Introduction
Last time, I posted a solution that showed how I approached the first lab of the MemLabs challenges. This post shows how I got the flags for the second lab of MemLabs, called “A New World”.
Extracting the clues from description
The following is the challenge description that contains the needed clues to solve this lab.
One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very popular “environmental” activist. As a part of the investigation, he told us that his go to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us.
I managed to extract the following two clues:
- “He is supposedly a very popular “environmental” activist”: the word “environmental” is a hint to check the environment variables.
- “He told us that his go-to applications are browsers, his password managers, etc.”: this sentence is a hint that his important data is to be found in the browser and the password manager.
Finding the image profile
First of all, we need to find the profile of the memory image using the imageinfo plugin, as in the following command.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/oviche/Desktop/memlabs/MemoryDump_Lab2.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027f20a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027f3d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-12-14 10:38:46 UTC+0000
Image local date and time : 2019-12-14 16:08:46 +0530
The first suggested profile “Win7SP1x64” worked in my case.
Checking the environment variables
I used the envars plugin to check the environment variables, as in the following command.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars
By scrolling through the results of the executed command, I noticed that an environment variable named “NEW_TMP” is repeated across several processes and that its value looks like a base64-encoded string.
(The results of envars plugin)
When I decoded that string as base64, the flag for the first stage was printed, as shown in the command below.
CommandLine
$ echo "ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9" | base64 -d
flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}
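Scrolling through envars output by eye does not scale, so here is an added example (my own script, not part of the original writeup or of Volatility) that parses the envars text, picks out values that fit the base64 alphabet and length rules, and decodes only those that turn into printable ASCII. The sample output is constructed for this example: the pids, process names and block addresses are made up, and only the NEW_TMP value is the one quoted above.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample of Volatility 2 `envars` output (pids, processes and
# block addresses are made up; only the NEW_TMP value comes from the writeup).
SAMPLE_ENVARS = r"""Volatility Foundation Volatility Framework 2.6
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
     360 csrss.exe            0x00000000003e1320 ComSpec                        C:\Windows\system32\cmd.exe
    1244 explorer.exe         0x0000000000371320 NEW_TMP                        ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
    1244 explorer.exe         0x0000000000371320 TEMP                           C:\Users\SmartNet\AppData\Local\Temp
    2200 cmd.exe              0x0000000000261320 NEW_TMP                        ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
    2200 cmd.exe              0x0000000000261320 SESSIONNAME                    Console
"""

# A candidate must use only the base64 alphabet, carry at most two '=' of
# padding, be a multiple of 4 long, and be long enough to avoid short words.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_like_base64(value: str) -> bool:
    return bool(B64_RE.match(value)) and len(value) % 4 == 0


def decode_if_text(value: str) -> Optional[str]:
    """Return the decoded string if `value` is strict base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if all(32 <= ord(c) < 127 for c in text) else None


def find_encoded_envars(envars_output: str) -> List[Tuple[int, str, str, str]]:
    """Parse envars text and return (pid, process, variable, decoded) for every
    base64-looking value; the same (variable, value) pair is reported once even
    when it is repeated across many processes."""
    seen = set()
    hits = []
    for line in envars_output.splitlines():
        parts = line.split(None, 4)  # Pid, Process, Block, Variable, Value
        if len(parts) != 5 or not parts[0].isdigit():
            continue  # banner, header or separator line
        pid, process, _block, variable, value = parts
        value = value.strip()
        if not looks_like_base64(value):
            continue
        decoded = decode_if_text(value)
        if decoded is None or (variable, value) in seen:
            continue
        seen.add((variable, value))
        hits.append((int(pid), process, variable, decoded))
    return hits


if __name__ == "__main__":
    for pid, proc, var, decoded in find_encoded_envars(SAMPLE_ENVARS):
        print(f"{pid:>6} {proc:<14} {var} -> {decoded}")
```

To run it on a real dump, pipe the plugin output into the function, for example by reading `./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars > envars.txt` and passing the file contents to `find_encoded_envars`. The printable-ASCII filter is what keeps binary-looking values (and plain Windows paths, which fail the alphabet check anyway) out of the result.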
Investigating the password manager
Firstly, we need to identify the name of the password manager used in the memory image. This is done by listing the running processes using the pslist plugin, as shown in the following screenshot.
(The list of running processes)
As you can see in the above screenshot, there are two important processes. The first one is “KeePass”, which is the password manager in use. The second one is “Chrome”, which is the browser in use. However, let’s ignore the browser part for now and focus on finding the important data associated with the password manager.
I wanted to find out more about that process by looking at the command line arguments passed to the KeePass program, using the cmdline plugin.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 cmdline -p 3008
Volatility Foundation Volatility Framework 2.6
************************************************************************
KeePass.exe pid: 3008
Command line : "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" "C:\Users\SmartNet\Secrets\Hidden.kdbx"
In the above result, KeePass was executed with a command line argument containing the path of the file “Hidden.kdbx”, which is an encrypted password database that can be opened only with its master password.
So let’s find the physical address of the “Hidden.kdbx” file and dump it from memory using the following commands.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep -i "Hidden.kdbx"
Volatility Foundation Volatility Framework 2.6
0x000000003fb112a0 16 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 -Q 0x000000003fb112a0 dumpfiles -D DumpedFiles
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fb112a0 None \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx
Finally, we need to find the master password to decrypt this database. After being stuck for a long time, I decided to look for any file with the word “pass” in its name, as shown in the following screenshot.
(Finding the password image file)
As shown above, an image file named “Password.png” was found; to check its content, we need to dump it from memory with the following command.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 -Q 0x000000003fce1c70 dumpfiles -D DumpedFiles
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fce1c70 None \Device\HarddiskVolume2\Users\Alissa Simpson\Pictures\Password.png
At the lower right side of the image below, I found the password for the database, which is “P4SSw0rd_123”.
(The image containing the password)
After that, I used this password to open Hidden.kdbx and copied the password of the user named “Flag”, which is the second stage flag: flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}.
(Enter master password)
(The flag user)
Investigating the Chrome browser
Now, let’s find the important data related to the Chrome browser. My first thought was to find the SQLite database that holds the Chrome browsing history, a file named “History”.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep -i "chrome" | grep -E "History$"
Volatility Foundation Volatility Framework 2.6
0x000000003fcfb1d0 18 1 RW-rw- \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History
Then, I dumped the file from memory with the following command, using the physical offset returned by filescan.
CommandLine
$ ./vol -f MemoryDump_Lab2.raw --profile=Win7SP1x64 -Q 0x000000003fcfb1d0 dumpfiles -D DumpedFiles
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fcfb1d0 None \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x3fcfb1d0 None \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History
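The three dumps above (the KeePass database, the password image and the Chrome History file) follow the same pattern: find the file in filescan output, then pass that line's physical offset to dumpfiles with -Q. Because the offset is copied by hand each time, it is easy to reuse a stale one from an earlier command. The following added script (my own, not from the writeup or from Volatility) parses filescan output, tags the files a forensic analyst would look for in this lab, and prints one dumpfiles command per match with the offset taken from that very line. The sample lines reuse the three offsets and paths shown in this post plus two constructed entries; the `./vol`, image and profile names are the ones used throughout the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Volatility 2 `filescan` output. The first three entries
# reproduce lines shown in the writeup; the last two are made up for this example.
SAMPLE_FILESCAN = r"""Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fb112a0     16      0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx
0x000000003fce1c70     16      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Pictures\Password.png
0x000000003fcfb1d0     18      1 RW-rw- \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History
0x000000003fd00000     16      0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History-journal
0x000000003fd11111     16      0 R--r-- \Device\HarddiskVolume2\Windows\System32\kernel32.dll
"""

# offset, #Ptr, #Hnd, access, path (the path may contain spaces, so it is matched last).
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*\S)\s*$")

# Artefact classes worth pulling out of this image; the first matching label wins.
INTERESTING: Dict[str, "re.Pattern[str]"] = {
    "keepass-db": re.compile(r"\.kdbx$", re.IGNORECASE),
    "chrome-history": re.compile(r"\\Chrome\\User Data\\[^\\]+\\History$"),
    "password-hint": re.compile(r"pass", re.IGNORECASE),
}


def parse_filescan(text: str) -> List[Tuple[int, str]]:
    """Return (physical_offset, path) for every data line of filescan output."""
    entries = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line)
        if m:
            entries.append((int(m.group(1), 16), m.group(5)))
    return entries


def select_files(entries: List[Tuple[int, str]],
                 patterns: Dict[str, "re.Pattern[str]"] = INTERESTING) -> List[Tuple[str, int, str]]:
    """Tag each entry whose path matches one of the patterns as (label, offset, path)."""
    hits = []
    for offset, path in entries:
        for label, rx in patterns.items():
            if rx.search(path):
                hits.append((label, offset, path))
                break
    return hits


def dumpfiles_commands(hits: List[Tuple[str, int, str]], image: str = "MemoryDump_Lab2.raw",
                       profile: str = "Win7SP1x64", outdir: str = "DumpedFiles") -> List[str]:
    """One dumpfiles invocation per hit; -Q is always the offset of that hit's own
    filescan line, so a stale offset cannot be carried over between commands."""
    return [
        f"./vol -f {image} --profile={profile} -Q {offset:#018x} dumpfiles -D {outdir}  # {label}: {path}"
        for label, offset, path in hits
    ]


if __name__ == "__main__":
    for cmd in dumpfiles_commands(select_files(parse_filescan(SAMPLE_FILESCAN))):
        print(cmd)
```

The `chrome-history` pattern deliberately anchors on `History$` so that `History-journal` and other sidecar files are not picked up, and `password-hint` is listed last so that a KeePass database is labelled as such even if its name happens to contain "pass".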
I used DB Browser for SQLite to open the dumped Chrome history file. There I found a MEGA URL pointing to the Important.zip file.
(Chrome history)
(The found zip file)
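Opening the dumped History file in DB Browser works, but the timestamps in it are not human-readable: Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch), not as Unix time. The added example below (my own code, not from the writeup) builds a small in-memory stand-in for the Chrome History database with only the `urls` and `downloads` columns it reads, converts the WebKit timestamps, and queries for visits to file-sharing hosts and for downloads together with the page they were started from. The rows, the placeholder MEGA link and the download path are constructed for this example; the zip size is the one reported by 7z later in the post.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_webkit(dt: datetime) -> int:
    # Integer arithmetic: values around 1.3e16 lose precision as floats.
    td = dt - WEBKIT_EPOCH
    return (td.days * 86400 + td.seconds) * 10**6 + td.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a dumped Chrome `History` file. Only the columns
    this example reads from the real `urls` and `downloads` tables are created."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
                                start_time INTEGER, total_bytes INTEGER);
    """)
    t0 = datetime(2019, 12, 14, 10, 30, 0, tzinfo=timezone.utc)  # constructed
    mega = "https://mega.nz/file/PLACEHOLDER-not-a-real-link"       # constructed
    rows = [
        ("https://www.google.com/search?q=keepass", "keepass - Google Search", 1, t0),
        (mega, "MEGA", 2, t0 + timedelta(minutes=3)),
        ("https://keepass.info/", "KeePass Password Safe", 1, t0 + timedelta(minutes=1)),
    ]
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?,?,?,?)",
        [(u, t, c, datetime_to_webkit(d)) for u, t, c, d in rows])
    con.execute(
        "INSERT INTO downloads (target_path, tab_url, start_time, total_bytes) VALUES (?,?,?,?)",
        (r"C:\Users\SmartNet\Downloads\Important.zip", mega,
         datetime_to_webkit(t0 + timedelta(minutes=4)), 57457))
    return con


def file_hosting_visits(con: sqlite3.Connection,
                        hosts=("mega.nz", "drive.google.com", "dropbox.com")) -> List[Tuple[str, str, str]]:
    """Visited URLs on file-sharing hosts, oldest first, with readable UTC times."""
    clauses = " OR ".join("url LIKE ?" for _ in hosts)
    params = [f"%://{h}/%" for h in hosts]
    cur = con.execute(
        f"SELECT url, title, last_visit_time FROM urls WHERE {clauses} ORDER BY last_visit_time", params)
    return [(url, title, webkit_to_datetime(ts).strftime("%Y-%m-%d %H:%M:%S UTC"))
            for url, title, ts in cur]


def downloads_with_origin(con: sqlite3.Connection) -> List[Tuple[str, str, str, int]]:
    """Downloaded files with the tab URL they came from, readable start time and size."""
    cur = con.execute(
        "SELECT target_path, tab_url, start_time, total_bytes FROM downloads ORDER BY start_time")
    return [(path, url, webkit_to_datetime(ts).strftime("%Y-%m-%d %H:%M:%S UTC"), size)
            for path, url, ts, size in cur]


if __name__ == "__main__":
    con = build_sample_history()
    for row in file_hosting_visits(con):
        print("visit   ", row)
    for row in downloads_with_origin(con):
        print("download", row)
```

On a real dump, replace `build_sample_history()` with `sqlite3.connect("DumpedFiles/<dumped History file>")`; the two query functions work unchanged because they only touch columns that exist in Chrome's schema.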
The downloaded zip file contains another zip that is password-protected. When I tried to extract it, the following hint was shown, stating that the password is the SHA1 of the stage 3 flag of Lab 1.
CommandLine
$ 7z x Important.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz (40651),ASM,AES-NI)
Scanning the drive for archives:
1 file, 57457 bytes (57 KiB)
Extracting archive: Important.zip
--
Path = Important.zip
Type = zip
Physical Size = 57457
Comment = Password is SHA1(stage-3-FLAG) from Lab-1. Password is in lowercase.
Enter password (will not be echoed):
So I computed the SHA1 hash of the flag from the previous lab, as follows.
CommandLine
$ echo -n "flag{w3ll_3rd_stage_was_easy}" | sha1sum
6045dd90029719a039fd2d2ebcca718439dd100a -
After successfully extracting that file, the following image, which contains the flag for the third stage, was found.
(Stage3 flag)
Conclusion
The final solution is the concatenation of flags as below.
flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2} flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!} flag{oK_So_Now_St4g3_3_is_DoNE!!}