Nuit du hack 2011 CTF Forensic

Forensic 100

On a dumpe la RAM d’une machine sur laquelle tournait un serveur VNC.
Le but est de recupere le mot de passe de ce serveur.

* * *

We have dumped the RAM of a Machine on which was running a VNC server.
The goal is to get the password of that VNC server.

Dump.

We need to analyze  dumped memory. I used volatility framework version 1.4_rc1. It’s a great tool for memory forensic. There are Linux and Windows 7 support since version 1.4_rc1.

Let’s dump list of process.

volatility -f dump.raw psscan
Volatile Systems Volatility Framework 1.4_rc1
*** Failed to import volatility.plugins.registry.printkey (SyntaxError: invalid syntax (printkey.py, line 47))
PID    PPID   Time created             Time exited              Offset     PDB        Remarks
—— —— ———————— ———————— ———- ———- —————-
0      0                                                   0x00551b80 0x00ae2000 Idle
1664   1580 2011-03-10 13:02:35               0x01fb0020 0x06f10140 ctfmon.exe
696    632 2011-03-10 13:02:30                 0x01fce938 0x06f100a0 lsass.exe
928    684 2011-03-10 13:02:31                 0x01fd1500 0x06f100e0 svchost.exe
532   1020 2011-03-10 13:02:59                0x01fe8020 0x06f10200 wscntfy.exe
1020    684 2011-03-10 13:02:31               0x01ff4020 0x06f10100 svchost.exe
1472    684 2011-03-10 13:02:34               0x0201d7e8 0x06f10180 spoolsv.exe
500    684 2011-03-10 13:02:58                 0x02192020 0x06f101e0 alg.exe
1696    684 2011-03-10 13:09:47                0x021ea980 0x06f10240 winvnc4.exe
1460    860 2011-03-10 13:28:33                0x021eb558 0x06f10280 wmiprvse.exe
1064    684 2011-03-10 13:02:31                 0x022123c0 0x06f10120 svchost.exe
608    544 2011-03-10 13:02:29                  0x022216e8 0x06f10040 csrss.exe
544      4 2011-03-10 13:02:27                   0x022356d8 0x06f10020 smss.exe
1512   1580 2011-03-10 13:28:14                0x02394da0 0x06f101a0 mmc.exe
1580   1564 2011-03-10 13:02:34                0x023cf620 0x06f101c0 explorer.exe
860    684 2011-03-10 13:02:31                  0x02429720 0x06f100c0 svchost.exe
632    544 2011-03-10 13:02:29                  0x024ac9c0 0x06f10060 winlogon.exe
1300    684 2011-03-10 13:02:33                 0x024df548 0x06f10160 svchost.exe
684    632 2011-03-10 13:02:30                     0x025365b0 0x06f10080 services.exe
4      0                                                   0x025c8830 0x00ae2000 System

There is process with name winvnc4 and pid 1696. Probably  it must store pasword in memory, file or registry.
Dump the list of registry hive.

volatility -f dump.raw hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual     Physical    Name
0x8066e904  0x0066e904  [no name]
0xe1809008  0x08bfd008  \Device\HarddiskVolume1\Documents and Settings\eleve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1986008  0x09f7e008  \Device\HarddiskVolume1\Documents and Settings\eleve\NTUSER.DAT
0xe17a9768  0x08a48768  \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe179b758  0x08a40758  \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1770008  0x085d6008  \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe175fb60  0x08410b60  \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe13ffb60  0x02f2bb60  \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe14ab008  0x07023008  \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe14abb60  0x07023b60  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe14e4758  0x0369d758  \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe12e8288  0x02d65288  [no name]
0xe1035b60  0x02aafb60  \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008  0x02ab1008  [no name]

Print subkeys of hive software.

volatility -f dump.raw printkey –hive-offset 0xe13ffb60
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Key name: $$$PROTO.HIV (S)
Last updated: 2011-03-10 13:09:47

Subkeys:
(S) C07ft5Y
(S) Classes
(S) Clients
(S) Gemplus
(S) Microsoft
(S) ODBC
(S) Policies
(S) Program Groups
(S) RealVNC
(S) Schlumberger
(S) Secure
(S) Windows 3.1 Migration Status

 

Get the password.

volatility -f dump.raw printkey –hive-offset 0xe13ffb60 –key “RealVNC\\WinVNC4”
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Key name: WinVNC4 (S)
Last updated: 2011-03-10 13:10:51

Subkeys:

Values:
REG_BINARY Password : (S)
0000 DA 6E 31 84 95 77 AD 6B .n1..w.k

REG_SZ SecurityTypes : (S) VncAuth
REG_SZ ReverseSecurityTypes : (S) None
REG_DWORD QueryConnect : (S) 0
REG_DWORD QueryOnlyIfLoggedOn : (S) 0

After looking in source of RealVNC, I found that password was crypted using d3des.  Quick google search give a nice python implementation with VNC key.

