Home Magnet Weekly CTF 10 - Google search stored in memory?
Post
Cancel

Magnet Weekly CTF 10 - Google search stored in memory?

Challenge 10 Part 1 – 15pts

At the time of the RAM collection there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

Looking at the reference page for commands, the main command useful for Windows 7 profiles is netscan. This command “finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only).” Using grep, we can parse the output for only connections with the ESTABLISHED flag.

1
2
3
4
5
6
> volatility -f memdump.mem --profile=Win7SP0x64 netscan | grep ESTABLISHED
Volatility Foundation Volatility Framework 2.6
0x13d48f540        TCPv4    192.168.10.146:54279           151.101.116.106:443  ESTABLISHED      -1                      
0x13ec87cd0        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      -1                      
0x13ece73b0        TCPv4    192.168.10.146:54281           13.35.82.31:443      ESTABLISHED      -1                      
0x13ecf8010        TCPv4    192.168.10.146:54280           13.35.82.102:443     ESTABLISHED      -1 

Then the Linux whois command can be used to check who owns the addresses returned. In this case, the second address is owned by Google.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
> whois 172.253.63.188

NetRange:       172.253.0.0 - 172.253.255.255
CIDR:           172.253.0.0/16
NetName:        GOOGLE
NetHandle:      NET-172-253-0-0-1
Parent:         NET172 (NET-172-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
RegDate:        2013-04-04
Updated:        2013-04-04
Ref:            https://rdap.arin.net/registry/ip/172.253.0.0



OrgName:        Google LLC
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2019-10-31
Comment:        Please note that the recommended way to file abuse complaints are located in the following links. 
Comment:        
Comment:        To report abuse and illegal activity: https://www.google.com/contact/
Comment:        
Comment:        For legal requests: http://support.google.com/legal 
Comment:        
Comment:        Regards, 
Comment:        The Google Team
Ref:            https://rdap.arin.net/registry/entity/GOGL

The correct answer to this challenge is 172.253.63.188:443.

Challenge 10 Part 2 – 15pts

What was the Local IP address and port number? same format as part 1.

The answer to this challenge is also shown above on the same line as the last answer in the netscan output. The answer is 192.168.10.146:54282.

Challenge 10 Part 3 – 10pts

What was the URL?

Hm. Before trying to extract any Chrome history files from the memory dump, I searched to see if there were any plugins that could automatically recover the history. We know Chrome was open when the image was created and we need the URL closest to that time. This GitHub repo includes a plugin called chromehistroy that attempts to recover URLs, titles, times, and other information. Using the imageinfo, we know the date the image was processed (2020-04-20 23:23:26). We can grep for that day making sure to use -a to parse binary data as text due to the output formatting.

1
2
3
4
5
6
7
8
9
10
11
12
13
> volatility --plugins=volatility-plugins -f memdump.mem --profile=Win7SP1x64 chromehistory | grep -a '2020-04-20'
Volatility Foundation Volatility Framework 2.6
   316 https://myaccount.google.com/accounts/S...7Tvn4UuSh52LjamQbhxd1cs3HXAE8kXh9vRFAg Google Account                                                                        1     0 2020-04-20 20:24:47.494432        N/A       
   314 https://accounts.google.com/AccountChoo...%3Futm_source%3Dchrome-profile-chooser Google Account                                                                        1     0 2020-04-20 20:24:47.494432        N/A       
   317 https://myaccount.google.com/?utm_source=chrome-profile-chooser&pli=1            Google Account                                                                        3     0 2020-04-20 23:17:31.577179        N/A       
   310 https://accounts.google.com/CheckCookie...Y0Nw58kMWKsff7unbUvALH2XEg&gidl=EgIIAA Google                                                                                1     0 2020-04-20 20:24:38.839800        N/A       
   315 https://accounts.google.com/ServiceLogi...oser&sacu=1&passive=1209600&authuser=0 Google Account                                                                        1     0 2020-04-20 20:24:47.494432        N/A       
   313 https://www.google.com/                                                          Google                                                                                3     0 2020-04-20 23:17:33.124246        N/A       
   312 https://accounts.google.com/signin/chro...KkPjA8gTgn_TY0Nw58kMWKsff7unbUvALH2XEg Google                                                                                1     0 2020-04-20 20:24:38.839800        N/A       
   311 https://accounts.youtube.com/accounts/S...gTgn_TY0Nw58kMWKsff7unbUvALH2XEg&tcc=1 Google                                                                                1     0 2020-04-20 20:24:38.839800        N/A       
   309 https://accounts.google.com/signin/v2/c...AnlkPinzwtk7y95PtmKf6zRC-RpnA60VS1IJLP Sign in - Google Accounts                                                             1     0 2020-04-20 20:23:58.462223        N/A       
   308 https://accounts.google.com/signin/chro....com%2F&flowName=GlifDesktopChromeSync Sign in - Google Accounts                                                             1     0 2020-04-20 20:23:56.325236        N/A       
   307 https://accounts.google.com/signin/chro...ntinue=https%3A%2F%2Fwww.google.com%2F Sign in - Google Accounts                                                             2     0 2020-04-20 20:23:56.264731        N/A 

The URL that was visited closest to that time is https://www.google.com/ and is the solution to this challenge.

Challenge 10 Part 4 – 5pts

What user was responsible for this activity based on the profile?

Throughout the history and rest of the image, multiple references are made to the user Warren. And I believe a question last week asked a similar question.

Challenge 10 Part 5 – 10pts

How long was this user looking at this browser with this version of Chrome? Format: X:XX:XX.XXXXX

Hm. Again, checking the reference page, a section titled userassist can be found. Looking at the example output, this command can show the length of time a window was in focus. Running the plugin and a grep for Chrome shows us the answer. Kinda.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
volatility -f memdump.mem --profile=Win7SP0x64 userassist | grep 'Chrome' -B 5 -A 5Volatility Foundation Volatility Framework 2.6
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    Chrome          : 
Count:          9
Focus Count:    106
Time Focused:   3:36:47.301000
Last updated:   2020-04-20 23:17:07 UTC+0000
Raw Data:
--
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 70 b3 dc 43   ............p..C
0x00000040  6f e3 d5 01 00 00 00 00                           o.......

Entering 3:36:47.301000 as the solution returns that it is incorrect. However, looking closely at the format required by the solution reveals that the answer requires only 5 decimal places in the seconds, whereas the userassist command retruns six places. Sneaky Magnet, sneaky….

The correct solution is 3:36:47.30100.

This post is licensed under CC BY 4.0 by the author.