTC+0000
0xfffffa8001d376f0 SearchIndexer. 480 484 14 701 0 0 2019-12-11 14:16:09 UTC+0000
0xfffffa8001eb47f0 taskhost.exe 296 484 8 151 1 0 2019-12-11 14:32:24 UTC+0000
0xfffffa8001dfa910 dwm.exe 1988 852 5 72 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa8002046960 explorer.exe 604 2016 33 927 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa80021c75d0 VBoxTray.exe 1844 604 11 140 1 0 2019-12-11 14:32:35 UTC+0000
0xfffffa80021da060 audiodg.exe 2064 816 6 131 0 0 2019-12-11 14:32:37 UTC+0000
0xfffffa80022199e0 svchost.exe 2368 484 9 365 0 0 2019-12-11 14:32:51 UTC+0000
0xfffffa8002222780 cmd.exe 1984 604 1 21 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa8002227140 conhost.exe 2692 368 2 50 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8000eac770 svchost.exe 2660 484 6 100 0 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8001e68060 csrss.exe 2760 2680 7 172 2 0 2019-12-11 14:37:05 UTC+0000
0xfffffa8000ecbb30 winlogon.exe 2808 2680 4 119 2 0 2019-12-11 14:37:05 UTC+0000
0xfffffa8000f3aab0 taskhost.exe 2908 484 9 158 2 0 2019-12-11 14:37:13 UTC+0000
0xfffffa8000f4db30 dwm.exe 3004 852 5 72 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000f4c670 explorer.exe 2504 3000 34 825 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000f9a4e0 VBoxTray.exe 2304 2504 14 144 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000fff630 SearchProtocol 2524 480 7 226 2 0 2019-12-11 14:37:21 UTC+0000
0xfffffa8000ecea60 SearchFilterHo 1720 480 5 90 0 0 2019-12-11 14:37:21 UTC+0000
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001020b30 SearchProtocol 2868 480 8 279 0 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001048060 DumpIt.exe 796 604 2 45 1 1 2019-12-11 14:37:54 UTC+0000
0xfffffa800104a780 conhost.exe 2260 368 2 50 1 0 2019-12-11 14:37:54 UTC+0000
```
There are 3 interesting processes:
- cmd.exe
- mspaint.exe
- WinRAR.exe
## FLAG 1: Analysing CMD
The presence of cmd.exe (with its conhost.exe child) indicates that commands were typed on the system.
We can use the [`consoles`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#consoles) plugin to recover the command history and the screen buffer, including the output of those commands.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2692
Console: 0xff756200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe - St4G3$1
AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60
----
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1de3c0: St4G3$1
----
Screen 0x1e0f70 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\SmartNet>St4G3$1
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
```
The output looks like base64; decode it to get the first flag.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0= | base64 -d
flag{th1s_1s_th3_1st_st4g3!!}
```
#### flag1: flag{th1s_1s_th3_1st_st4g3!!}
## FLAG 2: Analysing MSPAINT
The challenge description says the user was drawing something when the crash happened, which points at mspaint.exe (PID 2424).
We first dump the process memory using the [`memdump`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#memdump) plugin.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D .
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing mspaint.exe [ 2424] to 2424.dmp
```
Then rename 2424.dmp to 2424.data so GIMP offers to open it as raw image data (File > Open, type "Raw image data").
After a while of adjusting the image width and the offset into the dump, the canvas contents line up and the flag becomes readable.
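What GIMP does in that step can be reproduced offline, which makes the width/offset sweep scriptable. This is an added example, not part of the original writeup: it interprets a slice of a buffer as rows of BGR(A) pixels (the layout Windows GDI bitmaps use) and writes a binary PPM. The buffer here is constructed (a small framebuffer behind 64 filler bytes); for the real 2424.dmp you would read the file and sweep `width` and `offset`.

```python
import sys

def raw_to_ppm(buf, width, offset=0, bpp=4, height=None):
    """Interpret buf[offset:] as rows of `width` pixels of `bpp` bytes each
    (BGR or BGRA) and return the image as PPM (P6) bytes.
    Rows cut off by the end of the buffer are dropped, which is why the
    rendered height shrinks as the offset grows."""
    if bpp not in (3, 4):
        raise ValueError("bpp must be 3 (BGR) or 4 (BGRA)")
    stride = width * bpp
    avail = (len(buf) - offset) // stride
    rows = avail if height is None else min(height, avail)
    if rows <= 0:
        raise ValueError("offset leaves no complete row")
    out = bytearray(b"P6\n%d %d\n255\n" % (width, rows))
    for y in range(rows):
        row = buf[offset + y * stride: offset + (y + 1) * stride]
        for x in range(0, stride, bpp):
            b, g, r = row[x], row[x + 1], row[x + 2]   # BGR(A) -> RGB, alpha dropped
            out += bytes((r, g, b))
    return bytes(out)

def ppm_size(ppm):
    """Read (width, height) back from a P6 header; handy when sweeping offsets."""
    magic, dims = ppm.split(b"\n", 3)[:2]
    if magic != b"P6":
        raise ValueError("not a P6 PPM")
    w, h = dims.split()
    return int(w), int(h)

def build_sample(width=8, height=4):
    """Constructed input: 64 bytes of junk, then a white BGRA bitmap whose
    top-left pixel is red (B=0, G=0, R=255)."""
    junk = bytes(range(64))
    pixels = bytearray(b"\xff\xff\xff\x00" * (width * height))
    pixels[0:4] = b"\x00\x00\xff\x00"
    return junk + bytes(pixels)

if __name__ == "__main__":
    # Usage: python raw2ppm.py 2424.data WIDTH OFFSET > frame.ppm (or run with no args for the sample)
    if len(sys.argv) == 4:
        data = open(sys.argv[1], "rb").read()
        sys.stdout.buffer.write(raw_to_ppm(data, int(sys.argv[2]), int(sys.argv[3])))
    else:
        ppm = raw_to_ppm(build_sample(), width=8, offset=64)
        open("frame.ppm", "wb").write(ppm)
        print("wrote frame.ppm", ppm_size(ppm))
```

A width that is wrong by even a few pixels shears the picture diagonally, and an offset that is not a multiple of `bpp` shifts the colour channels, so sweep both, exactly as the GIMP step does by hand.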

#### flag2: flag{G00d_BoY_good_girL}
## FLAG 3: Analysing WINRAR
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist | grep WinRAR
Volatility Foundation Volatility Framework 2.6.1
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000
```
We can use the [`cmdline`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#cmdline) plugin to see the command line the process was started with.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdline | grep WinRAR
Volatility Foundation Volatility Framework 2.6.1
WinRAR.exe pid: 1512
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Alissa Simpson\Documents\Important.rar"
```
We can use the [`filescan`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan) plugin to get the physical offset of that file's FILE_OBJECT in memory.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan | grep Important.rar
Volatility Foundation Volatility Framework 2.6.1
0x000000003fa3ebc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fac3bc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fb48bc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
```
We can pick any of these offsets. To dump the file we use the [`dumpfiles`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#dumpfiles) plugin.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fac3bc0 -D ./flag3
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fac3bc0 None \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
```
Rename the dumped file back to its original name.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1/flag3]
└─$ mv file.None.0xfffffa8001034450.dat Important.rar
```
Check that the file has a valid header.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1/flag3]
└─$ file Important.rar
Important.rar: RAR archive data, v5
```
Try to extract the archive.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1/flag3]
└─$ 7z x Important.rar
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-3475S CPU @ 2.90GHz (306A9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 45056 bytes (44 KiB)
Extracting archive: Important.rar
WARNINGS:
There are data after the end of archive
--
Path = Important.rar
Type = Rar5
WARNINGS:
There are data after the end of archive
Physical Size = 42191
Tail Size = 2865
Solid = -
Blocks = 1
Encrypted = -
Multivolume = -
Volumes = 1
Comment = Password is NTLM hash(in uppercase) of Alissa's account passwd.
Enter password (will not be echoed):
```
The file is password protected, but the archive comment says the password is the NTLM hash (in uppercase) of Alissa's account password. The "data after the end of archive" warning is expected for a file carved from memory: the dump is page-granular, so it carries 2865 trailing bytes beyond the archive's 42191-byte physical size.
To get the password hash, we use the [`hashdump`](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#hashdump) plugin.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ python2.7 /home/leonuz/Documents/volatility/vol.py -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
```
Convert Alissa Simpson's NT hash to uppercase.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1]
└─$ echo f4ff64c8baac57d22f22edc681055ba6 | tr '[:lower:]' '[:upper:]'
F4FF64C8BAAC57D22F22EDC681055BA6
```
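The two steps above (reading hashdump output, picking one account's NT hash and uppercasing it) can be done in one place. This is an added example, not code from the writeup: it parses pwdump-format lines, keeping usernames that contain spaces intact, and also flags what a defender would want to see in this output, namely accounts whose NT hash is the well-known hash of the empty password. The sample lines are the hashdump output shown on this page.

```python
import re

# Well-known hashes of an empty password / disabled LM storage.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

# Sample input: the hashdump lines from this writeup.
HASHDUMP_LINES = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
"""

def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines into dicts. Splitting from the right keeps
    usernames with spaces ("Alissa Simpson") in one piece."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rstrip(":").rsplit(":", 3)
        if len(parts) != 4 or not (HEX32.fullmatch(parts[2]) and HEX32.fullmatch(parts[3])):
            raise ValueError("unexpected hashdump line: %r" % line)
        user, rid, lm, nt = parts
        records.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM,      # LM hashes not stored (default since Vista)
            "blank_password": nt.lower() == EMPTY_NT,   # NT hash of "" => empty password
        })
    return records

def rar_password_for(records, user):
    """The archive comment asks for the NT hash in uppercase."""
    for rec in records:
        if rec["user"] == user:
            return rec["nt"].upper()
    raise KeyError(user)

def blank_password_accounts(records):
    """Accounts with an empty password; on a live box these are a finding in themselves."""
    return [r["user"] for r in records if r["blank_password"]]

if __name__ == "__main__":
    recs = parse_hashdump(HASHDUMP_LINES)
    print("RAR password:", rar_password_for(recs, "Alissa Simpson"))
    print("empty-password accounts:", blank_password_accounts(recs))
```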
Use the uppercase hash as the password for the .rar.
```
┌──(leonuz㉿sniperhack)-[~/Downloads/MemLabs/Lab 1/flag3]
└─$ 7z x Important.rar
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-3475S CPU @ 2.90GHz (306A9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 45056 bytes (44 KiB)
Extracting archive: Important.rar
WARNINGS:
There are data after the end of archive
--
Path = Important.rar
Type = Rar5
WARNINGS:
There are data after the end of archive
Physical Size = 42191
Tail Size = 2865
Solid = -
Blocks = 1
Encrypted = -
Multivolume = -
Volumes = 1
Comment = Password is NTLM hash(in uppercase) of Alissa's account passwd.
Enter password (will not be echoed):
Everything is Ok
Archives with Warnings: 1
Warnings: 1
Size: 46045
Compressed: 45056
```
The extracted image contains the third flag.

#### flag3: flag{w3ll_3rd_stage_was_easy}
:::info
:information_source: More Info:
- [Volatility Official CheatSheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
- [Volatility, my own cheatsheet (Part 1): Image Identification](https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)
- [Volatility, my own cheatsheet (Part 2): Processes and DLLs](https://andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls/)
- [Volatility, my own cheatsheet (Part 3): Process Memory](https://andreafortuna.org/2017/07/10/volatility-my-own-cheatsheet-part-3-process-memory/)
- [Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects](https://andreafortuna.org/2017/07/17/volatility-my-own-cheatsheet-part-4-kernel-memory-and-objects/)
- [AboutDFIR.com|Challenges & CTFs](https://aboutdfir.com/education/challenges-ctfs/)
- [Volatility3 Linux ISF Server](https://isf-server.techanarchy.net/)
- [Volatility, my own cheatsheet](https://andreafortuna.org/2017/07/24/volatility-my-own-cheatsheet-part-5-networking/)
- [Finding Advanced Malware Using Volatility](https://eforensicsmag.com/finding-advanced-malware-using-volatility/)
- [Study a live Linux memory dump - Volatility](https://heisenberk.github.io/Study-Linux-Memory-Dump/)
- [Linux Command Reference](https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference#linux_find_file)
:::
:::success
:bulb: **[leonuz](https://leonuz.github.io)**
:::