A memory dump is given.
Before starting the challenge I read this writeup again, which was really helpful.
First we have to determine the profile of the memory dump; every later plugin call depends on it. The profile can be identified with imageinfo.
$ volatility imageinfo -f memory.dmp
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/simon/git/CTF/CSCG_2020/misc/win_eXPerience/memory.dmp)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054c760L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-03-22 18:30:56 UTC+0000
Image local date and time : 2020-03-22 10:30:56 -0800
Two profiles were suggested, so we can just try the first one, WinXPSP2x86. With volatility --info a list of the available modules is shown. Because of the challenge description, I first thought of a TrueCrypt container, so I tried the TrueCrypt modules of volatility.
$ volatility -f memory.dmp --profile WinXPSP2x86 truecryptmaster
Container: \??\C:\Program Files\TrueCrypt\true.dmp
Hidden Volume: No
Removable: No
Read Only: No
Disk Length: 20709376 (bytes)
Host Length: 20971520 (bytes)
Encryption Algorithm: AES
Mode: XTS
Master Key
0x816fe1a8 85 05 5f 66 83 36 e4 f1 c3 8a b0 55 ae a2 67 f4 .._f.6.....U..g.
0x816fe1b8 db bc 52 97 6d 9f dd 65 80 b0 85 cd 23 68 48 e6 ..R.m..e....#hH.
0x816fe1c8 d3 18 3d 23 01 d7 61 6f c4 05 66 7c 92 0c 52 4b ..=#..ao..f|..RK
0x816fe1d8 b0 8c 79 d7 68 1f 43 9b 55 be 19 9a a3 35 3a aa ..y.h.C.U....5:.
Indeed I could find a container and the master key, but that did not bring me any further. While searching for the container I came up with another approach, because I found a file called flag.zip in the filescan.
$ volatility -f memory.dmp --profile WinXPSP2x86 filescan
[...]
0x0000000001a3c7e8 1 0 R--rwd \Device\TrueCryptVolumeE\flag.zip
[...]
We dump the zip file with dumpfiles and the offset from the filescan listing.
$ volatility -f memory.dmp --profile WinXPSP2x86 dumpfiles -Q 0x0000000001a3c7e8 -D tmp -u -n
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x01a3c7e8 None \Device\TrueCryptVolumeE\flag.zip
The dumped zip file is encrypted. In the clipboard we can find the string BorlandDelphiIsReallyCool.
$ volatility -f memory.dmp --profile WinXPSP2x86 clipboard
Volatility Foundation Volatility Framework 2.6
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
0 WinSta0 CF_UNICODETEXT 0x500b5 0xe1d523d8 BorlandDelphiIsReallyCool
0 WinSta0 CF_LOCALE 0x1401b7 0xe10cb418
0 WinSta0 CF_TEXT 0x1 ----------
0 WinSta0 CF_OEMTEXT 0x1 ----------
This is the password for the zip file and gives us the flag CSCG{c4ch3d_p455w0rd_fr0m_0p3n_tru3_cryp1_c0nt41n3r5}.
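As an added example (my own helpers, not part of the original writeup or of Volatility), the following Python glues the last three steps together: pick files on the mounted TrueCrypt volume out of filescan output, build the matching dumpfiles command, collect the text entries of the clipboard output as password candidates, and try them against the dumped archive. The embedded Volatility output is a constructed sample modelled on the listings above, and all function names are assumptions.

```python
import re
import zipfile

# Constructed samples modelled on the Volatility 2 filescan/clipboard output quoted above
FILESCAN_SAMPLE = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000001a3c7e8      1      0 R--rwd \\Device\\TrueCryptVolumeE\\flag.zip
"""
CLIPBOARD_SAMPLE = """\
Session    WindowStation Format             Handle     Object     Data
---------- ------------- ------------------ ---------- ---------- ----------
         0 WinSta0       CF_UNICODETEXT        0x500b5 0xe1d523d8 BorlandDelphiIsReallyCool
         0 WinSta0       CF_LOCALE            0x1401b7 0xe10cb418
         0 WinSta0       CF_TEXT                   0x1 ----------
"""
FILESCAN_RE = re.compile(r"^(0x[0-9a-f]+)\s+\d+\s+\d+\s+\S+\s+(\S.*?)\s*$", re.I)
CLIPBOARD_RE = re.compile(r"^\s*\d+\s+\S+\s+(CF_\w+)\s+0x[0-9a-f]+\s+(?:0x[0-9a-f]+|-+)\s*(.*?)\s*$", re.I)

def find_files(filescan_output, name_pattern):
    """Map every filescan path matching name_pattern (a regex) to its physical offset."""
    hits = {}
    for line in filescan_output.splitlines():
        m = FILESCAN_RE.match(line)
        if m and re.search(name_pattern, m.group(2), re.I):
            hits[m.group(2)] = int(m.group(1), 16)
    return hits

def clipboard_strings(clipboard_output):
    """Payloads of the text formats (CF_TEXT, CF_OEMTEXT, CF_UNICODETEXT): password candidates."""
    rows = (CLIPBOARD_RE.match(line) for line in clipboard_output.splitlines())
    return [m.group(2) for m in rows if m and m.group(1).upper().endswith("TEXT") and m.group(2)]

def dumpfiles_cmd(image, profile, offset, outdir="tmp"):
    """argv for the dumpfiles call used above; the offset is padded as filescan prints it."""
    return ["volatility", "-f", image, "--profile", profile, "dumpfiles",
            "-Q", "0x%016x" % offset, "-D", outdir, "-u", "-n"]

def try_zip_passwords(zip_path, candidates):
    """First candidate that opens a ZipCrypto-encrypted archive, else None (None if unencrypted)."""
    with zipfile.ZipFile(zip_path) as zf:
        member = zf.infolist()[0]
        if not member.flag_bits & 0x1:          # general-purpose bit 0 set = entry encrypted
            return None
        for pw in candidates:
            try:
                zf.read(member, pwd=pw.encode())  # wrong password raises RuntimeError
                return pw
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None
```

Feed the real plugin output to these functions (e.g. via subprocess) and pass the dumped file's path to try_zip_passwords; zipfile only handles the legacy ZipCrypto scheme, so AES-encrypted archives need another tool.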
The writeup for part 2 can be found here. There we already have the profile of the memory dump.