Magnet CTF Week 12 - Registry update analysis

Updated: 5 minute read

Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!

CTF Posts

Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 Week 8 Week 9 Week 10 Week 11

Getting Started

New image for December! It can be found here. This is a memory image, and this week has multiple questions. Note: I may jump between Volatility 2.6 and 3 as I’m playing around.

Q1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed!

First I did a strings search over memory for “hacked” with a few lines of context. This returned some BING searches. From past weeks I don’t remember any Bing searches in Chrome. Double check Chrome history shows no Bing. So most likely we are dealing with Internet Explorer.

$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 pslist | grep iexplore
Volatility Foundation Volatility Framework 2.6
0xfffffa8032c66060 iexplore.exe           2984   2672     14      514      1      0 2020-04-20 23:18:35 UTC+0000                                 
0xfffffa8031d34a40 iexplore.exe           4480   2984     18      566      1      1 2020-04-20 23:18:35 UTC+0000

Two PIDs exist for iexplore. Let’s search both PIDs for strings related to hacking.

$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 yarascan -Y "hack" -p 2984
Volatility Foundation Volatility Framework 2.6
[SNIP - nothing interesting]
$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 yarascan -Y "hack" -p 4480
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process iexplore.exe Pid 4480
0x002fc813  68 61 63 6b 65 64 2b 6f 76 65 72 2b 61 6e 64 2b   hacked+over+and+
0x002fc823  6f 76 65 72 26 73 72 63 3d 49 45 2d 54 6f 70 52   over&src=IE-TopR
0x002fc833  65 73 75 6c 74 26 46 4f 52 4d 3d 49 45 54 52 30   esult&FORM=IETR0
0x002fc843  32 26 63 6f 6e 76 65 72 73 61 74 69 6f 6e 69 64   2&conversationid
0x002fc853  3d 00 00 00 00 fc 37 aa 10 00 00 00 80 77 02 6f   =.....7......w.o
0x002fc863  6b 69 65 3a 20 53 52 43 48 44 3d 41 46 3d 4e 4f   kie:.SRCHD=AF=NO
0x002fc873  46 4f 52 4d 3b 20 53 52 43 48 55 49 44 3d 56 3d   FORM;.SRCHUID=V=
0x002fc883  32 26 47 55 49 44 3d 33 32 41 41 33 42 35 31 37   2&GUID=32AA3B517
0x002fc893  36 30 42 34 41 39 44 38 42 37 36 42 36 36 41 44   60B4A9D8B76B66AD
0x002fc8a3  42 39 41 42 34 37 35 26 64 6d 6e 63 68 67 3d 31   B9AB475&dmnchg=1
0x002fc8b3  3b 20 53 52 43 48 55 53 52 3d 44 4f 42 3d 32 30   ;.SRCHUSR=DOB=20
0x002fc8c3  32 30 30 34 32 30 26 54 3d 31 35 38 37 34 32 34   200420&T=1587424
0x002fc8d3  37 32 35 30 30 30 00 00 00 00 00 00 00 eb 37 aa   725000........7.
0x002fc8e3  10 00 00 00 88 6e 00 00 00 68 00 74 00 74 00 70   .....n...h.t.t.p
0x002fc8f3  00 73 00 3a 00 2f 00 2f 00 77 00 77 00 77 00 2e   .s.:././.w.w.w..
0x002fc903  00 62 00 69 00 6e 00 67 00 2e 00 63 00 6f 00 6d   .b.i.n.g...c.o.m
[SNIP]

PID 4480 returned a lot of hits for hacking. Trying PID 4480 and BING! Success.

Q2: What is the product version of the application from Part 1? Format: XX.XX.XXXX.XXXXX

Checking the Windows Registry…

$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 printkey -K "Microsoft\Internet Explorer"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: Internet Explorer (S)
Last updated: 2020-04-20 20:25:57 UTC+0000
[SNIP]

Values:
REG_SZ        MkEnabled       : (S) Yes
REG_SZ        Version         : (S) 9.11.9600.18860
REG_SZ        Build           : (S) 99600
REG_SZ        W2kVersion      : (S) 9.11.9600.18860
REG_DWORD     IntegratedBrowser : (S) 1
REG_SZ        svcKBFWLink     : (S) https://go.microsoft.com/fwlink/?linkid=862372
REG_SZ        svcVersion      : (S) 11.0.9600.18860
REG_SZ        svcUpdateVersion : (S) 11.0.49
REG_SZ        svcKBNumber     : (S) KB4052978

The Version and svcVersion are almost the right format, but both are missing one digit. Trying both… fail.

I figured the Registry would be correct, but maybe the executable was updated after execution? So we need to dump the executable from memory. We already have the PID, so we are halfway home.

$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 procdump -D dump/ -p 4480
Volatility Foundation Volatility Framework 2.6
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8031d34a40 0x00000000013d0000 iexplore.exe         OK: executable.4480.exe

Now we could use fancy tools to reverse the executable, but I’ll stick with xxd.

$ xxd executable.4480.exe | more
[SNIP]
000c2d20: 5800 4500 0000 0000 4400 1200 0100 5000  X.E.....D.....P.
000c2d30: 7200 6f00 6400 7500 6300 7400 4e00 6100  r.o.d.u.c.t.N.a.
000c2d40: 6d00 6500 0000 0000 4900 6e00 7400 6500  m.e.....I.n.t.e.
000c2d50: 7200 6e00 6500 7400 2000 4500 7800 7000  r.n.e.t. .E.x.p.
000c2d60: 6c00 6f00 7200 6500 7200 0000 4600 1100  l.o.r.e.r...F...
000c2d70: 0100 5000 7200 6f00 6400 7500 6300 7400  ..P.r.o.d.u.c.t.
000c2d80: 5600 6500 7200 7300 6900 6f00 6e00 0000  V.e.r.s.i.o.n...
000c2d90: 3100 3100 2e00 3000 3000 2e00 3900 3600  1.1...0.0...9.6.
000c2da0: 3000 3000 2e00 3100 3800 3800 3500 3800  0.0...1.8.8.5.8.
000c2db0: 0000 0000 4400 0000 0100 5600 6100 7200  ....D.....V.a.r.
000c2dc0: 4600 6900 6c00 6500 4900 6e00 6600 6f00  F.i.l.e.I.n.f.o.
000c2dd0: 0000 0000 2400 0400 0000 5400 7200 6100  ....$.....T.r.a.
000c2de0: 6e00 7300 6c00 6100 7400 6900 6f00 6e00  n.s.l.a.t.i.o.n.
[SNIP]

Near the end of the binary we can see the product version in the correct format. The minor version is 18858 so it was updated after execution. Trying 11.00.9600.18858 and BING! Success!

Lessons Learned

I wanted to dump the executable first, but I felt too lazy to try to reverse it. Instead I thought “oh everything is recorded in the Registry anyway.” Well, the Registry is close, but actually slightly higer version than the loaded executable. Lesson learned - always dump the executable.

This was the final week for the Magnet Weekly CTF. It was SO FUN! I like the slow pace and hard problems each week. I learned so much through this. Thanks so much to Magnet Forensics for hosting this!