Magnet Weekly CTF Challenge Week #9
Windows Memory Forensics
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.
I started off by running kdbgscan over the image to get the profile:
When reading the question for part 1, I had a deja vue moment. Back in the MVS 2020 CTF (which used the same image) I had come across a password that was wrong answer at the time. This is an excerpt from my writeup back then:
Funnily enough, that it is the answer for Part 1 :)
What is the md5 hash of the file which you recovered the password from?
First, I listed all file handles for the process WINWORD.exe (with PID 3180).
vol.py -f memdump.mem --profile=Win7SP1x64 handles -p 3180 -t File
The only one of note from this output was an Autorecovery document but I was not sure if this was right because I was looking for extensions like
I ran the filescan plugin to get a list of all files still in memory and ran some greps over it.
cat filescan.txt | grep .doc
cat filescan.txt | grep .txt
cat filescan.txt | grep Document
I again saw the AutoRecovery doc so I decided to dump this file and check if the password from Part 1 was in it.
Using the offset from the filescan, I used dumpfiles to extract the file from memory.
vol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013e6de810 -D .
If we do a quick strings over the output, we can see the file contains our conversation that includes the password!
What is the birth object ID for the file which contained the password?
The $OBJECT_ID is an attribute of an NTFS file which contains:
- Object ID (used as a key in the index)
- Birth Volume Object ID
- Birth Object ID
- Domain Object ID
I ran the mftparser plugin to get the the MFT infomation from the image.
vol.py -f memdump.mem --profile=Win7SP1x64 mftparser --output-file=mft.txt
I grepped for my file and viewed the $OBJECT_ID data to find the answer.
What is the name of the user and their unique identifier which you can attribute the creation of the file document to?
Format: #### (Name)
Running getsids for the WINWORD.exe process returned Warren’s SID which has the RID (1000) at the end
Took me a couple of tries to understand the format.
What is the version of software used to create the file containing the password?
Format ## (Whole version number, don’t worry about decimals)
Using the filescan output from the previous questions, I grepped for Office to see what I could find. The major version is normally in the path of the main Office executables.
We can see here a number of the files are in the Office15 directory indicating the major version is 15. A more precise answer would be found in the registry but this was enough for the question.
What is the virtual memory address offset where the password string is located in the memory image?
I ran strings over the image with the
-o flag enabled to print the offset of where the string was found in decimal.
strings -o memdump.mem > strings.txt
We now have the physical offset for the string in the memory dump but the question is asking for the virtual offset.
I ran the volatility plugin strings and supplied it the file
passwordphysicaloffset.txt which contained:
The output (format is [<PID>:<VirtualOffset>]) provided 0x10fb119f which was wrong.
I decided to run strings again using the SysInternals binary as it suggests in the Volatility documentation for the strings plugin.
I added the new offsets to the passwordphysicaloffset.txt file and ran the strings plugin again. Because we know the PID of WINWORD.exe (3180), we can use it to filter the results to find the right answer.
I tried the first one on the list, and it was right!
What is the physical memory address offset where the password string is located in the memory image?
Because of the way I had solved the last question, all I needed to do was convert the decimal output (183577133) to hex.