C83 — Nintendo Hunt — Writeup

Palmenas Diniz
6 min read · May 7, 2023


Summary

Last week I was playing with a memory challenge on CyberDefenders (https://cyberdefenders.org/blueteam-ctf-challenges/102). The author suggests using Volatility 2 to solve the challenge, but I asked myself whether I could use other tools to achieve the same result.
Spoiler alert: after solving the challenge with the support of MemProcFS (https://github.com/ufrisk/MemProcFS), it became clear to me that other tools can complete the challenge, but it is much harder than it already is. My purpose with this writeup was not solely to solve the challenge as the author proposed it, but to add another layer to it and keep things harder, so I could push my knowledge curve and look at the questions from a different perspective.

Scenario

You have been hired as a digital forensics investigator to investigate a potential security breach at a company. The company has recently noticed unusual network activity and suspects that there may be a malicious process running on one of their computers. Your task is to identify the malicious process and gather information about its activity.

Q1) What is the process ID of the currently running malicious process?

Open PowerShell and mount the image file with the following command line:

PS C:\Binaries\MemProcFS> .\MemProcFS.exe -forensic 4 -device X:\Cases\Study\c82-NintendoHunt\memdump.mem
Initialized 64-bit Windows 10.0.17134
[PLUGIN] Python initialization failed. Python 3.6 or later not found.
============================== MemProcFS ==============================
- Author: Ulf Frisk - pcileech@frizk.net
- Info: https://github.com/ufrisk/MemProcFS
- License: GNU Affero General Public License v3.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MemProcFS is free open source software. If you find it useful please
become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Version: 5.6.0 (Windows)
- Mount Point: M:\
- Tag: 17134_c1bf76a3
- Operating System: Windows 10.0.17134 (X64)
==========================================================================

Navigate to M:\sys\proc and open proc.txt. Review the process list for processes without an exit time. We find svchost.exe with PID 8560 as a child of explorer.exe. That's unusual: svchost.exe is normally started by services.exe.
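To make that "unusual parent" check repeatable, here is an added Python example (not from the writeup and not MemProcFS code) that flags running processes whose parent is not the one Windows normally uses. The process list is a constructed sample in a simple tuple form, not the layout of proc.txt, and the expected-parent table is a small assumed baseline of core Windows processes.

```python
# Expected parent image name for a few core Windows processes. This is a small
# assumed baseline, not an exhaustive table.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "smss.exe": {"System"},
}

# Constructed sample process list: (pid, ppid, name, has_exit_time).
# It mimics the information in a memory-image process listing; it is not the
# challenge's data and not the proc.txt format.
SAMPLE_PROCESSES = [
    (4, 0, "System", False),
    (532, 4, "smss.exe", False),
    (620, 532, "wininit.exe", False),
    (700, 620, "services.exe", False),
    (712, 620, "lsass.exe", False),
    (904, 700, "svchost.exe", False),
    (1140, 700, "svchost.exe", False),
    (2800, 620, "userinit.exe", True),     # already exited (has an exit time)
    (3300, 2800, "explorer.exe", False),
    (8560, 3300, "svchost.exe", False),    # svchost.exe under explorer.exe
]


def find_parent_anomalies(procs):
    """Return (pid, name, ppid, parent_name) for every still-running process
    whose image name has a known expected parent and whose actual parent is
    something else (or is missing from the list altogether)."""
    by_pid = {pid: name for pid, _, name, _ in procs}
    anomalies = []
    for pid, ppid, name, exited in procs:
        if exited or name not in EXPECTED_PARENTS:
            continue
        parent_name = by_pid.get(ppid, "<not in list>")
        if parent_name not in EXPECTED_PARENTS[name]:
            anomalies.append((pid, name, ppid, parent_name))
    return anomalies


if __name__ == "__main__":
    for pid, name, ppid, parent in find_parent_anomalies(SAMPLE_PROCESSES):
        print(f"PID {pid} {name} has unexpected parent PID {ppid} ({parent})")
```

Only processes without an exit time are considered, matching the filter used on proc.txt above; a parent that no longer appears in the list is reported as well, since a legitimate services.exe would still be running.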

(Screenshot: Question 1)

Answer: 8560

Q2) What is the md5 hash hidden in the malicious process memory?

I need to confess, this one was tricky and I could not solve it. I went through the process of dumping the strings from M:\name\svchost.exe-8560\minidump\minidump.dmp and grepping for MD5 hashes (strings matching the regex [a-fA-F0-9]{32}) with no luck. After reading through the author's writeup, the answer was as simple as reading the strings output: the hash is stored base64-encoded, so a search for hex characters cannot match it.

PS C:\> cd M:\name\svchost.exe-8560\minidump
PS M:\name\svchost.exe-8560\minidump> ls
Directory: M:\name\svchost.exe-8560\minidump
Mode LastWriteTime Length Name
----  -------------  ------  ----
------  5/5/2023 1:43 PM  390 readme.txt
------  8/1/2018 8:13 PM  172728320 minidump.dmp
PS M:\name\svchost.exe-8560\minidump> C:\Binaries\SysinternalsSuite\strings64.exe -n 20 .\minidump.dmp > X:\Cases\Study\c82-NintendoHunt\svchost-strings.txt

Open the strings output file with your favorite text editor and read through it. At line 1457, we find the following base64 string: M2ExOTY5N2YyOTA5NWJjMjg5YTk2ZTQ1MDQ2Nzk2ODA=.

(Screenshot: Question 2)

Let’s decode this base64 with certutil:

PS C:\> certutil.exe -decode X:\Cases\Study\c82-NintendoHunt\flag-q2.txt c:\temp\flag-q2-dec.txt
Input Length = 44
Output Length = 32
CertUtil: -decode command completed successfully.
PS C:\> Get-Content C:\temp\flag-q2-dec.txt
3a19697f29095bc289a96e4504679680
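The reason the hex regex found nothing is that the digest sits in memory base64-encoded. As an added example (not part of the writeup), the following Python scans a strings dump both ways: the plain 32-hex-character search, and a decode-then-match pass over every base64-looking token. The strings sample is constructed; only the encoded digest is the value found above.

```python
import base64
import binascii
import re

# Constructed stand-in for a strings(1)-style dump of a process minidump. The
# third line is the base64 form of a 32-hex-character MD5 digest; the other
# lines are filler chosen to exercise the negative cases.
SAMPLE_STRINGS = """\
C:\\Windows\\System32\\svchost.exe
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
M2ExOTY5N2YyOTA5NWJjMjg5YTk2ZTQ1MDQ2Nzk2ODA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ThisIsJustARandomLongPrintableRunNotBase64!
"""

HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32}$")        # MD5: 16 bytes -> 32 hex chars
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # candidate base64 runs


def find_hex_digests(text):
    """The plain approach: look for 32 hex characters in a row."""
    return re.findall(r"\b[0-9a-fA-F]{32}\b", text)


def find_base64_hex_digests(text):
    """Decode every base64-looking token and keep those that yield a hex digest.
    Returns a list of (encoded_token, decoded_digest) pairs."""
    found = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, wrong padding, or a binary payload
        if HEX_DIGEST.match(decoded):
            found.append((token, decoded.lower()))
    return found


def scan_strings_file(path):
    """Run both checks over a saved strings output file (e.g. svchost-strings.txt)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"plain": find_hex_digests(text), "base64": find_base64_hex_digests(text)}


if __name__ == "__main__":
    print("plain :", find_hex_digests(SAMPLE_STRINGS))
    print("base64:", find_base64_hex_digests(SAMPLE_STRINGS))
```

The minimum token length of 20 mirrors the `-n 20` used with strings64 above; `validate=True` makes the decoder reject runs that merely look like base64, which keeps the false-positive rate low on a large dump.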

Answer: 3a19697f29095bc289a96e4504679680

Q3) What is the process name of the malicious process parent?

This can be answered with the results from Q1.

Answer: explorer.exe

Q4) What is the MAC address of this machine’s default gateway?

Windows tracks network connections in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. Luckily for us, MemProcFS mounts registry keys as folders, so navigating to M:\registry\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles we observe that one profile with GUID {596B8D0F-BFBC-4B67-9ED8-237BD3DDABF3} was created.

Opening the Managed.txt file, we observe the value is set to 0, suggesting this profile is unmanaged. Proceeding with our analysis, let's go to M:\registry\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0E3E937A4D0CD0A314266D2986CB7DED5D8B43B828FEEDCEFFD6DE7141DC1D15D. This is the only folder within the Unmanaged directory. Reviewing ProfileGuid.txt confirms this key is related to the profile we identified previously:

ffffd38985eb3000:008407d8
REG_SZ
{596B8D0F-BFBC-4B67-9ED8-237BD3DDABF3}

The answer for our question is in DefaultGatewayMac.txt file:

ffffd38985eb3000:00840960
REG_BINARY
0000 00 50 56 fe d8 07 .PV…

Answer: 00:50:56:fe:d8:07

Q5) What is the name of the file that is hidden in the alternative data stream?

The best way to check this would be the PowerShell cmdlet Get-Item with -Stream *, but because MemProcFS does not mount the memory image as an NTFS volume, we can't obtain that information from our M: drive.

PS M:\> Get-Item M:\forensic\ntfs\_\* -Stream *
Get-Item : The parameter is incorrect
At line:1 char:1
+ Get-Item M:\forensic\ntfs\_\* -Stream *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.GetItemCommand

The other option would be Streams from Sysinternals, but that didn't work either. So I used the PowerShell cmdlet Select-String to:

  1. Check all the mftinfo.txt files, recursively, for lines matching Type:.*Resident.*Named and include the previous 5 lines of context
  2. Write the results to a temp file
  3. Check for entries where the ADS came from $DATA

PS M:\forensic\ntfs\_> Get-ChildItem -Recurse mftinfo.txt | Select-String -Pattern 'Type:.*Resident.*Named' -Context 5,0 -AllMatches | Out-File C:\temp\flag-q5-temp.txt
PS M:\> Select-String '\$DATA' C:\temp\flag-q5-temp.txt
C:\temp\flag-q5-temp.txt:135: $_INFO\$BadClus\mftinfo.txt:58:$DATA
C:\temp\flag-q5-temp.txt:141: $_INFO\$Secure\mftinfo.txt:48:$DATA
C:\temp\flag-q5-temp.txt:183: $_INFO\$UpCase\mftinfo.txt:56:$DATA
C:\temp\flag-q5-temp.txt:126627: $Extend\$_INFO\$UsnJrnl\mftinfo.txt:48:$DATA
C:\temp\flag-q5-temp.txt:126633: $Extend\$_INFO\$UsnJrnl\mftinfo.txt:56:$DATA
C:\temp\flag-q5-temp.txt:126759: $Extend\$RmMetadata\$_INFO\$Repair\mftinfo.txt:56:$DATA
C:\temp\flag-q5-temp.txt:126807: $Extend\$RmMetadata\$_INFO\$Repair-1\mftinfo.txt:56:$DATA
C:\temp\flag-q5-temp.txt:126831: $Extend\$RmMetadata\$TxfLog\$_INFO\$Tops\mftinfo.txt:65:$DATA
C:\temp\flag-q5-temp.txt:127779: Users\CTF\Desktop\$_INFO\test.txt\mftinfo.txt:68:$DATA

If we ignore the system files (names starting with $), we end up with Users\CTF\Desktop\$_INFO\test.txt\mftinfo.txt. Reviewing the files within this directory, we find mftdata.mem, which according to the MemProcFS wiki (https://github.com/ufrisk/MemProcFS/wiki/FS_Forensic_Ntfs) is:

mftdata.mem — The 1024 byte long MFT record.

I opened this file with HxD to see its contents; look at this beauty:

(Screenshot: Question 5, part 1)

I wondered what happens if we parse this file with MFTECmd (https://ericzimmerman.github.io/#!index.md), an MFT parser:

PS M:\forensic\ntfs\_> C:\Binaries\EZTools\MFTECmd.exe -f '.\Users\CTF\Desktop\$_INFO\test.txt\mftdata.mem' --csv C:\temp\
MFTECmd version 1.2.2.1
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
Command line: -f .\Users\CTF\Desktop\$_INFO\test.txt\mftdata.mem --csv C:\temp\
Warning: Administrator privileges not found!
File type: Mft
Offset: 0x0 Entry/seq: 0x0/0x0 Fixup values do not match at 0x1FE. Expected: 0x06, actual: 0x00
Offset: 0x0 Entry/seq: 0x0/0x0 Fixup values do not match at 0x3FE. Expected: 0x06, actual: 0x00
Processed .\Users\CTF\Desktop\$_INFO\test.txt\mftdata.mem in 0.0174 seconds
.\Users\CTF\Desktop\$_INFO\test.txt\mftdata.mem: FILE records found: 1 (Free records: 0) File size: 1KB
CSV output will be saved to C:\temp\20230506013940_MFTECmd_$MFT_Output.csv

Checking the content of our CSV file 20230506013940_MFTECmd_$MFT_Output.csv with TimelineExplorer, we can see the ADS embedded within test.txt (yes.txt):
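What MFTECmd did with mftdata.mem can be reproduced in a few lines, and doing so also explains the two fixup warnings above. The Python below is an added example, not MemProcFS or MFTECmd code: it applies the update-sequence fixups of a 1024-byte FILE record, walks its attributes, and lists every $DATA stream, the named ones being the alternate data streams. Because the record from the image cannot be embedded here, the block builds a constructed record with an unnamed stream and a named yes.txt stream; the header and attribute offsets it uses are the standard NTFS FILE-record layout.

```python
import struct

ATTR_DATA = 0x80          # $DATA attribute type; a named $DATA is an alternate data stream
END_MARKER = 0xFFFFFFFF   # terminates the attribute list inside a FILE record
SECTOR = 512


def apply_fixups(record: bytes):
    """Undo the update-sequence fixups of a FILE record.

    NTFS overwrites the last two bytes of every sector with the update sequence
    number (USN) and keeps the original bytes in the update sequence array (USA).
    Returns (repaired_bytes, mismatches). A mismatch means the sector end did not
    hold the USN, which is what MFTECmd reports as "Fixup values do not match";
    the stored originals are put back either way, as MFTECmd keeps going too.
    """
    data = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", data, 0x04)
    usn = bytes(data[usa_off:usa_off + 2])
    mismatches = []
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        actual = bytes(data[pos:pos + 2])
        if actual != usn:
            mismatches.append((pos, actual, usn))
        data[pos:pos + 2] = data[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(data), mismatches


def parse_data_streams(record: bytes):
    """Walk the attributes of one 1024-byte FILE record and list its $DATA streams."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    data, mismatches = apply_fixups(record)
    off = struct.unpack_from("<H", data, 0x14)[0]      # offset of the first attribute
    streams = []
    while off + 16 <= len(data):
        atype, alen = struct.unpack_from("<II", data, off)
        if atype == END_MARKER or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", data, off + 8)
        name = data[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if atype == ATTR_DATA:
            # resident: content length at +0x10; non-resident: real size at +0x30
            size = (struct.unpack_from("<Q", data, off + 0x30)[0] if nonres
                    else struct.unpack_from("<I", data, off + 0x10)[0])
            streams.append({"name": name, "resident": not nonres, "size": size})
        off += alen
    return streams, mismatches


def alternate_streams(record: bytes):
    """Names of the named $DATA streams, i.e. the ADS entries hidden in the file."""
    return [s["name"] for s in parse_data_streams(record)[0] if s["name"]]


def _resident_attr(atype, name, content, attr_id):
    """Encode one resident attribute: 16-byte header, 8-byte resident part, name, content."""
    name_b = name.encode("utf-16-le")
    name_off = 0x18
    content_off = (name_off + len(name_b) + 7) & ~7    # content is 8-byte aligned
    total = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, 0, len(name), name_off, 0, attr_id)
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)
    body = (hdr + name_b).ljust(content_off, b"\0") + content
    return body.ljust(total, b"\0")


def build_sample_record(streams, usn=0x0006):
    """Construct a 1024-byte FILE record holding the given (name, content) $DATA
    streams. Constructed test input, not data from the challenge image."""
    usa_off, usa_count = 0x30, 3                             # USN + one entry per sector
    rec = bytearray(0x38)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, usa_off, usa_count)
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, 0x01)   # seq, links, 1st attr, in-use
    struct.pack_into("<I", rec, 0x1C, 1024)                  # allocated size
    struct.pack_into("<H", rec, 0x28, len(streams))          # next attribute id
    for attr_id, (name, content) in enumerate(streams):
        rec += _resident_attr(ATTR_DATA, name, content, attr_id)
    rec += struct.pack("<I", END_MARKER)
    struct.pack_into("<I", rec, 0x18, len(rec))              # used size
    rec = rec.ljust(1024, b"\0")
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(1, usa_count):                            # move sector ends into the USA
        pos = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[pos:pos + 2]
        struct.pack_into("<H", rec, pos, usn)
    return bytes(rec)


if __name__ == "__main__":
    sample = build_sample_record([("", b"just a decoy text file\r\n"), ("yes.txt", b"hidden in an ADS")])
    print(parse_data_streams(sample))
    print("ADS:", alternate_streams(sample))
```

If the record's sector ends already hold the original bytes (as the MFTECmd output above suggests for mftdata.mem), the parser reports mismatches at 0x1FE and 0x3FE, exactly the offsets in the warnings, and still recovers the stream names.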

(Screenshot: Question 5, part 2)

Answer: yes.txt

Q6) What is the full path of the browser cache created when the user visited "www.13cubed.com"?

The trick with this question is that the author asks for the DOS 8.3 format (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/18e63b13-ba43-4f5f-a5b7-11e871b71f14), also called the short file path, instead of the true path, or long file path. Looking at the NTFS timeline output for entries whose name contains '13cubed', we get the following:

PS M:\forensic\csv> Select-String '13cubed' .\timeline_ntfs.csv
timeline_ntfs.csv:32904:"2018-08-01 19:37:05",NTFS,CRE,0,0x0,0x6826ac00,\.\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IQDBNKYD\13Cubed[1].png,
timeline_ntfs.csv:33995:"2018-08-01 19:29:28",NTFS,MOD,0,0x0,0x378bd000,\.\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AHF2COV9\13cubed[1].htm,
timeline_ntfs.csv:33996:"2018-08-01 19:29:27",NTFS,CRE,0,0x0,0x378bd000,\.\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AHF2COV9\13cubed[1].htm,

Our flag is almost there. If we check the flag mask, the file name we have will not match. To convert the string to DOS 8.3 form, the only solution I came up with was to recreate the path and file on my 8.3-enabled partition and collect the information from there:

PS C:\> New-Item -ItemType Directory 'Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AHF2COV9\'
Directory: C:\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache
Mode LastWriteTime Length Name
----  -------------  ------  ----
d-----  5/7/2023 2:12 AM  AHF2COV9
PS C:\> New-Item -ItemType File 'Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AHF2COV9\13cubed[1].htm'
Directory:
C:\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AHF2COV9
Mode LastWriteTime Length Name
----  -------------  ------  ----
-a----  5/7/2023 2:12 AM  0 13cubed[1].htm

And one more step.

PS C:\> $fso = New-Object -com scripting.filesystemobject
PS C:\> $fso.GetFile("C:\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AHF2COV9\13cubed[1].htm").ShortPath()
C:\Users\CTF\AppData\Local\Packages\MICROS~1.MIC\AC\#!001\MICROS~1\Cache\AHF2COV9\13CUBE~1.HTM
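The 8.3 name Windows generates follows documented rules (upper-case, characters that 8.3 names cannot hold swapped for underscores, the first six characters plus ~N, a three-character extension), so the conversion can be approximated without recreating the directory. The Python below is an added example, not the writeup's method and not a Windows API: it implements those rules as I understand them, and the one thing it cannot know is the ~N counter (and the hashed form Windows switches to after several collisions), which depends on which sibling names existed on the original volume. The recreation on an 8.3-enabled partition shown above has the same limitation, which is why the counter is a parameter here.

```python
# Characters allowed in a long name but not in a DOS 8.3 name. Windows drops
# spaces and substitutes an underscore for the others when it builds the short
# form. This set and the rules below are the documented behaviour as assumed
# for this example; edge cases of the real algorithm are not covered.
_DROP = " "
_REPLACE = set("+,;=[]")

# The long path recovered from the NTFS timeline above.
LONG_PATH = (r"C:\Users\CTF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
             r"\AC\#!001\MicrosoftEdge\Cache\AHF2COV9\13cubed[1].htm")


def _is_valid_83(name: str) -> bool:
    """True when the name already fits 8.3 rules, so NTFS generates no short name."""
    if name.count(".") > 1 or any(c == _DROP or c in _REPLACE for c in name):
        return False
    base, _, ext = name.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3


def short_name(name: str, tilde: int = 1) -> str:
    """Approximate the short (8.3) form Windows derives from one path component.

    `tilde` is the collision counter (~1, ~2, ...); it cannot be derived from the
    name alone and is assumed to be 1 unless the caller knows better.
    """
    if _is_valid_83(name):
        return name
    # 1. drop spaces, swap the other illegal characters, strip leading periods
    cleaned = "".join("_" if c in _REPLACE else c for c in name if c != _DROP).lstrip(".")
    # 2. the last period (if any) starts the extension; earlier periods are dropped
    base, sep, ext = cleaned.rpartition(".")
    if not sep:
        base, ext = cleaned, ""
    # 3. upper-case, keep six base characters plus ~N, and three for the extension
    base = base.replace(".", "").upper()[:6] + f"~{tilde}"
    ext = ext.upper()[:3]
    return f"{base}.{ext}" if ext else base


def short_path(path: str) -> str:
    """Apply short_name() to every component of a drive-letter path."""
    drive, _, rest = path.partition("\\")
    return "\\".join([drive] + [short_name(p) for p in rest.split("\\") if p])


if __name__ == "__main__":
    print(short_path(LONG_PATH))
```

Run against the cache path, the components that already fit 8.3 (Users, CTF, AppData, Cache, #!001, AHF2COV9) pass through unchanged, while Microsoft.MicrosoftEdge_8wekyb3d8bbwe, MicrosoftEdge and 13cubed[1].htm are shortened; with the default counter of 1 the result matches the ShortPath output above.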

Answer: C:\Users\CTF\AppData\Local\Packages\MICROS~1.MIC\AC\#!001\MICROS~1\Cache\AHF2COV9\13cubed[1].htm

Final Thoughts

Solving this challenge with MemProcFS, HxD, MFTECmd, Timeline Explorer, PowerShell and certutil added a new level to the challenge, and I learned a lot from this approach. In a real-world case I would probably use Volatility 2 and 3 as well. The lesson for me is that I now have other avenues for finding the answers to questions during an investigation.
