Suninatas Game 30

Posted on Edited on In Views: Disqus:

challenges

Game 30

Challenge summary:

  • Q1: IP address of General Kim’s PC
  • Q2: Secret document read by hacker
  • Q3: Content of that document (contains a key)
  • Final: lowercase(md5(Q1 + Q2 + Q3))

Given artifact:

1
2
$ file 'MemoryDump(SuNiNaTaS)'
MemoryDump(SuNiNaTaS): data

I used Volatility 3 throughout.

Initial triage

Identify OS profile and basic context:

1
2
3
4
5
6
$ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.info
...
Is64Bit   False
NTBuildLab 7601.18044.x86fre.win7sp1_gdr.13
SystemTime 2016-05-24 09:47:40+00:00
...

Q1: IP address of General Kim’s PC

Check active/known network artifacts:

1
2
3
4
5
6
$ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.netscan
...
0x3f270450 TCPv4 192.168.197.138 139   0.0.0.0         0   LISTENING   4 System
0x3f270768 UDPv4 192.168.197.138 137   *               0               4 System
0x3fdd5620 TCPv4 192.168.197.138 49248 113.29.189.142 80  ESTABLISHED  - -
...

Q1 answer:

1
192.168.197.138

Q2: Which secret document was read?

Find interesting user actions from process arguments:

1
2
3
4
$ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.cmdline
...
3728 notepad.exe notepad C:\Users\training\Desktop\SecreetDocumen7.txt
...

Q2 answer:

1
SecreetDocumen7.txt

Q3: Content/key inside the secret document

Locate and dump the file from memory:

1
2
3
4
5
6
7
8
9
10
11
12
$ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.filescan | grep 'SecreetDocumen7.txt'
0x3df2ddd8 100.0\Users\training\Desktop\SecreetDocumen7.txt

$ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.dumpfiles --phy 0x3df2ddd8
...
file.0x3df2ddd8.0x85d7d150.DataSectionObject.SecreetDocumen7.txt.dat

$ xxd file.0x3df2ddd8.0x85d7d150.DataSectionObject.SecreetDocumen7.txt.dat
...
00000050: 7920 6973 2022 3472 6d79 5f34 6972 666f  y is "4rmy_4irfo
00000060: 7263 655f 4e34 7679 2200 0000 0000 0000  rce_N4vy".......
...

Q3 key:

1
4rmy_4irforce_N4vy

Final Auth Key

Concatenate in order:

1
192.168.197.138SecreetDocumen7.txt4rmy_4irforce_N4vy

Compute lowercase MD5:

c152e3fb5a6882563231b00f21a8ed5f