Home Magnet Weekly CTF 12 - How Hackers Hack

Magnet Weekly CTF 12 - How Hackers Hack

Challenge 12 Part 1 – 20pts

What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: XXXX.

Hm. What application could we learn about hackers hacking in? Out of the running processes found with pslist it seems like a browser or Slack are probably the best options. Note, we have to be careful because this challenge only allowed one attempt. We can dump the memory for each process and then simply grep the memory dump to determine which process was used to learn about hacking. First was Chrome, with no results. Next, was Internet Explorer.

> volatility -f memdump.mem --profile=Win7SP1x64 memdump -p 2984 --dump-dir .
Volatility Foundation Volatility Framework 2.6
Writing iexplore.exe [  2984] to 2984.dmp
> strings 2984.dmp | grep -i "how hackers hack, and how to stop them"
> volatility -f memdump.mem --profile=Win7SP1x64 memdump -p 4480 --dump-dir . 
Volatility Foundation Volatility Framework 2.6
Writing iexplore.exe [  4480] to 4480.dmp
> strings 4480.dmp | grep -i "how hackers hack, and how to stop them"
                         mid="FBABF1271656C3A838C9FBABF1271656C3A838C9"><div id="mc_vtvc__3" class="mc_vtvc b_canvas" data-priority="1"><a aria-label="How Hackers Hack, and How To Stop Them" class="mc_vtvc_link" href="/videos/search?q=how+to+stop+getting+hacked+over+and+over&amp;docid=608015374195556429&amp;mid=FBABF1271656C3A838C9FBABF1271656C3A838C9&amp;view=detail&amp;FORM=VIRE" h="ID=SERP,5354.1"><div class="mc_vtvc_con_rc"><div class="mc_vtvc_th b_canvas"><div class="cico"><img height="110" width="197" data-src-hq="/th?id=OVP.bUG_h63hq--RoSDYSZHoUQHgFo&amp;w=197&amp;h=110&amp;c=7&amp;rs=1&amp;qlt=90&amp;pid=1.7" alt="How Hackers Hack, and How To Stop Them" data-priority="2" id="emb74949A0" class="rms_img" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAEALAAAAAABAAEAAAIBTAA7" /></div><div class="mc_vtvc_htc"><div class="mc_vtvc_htb"><div class="mc_vtvc_ht">Watch video</div></div></div><div class="mc_vtvc_center_play"></div><div class="mc_vtvc_ban_lo"><div class="vtbc"><div class="mc_bc_w b_smText"><div class="mc_bc items">8:47</div></div></div></div></div><div class="mc_vtvc_meta"><div class="mc_vtvc_title b_promtxt" title="">How Hackers Hack, and How To Stop Them</div><div class="mc_vtvc_meta_block_area"><div class="mc_vtvc_meta_block"><div class="mc_vtvc_meta_row mc_vtvc_meta_pubdate"><span>783K views</span><span>Feb 1, 2017</span></div><div class="mc_vtvc_meta_row mc_vtvc_meta_channel"><span>YouTube</span><span class="mc_vtvc_meta_row_channel">SciShow</span></div></div></div></div></div></a></div></div></div></div><div class="slide" data-dataurl="" data-rinterval="" data-appns="SERP" data-k="5365.1" role="listitem"><div id="mc_vhvc_5" class="mc_vhvc"><div class="mc_vhvc_th" tabindex="0"

Sure enough, Internet Explorer was used! The PID of the process and solution to the challenge is 4480.

Challenge 12 Part 2 – 20pts

What is the product version of the application from Part 1? Format: XX.XX.XXXX.XXXXX

Now we need the Internet Explorer version number. Trying to find the string in memory could return a lot of results that could be difficult to filter through. We know the PID is 4480 and using the procdump command we can dump the actual Internet Explorer executable and look there.

> volatility -f memdump.mem --profile=Win7SP1x64 procdump --dump-dir . -p 4480
Volatility Foundation Volatility Framework 2.6
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8031d34a40 0x00000000013d0000 iexplore.exe         OK: executable.4480.exe

Then after loading and processing the executable in the Ghidra disassembler, we can search for a version string. A unicode string containing the text “ProductVersion” can be found at offset 0x01496572. Right below that at offset 0x01496590 is a version string that matches the format required by the challenge.


The IE version and final challenge solution is 11.00.9600.18858!

The End

And that concludes the Magnet CTF. The event has been fun, I’ve learned a lot, and the weekly challenge format has been incredibly fun and rewarding. I hope they do more CTF events in the future.

This post is licensed under CC BY 4.0 by the author.