Forensic Lab Game Zero - Level 2 Results

Below are my solutions to the level 2 of the forensics lab game zero. The solutions to  the level 1 of the game are posted here.

1. Find way to reset root's account password and retrieve flag from /root/flag.txt

Reboot the VM and press 'e ' edit inside the Grub menu screen. Add command init=/bin/bash at the end of the line starting with linux and press F10. Thne mount file system as read-write.

root@(none):/# mount -n -o remount,rw /

Change password for user root.
root@(none):/# passwd

root@(none):/# cat /root/flag.txt
8d55761dfafe912daa2fa6c38e05435093f7f636

root@(none):/# echo -n '8d55761dfafe912daa2fa6c38e05435093f7f636' | sha1sum
0166bc38c1165d0ba783ea722b84ed3a0d2547f8

Restart the virtual machine and switch to the root account.

2. There is a memory dump of the windows machine is stored in file /root/memdump.mem. Find the flag among commands executed on that machine

Find info about our memory dump with imageinfo plugin.

root@debian1989:/home/kassad# python /opt/tools/volatility-2.4/vol.py imageinfo -f /root/memdump.mem | grep Profile
Volatility Foundation Volatility Framework 2.4
Suggested Profile(s) : Win7SP0x86, Win7SP1x86

To avoid typing chosen profile --profile=Win7SP1x86 every time vol.py is called, export the profile.

root@debian1989:/home/kassad# export VOLATILITY_PROFILE=Win7SP1x86

To avoid typing path to memory dump file, export memory dump location so you do not need to add argument -f /root/memdump.mem.

root@debian1989:/home/kassad# export VOLATILITY_LOCATION=file:///root/memdump.mem

root@debian1989:/home/kassad# cd /opt/tools/volatility-2.4

Extract commands history.

root@debian1989:/opt/tools/volatility-2.4# python vol.py cmdscan | grep flag
Volatility Foundation Volatility Framework 2.4
Cmd #3 @ 0x113e68: echo 'The flag is the sha1 sum of the text: "modern internet explorer"'

root@debian1989:/opt/tools/volatility-2.4# echo -n 'modern internet explorer' | sha1sum
b56ee489d66686a469eb3a96a6bc2ba4c19b7fe2

root@debian1989:/opt/tools/volatility-2.4# echo -n 'b56ee489d66686a469eb3a96a6bc2ba4c19b7fe2' | sha1sum
7d58d518074deccbbce0655f24cb09f392242bab

3. The Volatility Framework has remarkable number of plugins, extract the NT hash of logged in user

Checking the commands history helps us to find logged user who entered the commands.

root@debian1989:/opt/tools/volatility-2.4# python vol.py consoles

C:\Users\IEUser>Hello sans ;)
<Output truncated>

User IEUser was logged in. Now we can extract the hash of the user IEUser from the dump.

root@debian1989:/opt/tools/volatility-2.4# python ./vol.py hashdump | grep IEUser
Volatility Foundation Volatility Framework 2.4
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::

The hash type is LM hash and the constant value aad3b435b51404eeaad3b435b51404ee is easily recognized. It means that  password is less than 8 characters. The LM hash is fc525c9683e8fe067095ba2ddc971889.

root@debian1989:/opt/tools/volatility-2.4# echo -n 'fc525c9683e8fe067095ba2ddc971889' | sha1sum
fe20c26f4948915bdaa0b509203ff7005d136a22

Cracking the hash with hashcat gives us the password Passw0rd!.

$ ./hashcat-cli64.bin -m 1000 hashlm.txt /home/brezular/rockyou.txt
fc525c9683e8fe067095ba2ddc971889:Passw0rd!

