This Blue Team challenge was released on February 19, 2023 from CyberDefenders.org. You can access the room at https://cyberdefenders.org/blueteam-ctf-challenges/99#nav-questions. Shoutout to @HouseOfStark for creating the challenge and also for being so responsive and kind in entertaining questions and inquiries about the challenge on Discord. I’ve had interactions with other creators where they just shrugged their shoulders like they were saying “not my problem anymore, you figure it out.”
I rated this challenge to be Medium in difficulty. I was going to rate it as difficult because I was stuck on the last question for days. I will write more about it later in this post. The only tool you will need to complete this challenge is Volatility.
- Which volatility profile would be best for this machine?
- Run the command: volatility -f file_to_investigate imageinfo
- -f – is the option to use to specify the filename to use when opening an image
- imageinfo – is the plugin command to identify information for the image like the operating system, service pack, hardware architecture, and other useful information
- How many processes were running when the image was acquired?
- Run the command: volatility -f file_to_investigate –profile=WinXPSP2x86 pslist
- I just realized, I didn’t have to blur the answer to Q1, just because I will have to enter the profile of the image in every command that we will be using from now and onwards. lol
- pslist – is the plugin command to print all running processes
- When you look at the image above there are 25 processes listed. The question was asking for the running processes when image was acquired. That means we don’t include the processes with entries under the exit column
- What is the process ID of cmd.exe?
- We can use the command we ran for Q2, look for the cmd.exe process and you will see the process ID on the third column from the left
- What is the name of the most suspicious process?
- We can continue to leverage the command we ran for Q2. The name of the process is a giveaway
- Which process shows the highest likelihood of code injection?
- We can continue to leverage the command we ran for Q2
- There is an odd file referenced in the recent process. Provide the full path of that file?
- Run: volatility -f file_to_investigate –profile=WinXPSP2x86 -p 880 handles -t file
- -p – is the option to specify the process ID. In this example, we are using the PID 880
- handles – is the plugin command to print a list of open handles for each process
- -t – is an option to specify which object type you want the results to show. In this example, we want the results to only show “file” type.
- What is the name of the injected dll file loaded from the recent process?
- Run: volatility -f file_to_investigate –profile=WinXPSP2x86 ldrmodules -p 880 | grep -i false
- ldrmodules – is the plugin command to detect unlinked DLLs
- grep -i false – this is to filter to only show the results with the word “false” in it
- As you can see from our screenshot, there are only 2 results with the word “false” in them. And we can safely guess that the answer to the question is the one with all three false entries. It means that the DLL is not linked to all three ldr modules. Hiding the DLL this way makes the file suspicious
- What is the base address of the injected dll?
- Run: volatility -f file_to_investigate –profile=WinXPSP2x86 malfind -p 880
- malfind – is the plugin command to find hidden and injected code
The question above was the revised one. The original question was asking for the MD5 hash of the injected DLL. The original question was the reason that I wanted to rate this challenge as hard. So, here’s what I did to answer the original question:
- I used the malfind plugin so I can retrieve the base address
- I ran the command: volatility -f file_to_investigate –profile=WinXPSP2x86 dlldump -p 880 –base=0x9***** –dump-dir=.
- dlldump – is the plugin command to dump DLLs from a process address space
- –base – is the option to specify the base address of the process. I masked the rest of the base address so the for Q8 is not given away
- –dump-dir – is to specify the location where to dump all the DLLs
- Now that I dumped the dll, I need to calculate the MD5 hash of the file. I ran: md5sum file_name_here
- I was confident that I got the DLL’s md5 hash, but when I entered the answer to the Q8 answer field, I got the invalid flag message.
- Now, I started to doubt and question my knowledge and abilities. For the next 3 days, I dumped all DLLs that I can think of. I dumped and listed all DLLs related to PID 880 calculated all their MD5 hashes and entered them one-by-one in the answer field. I even did a procdump of PID 880, opened it using WinDbg, looked at all the DLLs there and compared them against the list when I did dlldump, and again calculated all MD5 hashes and entered them as the answer, and still no luck.
- Finally, I gave up and so I reached out to the challenge creator, @HouseOfStark for some assistance. When I explained to him what I did he said that my steps should work. This was his reply:
- Now you know the reason why Q8 was revised. It appears that plugins carve the data differently thus resulting in different hash values when calculated. So, to make it easier for future cyberdefenders like me wanting to complete this challenge, Q8 was revised.
I hope you enjoyed reading my post and I hope you find this helpful.
If you haven’t subscribe to my blog, please do so. Thank you!
Wow! The amount of time it seems that you put into these worries write-ups is awesome. Thank you!
LikeLiked by 1 person
Ha, thanks as always!
Leave a comment