Password : secretpq

Forensic 200

On a dumpe le fichier ntdis.dit d une machine executant un Active Directory
Il faut recuperer le mot de passe du compte john.

* * *

We have dumped the ntdis.dit file of a machine running Active Directory.
You must get the password associated with john’s account.

forensic200

Using program like “Reset Windows Password” it possible to dump LT/NTLM hashes:

Administrateur:500:NO PASSWORD*********************:726a36acb62f51ecee698e66fc118683:Compte d’utilisateur d’administration:
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:NO PASSWORD*********************:LM history hash:
Administrateur:500:NO PASSWORD*********************:726a36acb62f51ecee698e66fc118683:NT history hash:
Administrateur:500:NO PASSWORD*********************:fbbf55d0ef0e34d39593f55c5f2ca5f2:NT history hash:
Invit�:501:NO PASSWORD*********************:NO PASSWORD*********************:Compte d’utilisateur invit:
SUPPORT_388945a0:1001:NO PASSWORD*********************:30d4a2ef16deff366bd4b9f010b1bd26:Ceci est le compte d’un fournisseur pour les service Aide et support:
SYSDREAM-TTXW4P$:1005:NO PASSWORD*********************:6580b1de7daec96c9d98dbcd2f63f527::
krbtgt:502:NO PASSWORD*********************:b316ba9fe983951bfae8262757aa6f18:Compte de service du centre de distribution de cls:
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:NO PASSWORD*********************:LM history hash:
krbtgt:502:NO PASSWORD*********************:b316ba9fe983951bfae8262757aa6f18:NT history hash:
john:1108:615a367ca6280c40b4c08420b3143e50:3fb89706895e92798aeda7a399a6c417::
john:1108:615a367ca6280c40b4c08420b3143e50:NO PASSWORD*********************:LM history hash:
john:1108:NO PASSWORD*********************:3fb89706895e92798aeda7a399a6c417:NT history hash:

Then I just used john-the-ripper to brutforce john password

Forensic 300

forensic300

In this challenge we have memory dump of hacked laptop and need to find some evidence.
As in forensic 100 I used volatility and dump process list in firts place.  Option –profile=Win7SP0x86 using to specify OS version.

volatility -f  DumpRAM_CTF.vmem pslist  –profile=Win7SP0x86
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     70    434 2011-03-31 14:38:10
smss.exe                216      4      2     29 2011-03-31 14:38:10
csrss.exe               304    296      8    310 2011-03-31 14:38:18
wininit.exe             340    296      3     79 2011-03-31 14:38:19
csrss.exe               352    332      7    169 2011-03-31 14:38:19
winlogon.exe            392    332      4    112 2011-03-31 14:38:20
services.exe            416    340      9    185 2011-03-31 14:38:20
lsass.exe               424    340      8    462 2011-03-31 14:38:21
lsm.exe                 432    340     10    141 2011-03-31 14:38:21
svchost.exe             556    416     13    354 2011-03-31 14:38:23
svchost.exe             632    416      7    218 2011-03-31 14:38:24
svchost.exe             676    416     20    408 2011-03-31 14:38:25
svchost.exe             800    416     19    401 2011-03-31 14:38:28
svchost.exe             832    416     34    902 2011-03-31 14:38:28
svchost.exe             944    416     13    265 2011-03-31 14:38:29
dwm.exe                1080    800      4     70 2011-03-31 14:38:31
svchost.exe            1140    416     16    365 2011-03-31 14:38:32
spoolsv.exe            1276    416     14    281 2011-03-31 14:38:34
svchost.exe            1312    416     22    311 2011-03-31 14:38:34
taskhost.exe           1324    416     11    166 2011-03-31 14:38:34
sppsvc.exe             1664    416      4    146 2011-03-31 14:38:39
explorer.exe           2004   1992     24    591 2011-03-31 14:38:55
rundll32.exe            356    300      4     66 2011-03-31 14:38:57
rundll32.exe            500    332      4     66 2011-03-31 14:38:57
rundll32.exe            496    504      4     67 2011-03-31 14:38:58
SearchIndexer.         1528    416     14    605 2011-03-31 14:39:05
cmd.exe                1392   2004      1     23 2011-03-31 14:39:39
conhost.exe            1380    352      3     57 2011-03-31 14:39:40
mscorsvw.exe            188    416      6     77 2011-03-31 14:40:38
svchost.exe             668    416     13    315 2011-03-31 14:40:40
nc.exe                 1720   1392      2     72 2011-03-31 14:40:41

