# Command & Control - level 2

[Challenge](https://static.root-me.org/forensic/ch2/ch2.tbz2)
[Volatility cheatsheet v2.4 (Forensic)](https://repository.root-me.org/Forensic/EN%20-%20Volatility%20cheatsheet%20v2.4.pdf?_gl=1*1ocdz73*_ga*NzUwMDMxNzUyLjE3Mzk4OTQ3NzM.*_ga_SRYSKX09J7*MTc0MjQ2NTI5NC4zNC4xLjE3NDI0NjUzNTMuMC4wLjA.)
Some definitions:
- System32 is a core folder in the Windows operating system containing essential files, DLLs, and executables required for Windows to run and function properly. It houses drivers, configuration files, and system components that manage tasks like hardware communication and background services. Modifying or deleting files from the System32 folder can lead to serious system instability, frequent crashes, and a non-bootable computer, requiring a complete reinstallation of Windows to fix.
- [Volatility command guide](https://medium.com/@cyberengage.org/step-by-step-guide-to-uncovering-threats-with-volatility-a-beginners-memory-forensics-0213072b2bd8)
- The computer name is stored here in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName => ComputerName
- The SYSTEM registry hive is stored here, if you need to access the registry without booting Windows: C:\Windows\System32\config\SYSTEM
- HKEY_LOCAL_MACHINE (HKLM) is a registry hive in the Windows operating system. It contains configuration information regarding the hardware and software installed on the computer. The registry is a database that stores settings and options for the operating system, applications, and user preferences.
There are two ways to solve this.
First way:
COMPUTERNAME is an environment variable, so we can find it with
```
python3 ~/Downloads/volatility3/vol.py -f ch2.dmp windows.envars | grep COMPUTERNAME
```

or `strings ch2.dmp | grep COMPUTERNAME`

Second way:
Use `python3 ~/Downloads/volatility3/vol.py -f ch2.dmp windows.registry.hivelist` to print the hive list

Pay attention to the offset 0x8b21c008: it is the \REGISTRY\MACHINE\SYSTEM hive, the one that holds COMPUTERNAME.
Next, print the key under that hive to see the COMPUTERNAME value:
```
python3 ~/Downloads/volatility3/vol.py -f ch2.dmp windows.registry.printkey.PrintKey --offset 0x8b21c008 --key 'ControlSet001\Control\ComputerName\ComputerName'
```

CurrentControlSet is a symbolic link — you have to resolve it to the actual ControlSet00X.
More info: [CM + CT](https://medium.com/tradahacking/memory-forensic-l%E1%BB%9Bp-m%E1%BA%A7m-709a694f8b19)
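As an added example (not part of the write-up), here is a small Python scanner that finds NAME=value occurrences in a dump whether they are stored as ASCII or as UTF-16LE, the encoding Windows uses for a process environment block; the sample dump bytes are constructed. A plain `strings` without `-el` only reports the ASCII form, which is what the second function reproduces.

```python
import re

def find_env_vars(dump: bytes, name: str):
    """Return every NAME=value found in dump, stored either as ASCII or as
    UTF-16LE (the encoding of a Windows process environment block)."""
    hits = set()
    # ASCII form: NAME=value, the value runs until the first non-printable byte
    ascii_pat = re.escape(name.encode()) + rb"=([\x20-\x7e]+)"
    for m in re.finditer(ascii_pat, dump):
        hits.add(m.group(1).decode())
    # UTF-16LE form: every printable character is followed by a 0x00 byte
    wide_name = b"".join(re.escape(ch.encode()) + b"\x00" for ch in name)
    wide_pat = wide_name + rb"=\x00((?:[\x20-\x7e]\x00)+)"
    for m in re.finditer(wide_pat, dump):
        hits.add(m.group(1).decode("utf-16-le"))
    return sorted(hits)

def find_env_vars_ascii_only(dump: bytes, name: str):
    """What a plain `strings | grep NAME` sees: ASCII occurrences only."""
    pat = re.escape(name.encode()) + rb"=([\x20-\x7e]+)"
    return sorted({m.group(1).decode() for m in re.finditer(pat, dump)})

# Constructed stand-in for a memory dump: one UTF-16LE environment block and
# one stray ASCII copy of the variable, separated by filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 8
    + "COMPUTERNAME=WIN-CONSTRUCTED\x00SystemRoot=C:\\Windows\x00".encode("utf-16-le")
    + b"\x00" * 8
    + b"COMPUTERNAME=ASCII-COPY\x00"
    + b"\xff" * 4
)

if __name__ == "__main__":
    print("both encodings:", find_env_vars(SAMPLE_DUMP, "COMPUTERNAME"))
    print("ASCII only:", find_env_vars_ascii_only(SAMPLE_DUMP, "COMPUTERNAME"))
```

On a real dump, run `find_env_vars(open("ch2.dmp", "rb").read(), "COMPUTERNAME")`; the UTF-16LE hits are the ones `strings -el` would add.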
# Command & Control - level 3

[Challenge](https://www.root-me.org/en/Challenges/Forensic/Command-Control-level-3)
Some definitions:
- TPAutoConnSvc.exe is a print mapping application by Cortado AG, published by VMware and used in the VMware Workstation software
- spoolsv.exe runs the Windows OS print spooler service. Any time you print something with Windows this important service caches the print job into memory so your printer can understand what to print.
- svchost.exe, or "Service Host," is a legitimate and essential Windows system process that loads and runs various Windows operating system services, such as network management, security updates, and internet connectivity, using dynamic-link libraries (DLLs). It serves as a shared process, grouping related services into logical units to reduce resource consumption and improve efficiency, preventing the need for separate processes for each service.
- vmtoolsd.exe is an executable file associated with VMware Tools Core Services, a software application developed by VMware
- AvastSvc.exe is a core background process for Avast Antivirus software, responsible for real-time protection against malware and other online threats by scanning files, emails, and websites
- AvastUI.exe is a legitimate process for the Avast Antivirus user interface, responsible for launching the program's graphical interface, including the tray icon and accessing security features
Check `pstree`:

We can see `cmd.exe` under `iexplore.exe`, which looks suspicious.
Check its path:

It should be in `C:\Program Files\Internet Explorer\iexplore.exe`,
but this `iexplore.exe` was launched by John, not by the program.
Furthermore, look at `cmdline`:

The two processes carry the same program name but were started with different command lines, so this `iexplore.exe` is the malware: attackers commonly rename malware so that it looks like a normal process.

=> 49979149632639432397b3a1df8cb43d
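The two checks used above (a known binary running from the wrong path, and a shell spawned by a browser) as an added Python example, not part of the write-up; the process list and the expected-path table are constructed, and the PIDs are made up rather than taken from the challenge.

```python
from dataclasses import dataclass

# Expected on-disk locations of a few common binaries (assumed table for this
# example; extend it from your own golden image).
EXPECTED_PATH = {
    "iexplore.exe": r"c:\program files\internet explorer\iexplore.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
    "cmd.exe": r"c:\windows\system32\cmd.exe",
}
# Programs that have no normal reason to spawn a command shell.
NO_SHELL_PARENTS = {"iexplore.exe"}

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str   # image name as shown by pstree
    path: str   # full path as shown by cmdline / dlllist

def find_suspicious(procs):
    """Return (pid, reason) pairs for processes that fail either check:
    wrong on-disk path, or cmd.exe whose parent is a browser."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PATH.get(p.name.lower())
        if expected and p.path.lower() != expected:
            findings.append((p.pid, f"{p.name} runs from {p.path}, expected {expected}"))
        parent = by_pid.get(p.ppid)
        if p.name.lower() == "cmd.exe" and parent and parent.name.lower() in NO_SHELL_PARENTS:
            findings.append((p.pid, f"cmd.exe spawned by {parent.name} (pid {parent.pid})"))
    return findings

# Constructed process list: a genuine Internet Explorer, an impostor with the
# same name started from a user directory, and the shell the impostor spawned.
SAMPLE_PROCS = [
    Proc(1000, 500, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1200, 1000, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2100, 1000, "iexplore.exe", r"C:\Users\John\AppData\Local\Temp\iexplore.exe"),
    Proc(2200, 2100, "cmd.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCS):
        print(pid, reason)
```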
# Command & Control - level 4

- tcprelay is a lightweight application that can be used for relaying TCP connections between a server and a client and log the generated traffic.
- tcprelay runs in the command console, enabling you to log traffic either as binary data or by assuming telnet-style data exchange.
# Command & Control - level 5

Reading the hint, I immediately think of `john` to crack this. To use `john`, we need the password hashes from the dump.
Use this command:
```
~/Downloads/volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone -f ~/bigcat/rootme/ch2.dmp --profile=Win7SP1x86_23418 hashdump > hash.txt
```

Use this command to crack the NT hashes, then `--show` to display what was recovered:
```
john --format=NT hash.txt
john --show --format=NT hash.txt
```

=> passw0rd
# Command & Control - level 6

From `pstree`, we already know that `cmd.exe` is a child of `iexplore.exe`.

`iexplore.exe` is the malware, so dump it:
```
~/Downloads/volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone -f ~/bigcat/rootme/ch2.dmp --profile=Win7SP1x86_23418 procdump --pid 2772 -D .
```

Use Hybrid Analysis to check its network activity.

=> `th1sis.l1k3aK3y.org`