Intro
Hi, I'm writing another small write-up. Today it's about the CTF challenge "TrueSecrets", which can be found on the platform HackTheBox.
The scenario: after an investigation of an APT group that developed its own C2 server, the investigators were able to raid the home of the group's leader and create a memory dump of his computer. The task is to analyse the memory dump and recover the source code of the C2 server.
Starting the analysis
Well, that sounds interesting. I downloaded the dump and unzipped it.
After unzipping I see the file TrueSecrets.raw; the notes.txt is mine, for taking notes while solving the challenge.
Running the command file on the dump only tells me that it contains "data" and nothing more. Since the file is a memory dump, I use the Volatility framework to get some information about the image:
vol.py -f TrueSecrets.raw imageinfo
Inspect the dump with Volatility
OK, it's a memory dump of a Windows 7 computer; the first profile I want to try is Win7SP1x86_23418.
What can I do now? I can list the running processes from the dumped process list of the image with this command:
vol.py -f TrueSecrets.raw --profile=Win7SP1x86_23418 pslist
Three interesting processes are listed. The first is TrueCrypt.exe, which tells me there is probably an encrypted container that I have to dump and open. The second is 7zFM.exe, which gives me the clue that a zip file is stored somewhere. The third is DumpIt.exe, which I'll look at later. The first thing I do is list all processes with their command lines to find out what is going on here.
7zFM.exe was started with the path to a zip file as argument. At this point I can use Volatility to dump the zip file locally by running:
vol.py -f TrueSecrets.raw --profile=Win7SP1x86_23418 dumpfile -r .zip$ --dump-dir dump
With the command file I verified that the dumped files are zip archives and renamed the two files to "backup_development.zip" and "backup_development2.zip". Then I unzipped each one and got the container files.
Crack the container
Because TrueCrypt keeps the passphrase in memory, I can extract it from the dump with Volatility.
And here it is, the password for the container file:
X2Hk2XbEJqWYsh8VdbSYg6WpG9g7
To open the container I installed VeraCrypt, which still supports TrueCrypt volumes.
After entering the password, the container is mounted as a new volume at /media/veracrypt1.
The container holds the source code and some weird .enc files. The first thing I did was analyse the code; the snippet I found contains an encryption method with the hardcoded key AKaPdSgV and initialization vector QeThWmYq.
The messages are encrypted with DES, an old and weak cipher. Then I looked at the .enc files under malware_agent/sessions.
DES-Decrypting
Well, I wrote a simple DES decryptor that uses the key and the initialization vector to decrypt each file line by line.
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import base64
import os
from Crypto.Cipher import DES   # pycryptodome

key = b"AKaPdSgV"   # hardcoded key taken from the C2 source
iv = b"QeThWmYq"    # hardcoded IV taken from the C2 source

def decryptSessionData(ctext):
    # DES-CBC works on whole 8-byte blocks: pad up to the next multiple of 8
    # so a truncated line still decrypts instead of raising an error
    def pad(text):
        n = (-len(text)) % 8
        return text + (b' ' * n)
    data = pad(base64.b64decode(ctext))
    des = DES.new(key, DES.MODE_CBC, iv)   # same static key/IV for every message
    print(des.decrypt(data))

path = '/media/veracrypt1/malware_agent/sessions/'   # container mounted by VeraCrypt
for file in os.listdir(path):
    with open(os.path.join(path, file), 'r') as f:
        lines = f.readlines()
    for line in lines:
        if line.strip():   # skip empty lines
            decryptSessionData(line)
Rootflag
The decryptor now decrypts each file line by line; somewhere in the output must be the flag.
Here is the flag:
HTB{570r1ng_53cr37_1n_m3m0ry_15_n07_g00d}
This challenge was fun, I hope you enjoyed it, and see you next time 😄