MemLabs: First 3 challenges
[Write-up]
You can find the challenges here.
Challenge #1 — Beginner's Luck
Description
My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Volatility Profile
I chose the first suggested profile, Win7SP1x64. This is a small raw image, so the imageinfo plugin's first suggestion is accurate enough here.
Highlights
1 - The black popup tells me that I need to look into cmd.
2 - "Draw something" tells me that I should look into Paint.
Flag 1
I ran the consoles plugin on the image. It dumped the command history of the cmd process, and in it I found something unusual.
Decoding it gave me the first flag.
flag{th1s_xxxxxxxxxxxx}
Flag 2
This one is a bit tricky, because we are trying to recover the picture from a Paint process that was open when the memory dump was acquired.
After searching a bit, it turns out that a raw memory dump can be opened as raw pixel data in an image editor. I used Gimp.
I dumped the process memory using the memdump plugin. Then, we need to rename 2424.dmp to ANY_NAME.data so that Gimp treats it as raw image data without complaint.
Loading the file in Gimp, choosing the RGB Alpha image type, adjusting the offset, width and height, and flipping the image, we are able to see the flag.
I wrote the flag down.
flag{G00d_BoY_xxxxxx}
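The Gimp step above can be reproduced by hand, which makes it easier to sweep offsets and widths. The following is an added example, not code from the write-up: it treats a region of a raw memdump output as 32-bit pixels, flips the rows (Windows bitmap buffers are normally stored bottom-up and in BGRA order, which is why the raw view looks upside-down and colour-swapped), and writes a PPM. The sample dump is constructed inline; the file name, offset and dimensions are assumptions.

```python
#!/usr/bin/env python3
"""Carve a 32-bit-per-pixel bitmap out of a raw process memory dump.

Added example, not code from the MemLabs write-up. Mirrors the Gimp step:
read WIDTH x HEIGHT pixels of 4 bytes each starting at OFFSET, fix the
row order and channel order, and write a PPM any image viewer can open.
"""
import struct

BYTES_PER_PIXEL = 4  # Gimp's "RGB Alpha" raw import also assumes 4 bytes/pixel


def carve_pixels(dump, offset, width, height, order="BGRA", flip=True):
    """Return rows of (r, g, b) tuples carved from `dump`.

    Windows DIB buffers are usually BGRA and bottom-up, so the default
    reorders channels and flips rows; set flip=False to see the raw layout.
    """
    need = width * height * BYTES_PER_PIXEL
    if offset < 0 or offset + need > len(dump):
        raise ValueError("region [%d, %d) lies outside the dump" % (offset, offset + need))
    r_i, g_i, b_i = order.index("R"), order.index("G"), order.index("B")
    rows = []
    for y in range(height):
        base = offset + y * width * BYTES_PER_PIXEL
        row = []
        for x in range(width):
            px = dump[base + x * BYTES_PER_PIXEL: base + (x + 1) * BYTES_PER_PIXEL]
            row.append((px[r_i], px[g_i], px[b_i]))
        rows.append(row)
    return rows[::-1] if flip else rows


def to_ppm(rows):
    """Encode rows as a binary PPM (P6) image."""
    height, width = len(rows), len(rows[0])
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + bytes(c for row in rows for px in row for c in px)


def make_sample_dump():
    """Constructed stand-in for memdump output: junk, then a 2x2 BGRA bitmap
    stored bottom-up (bottom row first), then more junk. Returns (dump, offset)."""
    junk = b"\x00" * 16
    bottom_row = struct.pack("<BBBB", 0, 0, 255, 0) * 2  # two red pixels (B, G, R, A)
    top_row = struct.pack("<BBBB", 255, 0, 0, 0) * 2     # two blue pixels
    return junk + bottom_row + top_row + junk, len(junk)


if __name__ == "__main__":
    dump, off = make_sample_dump()  # real use: open("2424.dmp", "rb").read()
    with open("carved.ppm", "wb") as fh:
        fh.write(to_ppm(carve_pixels(dump, off, width=2, height=2)))
```

On a real dump, point `dump` at the memdump output and iterate over candidate widths (the screen width is a good first guess) until the rows line up.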
Flag 3
I actually found the 3rd flag while exploring the cmd activity.
I ran the cmdline plugin and found something interesting.