Magnet Weekly CTF (Week 9) - Warren's Memory

Previous (Android): Week 1 | Week 2 | Week 3 | Week 4

Previous (Linux): Week 5 | Week 6 | Week 7 | Week 8

With month 2 in the books, we kick off Memory for the month of December! Aaron Sparling leads with seven (yes, seven!) questions and lots of points up for grabs.

Image File: Link

Challenge 9 ( Nov 30 - Dec 7 ) Part 1 (25)

The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string.

Where do we even start, you ask? Well, there aren't many tools that can parse memory images. Luckily, Aaron introduced me to a fantastic tool called MemProcFS from Ulf Frisk this summer (check out his Forensic Lunch episode as well as Aaron and Jessica Hyde's SANS Summit talk). It mounts the memory image as a drive on your machine so you can traverse it with Windows Explorer.

**Note - Associate .mem files with MemProcFS and you can just double-click one to automount it, which is much easier than going through the command line.

Once mounted, we can browse to the "name" folder, which lists every running process as a folder named after the process and its PID.


Thinking about which application the user could type and write in, one stuck out right away: WINWORD, i.e. Microsoft Word. We can look inside its "files > handles" folder to see which files Word had open at the time of collection. One file seemed like a reasonable place to start:

fffffa80326de810-AutoRecovery save of Document1.asd

"An ASD file is a temporary backup created by Microsoft Word, a word processing program used to author documents. It contains a snapshot copy of the currently opened Word document." - FileInfo

Opening up the .asd file inside a text editor, we see plaintext content including the password!


The password is "wow_this_is_an_uncrackable_password".

Challenge 9 ( Nov 30 - Dec 7 ) Part 2 (15)

What is the md5 hash of the file which you recovered the password from?

Originally I tried hashing the file directly out of MemProcFS resulting in the following hash:

92fbbbf96b47abf5e0ab310ca12021d4

But the answer was incorrect (later I believe it was accepted). So I went the route of firing up Volatility v2.6.1 in Remnux. Finding the OS version in MemProcFS (sysinfo > version), I knew that it was 6.1.7601, which is Windows 7 Service Pack 1. Next we'll run the following command:

vol.py -f memdump.mem --profile=Win7SP1x64 filescan | grep 'Document1.asd'

This will get us the offset of the file in question so we can then dump it out using the following command:

vol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013e6de810 -n --dump-dir ~/Downloads

-Q = physical offset in memory of file to dump

-n = add original file name to output file

--dump-dir = directory path for export

We can then use md5sum to get the hash of the file:


The hash is "af1c3038dca8c7387e47226b88ea6e23". One thing of note, there was also a file called "~WRD0000.tmp" that had the same hash, more on using this later.

Challenge 9 ( Nov 30 - Dec 7 ) Part 3 (15)

What is the birth object ID for the file which contained the password?

One plugin that was completely new to me is 'mftparser'. It scans the image for MFT FILE records and parses the attributes of each one, so it does take a bit of time to run. The following command will dump the output to a text file:

vol.py -f memdump.mem --profile=Win7SP1x64 mftparser --output-file ~/Downloads/mftparser.txt

Opening the resulting file and searching for "Document1.asd" shows the MFT entry for the file along with the Birth Object ID, which comes from the entry's $OBJECT_ID attribute (the GUIDs Windows assigns to a file for link tracking).

The answer being "31013058-7f31-01c8-6b08-210191061101".
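The Birth Object ID that mftparser prints is decoded from the $OBJECT_ID attribute of the file's MFT record. As an added illustration (not code from this post or from Volatility), here is a small Python parser that applies the record's update-sequence fixups, walks the attribute list and decodes the GUIDs in the mixed-endian layout Windows stores them in. The FILE record it runs on is constructed inline: the record number and ObjectId are made up, and the Birth Object ID from the challenge is used as the payload.

```python
import struct
import uuid

# NTFS constants
RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_OBJECT_ID = 0x40       # $OBJECT_ID attribute type
ATTR_END = 0xFFFFFFFF       # terminator after the last attribute


def apply_fixups(record: bytes) -> bytes:
    """Undo the update-sequence fixups NTFS writes into the last two bytes of
    every sector, restoring the original attribute bytes."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn or bogus record)" % (i - 1))
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_attributes(record: bytes):
    """Yield (type, raw attribute bytes) for each attribute of a fixed-up record."""
    off = struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(record):
            break
        yield atype, record[off:off + alen]
        off += alen


def parse_object_id(attr: bytes) -> dict:
    """Decode resident $OBJECT_ID content: up to four GUIDs stored in the
    Windows mixed-endian layout (hence uuid's bytes_le)."""
    if attr[8]:
        raise ValueError("$OBJECT_ID is always resident")
    clen, coff = struct.unpack_from("<IH", attr, 0x10)
    content = attr[coff:coff + clen]
    fields = ("object_id", "birth_volume_id", "birth_object_id", "domain_id")
    out = {}
    for i, name in enumerate(fields):
        chunk = content[16 * i:16 * i + 16]
        if len(chunk) < 16:
            break   # the birth/domain GUIDs are optional and may be absent
        out[name] = str(uuid.UUID(bytes_le=chunk))
    return out


def birth_object_id(record: bytes):
    """Return the Birth Object ID of a 1024-byte FILE record, or None."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    for atype, attr in iter_attributes(apply_fixups(record)):
        if atype == ATTR_OBJECT_ID:
            return parse_object_id(attr).get("birth_object_id")
    return None


def build_sample_record(birth_oid: str) -> bytes:
    """Constructed FILE record (not from the challenge image) holding one
    $OBJECT_ID attribute, with fixups applied the way NTFS would."""
    content = (uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100").bytes_le  # ObjectId (made up)
               + bytes(16)                                                  # BirthVolumeId
               + uuid.UUID(birth_oid).bytes_le                              # BirthObjectId
               + bytes(16))                                                 # DomainId
    # resident attribute header: type, length, non-resident=0, name len/off,
    # flags, attribute id, content length, content offset, indexed, padding
    attr = struct.pack("<IIBBHHHIHBB", ATTR_OBJECT_ID, 0x18 + len(content),
                       0, 0, 0x18, 0, 1, len(content), 0x18, 0, 0) + content
    used = 0x38 + len(attr) + 8
    # record header: signature, USA offset/count, LSN, sequence no, link count,
    # first attribute offset, flags (in use), used size, allocated size,
    # base record ref, next attribute id, padding, record number (made up)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      used, RECORD_SIZE, 0, 2, 0, 1234)
    raw = bytearray(hdr + bytes(8) + attr + struct.pack("<II", ATTR_END, 0))
    raw += bytes(RECORD_SIZE - len(raw))
    # fixups: USN 0x0001 overwrites the last word of each sector, the originals
    # are saved in the update sequence array right after the USN
    usn = b"\x01\x00"
    raw[0x30:0x32] = usn
    for i in (1, 2):
        end = i * SECTOR_SIZE - 2
        raw[0x30 + 2 * i:0x30 + 2 * i + 2] = raw[end:end + 2]
        raw[end:end + 2] = usn
    return bytes(raw)


if __name__ == "__main__":
    print(birth_object_id(build_sample_record("31013058-7f31-01c8-6b08-210191061101")))
```

The fixup step matters for records carved out of memory: a FILE record whose sector-end words do not match its USN is torn or fabricated, and its attributes should not be trusted. Records whose $OBJECT_ID carries only the first 16 bytes have no birth IDs at all, which the parser reports by simply omitting those keys.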

Challenge 9 ( Nov 30 - Dec 7 ) Part 4 (20)

What is the name of the user and their unique identifier which you can attribute the creation of the file document to? 

Format: #### (Name)

This one was fairly simple once you figured out the format. We can go back to MemProcFS for this one and open the "name\WINWORD.EXE-3180\user" folder. Inside we can pull out the SID and the user name.

sid.txt = S-1-5-21-4288132831-552422005-3632184702-1000
user.txt = Warren

Since they only want the last four characters of the SID, the RID (1000 is the first local account created after the built-in ones), the answer is "1000 (Warren)".

Challenge 9 ( Nov 30 - Dec 7 ) Part 5 (25)

What is the version of software used to create the file containing the password?

Format ## (Whole version number, don't worry about decimals)

Another easy one found using MemProcFS. It parses any registry hives found in memory and exposes them as a folder structure, so we can navigate down the following path:

M:\registry\HKLM\SOFTWARE\Microsoft\Office

With a little prior knowledge of the Office registry keys: Office keeps its per-version settings in subkeys named after the version number.


Only one version subkey, 15.0, contained a subkey for Word, which gives the answer: 15.0 (Office 2013).

Challenge 9 ( Nov 30 - Dec 7 ) Part 6 (20)

What is the virtual memory address offset where the password string is located in the memory image?

Format: 0x########

Another plugin that was new to me and can pull this information out is 'yarascan'. Since we know the full password string as well as the PID of the process it came from, we can narrow the scope fairly quickly using the command:

vol.py -f memdump.mem --profile=Win7SP1x64_24000 yarascan -p 3180 --yara-rules="wow_this_is_an_uncrackable_password"

-p = supplies the PID for the WINWORD process

--yara-rules = the string (or YARA rule) to search for


The left column shows, in hexadecimal, the address at which each hit starts. Because yarascan was run with -p, it scans the process's address space and reports virtual addresses, so the answer is "0x02180a2d".

Challenge 9 ( Nov 30 - Dec 7 ) Part 7 (20)

What is the physical memory address offset where the password string is located in the memory image?

Format: 0x#######

I knew I had the virtual address already but didn't know how to go about converting it to a physical memory space. I tried looking at Volatility plugins 'memmap', 'vadinfo' and 'vaddump' but nothing jumped out to me on how to make it work. Browsing through the wiki for MemProcFS I found exactly what I wanted.

https://github.com/ufrisk/MemProcFS/wiki/FS_Process_Virt2Phys

Each process folder in MemProcFS has a virt2phys feature that converts a hexadecimal virtual address to a physical address. All you have to do is write the address into the "virt" file at the following mounted path:

M:\name\WINWORD.EXE-3180\virt2phys

I entered "0000000002180a2d" into the "virt" file and the output in the "phys" file was "000000000af12a2d". Since the format needed to be 0x format, the answer is "0xaf12a2d".
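To make concrete what that virt2phys lookup does under the hood, here is an added Python example (not from the original post and not MemProcFS code) that performs the 4-level x64 page-table walk over a constructed, sparse stand-in for the memory image. The DTB value 0x187000 and the page-table locations are invented; the walk maps the post's virtual address 0x02180a2d to 0x0af12a2d and also handles the two cases a real image throws at you, a not-present entry (paged-out or unmapped page) and a 2 MiB large page.

```python
import struct

PAGE_MASK = 0xFFF
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # bits 51:12 of an entry: next table or page frame
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7                   # PS bit: 1 GiB page at PDPT level, 2 MiB at PD level


class PhysMem:
    """Sparse stand-in for the raw image: physical page base -> 4 KiB page."""

    def __init__(self):
        self.pages = {}

    def read_u64(self, paddr):
        page = self.pages.get(paddr & ~PAGE_MASK)
        if page is None:
            raise LookupError("physical page 0x%x is not in the image" % (paddr & ~PAGE_MASK))
        return struct.unpack_from("<Q", page, paddr & PAGE_MASK)[0]

    def write_u64(self, paddr, value):
        page = self.pages.setdefault(paddr & ~PAGE_MASK, bytearray(4096))
        struct.pack_into("<Q", page, paddr & PAGE_MASK, value)


def virt2phys(mem, dtb, vaddr):
    """4-level x64 page walk from the process DTB (CR3). Returns the physical
    address, or None if the page is not present (paged out or never mapped)."""
    table = dtb & FRAME_MASK
    for level, shift in enumerate((39, 30, 21, 12)):      # PML4, PDPT, PD, PT
        entry = mem.read_u64(table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE_PAGE:
            size = 1 << shift                                # 1 GiB or 2 MiB page
            return (entry & FRAME_MASK & ~(size - 1)) | (vaddr & (size - 1))
        table = entry & FRAME_MASK
    return table | (vaddr & PAGE_MASK)                       # 4 KiB page: low 12 bits unchanged


def build_sample_image(dtb, vaddr, paddr):
    """Constructed image (not the challenge dump) mapping the single 4 KiB page
    that holds vaddr to the frame that holds paddr; table locations are made up."""
    mem = PhysMem()
    tables = [dtb, 0x200000, 0x201000, 0x202000]             # PML4, PDPT, PD, PT
    for level, shift in enumerate((39, 30, 21, 12)):
        index = (vaddr >> shift) & 0x1FF
        target = tables[level + 1] if level < 3 else paddr & ~PAGE_MASK
        mem.write_u64(tables[level] + index * 8, target | PRESENT)
    return mem


def demo():
    """Translate the post's address plus a neighbouring, unmapped page."""
    dtb = 0x187000                                            # made-up DTB for WINWORD.EXE
    mem = build_sample_image(dtb, 0x02180A2D, 0x0AF12A2D)
    return virt2phys(mem, dtb, 0x02180A2D), virt2phys(mem, dtb, 0x02181A2D)


if __name__ == "__main__":
    mapped, missing = demo()
    print(hex(mapped), missing)
```

Two practical points fall out of the walk: the page offset (the low 12 bits, 0xa2d here) survives translation untouched, so a result whose low bits differ from the virtual address is a red flag, and the translation only exists for pages that were resident at capture time. Against the real image, Volatility 2's `memmap -p 3180` lists the process's virtual-to-physical page mapping and is a quick cross-check of the MemProcFS result.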

While I'm still learning how to analyze memory images, this challenge definitely gave me a few new plugins to use in future cases. It goes without saying that MemProcFS is a great complementary addition to Volatility as a memory analysis tool.
