Magnet Weekly CTF (Week 12) - Warren's Final Memory

Previous (Android): Week 1 | Week 2 | Week 3 | Week 4

Previous (Linux): Week 5 | Week 6 | Week 7 | Week 8

Previous (Memory): Week 9 | Week 10 | Week 11

The time has come, the final week of the Magnet CTF and the last week of examining Warren's memory file.

Challenge 12 (Dec. 21-28) (30)

What is the PID of the application where you might learn "how hackers hack, and how to stop them"?

Format: ####

Warning: Only 1 attempt allowed!

While examining one of the prior weeks for internet artifacts I had actually already found a lead for this question. So I fired up the trusty MemProcFS and opened the Internet Explorer process, PID 4480. We want to open the HTM file found in the handle folder:


It was a cached Bing search that Warren did for "how to stop getting hacked over and over". If we scroll down a little bit there is a YouTube video with the exact phrase given in the question:

So, knowing that it was found in this process, we can enter 4480 and confirm that it is the correct PID.

Challenge 12 (Dec. 21-28) Part 2 (20)

What is the product version of the application from Part 1?


When I thought about looking for version information for Internet Explorer, the first thing I jumped to was the SOFTWARE registry hive. Since we already have MemProcFS running with the memory dump loaded, we can navigate to the path:

M:\registry\HKLM\SOFTWARE\Microsoft\Internet Explorer

There are multiple version text files that replicate the registry hive values. With a little research (info from ArcLab) I thought to look at Version.txt and svcVersion.txt. Version was 9.11.9600.18860, so I tried that, padded with a zero at the front, but it didn't work. svcVersion was 11.0.9600.18860, so I padded the second group with an extra zero, but that didn't take either.

My next thought was to resort to string searching. Using Volatility and the "procdump" plugin we can export the process executable to a file.

volatility.exe --filename="E:\memdump.mem" --profile=Win7SP1x64 procdump --dump-dir="E:\output" --pid=4480

Knowing the format they were looking for, I used a regular expression to search the process dump for any hits of that format with Eric Zimmerman's bstrings tool:

bstrings.exe -f "E:\output\executable.4480.exe" --lr \d{2}\.\d{2}\.\d{4}\.\d{5} --off --sa

--lr = feeds the regex "\d{2}\.\d{2}\.\d{4}\.\d{5}". The regex looks for 2 digits then a period, then 2 digits and a period, then 4 digits and a period, and finally 5 digits. A regex tester always comes in handy.
--off = adds the offset of each string hit
--sa = sorts the results alphabetically
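To show what the bstrings run above is actually doing, here is an added Python example (my own illustration, not code from the original post or from bstrings) that scans a constructed byte buffer for the version pattern in both ASCII and UTF-16LE form, reports the offset of each hit, and sorts alphabetically like --off --sa. The sample buffer is constructed for this example and stands in for executable.4480.exe; it includes the two registry values tried first, which do not fit the answer format, alongside the real version string.

```python
import re
from typing import List, Tuple

# The pattern used in the bstrings run: 2.2.4.5 digit groups, e.g. 11.00.9600.18858
ASCII_RE = re.compile(rb"\d{2}\.\d{2}\.\d{4}\.\d{5}")
# Same pattern over UTF-16LE text, where each character is followed by a NUL byte;
# matching on the raw bytes keeps offsets relative to the original dump.
WIDE_RE = re.compile(
    rb"(?:\d\x00){2}\.\x00(?:\d\x00){2}\.\x00(?:\d\x00){4}\.\x00(?:\d\x00){5}"
)


def find_version_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every hit, sorted alphabetically
    by text and then by offset (the equivalent of bstrings --off --sa)."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in WIDE_RE.finditer(data)]
    return sorted(hits, key=lambda h: (h[2], h[0]))


# Constructed stand-in for a process dump (not the real executable.4480.exe):
# the two registry values that do not fit the ####.##.####.##### style format,
# then the real version as a wide VERSIONINFO-style value and as plain ASCII.
SAMPLE_DUMP = (
    b"\x00\x00"
    + b"9.11.9600.18860\x00"   # Version.txt value: first group is only 1 digit
    + b"11.0.9600.18860\x00"   # svcVersion.txt value: second group is only 1 digit
    + b"FileVersion\x00" + "11.00.9600.18858".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90ProductVersion 11.00.9600.18858\x00"
)

if __name__ == "__main__":
    for offset, enc, text in find_version_strings(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {enc:8s}  {text}")
```

Only the correctly padded 11.00.9600.18858 matches; the two registry values fall through, which is exactly why the guesses padded from Version.txt and svcVersion.txt did not fit the expected format.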

The results were quick and dirty but ended up getting me to the answer: 11.00.9600.18858. An alternative way to get the answer was right there in the "procdump" output: just highlight the dumped executable and voila!

What an incredible 12-week journey it has been. Competing in this CTF has not only filled my need for competition but has also led me down more rabbit holes for research purposes. It has also allowed me to connect with the other players and spur more collaborative projects for the future!