From a621ab5293863e0f8947eb6c00aa2835328df9d2 Mon Sep 17 00:00:00 2001 From: bl4ck4non <67879936+BlackAnon22@users.noreply.github.com> Date: Sat, 25 May 2024 17:29:10 +0100 Subject: [PATCH] Update africa_cyberfest.md --- posts/CTF Competitions/africa_cyberfest.md | 56 +++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/posts/CTF Competitions/africa_cyberfest.md b/posts/CTF Competitions/africa_cyberfest.md index 3c05291..85aa6b6 100644 --- a/posts/CTF Competitions/africa_cyberfest.md +++ b/posts/CTF Competitions/africa_cyberfest.md @@ -639,10 +639,64 @@ Now this is more detailed, the first time we checked the proccess running we fou One thing we can do here is try to dump the process, to do this I actually didn't use volatility3, I used volatility2 and this is because of the ```memdump``` plugin. You can get volatility2 [here](https://github.com/volatilityfoundation/volatility) -command:```python3 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem windows.dumpfiles.DumpFiles --pid 3044``` +To use volatility2 we'll need the memory profile, we can get this using the ```imageinfo``` plugin +command:```python2 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem imageinfo``` +``` +INFO : volatility.debug : Determining profile based on KDBG search... + Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 + AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) + AS Layer2 : FileAddressSpace (/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme?/challenge.vmem) + PAE type : No PAE + DTB : 0x187000L + KDBG : 0xf80002a510a0L + Number of Processors : 2 + Image Type (Service Pack) : 1 + KPCR for CPU 0 : 0xfffff80002a52d00L + KPCR for CPU 1 : 0xfffff880009ef000L + KUSER_SHARED_DATA : 0xfffff78000000000L + Image date and time : 2024-04-25 07:59:23 UTC+0000 + Image local date and time : 2024-04-25 08:59:23 +0100 +``` +You should get that output, we have different profiles here, lets go with this profile ```Win7SP1x64``` + +Now that we've goten the profile lets use the memdump plugin to help us dump the ```notepad.exe``` process + +command:```python2 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem --profile=Win7SP1x64 memdump --dump-dir=/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/ -p 3044``` + +```--dump-dir``` specifies the directory where the dumped memory will be saved, in this case, a directory named "/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/" +```-p``` specifies the PID of the process for which to extract the memory dump + +``` +βββ(bl4ck4nonπ½bl4ck4non-sec)-[~/Documents/Tools/forensics/volatility] +ββ$ python2 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem --profile=Win7SP1x64 memdump --dump-dir=/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\? -p 3044 +Volatility Foundation Volatility Framework 2.6.1 +************************************************************************ +Writing notepad.exe [ 3044] to 3044.dmp +``` +Nice, now lets get our flag + +``` +βββ(bl4ck4nonπ½bl4ck4non-sec)-[~/β¦/CTF/africa_cyberfest/forensics/mem_mem_meme?] +ββ$ ls -la 3044.dmp +-rw-r--r-- 1 bl4ck4non bl4ck4non 209444864 May 25 17:18 3044.dmp + +βββ(bl4ck4nonπ½bl4ck4non-sec)-[~/β¦/CTF/africa_cyberfest/forensics/mem_mem_meme?] +ββ$ file 3044.dmp +3044.dmp: Windows Event Trace Log +``` +All that's left is to grep the flag out + +command:```strings 3044.dmp | grep -i "actf"``` + +![image](https://github.com/BlackAnon22/BlackAnon22.github.io/assets/67879936/ca1cc2df-3f29-4bd3-8bd6-da2d61c26805) + +Yup, that's our flag + +FLAG:-```ACTF{Sh4d0w_1nc1d3nt_C0mp1ic4t10n}``` +### Intended Method ---------------------------------------------