Mini Memory CTF Solutions Guide
Solutions Guide
Question #1
Find the running rogue (malicious) process. The flag is the MD5 hash of its PID.
The ubiquitous Windows svchost.exe process is a favorite of malware authors. A normal system will
have numerous svchost.exe processes running at any given time; therefore, it is common for
malware to hide amongst these legitimate processes in an effort to blend in and appear normal. The
real svchost.exe process will have a parent of services.exe, will reside on disk in
%SYSTEMROOT%\System32, and will have one or more -k parameters present.
We can use pstree, pslist, or psscan to verify that PID 804 is indeed services.exe, which is
expected (not shown). But what about PID 4824?
Now, let's focus on all the svchost.exe processes that have a PPID of 4824.
As you can see from the output above, only one process is still active in memory, and that is PID
8560. The MD5 hash of 8560 is bc05ca60f2f0d67d0525f41d1d8f8717 and is the answer to
Question #1.
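The three checks described above (parent is services.exe, image lives in %SYSTEMROOT%\System32, command line carries a -k parameter) can be applied mechanically to a process listing. The following is an added example, not code from this guide or from Volatility, that encodes them in Python over a constructed listing; PIDs 804, 4824 and 8560 are the ones named in the write-up, while the parent's name, the other PIDs, the paths and the exit timestamp are assumptions made for the example. It also skips processes that psscan reports as already exited, which is why only one child of PID 4824 is reported.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str                        # image path on disk
    cmdline: str
    exit_time: Optional[str] = None  # psscan reports a value here once a process has terminated


# Default %SYSTEMROOT%\System32 location; adjust if the image was installed elsewhere (assumption).
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed listing in the shape of pslist/psscan plus cmdline output. PIDs 804, 4824 and 8560 are
# the ones named in the write-up; the remaining PIDs, the parent's name and all paths are made up.
PROCS = [
    Proc(616, 4, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", "wininit.exe"),
    Proc(804, 616, "services.exe", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\system32\\services.exe"),
    Proc(1012, 804, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"),
    Proc(1100, 804, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"),
    Proc(4824, 3300, "placeholder_parent.exe", "C:\\Users\\victim\\AppData\\Local\\Temp\\placeholder_parent.exe", "placeholder_parent.exe"),
    # an earlier child that has already exited: psscan still finds it, pslist does not
    Proc(8100, 4824, "svchost.exe", "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe", "svchost.exe",
         exit_time="2020-01-01 00:00:00 UTC+0000"),
    Proc(8560, 4824, "svchost.exe", "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe", "svchost.exe"),
]

K_PARAM = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)


def svchost_anomalies(procs, systemroot32=SYSTEM32):
    """Return [(pid, [reasons])] for every still-active svchost.exe that breaks one of the three rules."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe" or p.exit_time is not None:
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            who = parent.name if parent else "not in the listing"
            reasons.append(f"parent PID {p.ppid} is {who}, expected services.exe")
        if not p.path.lower().startswith(systemroot32):
            reasons.append(f"image path {p.path} is outside %SYSTEMROOT%\\System32")
        if not K_PARAM.search(p.cmdline):
            reasons.append("command line has no -k parameter")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def flag_for_pid(pid: int) -> str:
    """MD5 of the decimal PID with no trailing newline (echo -n 8560 | md5sum, not echo 8560)."""
    return hashlib.md5(str(pid).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for pid, reasons in svchost_anomalies(PROCS):
        print(f"PID {pid}: " + "; ".join(reasons))
        print("  flag candidate:", flag_for_pid(pid))
```

The newline caveat in flag_for_pid matters in practice: hashing "8560\n" (what a plain echo pipes into md5sum) gives a different digest from hashing "8560".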
As shown in the screenshot above, we've used the memdump plugin to accomplish this, and the
resulting process memory has been written to a file named 8560.dmp. If we run strings against this
file and look for anything interesting, we'll come across this:
The string displayed is a Base64-encoded version of the flag. If we decode it, we’ll be left with
3a19697f29095bc289a96e4504679680, which is the answer to Question #2.
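To mirror the strings step without eyeballing the whole output, here is an added Python example (not from this guide) that pulls ASCII and UTF-16LE strings out of a dump the way strings and strings -el would, then reports only those Base64 tokens that decode to a 32-character lowercase hex string, i.e. something shaped like an MD5 flag. The dump bytes, the decoy token and the flag value are constructed stand-ins, not the CTF data.

```python
import base64
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")             # strings -n 8
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")      # strings -el -n 8 (UTF-16LE)
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
HEX32 = re.compile(rb"^[0-9a-f]{32}$")


def extract_strings(blob: bytes) -> list:
    """Roughly what `strings` plus `strings -el` report for a process dump."""
    found = [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group(0).decode("utf-16le") for m in WIDE_RUN.finditer(blob)]
    return found


def base64_hex_candidates(blob: bytes) -> list:
    """Return (encoded, decoded) pairs for Base64 tokens that decode to a 32-char hex string."""
    hits = []
    for s in extract_strings(blob):
        for tok in s.split():
            if not BASE64_TOKEN.match(tok):
                continue
            try:
                dec = base64.b64decode(tok, validate=True)   # strict alphabet and padding
            except ValueError:                               # binascii.Error is a ValueError
                continue
            if HEX32.match(dec):
                hits.append((tok, dec.decode("ascii")))
    return hits


# Constructed sample dump: a PE-like header, some ordinary strings, a Base64 decoy that does not
# decode to hex, and the placeholder flag stored as a UTF-16LE Base64 string. Not the real 8560.dmp.
PLACEHOLDER_FLAG = "0123456789abcdef0123456789abcdef"      # stand-in, not the CTF flag
ENCODED = base64.b64encode(PLACEHOLDER_FLAG.encode()).decode()
DECOY = base64.b64encode(b"nothing to see here, just a config blob").decode()
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + "svchost.exe -k netsvcs".encode("utf-16le") + b"\x00\x00"
    + DECOY.encode() + b"\x00" * 4
    + ENCODED.encode("utf-16le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    for encoded, decoded in base64_hex_candidates(SAMPLE_DUMP):
        print(f"{encoded} -> {decoded}")
```

Scanning for wide strings as well as ASCII matters on Windows memory, where most user-mode strings are UTF-16LE and a plain strings run would miss them.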
You’ll recall from traditional disk-based forensics that such information is available in the NetworkList
key, which is located in the SOFTWARE registry hive.
There is more than one way to find this information. We can use the Volatility printkey plugin to print
the known location of the NetworkList key:
This output would show us the subkey that contains the value we're after. In this case, it's
"010103000F0000F0080000000F0000F0E3E937A4D0CD0A314266D2986CB7DED5D8B43B828FEEDCEFFD6DE7141DC1D15D." Now, repeat the Volatility command, adding this subkey:
Convert the MAC address to UPPERCASE and add dashes (-) as delimiters. The MD5 hash of this
value (00-50-56-FE-D8-07) is 6496d43b622a2ad241b4d08699320f4e and is the answer to Question
#3.
Alternatively, we can use Volatility’s dumpregistry plugin to extract registry hives from memory and
write them to disk for further processing and analysis, as shown below:
(Output Truncated)
Search for “DefaultGatewayMac” within the output. As in the first method above, you’ll find that the
gateway’s MAC address is 00-50-56-FE-D8-07 (as displayed in UPPERCASE, with dashes as
delimiters). The MD5 hash of this value is 6496d43b622a2ad241b4d08699320f4e and is a second
way to obtain the answer to Question #3.
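Both methods above end with the same manual step: present the MAC as six uppercase octets joined by dashes, then hash that exact string. Because a stray colon or lowercase hex gives a different MD5, here is an added Python example (not from this guide) that normalizes whichever form the value was read in, the six raw REG_BINARY bytes that printkey dumps or a colon, dash or dot separated string, and hashes the result. The raw bytes are the gateway MAC from the write-up; the registry path in the comment is the standard location of the NetworkList signature keys.

```python
import hashlib
import re

# Standard location of the per-network signature keys; DefaultGatewayMac is a REG_BINARY value
# under one of the subkeys here:
#   SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\<signature>
NETWORKLIST_SIGNATURES = r"Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"


def normalize_mac(value) -> str:
    """Return the MAC as six UPPERCASE octets joined by dashes, e.g. 00-50-56-FE-D8-07.

    Accepts the raw six bytes of a REG_BINARY value, or a string in any of the usual
    00:50:56:fe:d8:07 / 00-50-56-fe-d8-07 / 0050.56fe.d807 / 005056fed807 spellings.
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 6:
            raise ValueError(f"expected 6 bytes, got {len(value)}")
        return "-".join(f"{b:02X}" for b in value)
    digits = re.sub(r"[:\-.\s]", "", value)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return "-".join(digits[i:i + 2].upper() for i in range(0, 12, 2))


def mac_flag(value) -> str:
    """MD5 of the normalized MAC string, which is what the question asks for."""
    return hashlib.md5(normalize_mac(value).encode("ascii")).hexdigest()


# The gateway MAC from the write-up, as the six bytes printkey would show for DefaultGatewayMac.
GATEWAY_MAC_RAW = bytes.fromhex("005056fed807")

if __name__ == "__main__":
    print(normalize_mac(GATEWAY_MAC_RAW), mac_flag(GATEWAY_MAC_RAW))
```

Whichever plugin produced the value, running it through normalize_mac first removes the most common reason for a "correct" MAC producing the wrong hash.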
To answer the final question, we'll need to use an artifact that can provide us with full file paths for
disk-based content. It turns out that Volatility provides a plugin called mftparser, which will scan for
and parse entries in the Windows NTFS Master File Table (MFT).