Since I never had a chance to work with volatility and Linux dumps, I've decided to take a crack at this challenge.
We were given a memory dump. Looking at strings we could tell it's from a VirtualBox image running Ubuntu with a 3.5.0-23-generic kernel.
strings /tmp/mem.dump | grep BOOT_
BOOT_IMAGE=/vmlinuz-3.5.0-23-generic
Since the profile available on the Volatility site is for an older kernel, we had to make our own (the steps are described here).
After that it's time to play ;]
First, the bash history: it's quite long, but this part looks important:
$ ./vol.py -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_bash -H 0x6ee4c0
Volatile Systems Volatility Framework 2.3_beta
....
967 bash 2013-08-26 11:27:53 UTC+0000 uname -a
967 bash 2013-08-26 11:27:53 UTC+0000 wget 172.16.133.149:8090/asis-ctf -O /tmp/
967 bash 2013-08-26 11:27:53 UTC+0000 wget 172.16.133.149:8090/asis-ctf
967 bash 2013-08-26 11:27:53 UTC+0000 ls
967 bash 2013-08-26 11:27:53 UTC+0000 du -h asis-ctf
967 bash 2013-08-26 11:27:53 UTC+0000 chmod +x asis-ctf
967 bash 2013-08-26 11:27:53 UTC+0000 ./asis-ctf
967 bash 2013-08-26 11:27:53 UTC+0000 sudo poweroff
967 bash 2013-08-26 11:27:54 UTC+0000 ls
967 bash 2013-08-26 11:30:37 UTC+0000 ./asis-ctf
967 bash 2013-08-26 12:00:04 UTC+0000 sudo apt-get install lynx
967 bash 2013-08-26 12:00:27 UTC+0000 lynx
967 bash 2013-08-26 12:10:44 UTC+0000 sudo apt-get install elinks
967 bash 2013-08-26 12:10:57 UTC+0000 elinks
967 bash 2013-08-26 12:14:58 UTC+0000 clear
967 bash 2013-08-26 12:15:00 UTC+0000 ls
967 bash 2013-08-26 12:15:28 UTC+0000 cp asis-ctf flag1
...
So let's take a look at the processes:
vol.py -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_pstree
Volatile Systems Volatility Framework 2.3_beta
Name                 Pid             Uid
...
.login               837             0
..bash               967             1000
...asis-ctf          9425            1000
...nano              15584           1000
.apache2             16346           0
...
And let's dump the asis-ctf process memory and analyze it:
$ vol.py -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_dump_map -p 9425 -D foo/
Volatile Systems Volatility Framework 2.3_beta
Task       VM Start           VM End             Length             Path
---------- ------------------ ------------------ ------------------ ----
      9425 0x0000000000400000 0x0000000000401000             0x1000 foo/task.9425.0x400000.vma
      9425 0x0000000000600000 0x0000000000601000             0x1000 foo/task.9425.0x600000.vma
      9425 0x0000000000601000 0x0000000000602000             0x1000 foo/task.9425.0x601000.vma
      9425 0x00007fd496e34000 0x00007fd496fe9000           0x1b5000 foo/task.9425.0x7fd496e34000.vma
      9425 0x00007fd496fe9000 0x00007fd4971e8000           0x1ff000 foo/task.9425.0x7fd496fe9000.vma
      9425 0x00007fd4971e8000 0x00007fd4971ec000             0x4000 foo/task.9425.0x7fd4971e8000.vma
      9425 0x00007fd4971ec000 0x00007fd4971ee000             0x2000 foo/task.9425.0x7fd4971ec000.vma
      9425 0x00007fd4971ee000 0x00007fd4971f3000             0x5000 foo/task.9425.0x7fd4971ee000.vma
      9425 0x00007fd4971f3000 0x00007fd497215000            0x22000 foo/task.9425.0x7fd4971f3000.vma
      9425 0x00007fd497408000 0x00007fd49740b000             0x3000 foo/task.9425.0x7fd497408000.vma
      9425 0x00007fd497411000 0x00007fd497415000             0x4000 foo/task.9425.0x7fd497411000.vma
      9425 0x00007fd497415000 0x00007fd497416000             0x1000 foo/task.9425.0x7fd497415000.vma
      9425 0x00007fd497416000 0x00007fd497418000             0x2000 foo/task.9425.0x7fd497416000.vma
      9425 0x00007fff62ff0000 0x00007fff63012000            0x22000 foo/task.9425.0x7fff62ff0000.vma
      9425 0x00007fff63048000 0x00007fff63049000             0x1000 foo/task.9425.0x7fff63048000.vma
To do real RE we should reconstruct the binary, but I didn't bother, assuming it's a really simple app: IDA can follow the program headers and skip the sections which are not present in the dumped image.
The binary was indeed simple: it waits for input, and if the input is 'flag' it prints the flag.
The flag was put on the stack byte-by-byte:
LOAD:0000000000400683 mov byte ptr [rbp+var_A0], 66
LOAD:000000000040068A mov byte ptr [rbp+var_A0+1], 73
LOAD:0000000000400691 mov byte ptr [rbp+var_A0+2], 85
LOAD:0000000000400698 mov byte ptr [rbp+var_A0+3], 82
LOAD:000000000040069F mov byte ptr [rbp+var_A0+4], 76
LOAD:00000000004006A6 mov byte ptr [rbp+var_A0+5], 65
LOAD:00000000004006AD mov byte ptr [rbp+var_A0+6], 87
LOAD:00000000004006B4 mov byte ptr [rbp+var_A0+7], 78
LOAD:00000000004006BB mov [rbp+var_98], 100
LOAD:00000000004006C2 mov [rbp+var_97], 95
LOAD:00000000004006C9 mov [rbp+var_96], 105
LOAD:00000000004006D0 mov [rbp+var_95], 55
LOAD:00000000004006D7 mov [rbp+var_94], 105
LOAD:00000000004006DE mov [rbp+var_93]
...
and printed:
LOAD:0000000000400867 loc_400867:
LOAD:0000000000400867 mov eax, [rbp+idx]
LOAD:000000000040086D add eax, eax
LOAD:000000000040086F cdqe
LOAD:0000000000400871 movzx eax, byte ptr [rbp+rax+var_A0]
LOAD:0000000000400879 movsx eax, al
LOAD:000000000040087C sub eax, [rbp+idx]
LOAD:0000000000400882 sub eax, 1
LOAD:0000000000400885 mov edi, eax
LOAD:0000000000400887 call sub_400500
LOAD:000000000040088C add [rbp+idx], 1
Since we don't have a runnable binary, we have to do it `manually`; the easiest method is IDAPython:
Python>
import sys
add = 0x400683                 # address of the first store: mov byte ptr [rbp+var_A0], 66
for i in range(0, 38):
    OpDecimal(add, 1)          # make sure the immediate operand is shown in decimal
    sys.stdout.write(chr(int(GetOpnd(add, 1)) - i - 1))  # undo the "sub eax, idx; sub eax, 1"
    add = Rfirst(Rfirst(add))  # skip one store: the print loop reads every second byte (2*idx)
print ""
ASIS_cb6bb012a8ea07a426254293de2bc0ef
Python>
Done.