# DumpMe

Hi,

welcome to my first CTF write-up.

In this write-up, I describe my procedure for solving the above-mentioned challenge on cyberdefenders.org (link: <https://cyberdefenders.org/blueteam-ctf-challenges/65>).

***

## **Question 1: What is the SHA1 hash of Triage-Memory.mem (memory dump)?**

To compute the SHA1 hash of the provided memory dump, I used the command *sha1sum \<mem-dump>* on my SIFT machine.

![](https://miro.medium.com/v2/resize:fit:548/1*iy_Q6gbQ0LM93hhM6_OZUQ.png)

## **Question 2: What volatility profile is the most appropriate for this machine? (ex: Win10x86\_14393)**

To get the answer for this question, I used the well-known tool *Volatility* for memory forensics.

> With the ***imageinfo*** plugin you get various high-level details about the memory dump (see: The Art of Memory Forensics, p. 62).

![](https://miro.medium.com/v2/resize:fit:700/1*CvojVceS0SLmiNfVhAExxA.png)

The answer for this question can be extracted from the *suggested profile* line.

## **Question 3: What was the process ID of notepad.exe?**

To list all processes in the memory dump, I used the *pstree* plugin and saved its output to a file (called *pstree*), because you often need to go back to this output more than once.

> The ***pstree*** plugin takes the output of the ***pslist*** plugin and formats it as a tree, which makes the parent-child relationships between processes visible. In general, the processes are linked with each other via a doubly linked list: for each element, this list stores two pointers, one to the predecessor and one to the successor. This information lies in the \_EPROCESS structure of each process. The ***pslist*** plugin walks this doubly linked list and prints one line per process (see: The Art of Memory Forensics).

![](https://miro.medium.com/v2/resize:fit:700/1*tVsdVSTInqjt29Pb7jpe4Q.png)

## **Question 4: Name the child process of wscript.exe.**

*pstree* for the win! Here we go….

![](https://miro.medium.com/v2/resize:fit:700/1*WOwe5684kkn6JgzLpdu3bw.png)

## **Question 5: What was the IP address of the machine at the time the RAM dump was created?**

To solve this question, I used the *netscan* plugin.

> This plugin locates the \_TCP\_ENDPOINT, \_TCP\_LISTENER and \_UDP\_ENDPOINT structures in memory (see: The Art of Memory Forensics).

![](https://miro.medium.com/v2/resize:fit:700/1*6bNGvnZdbsEkPkm7TcAZOA.png)

The screenshot above only shows the usage of the plugin; the output is truncated for clarity. Because we are dealing with a local machine, I searched the output for private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

## **Question 6: Based on the answer regarding the infected PID, can you determine the IP of the attacker?**

Again, I used the *netscan* plugin mentioned above. The infected PID is 3496 (see question 4), which is very useful for filtering the output of the *netscan* plugin.

![](https://miro.medium.com/v2/resize:fit:700/1*_SyLazlGrPyyywUHUTOTuQ.png)

It seems that the infected process opened a connection to the attacker's IP address on port 4444; this might be a reverse shell.
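The two *netscan* lookups (Question 5: private local addresses; Question 6: remote endpoints of the suspect PID) done programmatically, as an added example that is not part of the original write-up. The sample rows are constructed in the layout of Volatility 2 *netscan* output; the addresses, PIDs and owner names are placeholders, not the challenge's values.

```python
import ipaddress

# Constructed sample of Volatility 2 `netscan` output: layout only, not the
# challenge's real output; addresses and owner names are placeholders.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e0b7c70        UDPv4    0.0.0.0:0                      *:*                                   4        System         2019-03-22 05:33:15 UTC+0000
0x13e0c8a20        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        688      svchost.exe
0x13e2d1c10        TCPv6    ::1:445                        :::0                 LISTENING        4        System
0x13e6c7640        TCPv4    192.168.56.101:49204           203.0.113.5:4444     ESTABLISHED      3496     evil.exe
0x13e6d9a10        TCPv4    192.168.56.101:49180           192.168.56.1:445     ESTABLISHED      4        System
"""
# The three RFC 1918 ranges the write-up searches for.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_endpoint(text):
    """Split 'ip:port' into (ip_address or None, port or None); IPv6 has many colons."""
    host, _, port = text.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' or an empty host
        ip = None
    return ip, (int(port) if port.isdigit() else None)

def parse_netscan(text):
    """Parse netscan rows; State is blank for UDP rows, so find the PID by type."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].startswith("0x"):
            continue  # header or blank line
        state, i = ("", 4) if tok[4].isdigit() else (tok[4], 5)
        entries.append({"proto": tok[1], "local": split_endpoint(tok[2]),
                        "foreign": split_endpoint(tok[3]), "state": state,
                        "pid": int(tok[i]), "owner": tok[i + 1] if len(tok) > i + 1 else ""})
    return entries

def is_rfc1918(ip):
    return ip is not None and ip.version == 4 and any(ip in net for net in RFC1918)

def local_private_ips(entries):
    """Question 5: the host's own address is a private IP on the local side."""
    return sorted({str(e["local"][0]) for e in entries if is_rfc1918(e["local"][0])})

def connections_for_pid(entries, pid):
    """Question 6: remote endpoints the suspect PID was talking to."""
    return [(str(e["foreign"][0]), e["foreign"][1], e["state"]) for e in entries
            if e["pid"] == pid and e["foreign"][0] is not None
            and not e["foreign"][0].is_unspecified]
```

Listening sockets (foreign address 0.0.0.0 or ::) are dropped from the per-PID view so that only real peers remain.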

## **Question 7: How many processes are associated with VCRUNTIME140.dll?**

For this question, I used the *dlllist* plugin and grepped for the given DLL name.

> This plugin shows each DLL loaded by a process. To do so, it walks another doubly linked list, similar to the one mentioned above, to which DLLs are added automatically when they are loaded (see: The Art of Memory Forensics and <https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#dlllist>).

![](https://miro.medium.com/v2/resize:fit:700/1*Q50BYIjGzMNIVWgLQBk-9Q.png)

## **Question 8: After dumping the infected process, what is its md5 hash?**

We already know that the process with PID 3496 is the infected one. To dump its executable, I used the *procdump* plugin.

> This plugin dumps the process' executable. To identify the correct process, use the parameter *-p* with the PID (here: 3496) or *--offset \<physical offset>* with the physical offset of the corresponding \_EPROCESS structure, which can be found with the ***psscan*** plugin (see: The Art of Memory Forensics). The *-D* switch specifies the output directory.

![](https://miro.medium.com/v2/resize:fit:679/1*kT4lwBtrlbppFjzYPqLdsg.png)

Feel free to search for the hash value on VirusTotal.

![](https://miro.medium.com/v2/resize:fit:483/1*dTGe7gkxvpcH8rRRrJnXAQ.png)

## **Question 9: What is the LM hash of Bob’s account?**

The LM hash can be obtained with the *hashdump* plugin.

> This plugin dumps hashes from the *SAM* and the *SECURITY* hive of the registry.

![](https://miro.medium.com/v2/resize:fit:700/1*yIVPq4CvGuLtp6Qbkr8V3w.png)

## **Question 10: What memory protection constants does the VAD node at 0xfffffa800577ba10 have?**

To solve this question, I used the *vadinfo* plugin with a grep to filter for the given node. But what does that mean?

> The Virtual Address Descriptors (VAD) of **each** process describe the layout of the memory segments owned by that process. The VAD is organised as a self-balancing binary tree, and each node of the tree holds information about one memory range: the name of a mapped file, the address range of the segment and its protection (e.g. read, write, execute). The protection field describes which type of access is allowed to the memory region. PAGE\_EXECUTE, for example, means that the memory can only be executed, but not written (see: The Art of Memory Forensics).

![](https://miro.medium.com/v2/resize:fit:700/1*AamSI9I8iE4b7Do06RBwbQ.png)

## **Question 11: What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?**

Same procedure as above, but with a different grep command.

![](https://miro.medium.com/v2/resize:fit:700/1*XexPwExZETFpXCAhQ3dUCA.png)
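Both VAD lookups (Question 10 by node address, Question 11 by start/end range) as an added example that is not part of the original write-up, plus the check a defender usually runs over the same output: private regions that are both writable and executable. The sample is constructed in the layout of Volatility 2 *vadinfo* output; node addresses, ranges and protections are placeholders, not the challenge's values.

```python
import re

# Constructed sample in the layout of Volatility 2 `vadinfo` output. The node
# addresses, ranges and protections are placeholders, not the challenge's values.
VADINFO_SAMPLE = """\
VAD node @ 0xfffffa8005c1a010 Start 0x0000000000010000 End 0x000000000001ffff Tag VadS
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
VAD node @ 0xfffffa8005c1b3c0 Start 0x00000000005c0000 End 0x00000000005dffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa8005c1c660 Start 0x0000000076f20000 End 0x00000000770c8fff Tag Vad
Flags: CommitCharge: 6, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
FileObject @fffffa8005c1d070, Name: \\Windows\\System32\\ntdll.dll
"""
VAD_HEADER = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\w+)")

def parse_vadinfo(text):
    """One dict per VAD node: address, range, tag, protection name, backing file."""
    nodes = []
    for line in text.splitlines():
        m = VAD_HEADER.match(line)
        if m:
            nodes.append({"node": int(m[1], 16), "start": int(m[2], 16), "end": int(m[3], 16),
                          "tag": m[4], "protection": "", "file": ""})
        elif nodes and line.startswith("Protection: "):  # skips the 'Flags: ... Protection: n' line
            nodes[-1]["protection"] = line.split(": ", 1)[1].strip()
        elif nodes and line.startswith("FileObject") and "Name: " in line:
            nodes[-1]["file"] = line.split("Name: ", 1)[1].strip()
    return nodes

def protection_of_node(nodes, node_addr):
    """Question 10: look a node up by its VAD node address."""
    return next((n["protection"] for n in nodes if n["node"] == node_addr), None)

def protection_of_range(nodes, start, end):
    """Question 11: look a node up by its start and end addresses."""
    return next((n["protection"] for n in nodes if n["start"] == start and n["end"] == end), None)

WRITE_AND_EXECUTE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def private_wx_regions(nodes):
    """Regions that are writable and executable but not backed by a file: the
    combination worth a closer look when hunting injected code (cf. malfind)."""
    return [(n["start"], n["end"]) for n in nodes
            if n["protection"] in WRITE_AND_EXECUTE and not n["file"]]
```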

## **Question 12: There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)**

From the questions above we already know that the process *wscript.exe* is involved in the incident. With the *cmdline* plugin we can see the command line each process was started with.

![](https://miro.medium.com/v2/resize:fit:700/1*YpvEGA1nB-quLc2jNePKjQ.png)

## **Question 13: An application was run at 2019–03–07 23:06:58 UTC. What is the name of the program? (Include extension)**

To answer this question, I used the *shimcache* plugin.

> Shimcache is stored in a special registry key that contains binary data. It is part of the Application Compatibility Database, which is used to identify compatibility issues for applications. So if an application has been executed, the shimcache may contain information about it together with relevant timestamps (see: The Art of Memory Forensics).

![](https://miro.medium.com/v2/resize:fit:700/1*p0le14w1BljDdSVbc44laQ.png)

## **Question 14: What was written in notepad.exe at the time when the memory dump was captured?**

To solve this question, I dumped the whole process memory with the *memdump* plugin.

> Unlike the **procdump** plugin, **memdump** dumps all memory pages of the process into a single file.

To find the correct string, I grepped the *strings* output for *flag<*. I'm not happy with this approach, because in a real investigation you don't always know what to look for, but here it worked fine.

![](https://miro.medium.com/v2/resize:fit:372/1*4Zy6ZtoXeHGOQkC_d5A1vQ.png)

The *strings* parameter *-e l* sets the character encoding to look for: *l* stands for 16-bit little-endian.
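Why *-e l* matters, shown in code as an added example that is not part of the original write-up: a minimal re-implementation of the `strings` and `strings -e l` scans followed by the grep step, run over a constructed stand-in for a *memdump* file. The text that Notepad holds is stored as 16-bit little-endian, so the plain ASCII scan misses it while the UTF-16LE scan finds it; the sample bytes, the file name and the marker string are all constructed.

```python
import re

def ascii_strings(data, min_len=4):
    """Runs of printable ASCII bytes, like plain `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def utf16le_strings(data, min_len=4):
    """Runs of printable ASCII with a 0x00 high byte after each char, like `strings -e l`."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]

def find_matches(strings, pattern=r"flag<[^>]*>"):
    """The grep step: keep only the strings that contain the pattern."""
    rx = re.compile(pattern)
    return [s for s in strings if rx.search(s)]

def build_sample_dump():
    """Constructed stand-in for a memdump file: non-printable filler around one
    ASCII string and one UTF-16LE string (the encoding Windows uses for window text)."""
    filler = bytes(range(0x80, 0x100)) * 2
    return (filler + b"C:\\Windows\\notepad.exe\x00" + filler
            + "secret note flag<constructed-example>".encode("utf-16-le") + filler)

if __name__ == "__main__":
    dump = build_sample_dump()
    print("ascii  :", find_matches(ascii_strings(dump)))    # nothing found
    print("utf16le:", find_matches(utf16le_strings(dump)))  # the marker string
```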

## **Question 15: What is the short name of the file at file record 59045?**

I used the *mftparser* plugin of Volatility to extract entries from the Master File Table (MFT).

> This plugin scans the physical address space for the signatures FILE and BAAD. For each entry found, mftparser parses the attributes and builds a table with various information (e.g. file path, timestamps).

![](https://miro.medium.com/v2/resize:fit:620/1*RNYcYyxbe45DO2OxzWw-iQ.png)

I searched the output for the given record number and found the answer easily.

## **Question 16: This box was exploited and is running meterpreter. What was the infected PID?**

See Question 8.

***

**Conclusion: This was an interesting challenge for taking first steps in memory forensics and learning the basic tools and their functionality.**

