Magnet CTF Week 10: Time To Focus

TL;DR: Week 10 of the #MagnetWeeklyCTF was a healthy dose of humility towards the end of the questions.

Review

Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.

Get the first challenge

The weekly challenge for week 10 was split into five parts, down from an all-time high of seven last week! The first was:

At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

Similar to last week, this week is all about remembering Volatility plugins. In the case of network connections for a Windows 7 image, the relevant plugin is netscan.

[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 netscan

Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13d518710        UDPv4    0.0.0.0:5355                   *:*                                   1160     svchost.exe    2020-04-20 23:23:00 UTC+0000
0x13d518710        UDPv6    :::5355                        *:*                                   1160     svchost.exe    2020-04-20 23:23:00 UTC+0000
0x13d640800        UDPv4    0.0.0.0:0                      *:*                                   2032     svchost.exe    2020-04-20 22:44:40 UTC+0000
0x13d640800        UDPv6    :::0                           *:*                                   2032     svchost.exe    2020-04-20 22:44:40 UTC+0000
0x13d640ec0        UDPv4    0.0.0.0:0                      *:*                                   2032     svchost.exe    2020-04-20 22:44:40 UTC+0000
[snip]
0x13ec87cd0        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      -1
0x13ece73b0        TCPv4    192.168.10.146:54281           13.35.82.31:443      ESTABLISHED      -1
0x13ece76f0        TCPv4    192.168.10.146:54277           172.253.63.188:5228  FIN_WAIT2        -1
0x13ecf8010        TCPv4    192.168.10.146:54280           13.35.82.102:443     ESTABLISHED      -1
0x13f2e5010        TCPv4    192.168.10.146:54284           13.107.21.200:443    CLOSED           -1
0x13f304280        TCPv4    192.168.10.146:54283           13.107.21.200:443    CLOSED           -1
0x13f645cb0        UDPv4    0.0.0.0:57900                  *:*                                   3604     chrome.exe     2020-04-20 23:23:03 UTC+0000
0x13fa55dc0        UDPv6    ::1:57480                      *:*                                   2944     svchost.exe    2020-04-20 23:22:58 UTC+0000
0x13fe91c70        UDPv4    192.168.10.146:138             *:*                                   4        System         2020-04-20 23:23:00 UTC+0000
0x13fc27ad0        TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x13fc27ad0        TCPv6    :::445                         :::0                 LISTENING        4        System

Looking through the results, the remote address that matched the format given in the question (xxx.xxx.xx.xxx:xxx) and was still in the ESTABLISHED state was 172.253.63.188:443.

Get the second challenge

The second challenge was:

What was the Local IP address and port number? same format as part 1

From the same output as the first question, the “Local Address” for the row which had the first answer is 192.168.10.146:54282.

Get the third challenge

The third challenge was:

What was the URL?

I solved this question outside of Volatility, by looking at Chrome’s History file, whose most recent entry is https://www.google.com/. That is the right answer; you just have to make sure you dump the files first using Volatility’s dumpfiles plugin on Chrome’s process ID (-p 3384).

[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 dumpfiles \
-p 3384 --dump-dir chrome_files/ \
&& cd chrome_files/

[notta@cuppa chrome_files]$ sqlitebrowser file.3384.0xfffffa80311c7eb0.History.dat

Get the fourth challenge

The fourth challenge was:

What user was responsible for this activity based on the profile?

Similar to last week’s investigation into the user’s unique ID, we can use Volatility’s getsids plugin to see who was actually using the browser.

[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 getsids -p 3384

Volatility Foundation Volatility Framework 2.6.1
chrome.exe (3384): S-1-5-21-4288132831-552422005-3632184702-1000 (Warren)
chrome.exe (3384): S-1-5-21-4288132831-552422005-3632184702-513 (Domain Users)
chrome.exe (3384): S-1-1-0 (Everyone)
chrome.exe (3384): S-1-5-114 (Local Account (Member of Administrators))
chrome.exe (3384): S-1-5-32-544 (Administrators)
chrome.exe (3384): S-1-5-32-545 (Users)
chrome.exe (3384): S-1-5-4 (Interactive)
chrome.exe (3384): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
chrome.exe (3384): S-1-5-11 (Authenticated Users)
chrome.exe (3384): S-1-5-15 (This Organization)
chrome.exe (3384): S-1-5-113 (Local Account)
chrome.exe (3384): S-1-5-5-0-691206 (Logon Session)
chrome.exe (3384): S-1-2-0 (Local (Users with the ability to log in locally))
chrome.exe (3384): S-1-5-64-10 (NTLM Authentication)
chrome.exe (3384): S-1-16-12288 (High Mandatory Level)

In this case, we see the browser user was the same as the Word user from last week: Warren.

Get the fifth challenge

The fifth challenge was:

How long was this user looking at this browser with this version of Chrome? format: X:XX:XX.XXXXX Hint: down to the last second

I’ll admit up front, I went way down the wrong hole on this question. I spent a lot of time trying to make the Chrome History file’s visit_duration work, which was not what they were looking for. I knew there was something about “looking at” that Chrome’s History file couldn’t actually answer, but the nagging feeling in the back of my mind didn’t stop me from trying almost 30 wrong answers.

Eventually, I bought the hint, since I would rather pay some points and get the right answer than die on a hill of pride. The hint was “Solving this challenge takes some FOCUS & time :slight_smile:”. This immediately brought to mind that Windows tracks user focus (that nagging feeling in the back of my head for the rest of the week). In this case, Volatility’s userassist plugin will give you the answer.

[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 userassist

[snip]

REG_BINARY    Chrome          :
Count:          9
Focus Count:    106
Time Focused:   3:36:47.301000
Last updated:   2020-04-20 23:17:07 UTC+0000
Raw Data:
0x00000000  00 00 00 00 09 00 00 00 6a 00 00 00 d1 77 c6 00   ........j....w..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 10 0d ba cf   ................
0x00000040  69 17 d6 01 00 00 00 00                           i.......

From this output, we can see that the user had the Chrome window focused for 3:36:47.301000. There is a bit of discomfort in that the plugin prints six fractional digits where the question’s format (X:XX:XX.XXXXX) has five, but it is easy enough to put it in the right format.
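Decoding the same “Raw Data” blob by hand is a useful check on what the plugin prints. The following is an added example (not from the original post or the Volatility project) that parses the Windows 7 UserAssist layout with Python’s standard library; the RAW_CHROME bytes are transcribed from the hex dump above, and the 500 ms rounding mirrors what Volatility 2 adds before printing the focus time.

```python
"""Decode a Windows 7 UserAssist value (the 72-byte 'Raw Data' blob that
Volatility's userassist plugin prints) with only the standard library."""
import struct
from datetime import datetime, timedelta, timezone

# Win7 layout: session id, run count, focus count, focus time (ms),
# ten 32-bit floats (-1.0 when unused), 0xFFFFFFFF marker, FILETIME, 4 pad bytes.
UA_WIN7 = struct.Struct("<4I10fIQ4x")          # 72 bytes, FILETIME at offset 0x3C
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed from the Chrome entry's hex dump in the plugin output above.
RAW_CHROME = bytes.fromhex(
    "00000000 09000000 6a000000 d177c600"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf ffffffff 100dbacf"
    "6917d601 00000000"
)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; keep microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_win7(blob: bytes) -> dict:
    """Return the fields Volatility reports, plus the unrounded focus time."""
    if len(blob) != UA_WIN7.size:
        raise ValueError(f"expected {UA_WIN7.size}-byte Win7 entry, got {len(blob)}")
    fields = UA_WIN7.unpack(blob)
    session, run_count, focus_count, focus_ms = fields[:4]
    slots, marker, last_updated_ft = fields[4:14], fields[14], fields[15]
    if marker != 0xFFFFFFFF:
        raise ValueError(f"unexpected marker {marker:#010x}; not a Win7 UserAssist entry")
    return {
        "session": session,
        "count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # Volatility 2 adds 500 ms before converting, so 13006801 ms prints as
        # 3:36:47.301000 (the value quoted above); the raw field is 3:36:46.801000.
        "time_focused": str(timedelta(milliseconds=focus_ms + 500)),
        "time_focused_raw": str(timedelta(milliseconds=focus_ms)),
        "last_updated": filetime_to_datetime(last_updated_ft),
        "unused_slots": sum(1 for f in slots if f == -1.0),
    }


if __name__ == "__main__":
    for k, v in parse_userassist_win7(RAW_CHROME).items():
        print(f"{k:>17}: {v}")
```

The repeating 00 00 80 bf groups in the dump are the ten unused float slots (each -1.0), and the FILETIME at 0x3C decodes to the same 2020-04-20 23:17:07 UTC that the plugin reports as Last updated.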

Conclusion

I really enjoyed this week (save the maddening chase of question 5 due to my own forgetfulness) as it did a lot to renew my comfort with Volatility.