Magnet Weekly CTF (Week 10) - Warren's Memory Redux


Previous (Android): Week 1 | Week 2 | Week 3 | Week 4

Previous (Linux): Week 5 | Week 6 | Week 7 | Week 8

Previous (Memory): Week 9

Using the same image as week 9 we can again dive into Warren's memory banks for more questions, this week supplied by Jamey Tubbs.

Challenge 10 ( Dec 7 - 14 ) Part 1 (15)

*At the time of the RAM collection (20-Apr-20 23:23:26 - Imageinfo) there was an established connection to a Google Server.*

What was the Remote IP address and port number? format: "xxx.xxx.xx.xxx:xxx"

Let's fire up Volatility again and run the 'netscan' plugin, piping its output through grep for "ESTABLISHED" so that only connections that were actually live at the time of collection are shown (LISTENING sockets and half-closed CLOSE_WAIT entries drop out).

vol.py -f memdump.mem --profile=Win7SP1x64 netscan | grep ESTABLISHED

We get four established connections to external IP addresses:


Running a WHOIS lookup on each foreign address shows that 172.253.63.188 sits in a Google-owned netblock, so the answer is 172.253.63.188:443.


Challenge 10 ( Dec 7 - 14 ) Part 2 (15)

What was the Local IP address and port number? same format as part 1

We already got this answer from the 'netscan' output above: the local IP and port in the same row were 192.168.10.146:54282.
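As an added example that is not part of the original writeup: a small Python parser for Volatility 2 netscan output that does what the grep above does, but structured, so the local and remote endpoints of each row can be picked out programmatically and the remote addresses checked against netblocks. The sample output is constructed in the netscan column layout; only the first row carries the addresses from the writeup, and the PIDs, owners and other rows are made up. The 172.253.0.0/16 prefix is an assumption standing in for the WHOIS result, not something the writeup shows.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the Volatility 2 'netscan' column layout (the writeup shows a screenshot).
# Only the first row carries the writeup's addresses; PIDs, owners and the other rows are made up.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e0f2a10        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      1864     chrome.exe
0x13e1c4b60        TCPv4    192.168.10.146:54279           203.0.113.10:443     CLOSE_WAIT       1864     chrome.exe
0x13e2a9010        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe    2020-04-20 22:58:01 UTC+0000
0x13e3f7e20        TCPv6    ::1:49160                      ::1:443              ESTABLISHED      2404     Dropbox.exe
0x13e3f8c90        TCPv4    192.168.10.146:49161           198.51.100.7:443     ESTABLISHED      2404     Dropbox.exe
0x13e4d1c70        TCPv4    192.168.10.146:54301           192.168.10.1:53      ESTABLISHED      1864     chrome.exe
0x13e5e0a50        UDPv4    0.0.0.0:5355                   *:*                                   1072     svchost.exe    2020-04-20 22:58:04 UTC+0000
"""

# State is absent on UDP rows, Owner can be blank, and Created (which contains spaces) is ignored.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)?\s*(?P<pid>-?\d+)?\s*(?P<owner>\S+)?")


class Conn(NamedTuple):
    proto: str
    local: str          # "ip:port" exactly as netscan printed it
    remote: str
    state: str
    pid: Optional[int]
    owner: str


def parse_netscan(text: str) -> List[Conn]:
    """Turn netscan text into records; the header and anything unparseable is skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            conns.append(Conn(m["proto"], m["local"], m["remote"], m["state"] or "",
                              int(m["pid"]) if m["pid"] else None, m["owner"] or ""))
    return conns


def endpoint(ep: str):
    """Split 'ip:port' (IPv6 with or without brackets) into (ip_address or None, port)."""
    host, _, port = ep.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None, 0      # '*:*', '-:0' and similar placeholders


# RFC 1918, loopback and link-local; anything else is treated as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]


def is_local(ip) -> bool:
    return ip is None or any(ip in net for net in LOCAL_NETS)


def established_external(conns: List[Conn]) -> List[Conn]:
    """What the grep shows, minus rows whose peer is on the LAN or loopback."""
    return [c for c in conns if c.state == "ESTABLISHED" and not is_local(endpoint(c.remote)[0])]


def matching_prefix(conns: List[Conn], prefixes) -> Optional[Conn]:
    """First established external connection whose remote IP lies in one of the given networks."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    for c in established_external(conns):
        ip, _ = endpoint(c.remote)
        if any(ip in n for n in nets):
            return c
    return None


# Assumption: the netblock WHOIS reported for 172.253.63.188 (Google LLC); verify with a live lookup.
GOOGLE_PREFIXES = ["172.253.0.0/16"]

if __name__ == "__main__":
    hit = matching_prefix(parse_netscan(NETSCAN_SAMPLE), GOOGLE_PREFIXES)
    print(f"remote {hit.remote}  local {hit.local}  pid {hit.pid} ({hit.owner})")
```

The row with 192.168.10.1:53 is ESTABLISHED but filtered out as a LAN peer; that is exactly the kind of entry a bare grep leaves in the list for you to discard by eye.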

Challenge 10 ( Dec 7 - 14 ) Part 3 (10)

What was the URL?

This one posed me some problems from the jump. I didn't know of any way to trace back the IP directly to a URL from Volatility so I chose to run Bulk Extractor and see what URLs could be carved from RAM. This led to way too many results so I had to rethink my next step. I came across a DataDigitally article on how to carve pcap (packet capture) files from memory, BINGO! We can use the command-line version of Bulk Extractor with the following command to pull out results:

bulk_extractor.exe -x all -e net -o output_folder/ memdump.mem

-x all = disable every scanner
-e net = re-enable only the net scanner, which carves network packets and writes them to packets.pcap in the output folder
-o = output folder path

The resulting packets.pcap file can be loaded into NetworkMiner to automatically parse host, IP and DNS information. From the Hosts tab we can scroll down to the IP from Part 1 and see that it belonged to https://mtalk.google.com. That fits: mtalk.google.com is the endpoint Chrome keeps a persistent connection to for Google's push messaging, so an established connection to it is expected whenever Chrome is running, even with no page being actively browsed.
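The hostname NetworkMiner attaches to an address comes from the DNS answers present in the carved packets. As an added example that is neither the writeup's code nor a NetworkMiner feature, here is a minimal pcap-and-DNS walker in Python that builds the same IP-to-name map from a packets.pcap like the one bulk_extractor's net scanner produces, assuming a classic pcap with Ethernet link type and DNS carried over UDP/53. The capture it runs on is constructed inline (zeroed MACs and checksums, made-up timestamps); the mtalk.google.com answer uses the address from Part 1, and the example.org answer exists only to show a multi-address response.

```python
import socket
import struct

# Builders used only to construct the sample capture; a real run reads packets.pcap from disk.
def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def dns_response(txid, qname, addrs):
    """Response with one A question and one A answer per address; answer owners are written
    as a compression pointer to the question name (0xC00C), as real resolvers do."""
    msg = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", 1, 1)
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg

def udp_frame(src, dst, sport, dport, payload):
    """Ethernet II + IPv4 + UDP; MACs and checksums are zero (the parser never checks them)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet), made-up timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1587424000 + i, 0, len(f), len(f)) + f
    return out

# The parser: pcap -> Ethernet/IPv4/UDP -> DNS answer section -> {ip: {names}}
def pcap_frames(data):
    """Yield every captured frame from a classic pcap (either byte order; pcapng not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: jump, remember where we left off
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                    # a looping pointer would otherwise spin forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def dns_a_answers(msg):
    """(owner, ipv4) for each A record in the answer section; [] for queries and short messages."""
    _, flags, qd, an = struct.unpack(">HHHH", msg[:8]) if len(msg) >= 12 else (0, 0, 0, 0)
    if not flags & 0x8000:                   # QR bit clear: a query, not a response
        return []
    off, out = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4     # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((owner, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen                         # CNAME, AAAA, etc. are stepped over, not mis-parsed
    return out

def dns_hosts_from_pcap(pcap):
    """Map each IPv4 address seen in a DNS answer to the set of names that resolved to it."""
    hosts = {}
    for frame in pcap_frames(pcap):
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                          # not IPv4 over Ethernet, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if struct.unpack(">H", udp[:2])[0] != 53:
            continue                          # only packets *from* a resolver carry answers
        for owner, ip in dns_a_answers(udp[8:]):
            hosts.setdefault(ip, set()).add(owner)
    return hosts

# Constructed capture: two resolver answers plus one client query that must be ignored.
SAMPLE_PCAP = build_pcap([
    udp_frame("192.168.10.1", "192.168.10.146", 53, 61000,
              dns_response(0x1A2B, "mtalk.google.com", ["172.253.63.188"])),
    udp_frame("192.168.10.1", "192.168.10.146", 53, 61001,
              dns_response(0x3C4D, "www.example.org", ["203.0.113.5", "203.0.113.6"])),
    udp_frame("192.168.10.146", "192.168.10.1", 61002, 53, struct.pack(">HHHHHH", 0x5E6F, 0x0100, 1, 0, 0, 0)
              + encode_name("mtalk.google.com") + struct.pack(">HH", 1, 1)),
])
```

On a carved capture expect gaps: bulk_extractor only recovers packets that were still resident in RAM, so an address can show up in netscan without any matching DNS answer surviving, and CNAME records (type 5) are skipped here rather than folded into the map.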

Challenge 10 ( Dec 7 - 14 ) Part 4 (5)

What user was responsible for this activity based on the profile?

My guess was Warren, which was the answer, as he was the only user on the system. Confirmation can be done by finding the Chrome PID and using the 'getsids' plugin to dump out user info using that process. As we can see Warren is there at the top.


There is probably a better way of doing this but it was the best method at the time.

Challenge 10 ( Dec 7 - 14 ) Part 5 (20)

How long was this user looking at this browser with this version of Chrome? *format: X:XX:XX.XXXXX* Hint: down to the last second

The wording threw me off multiple times on this question. I first thought of dumping the Chrome history file and other things related to the browser typically found in the Default app folder and then using Hindsight to parse (this actually works very well for future reference). Using MemProcFS you can mount the memory image and just copy the files out of the process and rename them so Hindsight knows what to look at. This led to results but nothing of interest in terms of answering the question at hand.

My next thought was something in the registry that may hold the key such as installation info or SRUM. These didn't result in anything useful once again.

After much dismay voiced in the Discord channel, the question was given some hints and the points were doubled. Luckily shortly after I had a lightbulb moment. After thinking about the wording and what the question really was asking I took a quick peek at the Volatility cheat sheet and instantly knew what was needed, UserAssist! A quick command led me to results:

vol.py -f memdump.mem --profile=Win7SP1x64 userassist

We can look for the Chrome instance and see the answer plain as day.


The answer needed a trailing zero truncated from what the plugin printed, but submitting 3:36:47.30100 got me through.
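What the userassist plugin is doing under the hood, as an added example that is neither the writeup's code nor Volatility's: decode one Windows 7 UserAssist value from its ROT13-encoded name and 72-byte binary data, pull out the run count, focus count, focus time and last-run timestamp, and render the focus time in the challenge's X:XX:XX.XXXXX format. The value layout (session id, run count, focus count, focus time in milliseconds, ten floats, last-run FILETIME) is the Windows 7 format as Volatility's plugin decodes it, stated here as an assumption; the sample value, its counts, its last-run time and the chrome.exe path are constructed, with the focus time chosen to match the writeup's answer.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Windows 7 UserAssist value: 72 bytes, little-endian. Offsets as assumed in the lead-in:
# 0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time in milliseconds,
# 0x10 ten floats, 0x38 unknown, 0x3C last-run FILETIME, 0x44 unknown.
WIN7_LAYOUT = "<IIII10fIQI"
WIN7_SIZE = struct.calcsize(WIN7_LAYOUT)          # 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that prefix UserAssist paths on Windows 7 (a few common ones).
KNOWN_FOLDERS = {
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}


class UserAssistEntry(NamedTuple):
    path: str
    run_count: int
    focus_count: int
    focus_ms: int
    last_run: datetime


def decode_name(raw_name: str) -> str:
    """Undo the ROT13 the value name is stored with and expand a leading known-folder GUID."""
    name = codecs.decode(raw_name, "rot_13")
    if name.startswith("{"):
        guid, brace, rest = name.partition("}")
        return KNOWN_FOLDERS.get(guid + brace, guid + brace) + rest
    return name


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_value(raw_name: str, data: bytes) -> UserAssistEntry:
    """Decode one name/value pair from the Count subkey of a Windows 7 UserAssist key."""
    if len(data) != WIN7_SIZE:
        raise ValueError(f"expected a {WIN7_SIZE}-byte Windows 7 value, got {len(data)}")
    fields = struct.unpack(WIN7_LAYOUT, data)
    _session, run_count, focus_count, focus_ms = fields[:4]
    return UserAssistEntry(decode_name(raw_name), run_count, focus_count, focus_ms,
                           filetime_to_datetime(fields[15]))


def format_focus_time(focus_ms: int, places: int = 5) -> str:
    """Render like Volatility's 'Time Focused' (str(timedelta), six fractional digits), then trim
    to the number of fractional digits the challenge format asks for (five)."""
    td = timedelta(milliseconds=focus_ms)
    hours, rem = divmod(td.days * 86400 + td.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours}:{minutes:02d}:{seconds:02d}." + f"{td.microseconds:06d}"[:places]


# Constructed sample: a Chrome entry with ROT13 applied to its name, 14 runs, 9 focus events and a
# focus time picked to match the writeup's answer. The last-run time is made up.
SAMPLE_NAME = codecs.encode(
    r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Google\Chrome\Application\chrome.exe", "rot_13")
SAMPLE_LAST_RUN = datetime(2020, 4, 20, 23, 19, 12, tzinfo=timezone.utc)
SAMPLE_VALUE = struct.pack(
    WIN7_LAYOUT, 0, 14, 9, 13_007_301, *([0.0] * 10), 0,
    (SAMPLE_LAST_RUN - FILETIME_EPOCH) // timedelta(microseconds=1) * 10, 0xFFFFFFFF)

if __name__ == "__main__":
    entry = parse_userassist_value(SAMPLE_NAME, SAMPLE_VALUE)
    print(entry.path, entry.run_count, entry.focus_count,
          format_focus_time(entry.focus_ms), entry.last_run.isoformat())
```

The focus time is a running total in milliseconds across every run of that executable path, not a per-session figure, and it is tied to the path, so a different Chrome version installed elsewhere would be a separate entry; that is why the question specifies "this version of Chrome".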

Another week down and I love that I keep adding new ideas and workflows to pull out useful data from RAM.