DumpMe Blue Team Challenge
Last updated
Today I will start solving the "DumpMe" room on the cyberdefenders.org platform. Completing it requires some knowledge of Volatility, so before we get to the questions, let me show you how to install Volatility and get it up and running.
To answer the questions in this room you will need the Volatility framework, which lets you pull interesting information out of a RAM dump. If you want to follow along and finish this room with me, you will need this software. But don't worry, I've described the entire installation process in this article.
A SOC analyst took a memory dump from a machine infected with Meterpreter malware. As a digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
There are 16 questions in total.
What is the SHA1 hash of Triage-Memory.mem (memory dump)?
To answer this question, you just need to run certutil with its -hashfile switch in the Command Prompt (CMD).
What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
This question can be a bit tricky if you're using Volatility 3. Since Volatility 3 doesn't strictly require profiles, I took some liberties with the rules. First, I used the "windows.info" plugin to display information about the memory image.
Once the scan completed, the "NTBuildLab" row shows "win7sp1", which is the equivalent of a profile in Volatility 2. Now you just need to add the system architecture to get the answer. Ultimately, the answer (the Volatility 2 style profile name) is "Win7SP1x64".
What was the process ID of notepad.exe?
To list processes, use the "windows.pslist" plugin in the same way as "windows.info" earlier. Then locate "notepad.exe".
Name the child process of wscript.exe.
To list the process tree, use the "windows.pstree" plugin and locate the parent process "wscript.exe". Directly underneath it you'll see a suspicious process named "UWkpjFjDzM.exe".
What was the IP address of the machine at the time the RAM dump was created?
Several plugins can answer this question. I chose "windows.netscan". In the (slightly shifted) "LocalAddr" column you can find the IP address of the machine at the time of the dump.
Based on the answer regarding the infected PID, can you determine the IP of the attacker?
For this question you need to find the outgoing connection from "UWkpjFjDzM.exe". I used the same plugin as in the previous question, but this time I focused on the "ForeignAddr" column.
That's how I found the answer: the address is 10.0.0.106.
How many processes are associated with VCRUNTIME140.dll?
Using the appropriate plugin command, I was able to answer the question.
After dumping the infected process, what is its md5 hash?
This question is more challenging than the others, but it can be solved with a clever approach. Using the command below, I dumped all files associated with PID 3496, including the process we're looking for.
Now all that's left is to calculate the MD5 hash with Get-FileHash in PowerShell. Remember to temporarily disable Windows Defender for a moment, as otherwise the command may not work correctly.
The MD5 hash is 690ea20bc3bdfb328e23005d9a80c290.
What is the LM hash of Bobās account?
To answer this question, I used the windows.hashdump.Hashdump plugin.
Bob's LM hash is aad3b435b51404eeaad3b435b51404ee (the well-known value of an empty LM hash).
What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
To answer this question, I used the windows.vadinfo plugin. Because the output is extensive, I redirected it to a file named "vad.txt" and opened that in Notepad. The plugin threw a few errors while running, but they didn't affect the answer.
Then I used CTRL+F to search for the string 0xfffffa800577ba10, and that's how I found the answer.
What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
Here I came across something interesting. Searching for 0x00000000033c0000 in Notepad gave zero results; to find the answer you have to search for 0x33c0000 instead. This is because Volatility 3 prints addresses without the leading zeros that Volatility 2, which was used to create this room, includes. After searching for that string, I found that the answer is PAGE_NOACCESS.
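One way to avoid both the counting and the leading-zero problems above is to parse the saved plugin output instead of searching it by eye. This added example (not code from the write-up) covers the VCRUNTIME140.dll question and the two VAD questions; the sample output, paths and VAD node offsets are constructed.

```python
# Added example, not code from the write-up. Both helpers read saved Volatility 3
# output, whose columns are tab separated, e.g.
#   vol.py -f Triage-Memory.mem windows.dlllist > dlllist.txt
#   vol.py -f Triage-Memory.mem windows.vadinfo > vad.txt
# The samples below are constructed; paths and VAD node offsets are invented.
DLLLIST_SAMPLE = """Volatility 3 Framework 2.5.0
PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output
3032\tnotepad.exe\t0x7fefd0a0000\t0x8000\tVCRUNTIME140.dll\tC:\\CONSTRUCTED\\VCRUNTIME140.dll\tN/A\tDisabled
3496\tUWkpjFjDzM.exe\t0x7fefd0a0000\t0x8000\tvcruntime140.dll\tC:\\CONSTRUCTED\\vcruntime140.dll\tN/A\tDisabled
3496\tUWkpjFjDzM.exe\t0x7fefd0a0000\t0x8000\tvcruntime140.dll\tC:\\CONSTRUCTED\\vcruntime140.dll\tN/A\tDisabled
2200\tskype.exe\t0x7fefd0a0000\t0x8000\tVCRUNTIME140.dll\tC:\\CONSTRUCTED\\VCRUNTIME140.dll\tN/A\tDisabled
"""
VADINFO_SAMPLE = """PID\tProcess\tOffset\tStart VPN\tEnd VPN\tTag\tProtection\tCommitCharge\tPrivateMemory\tParent\tFile
3496\tUWkpjFjDzM.exe\t0xfffffa8001234560\t0x33c0000\t0x33dffff\tVadS\tPAGE_NOACCESS\t0\t1\t0xfffffa8001234000\t
3496\tUWkpjFjDzM.exe\t0xfffffa8001234990\t0x400000\t0x41afff\tVad\tPAGE_EXECUTE_WRITECOPY\t3\t0\t0xfffffa8001234560\tC:\\CONSTRUCTED\\UWkpjFjDzM.exe
"""

def parse_vol3_table(text):
    """Rows as dicts keyed by the tab-separated header; banner lines are skipped."""
    cols, rows = None, []
    for line in text.splitlines():
        if cols is None:
            if line.startswith("PID\t"):
                cols = line.split("\t")
            continue
        if line.strip():
            rows.append(dict(zip(cols, line.split("\t"))))
    return rows

def processes_with_dll(text, dll_name):
    """Distinct processes with dll_name loaded (case-insensitive): pid -> name.
    Counting PIDs rather than lines avoids double counting repeated entries."""
    found = {}
    for row in parse_vol3_table(text):
        if row["Name"].lower() == dll_name.lower():
            found[int(row["PID"])] = row["Process"]
    return found

def vad_protection(text, start=None, end=None, node=None):
    """Protection of the VAD selected by node offset and/or start/end VPN.
    Hex is compared numerically, so the Volatility 2 style 0x00000000033c0000
    matches the 0x33c0000 that Volatility 3 prints."""
    wanted = {k: int(v, 16) for k, v in
              (("Offset", node), ("Start VPN", start), ("End VPN", end)) if v}
    if not wanted:
        raise ValueError("give node, start and/or end")
    for row in parse_vol3_table(text):
        if all(int(row[col], 16) == val for col, val in wanted.items()):
            return row["Protection"]
    return None
```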
There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
To answer this question, I used the windows.cmdline plugin and redirected the output to a file so I could search it in Notepad.
Then I simply searched for "vbs" with CTRL+F and quickly found it. The answer is "vhjReUDEuumrX".
An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
To answer this question, I used the timeliner plugin and redirected the output to a file named "timeline.txt". I opened it in Notepad and searched for the date, and found that the process running at that time was "skype.exe".
What was written in notepad.exe at the time when the memory dump was captured?
This question was quite involved, but not impossible. From earlier questions I knew that Notepad's PID was 3032. Using the command below, I dumped the process memory.
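For the Notepad question, an added example (not the write-up's code) that searches a dumped region for the "flag<" hint in both ASCII and UTF-16LE; Notepad holds its text as UTF-16, which is why the Sysinternals strings tool (which scans both encodings by default) finds it while an ASCII-only search would not. It assumes the dump file came from windows.memmap with --pid 3032 --dump, and the sample buffer is constructed.

```python
import re

# Added example, not the write-up's code. Searches a dumped process region for
# flag<...> strings in both ASCII and UTF-16LE: Notepad keeps its edit buffer
# as UTF-16, so an ASCII-only search would miss the text. Assumes the dump came
# from:  vol.py -f Triage-Memory.mem windows.memmap --pid 3032 --dump

def find_tagged_strings(data, prefix="flag<", suffix=">", max_len=200):
    """Return (encoding, text) for every prefix...suffix string found in data."""
    body = rb"[^>\x00-\x1f\x7f-\xff]"          # printable ASCII except the closer
    ascii_pat = re.compile(re.escape(prefix.encode()) + body + rb"{1,%d}" % max_len
                           + re.escape(suffix.encode()))
    utf16_pat = re.compile(re.escape(prefix.encode("utf-16-le"))
                           + rb"(?:" + body + rb"\x00){1,%d}" % max_len
                           + re.escape(suffix.encode("utf-16-le")))
    hits = [("ascii", m.group().decode("ascii")) for m in ascii_pat.finditer(data)]
    hits += [("utf-16le", m.group().decode("utf-16-le")) for m in utf16_pat.finditer(data)]
    return hits

def constructed_dump():
    """Constructed stand-in for a dumped Notepad region: binary filler around an
    ASCII string and the UTF-16LE text Notepad itself would hold."""
    filler = bytes(range(256)) * 4
    return (filler + b"flag<ASCII_SAMPLE>" + filler
            + "Hello world flag<UNICODE_SAMPLE>".encode("utf-16-le") + filler)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_dump()
    for enc, text in find_tagged_strings(data):
        print(enc, text)
```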
Then, using the "strings" program from the Sysinternals Suite (which can be downloaded from ), I searched for the string "flag<", which was given as a hint for the answer. The flag is "flag<REDBULL_IS_LIFE>".
What is the short name of the file at file record 59045?
To answer this question, I used the windows.mftscan.MFTScan plugin and redirected the output to a file.
When it finished, I opened the file in Notepad and searched for "59045", where I found the solution.
As we saw earlier, there is a suspicious file named UWkpjFjDzM.exe on the system, and we found its PID to be 3496. Following this trail, it's likely that this file is responsible for the compromise.
This was a challenging room that helped me grasp the basics of Volatility. An extra challenge was using Volatility 3 for questions that expected Volatility 2...
Nevertheless, I had a lot of fun with it.
See you soon!