4. Analyze saved web browser profile in /root/web_browser_profile folder. What is the password for administrative account for local LAN router of the profile's user.

root@debian1989:/opt/tools/volatility-2.4# cd /root/web_browser_profile/1hysdb7q.default/
root@debian1989:~/web_browser_profile1hysdb7q.default/# grep 'admin' *

<Output truncated>
http://administrator:velmiDl0uh3aB3zpecneH3s10@192.168.1.1/favicon.ico
<Output truncated>

root@debian1989:~/web_browser_profile1hysdb7q.default/# echo -n 'velmiDl0uh3aB3zpecneH3s10' | sha1sum
2284b4bc84941ba29f2e4565483c8ec5d143ec28

5. Find the flag inside core dump file in /root directory

root@debian1989:/opt/tools/volatility-2.4# strings /root/core.watch.xx

There is the string ca6f99804a29c7979ae0155e01a61cb622d9213e inside the file which is the flag.

root@debian1989:/opt/tools/volatility-2.4# echo -n ca6f99804a29c7979ae0155e01a61cb622d9213e | sha1sum
eaef2ac12f4e48d69eb68fa5c6a710e54ebdc9f7

6. Find a hidden flag inside animated GIF from /root folder

root@debian1989:~# strings homer1.gif
<Output truncated>
6f77ac81e69a136a3141a30917b2781e04cfd4b1
flag.txtUT
eM+Wux

The flag is 6f77ac81e69a136a3141a30917b2781e04cfd4b1.

root@debian1989:~# echo -n '6f77ac81e69a136a3141a30917b2781e04cfd4b1' | sha1sum
6c9d2f2d70b6a7724cfc787a647fd77b92995f5b

7. In the packet capture located at /root/icmp.pcap, what is the most likely reason that one of the nodes isn't getting replies from the queried host? - wrong ttl, incorrect mac address, icmp destination port, bad checksum

Incorrect MAC address for host 10.0.2.2 (default gw) 52:54:11:af:cc:92. The correct MAC address for the host 10.0.2.2 should be 52:54:00:12:35:02.

kassad@debian1989:~$ echo -n 'incorrect mac address' | sha1sum
2bd71159233742ecd6f8a6002a64e7919aedaa10

8. What process is listening on tcp/4444? Enter the full path of the executable as the answer

First find the name and PID of process.

root@debian1989:/home/kassad# ps -auxew | grep 4444 | grep -v grep
nobody 2300 0.0 0.1 20616 1992 ? S 22:16 0:00 ncat --send-only -l -k 127.0.0.1 4444 HOME=/nonexistent LOGNAME=nobody PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin LANG=en_US.UTF-8 SHELL=/bin/sh PWD=/var/spool/cron

The script starting ncat is running wit PID 2300. Utility ncat is listening on port 4444. The last line of the /etc/crontab tells us that every minute, the check is done if the process with the name local-service is running. If not, the script /usr/local/bin/local-service.sh is started.

root@debian1989:/home/kassad# tail -1 /etc/crontab
* * * * * nobody pgrep local-service || /usr/local/bin/local-service.sh

The script local-service.sh is responsible for 'keeping ncat listening on port 44444'. It loops checking if the number 4444 can be found in the process. If not it starts ncat binary.

root@debian1989:/home/kassad# cat /usr/local/bin/local-service.sh
#!/bin/sh
#in courtesy of sans.org, I hate to reinvent a wheel

while true; do lsof -i | grep ":4444" || cat /etc/motd | ncat --send-only -l -k 127.0.0.1 4444; done

In fact, they are two ncat binaries in the path.

root@debian1989:/home/kassad# whereis ncat
ncat: /usr/bin/ncat /usr/local/bin/ncat /usr/share/man/man1/ncat.1.gz

The find out an absolute path to binary ncat which is listening on TCP port 4444 we use the command:

root@debian1989:/home/kassad# readlink  /proc/2300/exe
/usr/local/bin/ncat

root@debian1989:/home/kassad# echo -n '/usr/local/bin/ncat' | sha1sum
4498850f38ab1be0a9a16b79df17a280a39f7c04

9. In C program, /root/program.o, which of the expected arguments can trigger heap buffer overflow – none, first, second, third

root@debian1989:~# /root/program.o 

If the argument 1 exceeds the certain length of characters,  binary crashes.

root@debian1989:~# echo -n 'first' | sha1sum
e0996a37c13d44c3b06074939d43fa3759bd32c1

End of level 2.

3 thoughts on “Forensic Lab Game Zero - Level 2 Results

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.