TL;DR: Week 10 of the #MagnetWeeklyCTF was a healthy dose of humility towards the end of the questions.
Review
Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.
Get the first challenge
The weekly challenge for week 10 was split into five parts, down from an all-time high of seven last week! The first was:
At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
Similar to last week, this week is all about remembering Volatility plugins. In the case of network connections for a Windows 7 image, the relevant plugin is netscan.
[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13d518710 UDPv4 0.0.0.0:5355 *:* 1160 svchost.exe 2020-04-20 23:23:00 UTC+0000
0x13d518710 UDPv6 :::5355 *:* 1160 svchost.exe 2020-04-20 23:23:00 UTC+0000
0x13d640800 UDPv4 0.0.0.0:0 *:* 2032 svchost.exe 2020-04-20 22:44:40 UTC+0000
0x13d640800 UDPv6 :::0 *:* 2032 svchost.exe 2020-04-20 22:44:40 UTC+0000
0x13d640ec0 UDPv4 0.0.0.0:0 *:* 2032 svchost.exe 2020-04-20 22:44:40 UTC+0000
[snip]
0x13ec87cd0 TCPv4 192.168.10.146:54282 172.253.63.188:443 ESTABLISHED -1
0x13ece73b0 TCPv4 192.168.10.146:54281 13.35.82.31:443 ESTABLISHED -1
0x13ece76f0 TCPv4 192.168.10.146:54277 172.253.63.188:5228 FIN_WAIT2 -1
0x13ecf8010 TCPv4 192.168.10.146:54280 13.35.82.102:443 ESTABLISHED -1
0x13f2e5010 TCPv4 192.168.10.146:54284 13.107.21.200:443 CLOSED -1
0x13f304280 TCPv4 192.168.10.146:54283 13.107.21.200:443 CLOSED -1
0x13f645cb0 UDPv4 0.0.0.0:57900 *:* 3604 chrome.exe 2020-04-20 23:23:03 UTC+0000
0x13fa55dc0 UDPv6 ::1:57480 *:* 2944 svchost.exe 2020-04-20 23:22:58 UTC+0000
0x13fe91c70 UDPv4 192.168.10.146:138 *:* 4 System 2020-04-20 23:23:00 UTC+0000
0x13fc27ad0 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x13fc27ad0 TCPv6 :::445 :::0 LISTENING 4 System
Looking through the results, the only foreign address that matched the format given in the question (xxx.xxx.xx.xxx:xxx) and was still ESTABLISHED was 172.253.63.188:443. The same host also appears on port 5228 in FIN_WAIT2, so the State column matters as much as the address: the question asks for the connection that was still established at collection time.
Get the second challenge
The second challenge was:
What was the Local IP address and port number? same format as part 1
From the same output as the first question, the “Local Address” for the row which had the first answer is 192.168.10.146:54282.
Get the third challenge
The third challenge was:
What was the URL?
I solved this question outside of Volatility, by looking at Chrome’s History file, whose most recent entry is https://www.google.com/. That is the right answer; you just have to make sure you dump the files first using Volatility’s dumpfiles plugin on Chrome’s process ID (-p 3384).
[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 dumpfiles \
-p 3384 --dump-dir chrome_files/ \
&& cd chrome_files/
[notta@cuppa chrome_files]$ sqlitebrowser file.3384.0xfffffa80311c7eb0.History.dat
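The same lookup can be scripted instead of done in sqlitebrowser. The Python below is an added example (mine, not code from the post or from the CTF image): it builds an in-memory database with a constructed subset of Chrome's urls and visits tables, fills it with made-up visits, and lists the most recent ones with Chrome's timestamps converted to UTC. It assumes the real History file uses these column names and Chrome's microseconds-since-1601-01-01 time base; swap `build_sample_history()` for `sqlite3.connect("file.3384.0xfffffa80311c7eb0.History.dat")` to run it against the dumped file.

```python
"""List the most recent visits in a Chrome History database (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores visit_time and last_visit_time as microseconds since this epoch.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(us: int) -> datetime:
    """Chrome/WebKit timestamp (microseconds since 1601-01-01 UTC) -> datetime."""
    return CHROME_EPOCH + timedelta(microseconds=us)


def datetime_to_chrome_time(dt: datetime) -> int:
    """Inverse of chrome_time_to_datetime, for building test data."""
    delta = dt - CHROME_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for the dumped History file (subset of Chrome's schema).

    The URLs, times and durations here are invented for the example; they are
    not data from the CTF memory image.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (
            id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, visit_duration INTEGER);
    """)
    t0 = datetime(2020, 4, 20, 23, 10, 0, tzinfo=timezone.utc)  # constructed
    urls = [(1, "https://www.bing.com/", "Bing"),
            (2, "https://www.google.com/", "Google")]
    # (url id, visit time offset from t0, visit_duration) - visit_duration is
    # per visit, in microseconds, and says nothing about window focus.
    visits = [(1, timedelta(0), timedelta(seconds=12)),
              (1, timedelta(minutes=2), timedelta(seconds=5)),
              (2, timedelta(minutes=5), timedelta(seconds=40))]
    for url_id, url, title in urls:
        last = max(t0 + off for uid, off, _ in visits if uid == url_id)
        count = sum(1 for uid, _, _ in visits if uid == url_id)
        conn.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?)",
                     (url_id, url, title, count, datetime_to_chrome_time(last)))
    for url_id, off, dur in visits:
        conn.execute("INSERT INTO visits (url, visit_time, visit_duration) VALUES (?, ?, ?)",
                     (url_id, datetime_to_chrome_time(t0 + off),
                      int(dur.total_seconds() * 1_000_000)))
    conn.commit()
    return conn


def most_recent_visits(conn: sqlite3.Connection, limit: int = 5) -> list:
    """Return [(url, visit datetime UTC, visit_duration as timedelta)], newest first."""
    rows = conn.execute("""
        SELECT urls.url, visits.visit_time, visits.visit_duration
        FROM visits JOIN urls ON visits.url = urls.id
        ORDER BY visits.visit_time DESC
        LIMIT ?""", (limit,)).fetchall()
    return [(url, chrome_time_to_datetime(vt), timedelta(microseconds=dur))
            for url, vt, dur in rows]


if __name__ == "__main__":
    for url, when, duration in most_recent_visits(build_sample_history()):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {duration}  {url}")
```

Ordering by visit_time rather than by urls.last_visit_time is deliberate: the visits table keeps one row per visit, so it answers "what was opened last" even when the same URL was visited several times.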
Get the fourth challenge
The fourth challenge was:
What user was responsible for this activity based on the profile?
Similar to last week’s investigation into the user’s unique ID, we can use Volatility’s getsids plugin to see who was actually using the browser.
[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 getsids -p 3384
Volatility Foundation Volatility Framework 2.6.1
chrome.exe (3384): S-1-5-21-4288132831-552422005-3632184702-1000 (Warren)
chrome.exe (3384): S-1-5-21-4288132831-552422005-3632184702-513 (Domain Users)
chrome.exe (3384): S-1-1-0 (Everyone)
chrome.exe (3384): S-1-5-114 (Local Account (Member of Administrators))
chrome.exe (3384): S-1-5-32-544 (Administrators)
chrome.exe (3384): S-1-5-32-545 (Users)
chrome.exe (3384): S-1-5-4 (Interactive)
chrome.exe (3384): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
chrome.exe (3384): S-1-5-11 (Authenticated Users)
chrome.exe (3384): S-1-5-15 (This Organization)
chrome.exe (3384): S-1-5-113 (Local Account)
chrome.exe (3384): S-1-5-5-0-691206 (Logon Session)
chrome.exe (3384): S-1-2-0 (Local (Users with the ability to log in locally))
chrome.exe (3384): S-1-5-64-10 (NTLM Authentication)
chrome.exe (3384): S-1-16-12288 (High Mandatory Level)
In this case, we see the browser user was the same as the Word user from last week: Warren.
Get the fifth challenge
The fifth challenge was:
How long was this user looking at this browser with this version of Chrome? format: X:XX:XX.XXXXX Hint: down to the last second
I’ll admit up front, I went way down the wrong hole on this question. I spent a lot of time trying to make the Chrome History file’s visit_duration work, which was not what they were looking for. I knew there was something about “looking at” that Chrome’s History file couldn’t actually answer, but the nagging feeling in the back of my mind didn’t stop me from trying almost 30 wrong answers.
Eventually, I bought the hint, since I would rather pay some points and get the right answer than die on a hill of pride. The hint was “Solving this challenge takes some FOCUS & time :slight_smile:”. This immediately brought to mind that Windows tracks user focus (that nagging feeling in the back of my head for the rest of the week). In this case, Volatility’s userassist plugin will give you the answer.
[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 userassist
[snip]
REG_BINARY Chrome :
Count: 9
Focus Count: 106
Time Focused: 3:36:47.301000
Last updated: 2020-04-20 23:17:07 UTC+0000
Raw Data:
0x00000000 00 00 00 00 09 00 00 00 6a 00 00 00 d1 77 c6 00 ........j....w..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 10 0d ba cf ................
0x00000040 69 17 d6 01 00 00 00 00 i.......
From this output, we can see that the user was focused on the window for 3:36:47.301000. Now, there is a bit of discomfort with the fact that this doesn’t match the format that was asked, but it is easy enough to put it in the right format.
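The numbers the plugin prints can be checked against the Raw Data it shows. The Python below is an added example (mine, not code from the post or from Volatility) that decodes the 72 bytes of the Chrome entry above using the Windows 7 UserAssist value layout: session ID, run count, focus count, focus time in milliseconds, ten floats, four unknown bytes, a FILETIME, four unknown bytes. The count (9), focus count (106) and last-updated time (2020-04-20 23:17:07) come straight out of the bytes. The focus time field (d1 77 c6 00) decodes to 13006801 ms, 3:36:46.801, so Volatility's printed 3:36:47.301000 is the raw field plus 500 ms; the example reports both, and renders the challenge's X:XX:XX.XXXXX format.

```python
"""Decode a Windows 7 UserAssist value from the raw bytes Volatility printed (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# The 72 bytes under "Raw Data" for the Chrome entry, copied from the plugin output.
CHROME_UA_RAW = bytes.fromhex(
    "00 00 00 00 09 00 00 00 6a 00 00 00 d1 77 c6 00 "
    "00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf "
    "00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf "
    "00 00 80 bf 00 00 80 bf ff ff ff ff 10 0d ba cf "
    "69 17 d6 01 00 00 00 00"
)

# Windows 7 UserAssist layout, little-endian, no padding (assumed layout, see lead-in):
#   uint32 session, uint32 count, uint32 focus_count, uint32 focus_ms,
#   10 x float32, uint32 unknown, uint64 FILETIME last_updated, uint32 unknown
_WIN7_UA = struct.Struct("<IIII10fIQI")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_win7(raw: bytes) -> dict:
    """Unpack one Win7 UserAssist value into named fields."""
    if len(raw) != _WIN7_UA.size:
        raise ValueError(f"expected {_WIN7_UA.size} bytes, got {len(raw)}")
    fields = _WIN7_UA.unpack(raw)
    session, count, focus_count, focus_ms = fields[:4]
    return {
        "session": session,
        "count": count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "floats": fields[4:14],               # 0xbf800000 = -1.0f, i.e. "unset"
        "time_focused": timedelta(milliseconds=focus_ms),
        # Volatility's "Time Focused" line is 500 ms above the raw field here.
        "time_focused_volatility": timedelta(milliseconds=focus_ms + 500),
        "last_updated": filetime_to_datetime(fields[15]),
    }


def ctf_format(td: timedelta) -> str:
    """Render a timedelta as H:MM:SS.fffff, the challenge's X:XX:XX.XXXXX."""
    total_us = td.days * 86_400_000_000 + td.seconds * 1_000_000 + td.microseconds
    hours, rem = divmod(total_us, 3_600_000_000)
    minutes, rem = divmod(rem, 60_000_000)
    seconds, us = divmod(rem, 1_000_000)
    return f"{hours}:{minutes:02d}:{seconds:02d}.{us // 10:05d}"


if __name__ == "__main__":
    ua = parse_userassist_win7(CHROME_UA_RAW)
    print(f"Count: {ua['count']}  Focus Count: {ua['focus_count']}")
    print(f"Time Focused (raw field): {ua['time_focused']}")
    print(f"Time Focused (as Volatility prints it): {ua['time_focused_volatility']}")
    print(f"Last updated: {ua['last_updated']:%Y-%m-%d %H:%M:%S} UTC")
    print(f"Challenge format: {ctf_format(ua['time_focused_volatility'])}")
```

Decoding the FILETIME yields 23:17:07.809, which the plugin truncates to whole seconds; keep the sub-second part when you need to order this against other artifacts from the same image.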
Conclusion
I really enjoyed this week (save the maddening chase of question 5 due to my own forgetfulness) as it did a lot to renew my comfort with Volatility.