Notes:
- Make sure you are running a 64-bit Ubuntu 12.04 system with a 3.5.0-23-generic kernel. You will understand why later.
- This machine should also have Volatility 2.3 installed.
- A helpful tool is Sleuthkit: sudo apt-get install sleuthkit
To start, use Sleuthkit's srch_strings
on the memory dump and save it to a txt file to save time for future
greps. (You should also print the locations of each string in
decimal)
$ srch_strings -t d mem.dump > asis_md_grepboot.txt
Next, you want to find what image this
memory dump is for. I saved this to a file so I could reference it in
the future if need be.
$ grep BOOT_ asis_memdump_srchstr.txt > asis_md_grepboot.txt $ cat asis_md_grepboot.txt 30873265 BOOT_IMAGE=/vmlinuz-3.5.0-23-generic 31515756 Command line: BOOT_IMAGE=/vmlinuz-3.5.0-23-generic root=/dev/mapper/ubuntu--server-root ro 31520980 Kernel command line: BOOT_IMAGE=/vmlinuz-3.5.0-23-generic root=/dev/mapper/ubuntu--server-root ro 106342232 NT_STATUS_BAD_MASTER_BOOT_RECORD 129758942 NT_STATUS_BOOT_ALREADY_ACCEPTED = 0x00000434, 157849128 NT_STATUS_BAD_MASTER_BOOT_RECORD = 0xc00000a9, 173586344 NT_STATUS_BOOT_ALREADY_ACCEPTED 268365920 BOOT_IMAGE=/vmlinuz-3.5.0-23-generic 268366048 BOOT_IMAGE=/vmlinuz-3.5.0-23-generic root=/dev/mapper/ubuntu--server-root ro
“BOOT_IMAGE=/vmlinuz-3.5.0-23-generic”
This lets you know you need to set up a
profile for a linux kernal 3.5.0-23-generic
You will have to create a profile manually by using the steps on this page.
Remember you need make the profile on an 64-bit Ubuntu 12.04 system with a 3.5.0-23-generic kernel. Do not try and use the Ubuntu profile provided by volatility, because it is an older version. If it were up to date, you would just place this zip in: Volatility/volatility/plugins/overlays/linux/
You will have to create a profile manually by using the steps on this page.
Remember you need make the profile on an 64-bit Ubuntu 12.04 system with a 3.5.0-23-generic kernel. Do not try and use the Ubuntu profile provided by volatility, because it is an older version. If it were up to date, you would just place this zip in: Volatility/volatility/plugins/overlays/linux/
If you do not want to read the article here are the commands:
$ gdb /bin/bash GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04 ... ... (gdb) disassemble history_list Dump of assembler code for function history_list: 0x00000000004a53f0 <+0>: mov 0x2490c9(%rip),%rax # 0x6ee4c0 0x00000000004a53f7 <+7>: retq End of assembler dump.In the output, the hex offset of the history_list is given as a comment (0x6ee4c0)
With this found offset, you can now view the memory dump's command history
$ vol.py -f mem.dump --profile=LinuxUbuntu1204x64 linux_bash -H 0x6ee4c0 Pid Name Command Time Command ----- -------- ------------------------------ ------- ... 967 bash 2013-08-26 11:27:53 UTC+0000 uname -a 967 bash 2013-08-26 11:27:53 UTC+0000 wget 172.16.133.149:8090/asis-ctf -O /tmp/ 967 bash 2013-08-26 11:27:53 UTC+0000 wget 172.16.133.149:8090/asis-ctf 967 bash 2013-08-26 11:27:53 UTC+0000 ls 967 bash 2013-08-26 11:27:53 UTC+0000 du -h asis-ctf 967 bash 2013-08-26 11:27:53 UTC+0000 chmod +x asis-ctf 967 bash 2013-08-26 11:27:53 UTC+0000 ./asis-ctf 967 bash 2013-08-26 11:27:53 UTC+0000 sudo poweroff 967 bash 2013-08-26 11:27:54 UTC+0000 ls 967 bash 2013-08-26 11:30:37 UTC+0000 ./asis-ctf 967 bash 2013-08-26 12:00:04 UTC+0000 sudo apt-get install lynx 967 bash 2013-08-26 12:00:27 UTC+0000 lynx 967 bash 2013-08-26 12:10:44 UTC+0000 sudo apt-get install elinks 967 bash 2013-08-26 12:10:57 UTC+0000 elinks 967 bash 2013-08-26 12:14:58 UTC+0000 clear 967 bash 2013-08-26 12:15:00 UTC+0000 ls 967 bash 2013-08-26 12:15:28 UTC+0000 cp asis-ctf flag1 967 bash 2013-08-26 12:15:32 UTC+0000 ls -l 967 bash 2013-08-26 12:15:42 UTC+0000 md5sum flag1 ...
Looks like an “asis-ctf” program was executed. Is it still running?
It is! So lets look at this process' memory
The rest is unnecessary because they are just shared libraries and stacks involved. Let's look at the first 10 bytes of these files to figure out their file headers contain.
