Scribd Logo
Upload

Welcome to Scribd!

  • MEGO Writeup

    Uploaded by

    Toby Mac
    5 views5 pages
    The document provides steps to analyze a memory dump file to retrieve a flag. It describes using Volatility3 to get image info and find a .zip file location, dumping the file, cracking its password with John the Ripper using a wordlist found via decoded browser history, and revealing the flag inside.

    Original Description:

    Cybertalents write up

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document provides steps to analyze a memory dump file to retrieve a flag. It describes using Volatility3 to get image info and find a .zip file location, dumping the file, cracking its password with John the Ripper using a wordlist found via decoded browser history, and revealing the flag inside.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    5 views5 pages

    MEGO Writeup

    Uploaded by

    Toby Mac
    The document provides steps to analyze a memory dump file to retrieve a flag. It describes using Volatility3 to get image info and find a .zip file location, dumping the file, cracking its password with John the Ripper using a wordlist found via decoded browser history, and revealing the flag inside.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 5

    MEGO Challenge

    Mego is hiding something on his desktop and he always kept the secrets on the cloud

    Link:https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/memdump123456789.mem.tar.gz

    First, I tried to check the strings inside the mem dump file , and filtering the output to match only the word "flag" using
    the command:

    $ cat file_name | strings | grep "flag"

    I found interesting hint in the result:

    C:\Users\admin\Downloads\flag.txt.zip

    But currently, we can do nothing with it .....

    So, we’ll need a tool to dump info from our file. (Volatility Tool)

    - tutorial Video to install Volatility3:

    https://www.youtube.com/watch?v=HKRZohqJEMM

    Follow the steps to install Volatility (version 3 i.e. compatible with Python3) in Linux based systems.

    I have selected Volatility3 because it is compatible with Python3.

    Note: To run Volatility3 the commands & plugin names for Volatility3 are different that volatility2.

    - Steps are reproduced below for copy pasting:

    -----------------------------------------------
    Installing Volaitity in Kali Linux:

    -----------------------------------------------

    1. Download Volatility3 source code zip file from

    https://www.volatilityfoundation.org/...

    2. Extract it & rename it for simplicity.

    3. Install Python if not available (in my system it is already installed):

    $ sudo apt install python3

    4. Open Terminal and install dependencies for volatililty using below cmd:

    $ sudo apt install python3-pip python-setuptools build-essential

    5. Navigate into the volatility directory and hit the below cmd to install volatility:

    $ sudo python3 setup.py install

    and installation is complete.

    Check using cmd:

    $ python3 vol.py

    - We start by trying to determine image info by using the volatility tool:

    $ python3 vol.py -f /path_to_mem_dump_file windows.info

    from the output we notice that the image belongs to: NTBuildLab 7601.17514.amd64fre.win7sp1_rtm.

    so... windows7sp1

    - Now, we know which profile to use: (win7sp1) and we know which file to scan for (the "flag.txt.zip" file). So, we use it
    with the command:

    $ python3 vol.py -f /path_to_mem_dump_file windows.filescan | grep -i "flag"


    we'll have a result of all the files that matches "falg"

    we choose the one that located in the path (C:\Users\admin\Downloads\flag.txt.zip) to dump it by specifying its physical
    address in the command:

    $ python3 vol.py -f /path_to_mem_dump_file windows.dumpfiles --physaddr 0x50dc4370

    now we'll have a file.flag.txt.zip.dat . we rename to have a .zip file in order to open it ...

    unfortunately, it has a password....

    we can use any password cracking tools (fcrackzip , John the Ripper, ....)

    To use john the Ripper tool, we need to have the hash of the file...

    and in order to do so, we will convert our zip file into a txt file by using the command:

    $ zip2john zip_file_name.zip > zip_file_name.txt

    now, we confirm that we have a hash for the file by using the command:

    # cat zip_file_name.txt

    the result of the previous command would be a hash!

    After that, it's time to crack that hash by the tool "John the Ripper" with the command:

    # john zip_file_name.txt

    (This may take some time depending on your device hardware)


    (The default wordlist of john the ripper did not crack the password......)

    So, based on the challenge intro (the user always keeps his secrets on the cloud), we try to check the browser history.
    However, volatility3 does not support the needed plugin (iehistory) which only works on volatility2...

    (I tried a lot to find a replacement of the "iehistory" plugin for volatility3, but with did not succussed...

    So, we’ll use another Linux machine which has volatility2 to check the browser history)

    the command is:

    $ python2 vol.py -f memdump.mem --profile=Win7SP1x64 iehistory

    from the output, this link was interesting:

    Record length: 0x480

    Location: Visited: admin@https://www.google.com/search?hl=ar-


    AE&source=hp&q=aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZWd5Y29uZG9yL2VlYTQyZWZkY2M4YWZmZjZlY2E3ODllZmFk
    MDkyNGY0&btnG=%D8%A8%D8%AD%D8%AB+Google%E2%80%8F&iflsig=AINFCbYAAAAAYNklB-
    nHZ11BsWPswjKaNT4sXGZcL73d&gbv=1

    Last modified: 2021-06-28 00:25:40 UTC+0000

    So, we’ll try to decode it using base64 with the command:

    echo "aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZWd5Y29uZG9yL2VlYTQyZWZkY2M4YWZmZjZlY2E3ODllZmFkMDkyNGY0"
    | base64 -d

    and the result was a link for a repository of a wordlist:

    https://gist.github.com/egycondor/eea42efdcc8afff6eca789efad0924f4

    I downloaded the new wordlist from that link and used it with john the ripper to crack the .txt file

    when finished, we can see the cracked hash password among the result. However, to make the result (password) clearer

    we can use the command:

    $ john zip_file_name.txt --show


    the password was: g=ax6w{JPtHL./FdE&8ASVbu$rcmG?zZ

    and after using to open the .zip file, I got the flag :)

    the flag is: flag{FF571983C5693A57024858E6529A7408D16791846918}

    Happy Practicing & Learning!

    Recoverable Signature

    X
    M.A.J
    ICT Specialsit
    Signed by: M.A.J

    You might also like