HackingWeek 2015 - Forensic

Write-ups for the four Hacking Week 2015 Forensic challenges with volatility and rekall.

Introduction

In this article we will summarize the different methods that were used to complete the four forensic challenges during the HackingWeek 2015.

We recommend to use a Linux distribution and install a memory forensic framework such as Volatility or Rekall.

L'image mémoire fournie a été capturée sur une machine compromise à vous de l'analyser pour répondre aux questions (il s'agit de la même image pour les quatre épreuves de forensic, inutile de la télécharger plusieurs fois).

First we extract the memory sample with gunzip dump.gz. Then we get informations about the sample with the command vol.py -f dump imageinfo.

Forensic 1

Pour obtenir la clef de validation de cette épreuve est donnée par le PID, le PPID et le nombre de threads du programme Solitaire. Mettez-le au format suivant PID:PPID:nThreads.

We need to find 3 numbers, the Process ID of Solitaire.exe, its Parent Process ID and its number of Threads.

$ vol.py -f dump --profile=Win7SP0x86 pslist

Offset(V)  Name                    PID   PPID   Thds
---------- -------------------- ------ ------ ------
0x84729030 Solitaire.exe          2992   1312      8

Forensic 2

L'un des utilisateurs de la machine venait de consulter plusieurs sites Web à propos d'un incident qui impliquait une personnalité de showbiz. La clef de validation est le PrenomNom de cette personnalité.

We need to find the name of a celebrity in the memory dump. I tried to grep my own first name and last name but it couldn't find anything.
After some grep and multiple keywords we found several occurrences of Harrison Ford.

$ strings dump | grep http | less
$ strings dump | grep harrison | less

Forensic 3

Trouvez le mot de passe de l'utilisateur admin qui se trouve quelque part en mémoire.

We have to find the password of the user "admin", after dumping the passwords we can find the hash.

$ vol.py -f dump --profile=Win7SP0x86 cachedump
p.dumont:b2992223764dde5403684a2da3620774:underground:underground.fr
admin:1bbeb11362554add15eba84d545f38f5:underground:underground.fr
c.prevost:1251fe313fec6bc0d878625a4bca2168:underground:underground.fr
j.navarro:8902907b5dedcae211adecaf9192183b:underground:underground.fr
f.lefevre:3c953d0c2c700fd09c4fc98381ea8409:underground:underground.fr

Unfortunately we were unable to crack the hash so we had to find another way around.
$ strings dump | grep --color=always -B4 -A20 "mimikatz" | less -R

HackingWeek 2015 mimikatz

Finally after some more guessing we found a corrupted mimikatz dump containing the plaintext password.

Forensic 4

Lors de la compromission de la machine, l'attaquant a installé un logiciel de Command & Control qui est inactif pour le moment mais qui doit contacter un serveur pour recevoir ses ordres. Trouvez le nom du serveur et le port sur lequel le malware doit se connecter. La clef de validation sera servername:portnumber.

For the last challenge we have to find the suspicious process, dump it to a file and do some reverse engineering to find the hostname and the port used by the Command & Control server.

Finding a suspicious process

We can see that there is something wrong in the process tree below, how could iexplore.exe have notepad.exe as a parent. We are going to dump the process with the id 3468 into a file and analyze it.

$ vol.py -f dump --profile=Win7SP0x86 pstree

Name                                      Pid   PPid
-------------------------------------- ------ ------
. 0x84033030:iexplore.exe                1088   1312
.. 0x841dba88:iexplore.exe               2456   1088
.. 0x84126340:iexplore.exe               3916   1088
... 0x83e4ed40:notepad.exe               4088   3916
.... 0x83e6dac8:iexplore.exe             3468   4088

$ vol.py -f dump --profile=Win7SP0x86 procdump -D dump/ -p 3468

Finding the hostname and port

After opening the process with your favourites disassembler you can realize it's not internet explorer but definitely a malware.
The hostname is obfuscated but after some debugging you can grab it in the memory.