
# Forensics (Warm Up)

Category: Forensics

Challenge: Warm Up

Points: 100

<figure><img src="/files/FZIH97j37h2azVBhPJXN" alt=""><figcaption></figcaption></figure>

We are given a *.zip* file that contains a ***challenge.raw*** file. Since this is a memory image, I decided to use the ***volatility*** tools for this challenge.

<figure><img src="/files/gFfm8j2c2du3kSpshq5b" alt=""><figcaption></figcaption></figure>

It worked! I get a suggested profile, which confirms that this is a memory image.

Now let’s start solving the questions:

**Number 1**: ***What is the hostname of the source of this memory image?***

For this one, I list the hives to get their virtual offsets; the hostname is stored under the `ComputerName` key of the SYSTEM hive:

<figure><img src="/files/jK1FtuR0bcU8IwOJWZNd" alt=""><figcaption></figcaption></figure>

Then I dump the registry key that holds the hostname.

<figure><img src="/files/cxAlTBwzcOZjS8chEv4m" alt=""><figcaption></figcaption></figure>

Questions **2, 3, and 4** have the same goal: recover the users' passwords.

**What is the password of user Le?**

**What is the password of user Li?**

**What is the password of user S?**

For this, `hashdump` needs two of the hive offsets from the list above: SYSTEM (`-y`) and SAM (`-s`).

<figure><img src="/files/KomoBBG7Z5fEc7jILJjg" alt=""><figcaption></figcaption></figure>

I use crackstation.net, an online hash cracker, to crack the NT hashes. The first user's password came back immediately, and so did the other two. Crackstation is a lookup against precomputed tables, so it only answers for passwords already in its wordlists; that is fine for a CTF, but for a real case keep the hashes offline and crack them locally (hashcat mode 1000 for NTLM).

<figure><img src="/files/XsT5K9c87u8neZFRXtP5" alt=""><figcaption></figcaption></figure>
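Before handing hashdump output to any cracker it pays to sort the lines first: the well-known empty-string hashes mark accounts with no LM hash stored and accounts with a blank password, and the latter are not worth a cracking run at all. The script below does that triage and emits `user:nthash` lines for hashcat. It is an added example, not code from the write-up, and `SAMPLE_HASHDUMP` is constructed: the account names and hash values are invented and are not the challenge's users or hashes.

```python
"""Sort Volatility `hashdump` output before cracking.

Added example, not the write-up's own code. SAMPLE_HASHDUMP is constructed:
the account names and hash values are invented and are not the challenge's
users or hashes.
"""
import re
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" : blank password

# Constructed sample in pwdump format: user:rid:lmhash:nthash:::
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
analyst:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


ROW_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_hashdump(text):
    """Accounts from hashdump text; lines that are not pwdump rows are skipped."""
    accounts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def classify(acct):
    """'blank' (nothing to crack), 'lm+nt' (LM present, crack it first) or 'nt-only'."""
    if acct.nt == EMPTY_NT:
        return "blank"
    if acct.lm != EMPTY_LM:
        # LM is case-insensitive and at most 14 chars (hashcat -m 3000); cracking it
        # first gives the NT password up to letter case.
        return "lm+nt"
    return "nt-only"


def hashcat_lines(accounts):
    """`user:nthash` lines for `hashcat -m 1000 --username`; blank passwords are left out."""
    return [f"{a.user}:{a.nt}" for a in accounts if classify(a) != "blank"]


if __name__ == "__main__":
    for a in parse_hashdump(SAMPLE_HASHDUMP):
        print(f"{a.user:<14} rid={a.rid:<5} {classify(a)}")
    print("\n".join(hashcat_lines(parse_hashdump(SAMPLE_HASHDUMP))))
```

Write the returned lines to a file and run `hashcat -m 1000 --username <file> <wordlist>`; the `--username` flag tells hashcat to ignore the `user:` prefix, which keeps the cracked result attributable to an account.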

Now let's proceed to **Numbers 5, 6, and 7**, which need the attacker's and victim's IP addresses and the port the backdoor is listening on.

**What is the attacker’s IP address?**

**What is the victim’s IP address?**

**Which port is the backdoor listening on?**

I run `connections` and `connscan`, but the profile does not support them: those two plugins only work on Windows XP and 2003 images, and on Vista and later the socket and connection objects are found with `netscan`. From its output I get the attacker's and victim's IP addresses and the port the backdoor is listening on.

<figure><img src="/files/wouTwkiw2LcAnBdVO5NX" alt=""><figcaption></figcaption></figure>
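Reading the three answers off a `netscan` listing is a matter of pairing rows: an ESTABLISHED row gives the victim (local) and attacker (foreign) addresses, and if its local port also appears in a LISTENING row the backdoor is a bind shell on that port. The script below encodes that pairing over Volatility 2 `netscan` text. It is an added example, not code from the write-up, and `SAMPLE_NETSCAN` is constructed: the hosts 10.163.7.100 and 10.163.7.130, port 5900 and `nc64.exe` come from the write-up, while the offsets, the PIDs, the other rows and the `lsass.exe` connection on port 80 are invented for illustration.

```python
"""Pull the peer IPs and backdoor port out of Volatility 2 `netscan` output.

Added example, not the write-up's own code. SAMPLE_NETSCAN is constructed:
the hosts 10.163.7.100 (victim) and 10.163.7.130 (attacker), port 5900 and
nc64.exe come from the write-up; the offsets, PIDs, the other rows and the
lsass.exe connection on port 80 are invented for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d7e6010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        732      svchost.exe
0x7d7e6010         TCPv6    :::135                         :::0                 LISTENING        732      svchost.exe
0x7d8f6b80         TCPv4    10.163.7.100:5900              0.0.0.0:0            LISTENING        1548     nc64.exe
0x7d9a1c30         TCPv4    10.163.7.100:5900              10.163.7.130:51234   ESTABLISHED      1548     nc64.exe
0x7d9a2d40         TCPv4    10.163.7.100:49201             10.163.7.130:80      ESTABLISHED      1952     lsass.exe
0x7d9b2010         UDPv4    0.0.0.0:5355                   *:*                                   940      svchost.exe    2020-09-26 04:11:02 UTC+0000
0x7d9c3120         TCPv4    127.0.0.1:49160                127.0.0.1:49161      ESTABLISHED      2100     explorer.exe
"""


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: Optional[str]  # None for UDP rows, which carry no state column
    pid: int
    owner: str


ROW_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>-?\d+)\s+(?P<owner>\S+)"
)


def _split_addr(addr):
    """'10.163.7.100:5900' -> ('10.163.7.100', '5900'); also handles ':::135' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netscan(text):
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or a smeared row
        lh, lp = _split_addr(m["local"])
        fh, fp = _split_addr(m["foreign"])
        conns.append(Conn(m["proto"], lh, lp, fh, fp, m["state"], int(m["pid"]), m["owner"]))
    return conns


# Addresses that never identify a remote peer.
NOT_A_PEER = {"0.0.0.0", "127.0.0.1", "::", "::1", "*", ""}


def triage(conns):
    """Peers of every ESTABLISHED connection, split by whether the peer connected in to a listener."""
    established = [c for c in conns if c.state == "ESTABLISHED" and c.foreign_host not in NOT_A_PEER]
    listening = {(c.proto, c.local_port) for c in conns if c.state == "LISTENING"}
    report = {
        "victim_ips": sorted({c.local_host for c in established}),
        "attacker_ips": sorted({c.foreign_host for c in established}),
        "bind_shells": [],  # (owner, pid, local port, peer): peer connected in to a LISTENING port
        "outbound": [],     # (owner, pid, peer, peer port): this host connected out
    }
    for c in established:
        if (c.proto, c.local_port) in listening:
            report["bind_shells"].append((c.owner, c.pid, c.local_port, c.foreign_host))
        else:
            report["outbound"].append((c.owner, c.pid, c.foreign_host, c.foreign_port))
    return report


if __name__ == "__main__":
    for key, value in triage(parse_netscan(SAMPLE_NETSCAN)).items():
        print(f"{key}: {value}")
```

A reverse shell shows up differently: there is no LISTENING row for it, so the C2 port is the peer port in the `outbound` list rather than a local port. Also remember that `netscan` carves pool memory, so it can return connections that were already closed when the image was taken; corroborate the owner PID against `pstree` before treating a row as live.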

Now let's proceed to questions **Numbers 8 to 13**, which took me longer to solve. I won't discuss the other things I tried here; I'll go straight to the solution that worked. Since we are looking for malware, I run the `pslist` and `pstree` commands. `pstree` walks the same process list as `pslist`, but prints the result as a tree based on the parent-child relationship between the processes.

<figure><img src="/files/mfGQCRMIGrSavkfdthxk" alt=""><figcaption></figcaption></figure>

For example, here we can see that `nc64.exe` started `cmd.exe`, which in turn started the instances of `lsass.exe` and `svchost.exe`. Next we look at the command lines these processes were started with, which the `cmdline` plugin shows:

<figure><img src="/files/UdksQtkKSNfG0CkQuFuK" alt=""><figcaption></figcaption></figure>

### Analysis: <a href="#id-613e" id="id-613e"></a>

1. The attacker runs `nc64.exe`.
2. It downloads `lsass.exe` to `C:\Users\samael\lsass.exe`.
3. It executes `lsass.exe` (pid `1952`), which downloads `svchost.exe` to `C:\Users\samael\svchost.exe`.
4. It executes `svchost.exe` (pid `2972`); on analysis, that file turns out to be mimikatz.
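
The reasoning above, that `lsass.exe` and `svchost.exe` are suspect because of who started them and where they run from, can be written down as checks and run over the `pslist` and `cmdline` output instead of being eyeballed. The script below does that for a handful of core Windows processes. It is an added example, not code from the write-up, and both samples are constructed: the process names, pids `1952` and `2972` and the `C:\Users\samael\` paths come from the write-up; the offsets, every other pid, the timestamps, the `nc64.exe` path and the legitimate-looking rows are invented.

```python
r"""Flag system-process masquerades from Volatility 2 `pslist` and `cmdline` output.

Added example, not the write-up's own code. The two samples are constructed:
the process names, pids 1952 and 2972 and the C:\Users\samael\ paths come
from the write-up; the offsets, every other pid, the timestamps, the nc64.exe
path and the legitimate-looking rows are invented.
"""
import re
from collections import Counter

SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca5040 System                    4      0     96      524 ------      0 2020-09-26 04:10:44 UTC+0000
0xfffffa8001a9f4e0 wininit.exe             384    328      3       77      0      0 2020-09-26 04:10:46 UTC+0000
0xfffffa8001b4d060 services.exe            480    384      8      213      0      0 2020-09-26 04:10:46 UTC+0000
0xfffffa8001b55b30 lsass.exe               488    384      7      585      0      0 2020-09-26 04:10:46 UTC+0000
0xfffffa8001c01060 svchost.exe             612    480     10      352      0      0 2020-09-26 04:10:47 UTC+0000
0xfffffa8001d12b30 explorer.exe           1340   1316     28      901      1      0 2020-09-26 04:11:01 UTC+0000
0xfffffa8001e2a060 nc64.exe               1548   1340      2       58      1      0 2020-09-26 04:15:10 UTC+0000
0xfffffa8001e3c9e0 cmd.exe                1592   1548      1       29      1      0 2020-09-26 04:15:10 UTC+0000
0xfffffa8001f40b30 lsass.exe              1952   1592      3       93      1      0 2020-09-26 04:20:33 UTC+0000
0xfffffa8001f91060 svchost.exe            2972   1592      2       61      1      0 2020-09-26 04:22:05 UTC+0000
"""

SAMPLE_CMDLINE = r"""
************************************************************************
wininit.exe pid:    384
Command line : wininit.exe
************************************************************************
services.exe pid:    480
Command line : C:\Windows\system32\services.exe
************************************************************************
lsass.exe pid:    488
Command line : C:\Windows\system32\lsass.exe
************************************************************************
svchost.exe pid:    612
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
nc64.exe pid:   1548
Command line : C:\Users\samael\nc64.exe
************************************************************************
cmd.exe pid:   1592
Command line : cmd.exe
************************************************************************
lsass.exe pid:   1952
Command line : C:\Users\samael\lsass.exe
************************************************************************
svchost.exe pid:   2972
Command line : C:\Users\samael\svchost.exe
"""

PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s")
CMD_HDR_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
CMD_LINE_RE = re.compile(r"^Command line : (?P<cmd>.*)$")


def parse_pslist(text):
    """pid -> (name, ppid) from `pslist` text output."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]))
    return procs


def parse_cmdline(text):
    """pid -> command line from `cmdline` text output (pids with no line are absent)."""
    cmds, pid = {}, None
    for line in text.splitlines():
        m = CMD_HDR_RE.match(line)
        if m:
            pid = int(m["pid"])
            continue
        m = CMD_LINE_RE.match(line)
        if m and pid is not None:
            cmds[pid] = m["cmd"].strip()
    return cmds


def image_path(cmd):
    """First token of a Windows command line, unquoted and lower-cased ('' if unknown)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower() if cmd else ""


EXPECTED = {
    # name -> (expected parent, expected tail of the image path), Vista and later
    "lsass.exe": ("wininit.exe", r"\windows\system32\lsass.exe"),
    "services.exe": ("wininit.exe", r"\windows\system32\services.exe"),
    "svchost.exe": ("services.exe", r"\windows\system32\svchost.exe"),
}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}  # exactly one instance on a healthy box


def ancestry(procs, pid):
    """Parent names walking up from pid until the chain leaves the process list."""
    chain, seen = [], {pid}
    ppid = procs[pid][1]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        chain.append(procs[ppid][0])
        ppid = procs[ppid][1]
    return chain


def triage(procs, cmds):
    """(suspicious pid -> details, singleton name -> pids) for processes that break EXPECTED."""
    suspicious = {}
    for pid, (name, ppid) in procs.items():
        key = name.lower()
        if key not in EXPECTED:
            continue
        exp_parent, exp_path = EXPECTED[key]
        reasons = []
        parent = procs.get(ppid, ("<missing>", None))[0]
        if parent.lower() != exp_parent:
            reasons.append(f"parent is {parent} (pid {ppid}), expected {exp_parent}")
        path = image_path(cmds.get(pid, ""))
        if path and not path.endswith(exp_path):  # no command line: path check is skipped
            reasons.append(f"image path {path!r} is not ...{exp_path}")
        if reasons:
            suspicious[pid] = {"name": name, "reasons": reasons, "ancestry": ancestry(procs, pid)}
    counts = Counter(n.lower() for n, _ in procs.values())
    duplicates = {
        n: sorted(p for p, (pn, _) in procs.items() if pn.lower() == n)
        for n in SINGLETONS if counts[n] > 1
    }
    return suspicious, duplicates


if __name__ == "__main__":
    sus, dup = triage(parse_pslist(SAMPLE_PSLIST), parse_cmdline(SAMPLE_CMDLINE))
    for pid, info in sus.items():
        print(pid, info["name"], "<-", " <- ".join(info["ancestry"]))
        for r in info["reasons"]:
            print("   ", r)
    print("duplicate singletons:", dup)
```

Treat a hit as a lead rather than a verdict: a legitimate process whose parent has already exited is reported with parent `<missing>`, a process with no `cmdline` entry only gets the parent check, and a 32-bit `svchost.exe` under `SysWOW64` would also trip the path rule. The `ancestry` chain is what ties a hit back to the tool that planted it, here `cmd.exe` under `nc64.exe`.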

I assume this `lsass.exe` is malware: the real one lives in `C:\Windows\System32` and is started by `wininit.exe`, not by `cmd.exe` from a user's profile directory. I dump the process's executable with the `procdump` command and upload it to virustotal.com. A few AV engines detect it as malware.

<figure><img src="/files/EPUumWvhxSW8kxCG9wom" alt=""><figcaption></figcaption></figure>

I also take a `memdump` of the process. A simple first pass over the dump is `strings`; here we look for a relation between the dump and the information already retrieved, especially the open TCP connection to the `10.163.7.130` IP:

`strings 1952.dmp | grep -Fi "10.163.7.130" -C 5`

Look what I found: the job of the `lsass.exe` process is to download a new file, `svchost.exe`.

<figure><img src="/files/XvqcXhWQxAb9WQXRXBNH" alt=""><figcaption></figcaption></figure>

I suspect this file is malware too. I run `procdump` again on pid `2972`, upload it to virustotal.com, and look what I found: it's **mimikatz!!!**

<figure><img src="/files/6PRt9RmjKl8HVimMTNnC" alt=""><figcaption></figcaption></figure>

So now I have the **process name** of both malware processes, their **pids** (the lower and the higher one), and their paths:

*Number 8: **lsass.exe***

*Number 9: **1952***

*Number 10: **svchost.exe***

*Number 11: **2972***

*Number 12: **C:\Users\samael\lsass.exe***

*Number 13: **C:\Users\samael\svchost.exe***

Now we combine all the answers, joined with `~` in question order, and run **md5sum** over the string:

> `printf '%s' "RC-MINIONS~darklighter~97sunfire~poisonthewell~10.163.7.130~10.163.7.100~5900~lsass.exe~1952~svchost.exe~2972~C:\Users\samael\lsass.exe~C:\Users\samael\svchost.exe" | md5sum`

Voila!!!

**rc14{81cd8971d7cdbf45d2cdf4c90fbaa339}**

## Conclusion <a href="#id-460c" id="id-460c"></a>

I would like to thank my teammates (*Sai and Chris*). Thanks also to **ROOTCON** and **PWN DE MANILA** for the challenge.

I hope you guys enjoyed reading this write-up!

For references, see these links:

1. Volatility Command Reference — <https://github.com/volatilityfoundation/volatility/wiki/Command-Reference>
2. <https://www.secjuice.com/malware-analysis-memory-forensics/>
