
HTB - TrueSecrets

Strider

Intro

Hi, here is another small write-up. Today it is about the CTF challenge "TrueSecrets", which can be found on the platform HackTheBox.

The scenario: after some investigation of an APT group that developed its own C2 server, the investigators were able to raid the home of the group's leader and create a memory dump of his computer. The task is to analyse the memory dump and try to recover the source code of the C2 server.

Start the analysis

Well, that sounds interesting. I downloaded the dump and unzipped it.

dia1.png

After unzipping I see the file TrueSecrets.raw; notes.txt is just my own file for taking notes while solving this challenge.

dia2.png

Running the command file on the dump only tells me that it contains "data" and nothing more. Because the file is a memory dump, I use the Volatility framework to get some information about the image:

vol.py -f TrueSecrets.raw imageinfo

Inspect the dump with Volatility

dia3.png

OK, it is a memory dump of a Windows 7 computer; the first suggested profile I want to try is Win7SP1x86_23418. What can I do now? I can list the processes recorded in the process list of the image with this command:

vol.py -f TrueSecrets.raw --profile=Win7SP1x86_23418 pslist

dia4.png

There are three interesting processes listed. The first one is TrueCrypt.exe, which suggests there is an encrypted container that I have to dump and open. The second is 7zFM.exe, a clue that a zip file is stored somewhere. The third one is DumpIt.exe, the tool that created this memory dump; I will look at it later. The first thing I do is list every process together with its command line to find out what is going on here.

dia5.png

The program 7zFM.exe has the path to a zip file as its argument. At this point I can use Volatility's dumpfiles plugin to write that zip file to disk, matching every cached file object whose name ends in .zip:

vol.py -f TrueSecrets.raw --profile=Win7SP1x86_23418 dumpfiles -r .zip$ --dump-dir dump

dia6.png

Using the command file I verified that the dumped files are zip archives and renamed the two of them to "backup_development.zip" and "backup_development2.zip". Then I unzipped each one and got the container files.

dia7.png

Crack the container

Because the TrueCrypt driver keeps the passphrase of a mounted volume in memory, I do not have to crack anything: I can extract the passphrase from the dump with Volatility (Volatility 2 ships a truecryptpassphrase plugin for exactly this).

dia8.png

And here it is, the password for the container file:

X2Hk2XbEJqWYsh8VdbSYg6WpG9g7

dia9.png

To open the container I installed VeraCrypt, which can mount TrueCrypt volumes in its TrueCrypt compatibility mode.

dia10.png

After entering the password, the container is mounted as a new volume at /media/veracrypt1.

dia11.png

The container holds the source code and some weird .enc files. The first thing I did was analyse the code, which contains the snippet shown below: an encryption method with the hardcoded key AKaPdSgV and initialization vector QeThWmYq. The cipher used for the messages is DES in CBC mode, an old and weak algorithm with a 56-bit key and 8-byte blocks, and because both key and IV are fixed in the source, anyone who has the code can decrypt every recorded session. Then I looked at the .enc files under malware_agent/sessions.

DES-Decrypting

dia12.png

Well, I wrote a simple DES decryptor that uses the key and the initialization vector to decrypt each file line by line.

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

import base64
import os
from Crypto.Cipher import DES  # pycryptodome

# Hardcoded key and IV taken from the recovered C2 source
key = b"AKaPdSgV"
iv = b"QeThWmYq"


def decryptSessionData(ctext):
    def pad(text):
        # DES works on 8-byte blocks: round the length up to a
        # multiple of 8 (the original added len % 8 bytes, which
        # makes a misaligned buffer longer but not aligned)
        n = (8 - len(text) % 8) % 8
        return text + (b' ' * n)

    data = pad(base64.b64decode(ctext))
    des = DES.new(key, DES.MODE_CBC, iv)

    print(des.decrypt(data))


path = 'veracrypt1/malware_agent/sessions/'
for file in os.listdir(path):
    with open(os.path.join(path, file), 'r') as f:
        lines = f.readlines()

    for line in lines:
        line = line.strip()  # drop the trailing newline
        if line:             # skip empty lines
            decryptSessionData(line)

Rootflag

The decryptor now decrypts each file line by line, and somewhere in that output must be the flag.

dia13.png

Here is the flag:

HTB{570r1ng_53cr37_1n_m3m0ry_15_n07_g00d}

This challenge was fun; I hope you enjoyed it and see you next time 😄