A strange dump
Statement
You have recovered a memory dump from a computer that was lying around during a CSIRT engagement. The machine appears to have been used for rather dubious activities. It is up to you to find any files that could confirm or refute your suspicions.
Solve
We have a memory dump to analyze. We start by determining the profile with Volatility 2:
./vol2 -f JEAN-PC-20220928-121426.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/zarkyo/info/cyber/advens/forensic/JEAN-PC-20220928-121426.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027f20a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027f3d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2022-09-28 12:14:29 UTC+0000
Image local date and time : 2022-09-28 14:14:29 +0200
In the cmdline output, note the confidential.7z file opened with WinRAR:
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
[...]
************************************************************************
WinRAR.exe pid: 180
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Jean\Desktop\Mes documents à moi\confidential.7z"
************************************************************************
cmd.exe pid: 2040
Command line : "cmd.exe" /s /k pushd "C:\Users\Jean\Desktop\Projets"
************************************************************************
conhost.exe pid: 1968
Command line : \??\C:\Windows\system32\conhost.exe
************************************************************************
mspaint.exe pid: 1944
Command line : "C:\Windows\system32\mspaint.exe"
************************************************************************
[...]
In the command history recovered by cmdscan, note the execution of an encryption script, cipher.py:
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 1968
CommandHistory: 0x2344e0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x2319e0: dir
Cmd #1 @ 0x2304a0: python cipher.py
Cmd #15 @ 0x1f0158: #
Cmd #16 @ 0x2337e0: #
**************************************************
CommandProcess: conhost.exe Pid: 404
CommandHistory: 0xe44e0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #15 @ 0xa0158:
Cmd #16 @ 0xe37e0:
The consoles plugin also recovers the input given to python.exe and the screen buffer, so we retrieve the password that was entered for encryption: AZERTYUIO.
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 1968
Console: 0xff3a6200 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 2040 Handle: 0x5c
----
CommandHistory: 0x23e430 Application: python.exe Flags: Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
Cmd #0 at 0x233040: AZERTYUIO
----
CommandHistory: 0x2344e0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 at 0x2319e0: dir
Cmd #1 at 0x2304a0: python cipher.py
----
Screen 0x210f70 X:80 Y:300
Dump:
C:\Users\Jean\Desktop\Projets>dir
Le volume dans le lecteur C n a pas de nom.
Le num?ro de s?rie du volume est 6074-0897
R?pertoire de C:\Users\Jean\Desktop\Projets
19/09/2022 17:25 <REP> .
19/09/2022 17:25 <REP> ..
19/09/2022 17:09 539 cipher.py
19/09/2022 17:26 163 Roadmap.txt
2 fichier(s) 702 octets
2 R?p(s) 20?056?727?552 octets libres
C:\Users\Jean\Desktop\Projets>python cipher.py
Enter the password to complexify :AZERTYUIO
C:\Users\Jean\Desktop\Projets>
[...]
We now recover the files noticed earlier. filescan lists the file objects still present in memory, and dumpfiles extracts each one by its offset:
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 filescan > file.txt
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 dumpfiles --dump-dir=./ -Q 0x1ec64590
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1ec64590 None \Device\HarddiskVolume2\Users\Jean\Desktop\Mes documents à moi\confidential.7z
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 dumpfiles --dump-dir=./ -Q 0x000000001ec71b30
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1ec71b30 None \Device\HarddiskVolume2\Users\Jean\Desktop\Projets\cipher.py
Browsing the filescan output, we also notice the database.txt file, which we dump as well:
./vol2 -f JEAN-PC-20220928-121426.raw --profile=Win7SP1x64 dumpfiles --dump-dir=./ -Q 0x1ec789b0
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1ec789b0 None \Device\HarddiskVolume2\Users\Jean\Documents\database.txt
The confidential.7z archive is password-protected, so the files it contains cannot be opened directly.
Looking at the Python script, we see that it is used to "encrypt" the passwords stored in database.txt: each password is XORed with a fixed key, base64-encoded and appended to the file:
cat cipher.py
import hashlib, base64
"""
J'utilise ce programme pour stocker mes mots de passes de manière très sécurisé
"""
password = input("Enter the password to complexify :")
key = "C31klétr3l0ngUe"
def xor(password, key):
    cipher = ""
    for i in range(0, len(password)):
        j = i % len(key)
        xor = ord(password[i]) ^ ord(key[j])
        cipher = cipher + chr(xor)
    return cipher
file = open("C:\\Users\\Jean\\Documents\\database.txt", "a").write(base64.b64encode(str.encode(xor(password,key))).decode("utf-8")+"\n")
The objective is to decipher these passwords and hope that one of them is valid for confidential.7z.
Since XOR with the same key is its own inverse, we take the original script, modify it slightly to read database.txt and apply the XOR in reverse, and run it:
import hashlib, base64
password = "AZERTYUIO"
key = "C31klétr3l0ngUe"
def xor(password, key):
    cipher = ""
    for i in range(0, len(password)):
        j = i % len(key)
        xor = ord(password[i]) ^ ord(key[j])
        cipher = cipher + chr(xor)
    return cipher
a_file = open("./database.txt")
lines = a_file.readlines()
for line in lines:
    # base64 ignores the trailing newline; the decoded text is the XORed password
    a = base64.b64decode(line).decode("utf-8")
    print(a+"\n")
    a = xor(a, key)
    print(a+"\n")
python decipher.py
[...]
Ma fonction de sécuritation de mot de passe fonctionne parfaitement ;)
[...]
Password
[...]
Supermotdepassecompliqueavecdescaracteresspeci@x
[...]
Password: Supermotdepassecompliqueavecdescaracteresspeci@x
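As an added example (not part of the original writeup), the reversal generalised: a decoder for database.txt that skips blank or malformed lines, plus a known-plaintext check showing why this scheme leaks its key. XORing a stored entry with the plaintext typed into the console (AZERTYUIO) gives back the first bytes of the key, so the key in cipher.py was never needed. The key is the one from the recovered script; the database lines are constructed here with the same scheme.

```python
import base64
from typing import List, Optional

# Key copied from the recovered cipher.py; everything else here is constructed.
KEY = "C31klétr3l0ngUe"

def xor_str(text: str, key: str) -> str:
    """Repeating-key XOR over code points, exactly as cipher.py does it."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))

def encode_line(password: str, key: str = KEY) -> str:
    """Build one database.txt line the way cipher.py appends it (XOR, UTF-8, base64)."""
    return base64.b64encode(xor_str(password, key).encode("utf-8")).decode("ascii")

def decode_line(line: str, key: str = KEY) -> Optional[str]:
    """Reverse one line; blank or malformed entries yield None instead of crashing."""
    line = line.strip()
    if not line:
        return None
    try:
        raw = base64.b64decode(line, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return xor_str(raw, key)  # XOR with the same key undoes the "encryption"

def decode_database(text: str, key: str = KEY) -> List[str]:
    """Decode every usable line of a database.txt dump."""
    return [p for p in (decode_line(entry, key) for entry in text.splitlines()) if p is not None]

def recover_key_prefix(line: str, known_plaintext: str) -> str:
    """Known-plaintext check: ciphertext XOR plaintext reveals the key bytes that were used."""
    raw = base64.b64decode(line.strip()).decode("utf-8")
    n = min(len(raw), len(known_plaintext))
    return xor_str(raw[:n], known_plaintext[:n])

# Constructed database.txt: entries seen in the writeup plus a blank and a corrupt line.
SAMPLE_DB = "\n".join([
    encode_line("Password"),
    encode_line("AZERTYUIO"),
    "",
    "not base64!!",
    encode_line("Supermotdepassecompliqueavecdescaracteresspeci@x"),
]) + "\n"

if __name__ == "__main__":
    for pw in decode_database(SAMPLE_DB):
        print(pw)
    # The password typed into cipher.py (seen in the console dump) leaks the key prefix.
    print(recover_key_prefix(encode_line("AZERTYUIO"), "AZERTYUIO"))  # prints C31klétr3
```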
We extract the archive with that password:
7z e confidential.7z
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=fr_FR.UTF-8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)
Scanning the drive for archives:
1 file, 12288 bytes (12 KiB)
Extracting archive: confidential.7z
WARNINGS:
There are data after the end of archive
--
Path = confidential.7z
Type = 7z
WARNINGS:
There are data after the end of archive
Physical Size = 8369
Tail Size = 3919
Headers Size = 209
Method = LZMA2:24k 7zAES
Solid = +
Blocks = 1
Enter password (will not be echoed): Supermotdepassecompliqueavecdescaracteresspeci@x
Everything is Ok
Archives with Warnings: 1
Warnings: 1
Files: 2
Size: 18575
Compressed: 12288
cat note.txt
Pseudo du contact :
HACKVENS{Vol1tility_4_th3_b35t}
Mot de passe admin du dom récupéré :
@Dm1n4lw45g3TStr@nGP@55w0rd
Flag: HACKVENS{Vol1tility_4_th3_b35t}