Wednesday, October 9, 2013

ASIS CTF mem_dump

Notes:

  • Make sure you are running a 64-bit Ubuntu 12.04 system with a 3.5.0-23-generic kernel. You will understand why later.
  • This machine should also have Volatility 2.3 installed.
  • A helpful tool is Sleuthkit: sudo apt-get install sleuthkit


To start, use Sleuthkit's srch_strings on the memory dump and save it to a txt file to save time for future greps. (You should also print the locations of each string in decimal)
$ srch_strings -t d mem.dump > asis_md_grepboot.txt

Next, you want to find what image this memory dump is for. I saved this to a file so I could reference it in the future if need be.
$ grep BOOT_ asis_memdump_srchstr.txt > asis_md_grepboot.txt

$ cat asis_md_grepboot.txt
  30873265 BOOT_IMAGE=/vmlinuz-3.5.0-23-generic
  31515756 Command line: BOOT_IMAGE=/vmlinuz-3.5.0-23-generic root=/dev/mapper/ubuntu--server-root ro
  31520980 Kernel command line: BOOT_IMAGE=/vmlinuz-3.5.0-23-generic root=/dev/mapper/ubuntu--server-root ro
 106342232 NT_STATUS_BAD_MASTER_BOOT_RECORD
 129758942 NT_STATUS_BOOT_ALREADY_ACCEPTED = 0x00000434,
 157849128 NT_STATUS_BAD_MASTER_BOOT_RECORD = 0xc00000a9,
 173586344 NT_STATUS_BOOT_ALREADY_ACCEPTED
 268365920 BOOT_IMAGE=/vmlinuz-3.5.0-23-generic
 268366048 BOOT_IMAGE=/vmlinuz-3.5.0-23-generic root=/dev/mapper/ubuntu--server-root ro
“BOOT_IMAGE=/vmlinuz-3.5.0-23-generic

This lets you know you need to set up a profile for a linux kernal 3.5.0-23-generic

You will have to create a profile manually by using the steps on this page.

Remember you need make the profile on an 64-bit Ubuntu 12.04 system with a 3.5.0-23-generic kernel. Do not try and use the Ubuntu profile provided by volatility, because it is an older version. If it were up to date, you would just place this zip in: Volatility/volatility/plugins/overlays/linux/


A good route to take now is to look at whats sitting in the command history. To do this, you have to locate the /bin/bash offset used by your computer. This site walks you through this quite nicely.

If you do not want to read the article here are the commands:
$ gdb /bin/bash 
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
...
...

(gdb) disassemble history_list
Dump of assembler code for function history_list:
   0x00000000004a53f0 <+0>: mov    0x2490c9(%rip),%rax        # 0x6ee4c0
   0x00000000004a53f7 <+7>: retq   
End of assembler dump.
In the output, the hex offset of the history_list is given as a comment (0x6ee4c0)


With this found offset, you can now view the memory dump's command history
$ vol.py -f mem.dump --profile=LinuxUbuntu1204x64 linux_bash -H 0x6ee4c0

Pid   Name     Command Time                   Command
----- -------- ------------------------------ -------
...
967   bash     2013-08-26 11:27:53 UTC+0000   uname -a
967   bash     2013-08-26 11:27:53 UTC+0000   wget 172.16.133.149:8090/asis-ctf -O /tmp/
967   bash     2013-08-26 11:27:53 UTC+0000   wget 172.16.133.149:8090/asis-ctf
967   bash     2013-08-26 11:27:53 UTC+0000   ls
967   bash     2013-08-26 11:27:53 UTC+0000   du -h asis-ctf 
967   bash     2013-08-26 11:27:53 UTC+0000   chmod +x asis-ctf 
967   bash     2013-08-26 11:27:53 UTC+0000   ./asis-ctf 
967   bash     2013-08-26 11:27:53 UTC+0000   sudo poweroff 
967   bash     2013-08-26 11:27:54 UTC+0000   ls
967   bash     2013-08-26 11:30:37 UTC+0000   ./asis-ctf 
967   bash     2013-08-26 12:00:04 UTC+0000   sudo apt-get install lynx
967   bash     2013-08-26 12:00:27 UTC+0000   lynx 
967   bash     2013-08-26 12:10:44 UTC+0000   sudo apt-get install elinks
967   bash     2013-08-26 12:10:57 UTC+0000   elinks 
967   bash     2013-08-26 12:14:58 UTC+0000   clear
967   bash     2013-08-26 12:15:00 UTC+0000   ls
967   bash     2013-08-26 12:15:28 UTC+0000   cp asis-ctf flag1
967   bash     2013-08-26 12:15:32 UTC+0000   ls -l
967   bash     2013-08-26 12:15:42 UTC+0000   md5sum flag1
...
Looks like an “asis-ctf” program was executed. Is it still running?
$ vol.py -f mem.dump --profile=LinuxUbuntu1204x64 linux_pstree 

Name          Pid      Uid       
------------  -------  ----
...       
.cron         819      0 
.atd          820      0 
.login        837      0 
..bash        967      1000
...asis-ctf   9425     1000
...nano       15584    1000
.apache2      16346    0 
..apache2     16349    33
..apache2     16350    33
..apache2     16351    33
...