An Elf File! The next file (601000) has a program offset of 1000, so we know that this was a part of that executable. We will want to cat the two files together to make the executable.
Just to double check the file to see if it's an executable, we can run file on it.
$ vol.py -f mem.dump --profile=LinuxUbuntu1204x64 linux_pstree Name Pid Uid ------------ ------- ---- ... .cron 819 0 .atd 820 0 .login 837 0 ..bash 967 1000 ...asis-ctf 9425 1000 ...nano 15584 1000 .apache2 16346 0 ..apache2 16349 33 ..apache2 16350 33 ..apache2 16351 33 ...
It is! So lets look at this process' memory
$ vol.py -f mem.dump --profile=LinuxUbuntu1204x64 linux_proc_maps -p 9425 Pid Start End Flg Pgoff ... Inode File Path ---- ------------------ ------------------ --- ----- --- ---- ----------------- 9425 0x0000000000400000 0x0000000000401000 r-x 0x0 393333 /home/netadmin/asis-ctf 9425 0x0000000000600000 0x0000000000601000 r-- 0x0 393333 /home/netadmin/asis-ctf 9425 0x0000000000601000 0x0000000000602000 rw- 0x1000 393333 /home/netadmin/asis-ctf ---
The rest is unnecessary because they are just shared libraries and stacks involved. Let's look at the first 10 bytes of these files to figure out their file headers contain.
$ hexdump -C -n 10 task.9425.0x400000.vma 00000000 00 00 00 00 00 00 00 00 00 00 |..........| $ hexdump -C -n 10 task.9425.0x600000.vma 00000000 7f 45 4c 46 02 01 01 00 00 00 |.ELF......|
An Elf File! The next file (601000) has a program offset of 1000, so we know that this was a part of that executable. We will want to cat the two files together to make the executable.
$ cat task.9425.0x600000.vma task.9425.0x601000.vma > asis-ctf
Just to double check the file to see if it's an executable, we can run file on it.
$ file asis-ctf asis-ctf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
Check.
Time to load it into IDA and do some reversing on it.
Below was the section of code that was found to be adding an pseudo encrypted version of the key.
Victory!
-hackarali
Time to load it into IDA and do some reversing on it.
Below was the section of code that was found to be adding an pseudo encrypted version of the key.
LOAD:0000000000400683 mov byte ptr [rbp+var_A0], 42h LOAD:000000000040068A mov byte ptr [rbp+var_A0+1], 49h LOAD:0000000000400691 mov byte ptr [rbp+var_A0+2], 55h LOAD:0000000000400698 mov byte ptr [rbp+var_A0+3], 52h LOAD:000000000040069F mov byte ptr [rbp+var_A0+4], 4Ch LOAD:00000000004006A6 mov byte ptr [rbp+var_A0+5], 41h LOAD:00000000004006AD mov byte ptr [rbp+var_A0+6], 57h LOAD:00000000004006B4 mov byte ptr [rbp+var_A0+7], 4Eh LOAD:00000000004006BB mov [rbp+var_98], 64h LOAD:00000000004006C2 mov [rbp+var_97], 5Fh LOAD:00000000004006C9 mov [rbp+var_96], 69h LOAD:00000000004006D0 mov [rbp+var_95], 37h ...And this was the section found to be doing the decoding and printing.
LOAD:0000000000400867 loc_400867: ; CODE XREF: sub_400644+25B j LOAD:0000000000400867 mov eax, [rbp+var_A4] LOAD:000000000040086D add eax, eax LOAD:000000000040086F cdqe LOAD:0000000000400871 movzx eax, byte ptr [rbp+rax+var_A0] LOAD:0000000000400879 movsx eax, al LOAD:000000000040087C sub eax, [rbp+var_A4] LOAD:0000000000400882 sub eax, 1 LOAD:0000000000400885 mov edi, eax LOAD:0000000000400887 call sub_400500 LOAD:000000000040088C add [rbp+var_A4], 1 LOAD:0000000000400893Since the executable was not runnable, we had to create a python code that would take these inputs, convert them to decimal and do the decoding method.
hex_input = "42 49 55 52 4c 41 57 4e 64 5f 69 37 69 31 3e 63 6b 65 6c 33 3b 34 3d 65 3f 65 6f 63 47 31 75 36 72 66 42 62 4a 65 75 39 49 66 48 34 4d 32 4a 34 4e 37 4e 32 4d 35 55 65 50 37 82 32 84 61 52 35 83 39 85 61 53 34 89 39 8b 64 26"
dec_input = []
for h in hex_input.split(" "): #using space as a delimeter
dec_input.append(int('0x' + h, 16)) #add a 0x to each hex input and decode it to an int
flag = ""
for i in range(0, 37):
flag += chr(dec_input[2 * i] - i - 1) #from print method in recovered executable.
print flag
>>>ASIS_cb6bb012a8ea07a426254293de2bc0ef
Victory!
-hackarali
No comments:
Post a Comment