CyberTalents Forensics Eagle Eye Writeup

Eagle Eye

  • Eagle Eye is a memory forensics challenge rated between hard and insane; as of writing this writeup the challenge has 15 solves in 4 months.

TL;DR

  • Windows memory forensics using Volatility 2

  • using the mftdump plugin of Volatility 2

Challenge Description

When you deal with an attacker, don’t always trust what you see.

Solution

  • In order to solve this challenge we first need to determine a suitable profile to use.

Using the following command:

    volatility -f chall.raw imageinfo

Running the command above gives us a list of viable profiles; for this writeup I will use the first one, Win7SP1x86_23418.

(screenshot: profile.png, the imageinfo output listing the suggested profiles)

My initial analysis covered the low-hanging fruit: rogue processes, files on the machine, browser histories and recent commands run on the machine, all with no success.

But going back to the challenge description there is a hint: ...don't always trust what you see

For this I thought of the mftdump plugin for further analysis: the MFT records cached in memory still describe files that have since been deleted, and for small files they carry the content itself (resident $DATA), so what the file system no longer shows can still be read out of the dump.

The syntax for the command:

    volatility -f chall.raw --profile Win7SP1x86_23418 mftdump > mftdump

After running for a while we get our mftdump data,

which we start grepping for strings that can and probably will match our flag format, in this case flag{.*}, since manual analysis would have been impossible with around 38054 lines of data to look at.

Searching for the string flag we get a hit:

    $FILE_NAME
    Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
    ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
    2021-02-15 14:09:51 UTC+0000 2021-02-15 14:19:44 UTC+0000   2021-02-15 14:19:44 UTC+0000   2021-02-15 14:09:51 UTC+0000   $Recycle.Bin\S-1-5-21-4163927476-1738762144-3755410103-1000\$R1ZVDL9.cpp

    $OBJECT_ID
    Object ID: f0aa160a-956f-eb11-be46-0800273856bc
    Birth Volume ID: 80000000-1802-0000-0000-180000000600
    Birth Object ID: fb010000-1800-0000-2369-6e636c756465
    Birth Domain ID: 203c696f-7374-7265-616d-3e0d0a766f69

    $DATA
    0000000000: 23 69 6e 63 6c 75 64 65 20 3c 69 6f 73 74 72 65   #include.<iostre
    0000000010: 61 6d 3e 0d 0a 76 6f 69 64 20 66 6c 61 67 28 29   am>..void.flag()
    0000000020: 3b 0d 0a 75 73 69 6e 67 20 6e 61 6d 65 73 70 61   ;..using.namespa
    0000000030: 63 65 20 73 74 64 3b 0d 0a 69 6e 74 20 6d 61 69   ce.std;..int.mai
    0000000040: 6e 28 29 7b 0d 0a 0d 0a 66 6c 61 67 28 29 3b 0d   n(){....flag();.
    0000000050: 0a 77 68 69 6c 65 28 74 72 75 65 29 7b 0d 0a 7d   .while(true){..}
    0000000060: 0d 0a 72 65 74 75 72 6e 20 30 3b 0d 0a 7d 0d 0a   ..return.0;..}..
    0000000070: 0d 0a 76 6f 69 64 20 66 6c 61 67 28 29 7b 0d 0a   ..void.flag(){..
    0000000080: 63 68 61 72 20 78 5b 32 36 5d 3b 0d 0a 69 6e 74   char.x[26];..int
    0000000090: 20 6e 3d 30 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 66   .n=0;..x[n++]='f
    00000000a0: 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 6c 27 3b 0d   ';..x[n++]='l';.
    00000000b0: 0a 78 5b 6e 2b 2b 5d 3d 27 61 27 3b 0d 0a 78 5b   .x[n++]='a';..x[
    00000000c0: 6e 2b 2b 5d 3d 27 67 27 3b 0d 0a 78 5b 6e 2b 2b   n++]='g';..x[n++
    00000000d0: 5d 3d 27 32 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27   ]='2';..x[n++]='
    00000000e0: 3a 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 5f 27 3b   :';..x[n++]='_';
    00000000f0: 0d 0a 78 5b 6e 2b 2b 5d 3d 27 53 27 3b 0d 0a 78   ..x[n++]='S';..x
    0000000100: 5b 6e 2b 2b 5d 3d 27 59 27 3b 0d 0a 78 5b 6e 2b   [n++]='Y';..x[n+
    0000000110: 2b 5d 3d 27 53 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d   +]='S';..x[n++]=
    0000000120: 27 5f 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 50 27   '_';..x[n++]='P'
    0000000130: 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 72 27 3b 0d 0a   ;..x[n++]='r';..
    0000000140: 78 5b 6e 2b 2b 5d 3d 27 63 27 3b 0d 0a 78 5b 6e   x[n++]='c';..x[n
    0000000150: 2b 2b 5d 3d 27 65 27 3b 0d 0a 78 5b 6e 2b 2b 5d   ++]='e';..x[n++]
    0000000160: 3d 27 33 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 33   ='3';..x[n++]='3
    0000000170: 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 5f 27 3b 0d   ';..x[n++]='_';.
    0000000180: 0a 78 5b 6e 2b 2b 5d 3d 27 34 27 3b 0d 0a 78 5b   .x[n++]='4';..x[
    0000000190: 6e 2b 2b 5d 3d 27 74 27 3b 0d 0a 78 5b 6e 2b 2b   n++]='t';..x[n++
    00000001a0: 5d 3d 27 34 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27   ]='4';..x[n++]='
    00000001b0: 4c 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 4c 27 3b   L';..x[n++]='L';
    00000001c0: 0d 0a 78 5b 6e 2b 2b 5d 3d 27 7d 27 3b 0d 0a 66   ..x[n++]='}';..f
    00000001d0: 6f 72 20 28 69 6e 74 20 69 20 3d 30 3b 20 69 3c   or.(int.i.=0;.i<
    00000001e0: 6e 3b 69 2b 2b 29 7b 0d 0a 09 28 78 5b 6e 5d 29   n;i++){...(x[n])
    00000001f0: 3b 0d 0a 7d 0d 0a 7d 0d 0a 0d 0a                  ;..}..}....

    ***************************************************************************
    ***************************************************************************
    MFT entry found at offset 0x8051c00
    Attribute: File
    Record Number: 47867
    Link count: 2

which looks like a hexdump of C++ code, sitting in a deleted file under $Recycle.Bin whose MFT record still holds its resident data…

I simply copied it and converted the data back to readable code:

    0000000000: 23 69 6e 63 6c 75 64 65 20 3c 69 6f 73 74 72 65   #include.<iostre
    0000000010: 61 6d 3e 0d 0a 76 6f 69 64 20 66 6c 61 67 28 29   am>..void.flag()
    0000000020: 3b 0d 0a 75 73 69 6e 67 20 6e 61 6d 65 73 70 61   ;..using.namespa
    0000000030: 63 65 20 73 74 64 3b 0d 0a 69 6e 74 20 6d 61 69   ce.std;..int.mai
    0000000040: 6e 28 29 7b 0d 0a 0d 0a 66 6c 61 67 28 29 3b 0d   n(){....flag();.
    0000000050: 0a 77 68 69 6c 65 28 74 72 75 65 29 7b 0d 0a 7d   .while(true){..}
    0000000060: 0d 0a 72 65 74 75 72 6e 20 30 3b 0d 0a 7d 0d 0a   ..return.0;..}..
    0000000070: 0d 0a 76 6f 69 64 20 66 6c 61 67 28 29 7b 0d 0a   ..void.flag(){..
    0000000080: 63 68 61 72 20 78 5b 32 36 5d 3b 0d 0a 69 6e 74   char.x[26];..int
    0000000090: 20 6e 3d 30 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 66   .n=0;..x[n++]='f
    00000000a0: 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 6c 27 3b 0d   ';..x[n++]='l';.
    00000000b0: 0a 78 5b 6e 2b 2b 5d 3d 27 61 27 3b 0d 0a 78 5b   .x[n++]='a';..x[
    00000000c0: 6e 2b 2b 5d 3d 27 67 27 3b 0d 0a 78 5b 6e 2b 2b   n++]='g';..x[n++
    00000000d0: 5d 3d 27 32 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27   ]='2';..x[n++]='
    00000000e0: 3a 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 5f 27 3b   :';..x[n++]='_';
    00000000f0: 0d 0a 78 5b 6e 2b 2b 5d 3d 27 53 27 3b 0d 0a 78   ..x[n++]='S';..x
    0000000100: 5b 6e 2b 2b 5d 3d 27 59 27 3b 0d 0a 78 5b 6e 2b   [n++]='Y';..x[n+
    0000000110: 2b 5d 3d 27 53 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d   +]='S';..x[n++]=
    0000000120: 27 5f 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 50 27   '_';..x[n++]='P'
    0000000130: 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 72 27 3b 0d 0a   ;..x[n++]='r';..
    0000000140: 78 5b 6e 2b 2b 5d 3d 27 63 27 3b 0d 0a 78 5b 6e   x[n++]='c';..x[n
    0000000150: 2b 2b 5d 3d 27 65 27 3b 0d 0a 78 5b 6e 2b 2b 5d   ++]='e';..x[n++]
    0000000160: 3d 27 33 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 33   ='X;..x[n++]='3
    0000000170: 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 5f 27 3b 0d   ';..x[n++]='_';.
    0000000180: 0a 78 5b 6e 2b 2b 5d 3d 27 34 27 3b 0d 0a 78 5b   .x[n++]='X;..x[
    0000000190: 6e 2b 2b 5d 3d 27 74 27 3b 0d 0a 78 5b 6e 2b 2b   n++]='X;..x[n++
    00000001a0: 5d 3d 27 34 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27   ]='X;..x[n++]='
    00000001b0: 4c 27 3b 0d 0a 78 5b 6e 2b 2b 5d 3d 27 4c 27 3b   L';..x[n++]='L';
    00000001c0: 0d 0a 78 5b 6e 2b 2b 5d 3d 27 7d 27 3b 0d 0a 66   ..x[n++]='}';..f
    00000001d0: 6f 72 20 28 69 6e 74 20 69 20 3d 30 3b 20 69 3c   or.(int.i.=0;.i<
    00000001e0: 6e 3b 69 2b 2b 29 7b 0d 0a 09 28 78 5b 6e 5d 29   n;i++){...(x[n])
    00000001f0: 3b 0d 0a 7d 0d 0a 7d 0d 0a 0d 0a                  ;..}..}....

then:

    cat hexdump | xxd -r > code.cpp

After beautifying the code we get the second part of the flag:

    #include <iostream>

    void flag();
    using namespace std;
    int main() {
      flag();
      while (true) {

      }
      return 0;
    }

    void flag() {
      char x[26];
      int n = 0;
      x[n++] = 'f';
      x[n++] = 'l';
      x[n++] = 'a';
      x[n++] = 'g';
      x[n++] = '2';
      x[n++] = ':';
      x[n++] = '_';
      x[n++] = 'S';
      x[n++] = 'Y';
      x[n++] = 'S';
      x[n++] = '_';
      x[n++] = 'P';
      x[n++] = 'r';
      x[n++] = 'c';
      x[n++] = 'e';
      x[n++] = '3';
      x[n++] = '3';
      x[n++] = '_';
      x[n++] = '4';
      x[n++] = 't';
      x[n++] = 'X';  // character redacted by the author
      x[n++] = 'X';  // character redacted by the author
      x[n++] = 'X';  // character redacted by the author
      x[n++] = '}';
      x[n] = '\0';   // terminate the string so cout stops at the end of the flag
      for (int i = 0; i < n; i++) {
        cout << x << "\n";
      }
    }

I redacted some chars of the flag to curb laziness XD

It was just basic C++ code that loops through the flag characters.

Compiling and running it gives us:

    $./code 
    flag2:_SYS_Prce33_4txx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}
    flag2:_SYS_Prce33_4t4xx}

Armed with the second part of the flag, we go back to hunting for the first part in order to get the full flag.

Searching for the string part in the mftdump, we are gifted with the first part:

    $FILE_NAME
    Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
    ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
    2021-02-15 13:31:58 UTC+0000 2021-02-15 14:35:19 UTC+0000   2021-02-15 14:35:19 UTC+0000   2021-02-15 13:31:58 UTC+0000   Users\MM0X\Desktop\1st.txt

    $OBJECT_ID
    Object ID: 60948d0e-926f-eb11-8c93-0800273856bc
    Birth Volume ID: 80000000-8000-0000-0000-180000000100
    Birth Object ID: 61000000-1800-0000-596f-7520476f7420
    Birth Domain ID: 4d652062-7574-2074-6861-742773206f6e

    $DATA
    0000000000: 59 6f 75 20 47 6f 74 20 4d 65 20 62 75 74 20 74   You.Got.Me.but.t
    0000000010: 68 61 74 27 73 20 6f 6e 6c 79 20 74 68 65 20 66   hat's.only.the.f
    0000000020: 69 72 73 74 20 48 61 6c 66 20 66 69 6e 64 20 74   irst.Half.find.t
    0000000030: 68 65 20 54 68 65 20 72 65 73 74 20 4f 46 20 69   he.The.rest.OF.i
    0000000040: 74 20 0d 0a 0d 0a 31 73 74 70 61 72 74 3a 7b 44   t.....1stpart:{D
    0000000050: 6f 6e 30 74 5f 61 6c 77 34 79 73 5f 54 52 75 73   on0t_xxxxxx_Txxx
    0000000060: 74                                                x

    ***************************************************************************
    ***************************************************************************
    MFT entry found at offset 0x28eb000
    Attribute: In Use & File
    Record Number: 33636
    Link count: 1

Converting the hexdump back to readable format, we can read off the first part of the flag as:

    cat 1st.txt 
    You Got Me but that's only the first Half find the The rest OF it 

    1stpart:{Don0t_xxxxxx_TRxxx
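The decode step for the .cpp file and the same step for 1st.txt both go through the hexdump by hand and xxd -r. The script below is an added example written for this writeup (not the author's code and not part of Volatility): a Python 3 parser for the $DATA hexdump blocks in the mftdump listing that rebuilds each resident file from the hex column alone, records whether the MFT entry was still in use (the .cpp above had no "In Use" flag, i.e. a deleted file), and runs a regex over the recovered bytes so the whole listing can be searched in one pass. The dump text embedded in it is constructed (paths, SID, timestamps, record numbers and file contents are invented), and the helper names parse_mftdump, search_records and to_text are mine.

```python
"""Rebuild resident files from a Volatility 2 mftdump listing and search them.

Added example for this writeup (not the author's code, not a Volatility plugin):
parses the $DATA hexdump blocks of the plugin's text output, taking bytes from
the hex column only, and keeps each entry's Name/Path and "In Use" state.
"""
import re

# Constructed excerpt in the layout the writeup shows; every path, SID,
# timestamp, record number and file body below is invented.
SAMPLE_DUMP = """\
MFT entry found at offset 0x1000
Attribute: In Use & File
Record Number: 10
Link count: 1

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2021-02-15 13:00:00 UTC+0000 2021-02-15 13:00:00 UTC+0000   2021-02-15 13:00:00 UTC+0000   2021-02-15 13:00:00 UTC+0000   Users\\demo\\Desktop\\notes.txt

$DATA
0000000000: 6e 6f 74 68 69 6e 67 20 68 65 72 65 0d 0a           nothing.here..

***************************************************************************
***************************************************************************
MFT entry found at offset 0x2000
Attribute: File
Record Number: 11
Link count: 2

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2021-02-15 14:00:00 UTC+0000 2021-02-15 14:10:00 UTC+0000   2021-02-15 14:10:00 UTC+0000   2021-02-15 14:00:00 UTC+0000   $Recycle.Bin\\S-1-5-21-0-0-0-1000\\$RABCDEF.txt

$DATA
0000000000: 66 6c 61 67 7b 63 6f 6e 73 74 72 75 63 74 65 64   flag{constructed
0000000010: 5f 73 61 6d 70 6c 65 7d 0d 0a                     _sample}..
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}"
# four timestamps followed by the Name/Path column
FILE_NAME_ROW = re.compile(rf"^({TS})\s+({TS})\s+({TS})\s+({TS})\s+(\S.*?)\s*$")
# offset, colon, up to 16 space-separated hex pairs; the ASCII column is never read
HEX_ROW = re.compile(r"^[0-9a-fA-F]{8,}:((?: [0-9a-fA-F]{2}){1,16})")
RECORD_HDR = re.compile(r"^MFT entry found at offset 0x[0-9a-fA-F]+")


def _new_entry():
    return {"record": None, "in_use": False, "path": None}


def parse_mftdump(text):
    """Return one dict per MFT entry that has a resident $DATA dump:
    {"record": int|None, "in_use": bool, "path": str|None, "data": bytes}."""
    records = []
    cur, section, data = _new_entry(), None, None
    for line in text.splitlines():
        if data is not None:                     # inside a $DATA block
            hit = HEX_ROW.match(line)
            if hit:
                data.extend(bytes.fromhex(hit.group(1)))
                continue
            if data:                             # first non-hex line ends the block
                records.append({**cur, "data": bytes(data)})
            data = None
        if RECORD_HDR.match(line):
            cur, section = _new_entry(), None
        elif line.startswith("Record Number:"):
            cur["record"] = int(line.split(":", 1)[1])
        elif line.startswith("Attribute:"):
            cur["in_use"] = "In Use" in line     # no "In Use" means a deleted entry
        elif line.startswith("$"):
            section = line.strip()
            if section.startswith("$DATA"):
                data = bytearray()
        elif section == "$FILE_NAME":            # $STANDARD_INFORMATION rows are skipped
            row = FILE_NAME_ROW.match(line)
            if row:
                cur["path"] = row.group(5)
    if data:
        records.append({**cur, "data": bytes(data)})
    return records


def search_records(records, pattern):
    """Run a bytes regex over every recovered body; return (record, path, match) tuples."""
    rx = re.compile(pattern)
    return [(r["record"], r["path"], m.group(0).decode("latin-1"))
            for r in records for m in rx.finditer(r["data"])]


def to_text(data):
    """Decode recovered bytes as text and normalise the CRLF endings Windows files use."""
    return data.decode("latin-1").replace("\r\n", "\n")


if __name__ == "__main__":
    recs = parse_mftdump(SAMPLE_DUMP)
    for r in recs:
        state = "in use" if r["in_use"] else "DELETED"
        print(f"record {r['record']} ({state}): {r['path']} [{len(r['data'])} bytes]")
    for rec_no, path, hit in search_records(recs, rb"flag\{[^}]*\}"):
        print(f"  match in record {rec_no} ({path}): {hit}")
    print(to_text(recs[-1]["data"]), end="")
```

To use it on the real listing, call parse_mftdump(open("mftdump", errors="replace").read()). Reading only the hex column sidesteps a limitation of xxd -r, which assumes 16 bytes per line and, on a short final line, can take hex-looking characters from the ASCII column as extra data; and since the flag here is split over two files, the search is worth running with a loose pattern such as rb"part" or rb"flag" as well as the full flag{...} form.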

Combining both parts we get the flag as:

Flag : flag{Don0t_xxxxxx_TRxxx_SYS_Prce33_4t4xx}

Hoping that was the intended solution :)

For any clarification or suggestions, including more writeups, kindly reach me on Twitter.