SharifCTF 2018 - hidden


Another challenge from SharifCTF called hidden.

  • Category: Forensics
  • Points: 100
Find the hidden process.

The flag is SharifCTF{MD5(Process id)}.

Solution

First inspections using the file command does not reveal a lot, but we seem to get what’s the content of the dump with the strings tool.

main:~/projects/sharictf > file dump
dump: data
main:~/projects/sharictf > strings dump
...
Microsoft DH SChannel Cryptographic Provider
dhTl
vPrivateKeyInfoEncode
IPSec Policy agent endpoint
IPSec Policy agent endpoint
IPSec Policy agent endpoint
IPSec Policy agent endpoint
IPSec Policy agent endpoint
\PIPE\lsass
\\SECURE-CBE6C864
...

As we know that’s it’s the memory dump, I decided to run this awesome linux tool for memory dump analysis called Volatility. Firstly I’ll run it with imageinfo option that will show us basic information about the dump.

main:~/projects/sharictf > volatility imageinfo -f dump
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/w3ndige/projects/sharictf/dump)
                      PAE type : PAE
                           DTB : 0x359000L
                          KDBG : 0x80545c60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2018-01-28 17:35:20 UTC+0000
     Image local date and time : 2018-01-28 21:05:20 +0330

From that information, the most essential one is the suggested profile WinXPSP2x86, we’ll use it in later analysis. As we have to get the PID of the hidden process, I decided to look into the documentation of this tool and here it is - psxview.

This plugin helps you detect hidden processes by comparing what PsActiveProcessHead contains with what is reported by various other sources of process listings. It compares the following:

Let’s run the analysis.

main:~/projects/sharictf > volatility --profile=WinXPSP2x86 psxview -f dump
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x010eb4c0 rundll32.exe            396 True   True   False    True   True  True    True     
0x01c279c0 svchost.exe             900 True   True   False    True   True  True    True     
0x01e64350 vmtoolsd.exe            404 False  True   False    True   True  True    True     
0x025b7020 explorer.exe           1576 True   True   False    True   True  True    True     
0x01e6d608 winlogon.exe            644 True   True   False    True   True  True    True     
0x01ecd378 svchost.exe             988 True   True   False    True   True  True    True     
0x031b1cf0 spoolsv.exe            1508 True   True   False    True   True  True    True     
0x01fbe410 lsass.exe               700 True   True   False    True   True  True    True     
0x0096c0e8 wscntfy.exe             920 True   True   False    True   True  True    True     
0x039347a8 svchost.exe            1188 True   True   False    True   True  True    True     
0x0308d9f0 svchost.exe            1604 True   True   False    True   True  True    True     
0x01c58798 vmacthlp.exe            856 True   True   False    True   True  True    True     
0x01de4878 svchost.exe            1236 True   True   False    True   True  True    True     
0x01bbd488 services.exe            688 True   True   False    True   True  True    True     
0x01fbd6e0 svchost.exe            1024 True   True   False    True   True  True    True     
0x02e7eb20 svchost.exe            1692 True   True   False    True   True  True    True     
0x01209a00 System                    4 True   True   False    True   False False   False    
0x01bbd900 smss.exe                548 True   True   False    True   False False   False    
0x021a7da0 csrss.exe               620 True   True   False    True   False True    True     
0x02dbb448 wmiprvse.exe            908 False  True   False    False  False False   False    2018-01-28 17:34:22 UTC+0000
0x01ebe168 cmd.exe                1704 False  True   False    False  False False   False    2018-01-28 17:34:00 UTC+0000

Now we can see that the only process with false value is vmtoolsd.exe with PID 404. The last step is to calculate MD5 hash out of that PID and submit the flag.

SharifCTF{4f4adcbf8c6f66dcfc8a3282ac2bf10a}

Tools

Volatility

References

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#psxview

https://www.youtube.com/watch?v=ceXT9fBGJaI

Keep learning and stay safe! ~ W3ndige