Process nc.exe looks suspicious, let’s look at open connection

volatility -f DumpRAM_CTF.vmem netscan  –profile=Win7SP0x86
Volatile Systems Volatility Framework 1.4_rc1
Offset     Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e4f5930 TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        416      services.exe
0x1e4f5930 TCPv6    :::49156                       :::0                 LISTENING        416      services.exe
0x1e757008 TCPv4    192.168.163.216:139            0.0.0.0:0            LISTENING        4        System
0x1e764b88 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        632      svchost.exe
0x1e764b88 TCPv6    :::135                         :::0                 LISTENING        632      svchost.exe
0x1e76ca58 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        632      svchost.exe
0x1e76ebc8 TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        340      wininit.exe
0x1e76ebc8 TCPv6    :::49152                       :::0                 LISTENING        340      wininit.exe
0x1e7872f0 TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        340      wininit.exe
0x1e7ca9b0 TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        676      svchost.exe
0x1e7ca9b0 TCPv6    :::49153                       :::0                 LISTENING        676      svchost.exe
0x1e7caf60 TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        676      svchost.exe
0x1eea5f60 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        832      svchost.exe
0x1eea5f60 TCPv6    :::49155                       :::0                 LISTENING        832      svchost.exe
0x1eea6f60 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        832      svchost.exe
0x1f07fcc0 TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        424      lsass.exe
0x1f080f60 TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        424      lsass.exe
0x1f080f60 TCPv6    :::49154                       :::0                 LISTENING        424      lsass.exe
0x1fc482d0 TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        416      services.exe
0x1fc49560 TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x1fc49560 TCPv6    :::445                         :::0                 LISTENING        4        System
0x1f086df8 TCPv4    192.168.163.216:49158          88.190.230.12:48625  ESTABLISHED      1720     nc.exe
0x1e608d30 UDPv4    0.0.0.0:5355                   *:*                                   1140     svchost.exe    2011-03-31 14:38:55
0x1e60d378 UDPv4    0.0.0.0:0                      *:*                                   1140     svchost.exe    2011-03-31 14:38:55
0x1e60d378 UDPv6    :::0                           *:*                                   1140     svchost.exe    2011-03-31 14:38:55
0x1e633198 UDPv4    192.168.163.216:137            *:*                                   4        System         2011-03-31 14:38:46
0x1e75a178 UDPv4    192.168.163.216:138            *:*                                   4        System         2011-03-31 14:38:46
0x1e7c6198 UDPv4    0.0.0.0:5355                   *:*                                   1140     svchost.exe    2011-03-31 14:38:55
0x1e7c6198 UDPv6    :::5355                        *:*                                   1140     svchost.exe    2011-03-31 14:38:55

We have established connection with 88.190.230.12:48625. Next step I tried to see what data was sent by dumping the process memory  and search for suspicious ip address.

volatility -f  DumpRAM_CTF.vmem memdump  –profile=Win7SP0x86 –dump-dir  mem

 

strings mem/1720.dmp | grep  -C 5 88.190.230.12
%SystemRoot%\system32\mswsock.dll
mvvI
,{M%
mvvI
,{M%
w CKM88.190.230.12
t:$Bf
euLSeu
`ahu
ahu@
`huh

windir=C:\Windows
Secret pass is H4x0r
Nice job !
The hash is ***************
secte.server_of_dark_hamster.com
88.190.230.12

After  sending the string “Secret pass is H4x0r” to 88.190.230.12 48625 is H4x0r. We got the flag.

echo ‘Secret pass is H4x0r’ | nc 88.190.230.12 48625
Nice job!

The hash is 9vjgH368$hgHGjh

 

1 comment

    • zyx2145 on May 30, 2011 at 01:16
    • Reply

    In Forensic 100, zip archive from link is corrupted :(

Leave a Reply

Your email address will not be published.