Forensic 220 challenge of ASIS CTF 2013
Task
Points: 220
Level: 1
What if the flag?
file: http://asis.io/media/mem.dump.xz
mirror: https://docs.google.com/file/d/0B5y5AGVPzpIOM3dINnlPUkk4aGc/edit
MD5: 7d06b077961dbd564e600c5363eaffb8
In this challenge, we get a big file which is obviously a memory dump of a running machine.
Okay, what filetype is it exactly?
It's a VirtualBox memory dump. Let's see which OS it's running, possibly Linux?
Okay, we have a VirtualBox memory dump of a running Ubuntu Linux with kernel 3.5.0. We can use Volatility for analysing the contents, but first we need a Volatility profile for this exact kernel; luckily someone else has already built one.
Now we have everything we need to find what's inside this memory dump with Volatility. Let's see which processes are running:
Okay, we have a running editor and a running app called asis-ctf. That process sounds interesting, so let's dump the process ./asis-ctf:
The file task.9425.0x600000.vma contains the binary itself, so let's open it in IDA. The function sub_400644 is the main function. We can see that the app asks "What do you want?" and, if we input "flag", it prints out every second char of a variable on the stack that is initialized at the beginning of the function:
Let's see what happens if we do the same in Python:
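As an added example (my own code, not the author's script), the step described above in Python: rebuild the stack buffer from the qword immediates as IDA lists them for the initialisation stores, then take every second character the way the binary's print loop does. The offsets and immediates below are constructed sample values, not the ones from mem.dump.

```python
import struct
from typing import Iterable, List, Tuple

# Constructed example: (stack offset, qword immediate) pairs as they would be read
# from IDA's disassembly of a sequence like "mov [rbp+var_30], imm64".
# These values are made up for illustration; they are NOT taken from mem.dump.
SAMPLE_STACK_STORES: List[Tuple[int, int]] = [
    (-0x30, 0x3470336d32613173),
    (-0x28, 0x3866375f3665356c),
    (-0x20, 0x322131673061396c),
]


def rebuild_stack_buffer(stores: Iterable[Tuple[int, int]], width: int = 8) -> bytes:
    """Reassemble a stack string from immediate stores.

    IDA shows each store as an integer immediate, but on x86-64 the bytes land
    in memory little-endian, so each immediate is packed with '<Q' (or '<I' for
    dword stores) and the chunks are joined in ascending address order, i.e.
    lowest (most negative) offset first, which is the order the program later
    walks the buffer. Sorting also copes with compilers that emit the stores
    out of address order.
    """
    ordered = sorted(stores, key=lambda s: s[0])
    fmt = {8: "<Q", 4: "<I"}[width]
    return b"".join(struct.pack(fmt, imm) for _, imm in ordered)


def every_second_char(buf: bytes, start: int = 0) -> str:
    """Mimic the binary's print loop: emit buf[start], buf[start+2], ..."""
    return buf[start::2].decode("ascii", errors="replace")


def extract_flag(stores: Iterable[Tuple[int, int]], start: int = 0) -> str:
    """Full pipeline: immediates -> little-endian buffer -> every second char."""
    return every_second_char(rebuild_stack_buffer(stores), start)


if __name__ == "__main__":
    print(extract_flag(SAMPLE_STACK_STORES))
```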
Voila!
+= 220