
STDiO 2023 Capture The Flag: 25 - Check Mem

1st flag can be found in somewhere that every-windows have it.

File Challenge : https://drive.google.com/file/d/1jb9Cwgqo5nbki90SlIGgOtHCCo07cIpJ/view?usp=sharing

MD5 Checksum : ce6d372454020c34dfe3462063c0d09e

Once you have found the answer, it will tell you what the flag value is. Submit it in the format STDIO23_25{flag}; for example, if you find that the flag is ce6d372454020c34dfe3462063c0d09e, answer STDIO23_25{ce6d372454020c34dfe3462063c0d09e}.

author: Mirthz

After downloading the file, extract it:

unrar x -kb STDiO_memdump.rar

This gives the file STDiO_memdump, which is a memory dump. The tool used to scan it is volatility3: https://github.com/volatilityfoundation/volatility3

$ ./vol.py --help
Volatility 3 Framework 2.5.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
                  [--save-config SAVE_CONFIG] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...

An open-source memory forensics framework

options:
  -h, --help            Show this help message and exit, for specific plugin options use 'volatility <pluginname> --help'
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to off if no argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed) setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
...
Plugins:
  For plugin specific options, run 'volatility <plugin> --help'

  plugin
    banners.Banners     Attempts to identify potential linux banners in an image
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs configuration in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of Volatility
    isfinfo.IsfInfo     Determines information about the currently available ISF files, or a specific one
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer produced by the stacker.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.capabilities.Capabilities
                        Lists process capabilities
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network protocols.
    linux.check_creds.Check_creds
                        Checks if any processes are sharing credential structures
    linux.check_idt.Check_idt
                        Checks if the IDT has been altered
    linux.check_modules.Check_modules
                        Compares module list to sysfs info, if available
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.envars.Envars
    linux.envvars.Envvars
                        Lists processes with their environment variables
...

Let's start. The challenge says "1st flag can be found in somewhere that every-windows have it.", so we already know this is a Windows memory dump and only need to care about the Windows plugins, since volatility3 can scan Linux, Mac and Windows dumps alike :)

From the hint, the relevant plugin is probably windows.envars.Envars, because every Windows process has environment variables.

$ ./vol.py -f ~/Downloads/stdio-ctf-2023/25/STDiO_memdump windows.envars.Envars

...
4944    RuntimeBroker.  0x20d67603430   CommonProgramFiles(x86) C:\Program Files (x86)\Common Files
4944    RuntimeBroker.  0x20d67603430   CommonProgramW6432      C:\Program Files\Common Files
4944    RuntimeBroker.  0x20d67603430   COMPUTERNAME    DESKTOP-QPU6OJ5
4944    RuntimeBroker.  0x20d67603430   ComSpec C:\Windows\system32\cmd.exe
4944    RuntimeBroker.  0x20d67603430   DriverData      C:\Windows\System32\Drivers\DriverData
4944    RuntimeBroker.  0x20d67603430   F.1.a.G is d616ad7365a1b99bc7257091356d9514
4944    RuntimeBroker.  0x20d67603430   HOMEDRIVE       C:
4944    RuntimeBroker.  0x20d67603430   HOMEPATH        \Users\Mirth
4944    RuntimeBroker.  0x20d67603430   LOCALAPPDATA    C:\Users\Mirth\AppData\Local
...

Found it. Now adjust it to the flag format:

STDIO23_25{d616ad7365a1b99bc7257091356d9514}
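Scrolling through the full Envars output by eye does not scale, so here is a small triage script, added to this writeup and not part of the original, that parses the whitespace-separated rows shown above, shortlists variable names that are not in a baseline of normal Windows variables, pulls out any MD5-sized hex token, and wraps it in the challenge's flag format. The sample rows and the (partial) baseline are constructed from the output on this page.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring the windows.envars.Envars rows shown above
# (PID, process, block address, variable, value; whitespace-separated).
SAMPLE_ENVARS = """\
4944    RuntimeBroker.  0x20d67603430   CommonProgramFiles(x86) C:\\Program Files (x86)\\Common Files
4944    RuntimeBroker.  0x20d67603430   COMPUTERNAME    DESKTOP-QPU6OJ5
4944    RuntimeBroker.  0x20d67603430   ComSpec C:\\Windows\\system32\\cmd.exe
4944    RuntimeBroker.  0x20d67603430   F.1.a.G is d616ad7365a1b99bc7257091356d9514
4944    RuntimeBroker.  0x20d67603430   HOMEDRIVE       C:
"""

# Partial baseline built from the normal entries on this page; a real one would
# come from a known-clean host of the same Windows build.
BASELINE_NAMES: Set[str] = {
    "COMMONPROGRAMFILES(X86)", "COMMONPROGRAMW6432", "COMPUTERNAME",
    "COMSPEC", "DRIVERDATA", "HOMEDRIVE", "HOMEPATH", "LOCALAPPDATA",
}

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")  # MD5-sized token, as the flag format expects


def parse_envars(text: str) -> List[Dict[str, str]]:
    """Split each output row into pid, process, block, variable name and value."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip(), maxsplit=3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # skip headers, '...' markers and blank lines
        pid, proc, block, rest = parts
        nv = re.split(r"\s+", rest, maxsplit=1)  # tabs or spaces both work
        name, value = nv[0], (nv[1] if len(nv) > 1 else "")
        rows.append({"pid": pid, "process": proc, "block": block,
                     "name": name, "value": value})
    return rows


def unexpected_names(rows: List[Dict[str, str]], baseline: Set[str] = BASELINE_NAMES) -> Set[str]:
    """Variable names absent from the baseline: the triage shortlist."""
    return {r["name"] for r in rows if r["name"].upper() not in baseline}


def find_hex32(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(pid, variable, token) for every 32-hex-digit token in a name or value."""
    hits = []
    for r in rows:
        for tok in HEX32.findall(r["name"] + " " + r["value"]):
            hits.append((r["pid"], r["name"], tok.lower()))
    return hits


def format_flag(token: str) -> str:
    return f"STDIO23_25{{{token}}}"
```

Feed it the saved plugin output (for example `./vol.py -q -f STDiO_memdump windows.envars.Envars > envars.txt`) in place of the embedded sample; the baseline should then cover the full set of names from a clean reference host.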
