Challenge Overview

This is a memory forensics challenge: a memory dump was taken from a machine after an infection, and the goal is to find the flag.

To analyze the memory we will use Volatility 2. Volatility 2 needs a profile built against the exact kernel the dumped system was running, so the first step is to identify that kernel.

A big thanks to @Skyf0l who created the profile (https://github.com/skyf0l).

➜ strings output.lime | grep "^BOOT_IMAGE="

BOOT_IMAGE=/vmlinuz-4.2.6-200.fc22.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rhgb quiet LANG=fr_BE.UTF-8
➜ strings output.lime | grep "Linux version"

Linux version 4.2.6-200.fc22.x86_64 (mockbuild@bkernel02.phx2.fedoraproject.org) (gcc version 5.1.1 20150618 (Red Hat 5.1.1-4) (GCC) ) #1 SMP Tue Nov 10 16:45:19 UTC 2015

These two strings show that the dump comes from a Fedora 22 x86_64 system running kernel 4.2.6-200.fc22.x86_64 (the "Linux version" banner is the authoritative one; BOOT_IMAGE from the kernel command line should agree with it).
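The two strings | grep lookups above, as an added example that is not part of the original write-up: shell functions that pull the kernel release out of a raw image with grep alone and cross-check the "Linux version" banner against BOOT_IMAGE, since a banner left over in free pages from an older kernel would otherwise send you building the wrong profile. GNU grep is assumed, and the sample image the functions run on is constructed inline.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up. Fingerprints the kernel of
# a raw memory image (LiME or similar) using only grep/cut/sed/awk. Assumes GNU
# grep (-a, -o). The sample image built by make_sample_image is constructed.

# Kernel release from the first "Linux version <release> (...)" banner in the image.
kernel_release_from_image() {
    LC_ALL=C grep -a -o 'Linux version [^ ]*' "$1" | head -n 1 | cut -d ' ' -f 3
}

# Kernel release named on the boot command line (BOOT_IMAGE=/vmlinuz-<release>).
boot_release_from_image() {
    LC_ALL=C grep -a -o 'BOOT_IMAGE=[^ ]*' "$1" | head -n 1 \
        | cut -d '=' -f 2 | sed 's#.*/vmlinuz-##'
}

# Distribution tag (e.g. fc22) and architecture from a Fedora release string
# such as 4.2.6-200.fc22.x86_64, i.e. the last two dot-separated fields.
dist_tag_of() { printf '%s\n' "$1" | awk -F. '{print $(NF-1)}'; }
arch_of()     { printf '%s\n' "$1" | awk -F. '{print $NF}'; }

# Prints the release only when banner and boot command line agree; returns
# non-zero otherwise, so a stale banner is caught before any profile is built.
check_image_kernel() {
    banner=$(kernel_release_from_image "$1")
    boot=$(boot_release_from_image "$1")
    [ -n "$banner" ] && [ "$banner" = "$boot" ] && printf '%s\n' "$banner"
}

# Constructed sample image: binary padding around a boot command line and a
# kernel banner, as they would sit in a real dump. The banner is fixed at
# 4.2.6-200.fc22.x86_64; $1 optionally overrides the release in BOOT_IMAGE so a
# mismatch can be exercised. Prints the path of the temporary file.
make_sample_image() {
    rel=${1:-4.2.6-200.fc22.x86_64}
    f=$(mktemp)
    printf '\000\001\377junk\000BOOT_IMAGE=/vmlinuz-%s root=/dev/mapper/fedora-root ro quiet\000\000\376' "$rel" > "$f"
    printf 'Linux version 4.2.6-200.fc22.x86_64 (mockbuild@example) (gcc version 5.1.1) #1 SMP\000' >> "$f"
    printf '%s\n' "$f"
}

# Stand-alone use: ./fingerprint.sh output.lime
if [ $# -gt 0 ]; then
    check_image_kernel "$1" || { echo "banner and BOOT_IMAGE disagree" >&2; exit 1; }
fi
```

On a real dump, pass the image path; the release it prints is the one to fetch from Koji and the one the System.map in the profile zip must correspond to.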

We will install Fedora 22 using its official ISO.

  • https://dl.fedoraproject.org/pub/archive/fedora/linux/releases/22/Workstation/x86_64/iso/

The kernel shipped on the ISO is not the one in the memory dump, and the profile must be built on the exact kernel of the dump, so we install the matching kernel packages from the Fedora Koji build archive:

  • https://koji.fedoraproject.org/koji/buildinfo?buildID=697914
➜ uname -r

4.0.4-301.fc22.x86_64
➜ sudo dnf install kernel-4.2.6-200.fc22.x86_64.rpm \
    kernel-core-4.2.6-200.fc22.x86_64.rpm \
    kernel-devel-4.2.6-200.fc22.x86_64.rpm \
    kernel-headers-4.2.6-200.fc22.x86_64.rpm \
    kernel-modules-4.2.6-200.fc22.x86_64.rpm \
    kernel-modules-extra-4.2.6-200.fc22.x86_64.rpm \
    kernel-tools-4.2.6-200.fc22.x86_64.rpm \
    kernel-tools-libs-4.2.6-200.fc22.x86_64.rpm \
    kernel-tools-libs-devel-4.2.6-200.fc22.x86_64.rpm

➜ sudo reboot
...

➜ uname -r

4.2.6-200.fc22.x86_64

The running kernel now matches the dump, so we can build the profile. make in tools/linux compiles a small kernel module against the running kernel and runs dwarfdump on it (package libdwarf-tools on Fedora) to produce module.dwarf; the profile is that file zipped together with the System.map of the same kernel.

➜ sudo dnf group install "C Development Tools and Libraries" "Development Tools"
➜ git clone --depth=1 https://github.com/volatilityfoundation/volatility
➜ cd volatility/tools/linux
➜ make
➜ sudo zip Fedora22.zip module.dwarf /boot/System.map-4.2.6-200.fc22.x86_64

We retrieve the Fedora22.zip file from the virtual machine and copy it to the Linux overlays folder of our Volatility installation:

➜ cp Fedora22.zip /opt/tools/volatility/volatility/plugins/overlays/linux

Volatility derives the profile name from the zip file name, so Fedora22.zip is registered as LinuxFedora22x64 and can now be used to analyze the memory:

➜ vol.py --info | grep Fedora

Volatility Foundation Volatility Framework 2.6.1
LinuxFedora22x64      - A Profile for Linux Fedora22 x64

The linux_recover_filesystem plugin writes every file whose contents are still in the page cache to a directory tree, which is easier to browse than querying the dump file by file:

➜ volatility2 -f output.lime --profile=LinuxFedora22x64 linux_recover_filesystem --dump-dir=/tmp/fs

➜ ls -la
total 96
drwxrwxrwx 1 root root     726 May  8 20:53 .
drwxrwxrwt 1 root root     158 May  8 19:43 ..
dr-xr-xr-x 1 root root      58 May  7 02:00 boot
-rw-r--r-- 1 root root     542 May  2 21:09 DecodeMe.lol
drwxr-xr-x 1 root root    1650 May  7 02:00 dev
drwx------ 1 1000 rvm       12 May  7 02:02 .esd-1000
drwxr-xr-x 1 root root     348 May  7 02:00 etc
-rw------- 1 1000 rvm    12288 May  2 21:04 ffiFQx6eb
-rw------- 1 root root    4096 May  2 21:04 ffireqNG3
-rw------- 1   42 shadow  8192 May  2 21:04 ffitZrGYD
drwxrwxrwx 1 root root       0 May  2 21:03 .font-unix
drwxr-xr-x 1 root root      14 May  7 02:18 home
drwxrwxrwx 1 root root      16 May  7 02:02 .ICE-unix
-rw------- 1   42 shadow 57437 May  2 21:04 mutter-shared-IFHH41
drwxr-xr-x 1 root root      18 May  7 01:56 opt
drwxr-xr-x 1 root root    1084 Apr  9 09:27 proc
drwxr-xr-x 1 root root     894 Apr  9 09:27 run
drwxr-xr-x 1 root root      84 Apr  9 09:27 sys
drwx------ 1 root root       6 May  7 02:02 systemd-private-643740d5b38c45679af7f3b60af4460a-colord.service-DhPw00
drwx------ 1 root root       6 May  7 02:02 systemd-private-643740d5b38c45679af7f3b60af4460a-rtkit-daemon.service-vGpRO8
drwxrwxrwx 1 root root       0 May  2 21:03 .Test-unix
drwxrwxrwx 1 root root       0 Apr  9 09:33 tmp
drwx------ 1 1000 rvm        0 May  2 21:08 tracker-extract-files.1000
drwxr-xr-x 1 root root      64 May  7 02:00 usr
drwxr-xr-x 1 root root      42 May  7 01:59 var
-rw-r--r-- 1 root root    1190 May  2 21:03 vgauthsvclog.txt.0
drwx------ 1 root root       0 May  2 21:03 vmware-root
-r--r--r-- 1   42 shadow    11 May  2 21:04 .X1024-lock
drwxrwxrwx 1 root root      14 May  7 02:02 .X11-unix
drwxrwxrwx 1 root root       0 May  2 21:03 .XIM-unix

The first interesting file is DecodeMe.lol, a password-protected zip archive. Several password cracking techniques were tried without success.

➜ file DecodeMe.lol

DecodeMe.lol: Zip archive data, at least v2.0 to extract

The second interesting file is Intelligence.sh, located in the home directory of the user n3m3s1s. It contains only garbage and is a rabbit hole.

➜ file home/n3m3s1s/Intelligence.sh

home/n3m3s1s/Intelligence.sh: data

Trying to unzip the archive shows that it contains a single file, opt/confidential.pdf:

➜ unzip DecodeMe.lol

Archive:  DecodeMe.lol
[DecodeMe.lol] opt/confidential.pdf password:
   skipping: opt/confidential.pdf    incorrect password

My first idea was a known-plaintext attack on the archive with bkcrack (https://github.com/kimci86/bkcrack), which recovers the ZipCrypto internal keys from at least 12 bytes of known plaintext and then lets you re-encrypt the archive under a password of your choice. Unfortunately, this did not work: the obvious plaintext guess, a %PDF- header, cannot match, because as we will see the "PDF" is not a real PDF at all.

Next, I grepped the memory dump for the string confidential.pdf. This turns up the full text of the script that created the archive: the desktop search indexer (Tracker, whose tracker-extract-files.1000 directory appears in the listing above) stored the script's contents as nie:plainTextContent, so the script survives in memory even if it is gone from disk.

➜ strings output.lime | grep "confidential.pdf"

Generate-Password /opt/confidential.pdf
\n    shaSum=$(dd if=/dev/random bs=32 count=1 2>/dev/null | sha256sum | cut -d \" \" -f 1)\n    aesIV=$(echo -n \"shaSum\" | base64 |head -c 16)\n    easKey=$(echo -n \"shaSum\" |sha256sum | cut -d \" \" -f 1)\n    encrypted=$(echo -n \"hello world\" | openssl enc -aes-256-cbc -K \"$easKey\" -iv \"0123456789012345\" -base64)\n    key=$(echo -n \"$password\" | sha512sum | cut -d \" \" -f 1)\n    zipZeFile \"$key\"\n    shred -fuz $1\n}\nGenerate-Password /opt/confidential.pdf" .
         nie:plainTextContent "#!/bin/bash\nfunction zipZeFile() {\n    password=$(echo \"$1\" | cut -c 1-15)\n    zip -P \"$password\" /tmp/DecodeMe.lol /opt/confidential.pdf\n}\n\nfunction Generate-Password() {\n    confidentialFile=\"$1\"\n    shaSum=$(dd if=/dev/random bs=32 count=1 2>/dev/null | sha256sum | cut -d \" \" -f 1)\n    aesIV=$(echo -n \"shaSum\" | base64 |head -c 16)\n    easKey=$(echo -n \"shaSum\" |sha256sum | cut -d \" \" -f 1)\n    encrypted=$(echo -n \"hello world\" | openssl enc -aes-256-cbc -K \"$easKey\" -iv \"0123456789012345\" -base64)\n    key=$(echo -n \"$password\" | sha512sum | cut -d \" \" -f 1)\n    zipZeFile \"$key\"\n    shred -fuz $1\n}

Here is the same script, reindented and with the backslash escaping of the RDF string removed. The defects that matter are marked with comments:

#!/bin/bash
function zipZeFile() {
    password=$(echo "$1" | cut -c 1-15)
    zip -P "$password" /tmp/DecodeMe.lol /opt/confidential.pdf
}

function Generate-Password() {
    confidentialFile="$1"
    shaSum=$(dd if=/dev/random bs=32 count=1 2>/dev/null | sha256sum | cut -d " " -f 1)
    aesIV=$(echo -n "shaSum" | base64 |head -c 16)              # literal "shaSum", not $shaSum; never used
    easKey=$(echo -n "shaSum" |sha256sum | cut -d " " -f 1)     # literal "shaSum" again
    encrypted=$(echo -n "hello world" | openssl enc -aes-256-cbc -K "$easKey" -iv "0123456789012345" -base64)  # never used
    key=$(echo -n "$password" | sha512sum | cut -d " " -f 1)    # $password is not assigned yet: this hashes ""
    zipZeFile "$key"
    shred -fuz $1
}

Generate-Password /opt/confidential.pdf

We notice that the developer forgot the $ character in front of shaSum, so the literal string "shaSum" is used instead of the variable. More importantly, password is only assigned inside zipZeFile, which runs after key has been computed.

Let's analyze the code:

  • shaSum reads 32 random bytes and keeps their sha256. Nothing below uses it.
  • aesIV is the base64 of the literal string "shaSum", cut to 16 characters -> c2hhU3Vt (only 8 characters, so nothing is cut). The variable is never used.
  • easKey is the sha256 of the literal string "shaSum".
  • encrypted is "hello world" encrypted with AES-256-CBC under that key and the IV "0123456789012345". It is never used either.
  • key is the sha512 of $password. At this point the variable has not been assigned (zipZeFile sets it later, from $key itself), so it expands to the empty string. The random bytes therefore never reach the archive password.

The archive password is thus the first 15 characters of the sha512 of the empty string:

➜ echo -n "" | sha512sum | cut -d " " -f 1 | cut -c 1-15

cf83e1357eefb8b
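The derivation above replayed offline, as an added example that is not the challenge's script: buggy_archive_password reproduces exactly what Generate-Password computes before calling zipZeFile, with both defects kept, and shows that the result is the same whatever random input is fed in; fixed_archive_password is a hypothetical corrected version of my own that actually uses the random digest. Only coreutils are used; printf '%s' replaces the script's echo -n so the output is the same under sh and bash.

```bash
#!/usr/bin/env bash
# Added example, not the recovered script. Replays the archive password
# derivation with its two bugs kept (the literal string "shaSum" and the
# still-unset $password) and contrasts it with a corrected version.
# printf '%s' stands in for the script's "echo -n" (same bytes, portable).

# Exactly what Generate-Password computes before it calls zipZeFile.
# $1 stands in for the 32 random bytes read from /dev/random.
buggy_archive_password() {
    shaSum=$(printf '%s' "$1" | sha256sum | cut -d " " -f 1)      # computed, then ignored
    aesIV=$(printf '%s' "shaSum" | base64 | head -c 16)           # literal string, unused
    easKey=$(printf '%s' "shaSum" | sha256sum | cut -d " " -f 1)  # literal string, unused here
    unset password            # zipZeFile, which assigns it, has not run yet
    key=$(printf '%s' "$password" | sha512sum | cut -d " " -f 1)  # sha512 of ""
    # zipZeFile keeps the first 15 characters of $key as the zip -P password.
    printf '%s' "$key" | cut -c 1-15
}

# Hypothetical corrected version (my assumption of the intent): the digest of
# the random bytes is what gets hashed into the password, so the archive
# password changes with every run and cannot be guessed from the script alone.
fixed_archive_password() {
    shaSum=$(printf '%s' "$1" | sha256sum | cut -d " " -f 1)
    key=$(printf '%s' "$shaSum" | sha512sum | cut -d " " -f 1)
    printf '%s' "$key" | cut -c 1-15
}

# The value the script actually stores in aesIV: base64 of the 6-byte literal
# "shaSum" is only 8 characters, so head -c 16 never truncates anything.
literal_aes_iv() { printf '%s' "shaSum" | base64 | head -c 16; }

# Stand-alone use: prints the constant password, then two "random" runs of the
# fixed version to show they differ.
if [ $# -gt 0 ]; then
    echo "buggy : $(buggy_archive_password "$1")"
    echo "fixed : $(fixed_archive_password "$1")"
fi
```

Because the buggy derivation is independent of its input, there is exactly one candidate password, which is why the archive opens with cf83e1357eefb8b regardless of what /dev/random produced on the victim machine.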

We can extract the file.

➜ unzip DecodeMe.lol

Archive:  DecodeMe.lol
[DecodeMe.lol] opt/confidential.pdf password: cf83e1357eefb8b
  inflating: opt/confidential.pdf

The "PDF" is in fact a plain text file: ASCII art that spells out the flag.

➜ cat opt/confidential.pdf
______  _    _  _   _ ___  ___ _____   __ _   _  _____  __         _____        _____  _   _ ______  _____    ___  _____        _   _              _____  _____     __
| ___ \| |  | || \ | ||  \/  ||  ___| / /| \ | ||  _  |/  |       |____ |      |_   _|| | | || ___ \|____ |  /   ||_   _|      | | | |            |_   _||____ |    \ \
| |_/ /| |  | ||  \| || .  . || |__  | | |  \| || |/' |`| |   ___     / / ______ | |  | |_| || |_/ /    / / / /| |  | | ______ | |_| | _   _  _ __  | |      / / _ __| |
|  __/ | |/\| || . ` || |\/| ||  __|/ /  | . ` ||  /| | | |  / __|    \ \|______|| |  |  _  ||    /     \ \/ /_| |  | ||______||  _  || | | || '_ \ | |      \ \| '__|\ \
| |    \  /\  /| |\  || |  | || |___\ \  | |\  |\ |_/ /_| |_| (__ .___/ /        | |  | | | || |\ \ .___/ /\___  |  | |        | | | || |_| || | | || |  .___/ /| |   / /
\_|     \/  \/ \_| \_/\_|  |_/\____/ | | \_| \_/ \___/ \___/ \___|\____/         \_/  \_| |_/\_| \_|\____/     |_/  \_/        \_| |_/ \__,_||_| |_|\_/  \____/ |_|  | |
                                      \_\                                                                                                                           /_/
      
    
  • PWNME{N01c3-THR34T-HUnT3r}