It is! So lets look at this process' memory

$ vol.py -f mem.dump --profile=LinuxUbuntu1204x64 linux_proc_maps -p 9425

Pid  Start              End                Flg Pgoff ... Inode  File Path
---- ------------------ ------------------ --- ----- --- ----   -----------------
9425 0x0000000000400000 0x0000000000401000 r-x 0x0       393333 /home/netadmin/asis-ctf
9425 0x0000000000600000 0x0000000000601000 r-- 0x0       393333 /home/netadmin/asis-ctf
9425 0x0000000000601000 0x0000000000602000 rw- 0x1000    393333 /home/netadmin/asis-ctf
---

The rest is unnecessary because they are just shared libraries and stacks involved. Let's look at the first 10 bytes of these files to figure out their file headers contain.

$ hexdump -C -n 10 task.9425.0x400000.vma
00000000  00 00 00 00 00 00 00 00  00 00                    |..........|
$ hexdump -C -n 10 task.9425.0x600000.vma
00000000  7f 45 4c 46 02 01 01 00  00 00                    |.ELF......|

An Elf File! The next file (601000) has a program offset of 1000, so we know that this was a part of that executable. We will want to cat the two files together to make the executable.

$ cat task.9425.0x600000.vma task.9425.0x601000.vma > asis-ctf

Just to double check the file to see if it's an executable, we can run file on it.

$ file asis-ctf
asis-ctf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped

Check.

Time to load it into IDA and do some reversing on it.
Below was the section of code that was found to be adding an pseudo encrypted version of the key.
LOAD:0000000000400683                 mov     byte ptr [rbp+var_A0], 42h
LOAD:000000000040068A                 mov     byte ptr [rbp+var_A0+1], 49h
LOAD:0000000000400691                 mov     byte ptr [rbp+var_A0+2], 55h
LOAD:0000000000400698                 mov     byte ptr [rbp+var_A0+3], 52h
LOAD:000000000040069F                 mov     byte ptr [rbp+var_A0+4], 4Ch
LOAD:00000000004006A6                 mov     byte ptr [rbp+var_A0+5], 41h
LOAD:00000000004006AD                 mov     byte ptr [rbp+var_A0+6], 57h
LOAD:00000000004006B4                 mov     byte ptr [rbp+var_A0+7], 4Eh
LOAD:00000000004006BB                 mov     [rbp+var_98], 64h
LOAD:00000000004006C2                 mov     [rbp+var_97], 5Fh
LOAD:00000000004006C9                 mov     [rbp+var_96], 69h
LOAD:00000000004006D0                 mov     [rbp+var_95], 37h
...
And this was the section found to be doing the decoding and printing.
LOAD:0000000000400867 loc_400867:                             ; CODE XREF: sub_400644+25B j
LOAD:0000000000400867                 mov     eax, [rbp+var_A4]
LOAD:000000000040086D                 add     eax, eax
LOAD:000000000040086F                 cdqe
LOAD:0000000000400871                 movzx   eax, byte ptr [rbp+rax+var_A0]
LOAD:0000000000400879                 movsx   eax, al
LOAD:000000000040087C                 sub     eax, [rbp+var_A4]
LOAD:0000000000400882                 sub     eax, 1
LOAD:0000000000400885                 mov     edi, eax
LOAD:0000000000400887                 call    sub_400500
LOAD:000000000040088C                 add     [rbp+var_A4], 1
LOAD:0000000000400893
Since the executable was not runnable, we had to create a python code that would take these inputs, convert them to decimal and do the decoding method.
hex_input = "42 49 55 52 4c 41 57 4e 64 5f 69 37 69 31 3e 63 6b 65 6c 33 3b 34 3d 65 3f 65 6f 63 47 31 75 36 72 66 42 62 4a 65 75 39 49 66 48 34 4d 32 4a 34 4e 37 4e 32 4d 35 55 65 50 37 82 32 84 61 52 35 83 39 85 61 53 34 89 39 8b 64 26"
dec_input = []
for h in hex_input.split(" "): #using space as a delimeter
    dec_input.append(int('0x' + h, 16)) #add a 0x to each hex input and decode it to an int

flag = ""
for i in range(0, 37):
    flag += chr(dec_input[2 * i] - i - 1) #from print method in recovered executable.
print flag

>>>ASIS_cb6bb012a8ea07a426254293de2bc0ef

Victory!

-hackarali

No comments:

Post a Comment