MemLabs
===
## Table of Contents
[TOC]
## MemLabs Lab 1 - Beginner's Luck

---
First we identify the image's profile (OS version and architecture) with `imageinfo`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw imageinfo

Next we list the running processes with `pslist` (or `pstree`, which also shows the parent/child relationships):
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist

The command prompt, MS Paint, Internet Explorer and WinRAR are among the running processes.

---
To see what was typed into the command prompt, we use the `consoles` plugin:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles

The console history contains a base64-encoded string; [decoding](https://www.base64decode.org/) it gives the first flag.
:::info
**flag{th1s_1s_th3_1st_st4g3!!}**
:::
---
That leaves MS Paint, Internet Explorer and WinRAR to look at.
For Internet Explorer, we have the `iehistory` plugin:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 iehistory
It returns nothing useful here, so the browser appears to be a dead end.

---
To analyse WinRAR we need the archive it had open, so we use `filescan` to look for a *.rar* file:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan | grep .rar

We then extract it from memory with the `dumpfiles` plugin, passing the physical offset reported by `filescan` (`-Q`) and keeping the original file name (`-n`):
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./ -n

The archive is password-protected, and its password is the NTLM hash of Alissa's Windows account password.
To recover her plaintext password we use the `mimikatz` plugin:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 mimikatz

Converting that password to its [NTLM hash](https://codebeautify.org/ntlm-hash-generator) gives the archive password.
Extracting the RAR yields an image containing the flag.

:::info
**flag{w3ll_3rd_stage_was_easy}**
:::
---
That leaves stage 2, and the only process not yet examined is MS Paint. Nothing about it stands out at first.
The `clipboard` plugin lists whatever was on the Windows clipboard:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 clipboard
It shows nothing useful.
So we dump the Paint process's memory with the `memdump` plugin (its PID is 2424 in this image):
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./

To look at the *.dmp* file we open it in [GIMP](https://www.gimp.org/) as raw image data.
After adjusting the offset, width and height, the flag becomes visible, but upside down: the canvas Paint draws on is stored bottom-up in memory.


Flipping the image with an [online tool](https://www.img2go.com/rotate-image) reveals the flag:

:::info
**flag{G00d_Boy_good_girl}**
:::
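Instead of trial and error in GIMP followed by an upload to a rotate tool, the raw dump can be rendered directly. The script below is an added example and not part of the original write-up: it interprets a region of the memdump as packed 32-bit BGRA pixels, writes one PPM per candidate width so the correct stride can be spotted by eye, and reverses the row order because Windows DIB sections (which Paint draws on) are stored bottom-up. The offset, the candidate widths and the height in the `__main__` block are assumptions to be tuned per dump; PPM was chosen because it needs no image library.

```python
import sys


def fits(raw: bytes, width: int, height: int, offset: int = 0, bpp: int = 4) -> bool:
    """True if a width x height frame of bpp-byte pixels at `offset` lies inside the buffer."""
    return offset + width * height * bpp <= len(raw)


def raw_to_ppm(raw: bytes, width: int, height: int, offset: int = 0,
               bpp: int = 4, bottom_up: bool = True) -> bytes:
    """Render a packed BGR/BGRA pixel buffer as a binary PPM (P6) image.

    bottom_up=True treats the last row in memory as the top of the picture,
    which is how a DIB section stores its pixels; set it False for top-down data.
    """
    if bpp not in (3, 4):
        raise ValueError("bpp must be 3 (BGR) or 4 (BGRA)")
    if not fits(raw, width, height, offset, bpp):
        raise ValueError("frame does not fit inside the buffer")
    row_len = width * bpp
    rows = []
    for y in range(height):
        row = raw[offset + y * row_len: offset + (y + 1) * row_len]
        # Pixels are stored B, G, R(, A); PPM wants R, G, B.
        rows.append(bytes(v for px in range(0, row_len, bpp)
                          for v in (row[px + 2], row[px + 1], row[px])))
    if bottom_up:
        rows.reverse()
    return b"P6\n%d %d\n255\n" % (width, height) + b"".join(rows)


def render_candidates(raw: bytes, widths, height: int, offset: int = 0,
                      bpp: int = 4, prefix: str = "paint") -> list:
    """Write one PPM per candidate width; returns the file names written.

    Widths whose frame would overrun the buffer are skipped.
    """
    written = []
    for w in widths:
        if not fits(raw, w, height, offset, bpp):
            continue
        name = f"{prefix}_w{w}.ppm"
        with open(name, "wb") as fh:
            fh.write(raw_to_ppm(raw, w, height, offset, bpp))
        written.append(name)
    return written


if __name__ == "__main__":
    # Usage: python3 rawview.py 2424.dmp [offset]   (offset may be hex, e.g. 0x1000)
    dump = open(sys.argv[1], "rb").read()
    off = int(sys.argv[2], 0) if len(sys.argv) > 2 else 0
    # Common screen widths as strides to try; 600 rows is enough to spot text.
    for name in render_candidates(dump, (800, 1024, 1280, 1366, 1440, 1600, 1920), 600, off):
        print("wrote", name)
```

Open the resulting PPMs in any image viewer; the one whose width matches the real stride shows an undistorted canvas, and the offset can then be refined the same way.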
[Reference](https://www.rootusers.com/google-ctf-2016-forensic-for1-write-up/).

---
---
## MemLabs Lab 2 - A New World
---

As before, we identify the image profile with `imageinfo`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw imageinfo

Then we list the running processes with `pslist`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 pslist

Here Internet Explorer, the command prompt, Google Chrome, KeePass and Notepad are running.
Let us analyse them one by one.
---
Starting with the command prompt, using the `consoles` plugin:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 consoles
The console shows only *Nothing here kids :)*, but the challenge text emphasises the word *environment*.
So we look at the environment variables with the `envars` plugin:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars

Among the variables is a base64-encoded string; [decoding](https://www.base64decode.org/) it gives the first flag.
:::info
**flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}**
:::
---
Internet Explorer's history, via `iehistory`, gives us nothing:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 iehistory
So we turn to Google Chrome with `chromehistory` (a community plugin, which is why `--plugins` points at the extra plugin directory):
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 chromehistory

The history contains a Mega link, which serves a zip file.

The zip password is the SHA-1 hash of the third flag of Lab 1; extracting the zip gives this lab's third flag.

:::info
**flag{oK_So_Now_St4g3_3_is_DoNE!!}**
:::
---
We are left with Notepad and KeePass.
For Notepad, we try the `clipboard` plugin in case something was copied out of it:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 clipboard
Nothing useful is found.
That leaves KeePass. KeePass stores its credentials in a database file with the [.kdbx](https://www.reviversoft.com/file-extensions/kdbx) extension, protected by a master password.
So we search for *.kdbx* files:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep .kdbx
There is one, so we dump it with `dumpfiles`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 -D ./ -n

The dumped database can be opened with KeePass, but we still need the master password.
So we search the file list for anything with *password* in its name:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep -i password
This turns up a *PNG* file, which we dump with `dumpfiles` in the same way.

The image shows a password.

Unlocking the database with this password, we find the flag stored as the password of an entry in the Recycle Bin group.
:::info
**flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}**
:::
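The `dumpfiles` extractions in these labs (the RAR in Lab 1, the .kdbx and the PNG here) only come out intact if the file's pages were resident in memory; pages Volatility cannot find are written as zeros, so a dumped archive or database can be silently truncated or hollow, and it is worth checking it before spending time on cracking it. The script below is an added example, not part of the original write-up: it identifies a dumped file by its magic bytes, reads the KDBX 2.x header version, and counts page-sized all-zero regions. The magic list, the 4 KiB page size and the function names are assumptions of this example.

```python
import struct
import sys

# Magic bytes for the file types dumped in these labs (constructed list; extend as needed).
MAGICS = [
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5", "KeePass 2.x database (.kdbx)"),
    (b"\x03\xd9\xa2\x9a\x65\xfb\x4b\xb5", "KeePass 1.x database (.kdb)"),
]
KDBX2_MAGIC = MAGICS[4][0]
PAGE = 4096  # x86/x64 small-page size; a non-resident page is dumped as one zero-filled page


def identify(data: bytes) -> str:
    """Name of the first matching magic, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def kdbx_version(data: bytes):
    """(major, minor) from a KDBX 2.x header, or None if the data is not a KDBX 2.x file.

    Bytes 8..11 hold the format version as little-endian uint16 minor, then uint16 major.
    """
    if not data.startswith(KDBX2_MAGIC) or len(data) < 12:
        return None
    minor, major = struct.unpack_from("<HH", data, 8)
    return major, minor


def zero_pages(data: bytes, page: int = PAGE) -> list:
    """Offsets of whole pages that are entirely zero (the likely non-resident pages)."""
    blank = bytes(page)
    return [off for off in range(0, len(data) - page + 1, page) if data[off:off + page] == blank]


def report(data: bytes) -> dict:
    """Summary a triage step can print or assert on before the file is opened or cracked."""
    holes = zero_pages(data)
    return {
        "type": identify(data),
        "size": len(data),
        "kdbx_version": kdbx_version(data),
        "zero_pages": len(holes),
        "first_hole": holes[0] if holes else None,
    }


if __name__ == "__main__":
    # Usage: python3 dumpcheck.py file.None.0x....dat [more files]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, report(fh.read()))
```

A hole in the first page means the header itself is gone and the dump is not worth attempting; holes later in a RAR or zip usually mean the archive will extract with CRC errors, and in a .kdbx they will make KeePass reject the file even with the right master password.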
---
---
## MemLabs Lab 3 - The Evil's Den
---

As usual, we find the profile with `imageinfo`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw imageinfo

Then we list the running processes with `pslist`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 pslist

Among the running processes, Internet Explorer and Notepad are the ones of interest.
First we pull the Internet Explorer history with the `iehistory` plugin:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 iehistory

The history references a Python script (*.py*) and a *.txt* file.
So we look for those files in the location it points to (the Desktop) with `filescan`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 filescan | grep Desktop

There is also a *.jpeg* on the Desktop, which is suspicious given that the challenge hints at **steghide**, a steganography tool for images.
We dump the files with `dumpfiles`:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003de1b5f0 -D ./ -n

This gives us the Python script, which takes the contents of *vip.txt* as its input, so we dump that file as well:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003e727e50 -D ./ -n

With both files in hand, reversing the transformation the script applies to the text yields the first half of the flag.

Next we dump the JPEG:
>volatility --plugins=volatility-plugins/ -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x0000000004f34148 -D ./ -n

Extracting from the JPEG with steghide, using the first half of the flag as the passphrase, gives the second half:
:::info
**inctf{0n3_h4lf_1s_n0t_3n0ugh}**
:::
---
---
## MemLabs Lab 4 - Obsession
---

###### tags: `MemLabs`, `Memory Forensics`, `DFIR`