Magnet CTF Week 12: Merry Hacksmas


TL;DR: Week 12 of the #MagnetWeeklyCTF was a return to the browser that shalt not be named.

Review

Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.

Get the first challenge

The weekly challenge for week 12 was again only two parts. The first was:

What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed!

“Only 1 attempt allowed” made me walk very carefully through this question, because I had no desire to drop another question (hello Week 3, my old nemesis) this close to the end of the CTF. Because the question put a phrase in quotes, I assumed that phrase could be found verbatim in the image. It isn’t the fastest approach, but strings is one of my favorite starting points. Here I used strings with the -tx switch, which prefixes each string with its offset into the file in hex, and paired it with a case-insensitive grep (grep -i). Finally, because the matching string is long, I used awk to print only the first field ('{print $1}'), which is the offset.

[notta@cuppa case3]$ strings -tx memdump.mem \
| grep -i "how hackers hack, and how to stop them" \
| awk '{print $1}'

580fa58f
8598658f
97f5f48b
11c54e48b

We can see there were four hits and, if you dig in, they are all the same video title. Now we need to map those physical offsets (in a raw dump, the file offset is the physical address) back into a process’s virtual address space so we know which process they belong to. Absent any other starting point, I used the memmap Volatility plugin and grep to look for the four addresses. Because we are dealing with 4 KiB pages (0x1000), I rounded each offset down to its page boundary by replacing the last three hex digits with zeros. I also included the word “pid” in my search so that every process header line is shown; whichever PID is listed last before a hit owns that page.

[notta@cuppa case3]$ volatility -f memdump.mem --profile=Win7SP1x64 memmap \
| grep -i 'pid\|580fa000\|85986000\|97f5f000\|11c54e000'

Volatility Foundation Volatility Framework 2.6.1
System pid:      4
smss.exe pid:    280
csrss.exe pid:    364
wininit.exe pid:    408
csrss.exe pid:    440
services.exe pid:    472
winlogon.exe pid:    508
lsass.exe pid:    536
lsm.exe pid:    544
svchost.exe pid:    660
vmacthlp.exe pid:    728
svchost.exe pid:    772
svchost.exe pid:    860
svchost.exe pid:    936
svchost.exe pid:    980
svchost.exe pid:    112
svchost.exe pid:   1160
spoolsv.exe pid:   1304
svchost.exe pid:   1332
svchost.exe pid:   1444
VGAuthService. pid:   1520
vmtoolsd.exe pid:   1576
wlms.exe pid:   1636
sppsvc.exe pid:   1952
svchost.exe pid:   2032
svchost.exe pid:   1080
WmiPrvSE.exe pid:   2108
dllhost.exe pid:   2216
msdtc.exe pid:   2324
svchost.exe pid:   2944
svchost.exe pid:    360
SearchIndexer. pid:   2580
taskhost.exe pid:   1396
dwm.exe pid:   2852
explorer.exe pid:   2672
WerFault.exe pid:   2164
vmtoolsd.exe pid:   2928
audiodg.exe pid:   1728
slack.exe pid:   2208
slack.exe pid:   2728
slack.exe pid:   1172
slack.exe pid:   2812
slack.exe pid:   2848
WINWORD.EXE pid:   3180
chrome.exe pid:   3384
chrome.exe pid:   3392
wuauclt.exe pid:   3464
chrome.exe pid:   3492
chrome.exe pid:   3596
chrome.exe pid:   3604
chrome.exe pid:   3748
chrome.exe pid:   3756
WmiPrvSE.exe pid:   3440
chrome.exe pid:   4196
chrome.exe pid:   4236
chrome.exe pid:   4404
chrome.exe pid:   4600
iexplore.exe pid:   2984
iexplore.exe pid:   4480
0x000000000b7fb000 0x0000000097f5f000             0x1000          0x2b02000
FTK Imager.exe pid:   4332
WmiApSrv.exe pid:   1092
SearchProtocol pid:   4056
SearchFilterHo pid:   1996
chrome.exe pid:   2188
chrome.exe pid:   4484

Is it elegant? No. Do I care when I can tell my computer to figure out the answer while I do other things? Also no. In the above output, Internet Explorer, PID 4480, has one of those physical pages (0x97f5f000) mapped at virtual address 0xb7fb000. Note that only one of the four hits showed up in any process mapping; the other three copies of the title were not in any process’s page tables at the time of capture, so they cannot be attributed this way. That must be our answer.
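Reading “the last pid line before the hit” out of a grep is easy to get wrong on a long listing, and the truncate-to-0x1000 trick silently assumes every mapping is a single 4 KiB page. As an added example (my code, not the author’s tooling), the following Python parses Volatility 2 memmap output and reports, for each strings -tx offset, which process maps that physical page and at what virtual address, using the mapping size instead of a fixed page mask. The memmap text embedded below is constructed to match the 2.6.1 format shown above; its process entries and mappings are made up for illustration, and in practice you would feed it the saved output of the memmap command.

```python
"""Attribute `strings -tx` file offsets to processes via Volatility 2 memmap output.

Added example, not part of the original write-up. SAMPLE_MEMMAP is constructed
to mimic the Volatility 2.6.1 memmap format (a "<name> pid: <n>" header line
followed by a Virtual/Physical/Size/DumpFileOffset table per process); the
processes and addresses in it are made up, except that the iexplore.exe line
matching the post's hit is reproduced for illustration.
"""
import re

# Constructed sample memmap output (not real data).
SAMPLE_MEMMAP = """\
Volatility Foundation Volatility Framework 2.6.1
explorer.exe pid:   2672
Virtual            Physical                         Size     DumpFileOffset
------------------ ------------------ ------------------ ------------------
0x0000000000010000 0x0000000012345000             0x1000                0x0
0x0000000000011000 0x0000000097f5e000             0x1000             0x1000
iexplore.exe pid:   4480
Virtual            Physical                         Size     DumpFileOffset
------------------ ------------------ ------------------ ------------------
0x000000000b7fa000 0x000000000a000000             0x1000                0x0
0x000000000b7fb000 0x0000000097f5f000             0x1000          0x2b02000
0x000000000b7fc000 0x0000000097f60000             0x2000          0x2b03000
"""

# Process header line, e.g. "iexplore.exe pid:   4480".
PID_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
# Mapping row: virtual, physical, size, dump-file offset (all hex).
MAP_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s*$"
)


def parse_memmap(text):
    """Yield (process_name, pid, virtual, physical, size) for every mapping row.

    Rows are attributed to the most recent "pid:" header, which is exactly the
    "last pid line before the hit" rule from the grep approach, done reliably.
    """
    name, pid = None, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            name, pid = m.group("name"), int(m.group("pid"))
            continue
        m = MAP_RE.match(line)
        if m and pid is not None:
            virt, phys, size = (int(x, 16) for x in m.groups())
            yield name, pid, virt, phys, size


def attribute_offsets(memmap_text, file_offsets):
    """Map raw-dump file offsets (== physical addresses) to owning processes.

    Returns {offset: [(name, pid, virtual_address), ...]}. An empty list means
    no process had that physical page mapped at capture time (cache, kernel or
    freed memory), which is what happened to three of the four hits in the post.
    Checking the full [phys, phys + size) range handles multi-page mappings
    that a fixed 0x1000 truncation would miss.
    """
    results = {off: [] for off in file_offsets}
    for name, pid, virt, phys, size in parse_memmap(memmap_text):
        for off in file_offsets:
            if phys <= off < phys + size:
                results[off].append((name, pid, virt + (off - phys)))
    return results


if __name__ == "__main__":
    # The four strings -tx hits from the post.
    hits = [0x580FA58F, 0x8598658F, 0x97F5F48B, 0x11C54E48B]
    for off, owners in attribute_offsets(SAMPLE_MEMMAP, hits).items():
        owned = ", ".join(f"{n} (pid {p}) @ {v:#x}" for n, p, v in owners)
        print(f"{off:#x}: {owned or 'not mapped in any process'}")
```

To use it against a real case, save the plugin output with `volatility -f memdump.mem --profile=Win7SP1x64 memmap > memmap.txt` and pass the file contents to attribute_offsets together with the offsets from strings -tx. Because the physical column is compared as a range rather than a page-aligned prefix, a hit that lands inside a 2 MiB large page or any other multi-page mapping is still attributed correctly.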

Get the second challenge

The second challenge was:

What is the product version of the application from Part 1? Format: XX.XX.XXXX.XXXXX

Similarly to week 9’s fifth challenge, we can use pe-tree to read the process executable’s version information. Since we know the process ID, once we dump the process executable, this is a one-shot answer.

[notta@cuppa case3]$ mkdir -p procdump \
&& volatility -f memdump.mem --profile=Win7SP1x64 \
procdump --dump-dir=procdump -p 4480 \
&& pe-tree procdump/executable.4480.exe

Volatility writes the dumped image as executable.4480.exe in the dump directory (which must exist, hence the mkdir). When you open it in the pe-tree GUI and click on “VS_VERSIONINFO”, the product version is listed as 11.00.9600.18858. This fits the format they were looking for and is the product version of the application, so it is our answer.

Conclusion

I enjoyed the careful tiptoe to figure out the right process ID for the first step. You could also figure it out by dumping every process’s memory with memdump and then grepping through the dumps for the same string to see which file contains it. Overall, it was an enjoyable problem that can be solved in a few ways.