Rating:

# G1bs0n - misc 300
###### @mjdubell - ChalmersCTF

```
Agent Gill called, we have until tomorrow at 15:00 UTC to fix some virus problem.

File: G1bs0n.tar.gz
```

Even though I followed too many rabbit holes, this was a fun challenge to work on. In order to solve this challenge, you would need some basic understanding on how to analyze memory dumps. I solved this challenge with `volatility` which is a forensic tool for analyzing memory dumps, and it's built with python! Volatility can be found here https://github.com/volatilityfoundation/volatility

After downloading the memory dump, I ran `strings G1bs0n > strings.txt` which I then skimmed through to see what kind of information was present. I could quickly determine that the memory dump belonged to a Windows 7 system. Volatility can also help identifying the system by running `vol.py -f G1bs0n imageinfo` which returned:

```
vagrant@stretch:~/G1bson$ vol.py -f G1bs0n imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VMWareAddressSpace (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/vagrant/G1bson/G1bs0n)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000284f0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002850d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2017-09-03 10:33:21 UTC+0000
Image local date and time : 2017-09-03 12:33:21 +0200
```

Now that the system has been identified, the hunt for the flag can begin!

## RECON

I began by extracting a list of all files present in the dump.
```
vol.py -f G1bs0n --profile=Win7SP0x64 filescan > filescan.txt
```

From here I could identify some interesting files such as:
```
0x000000003fe14390 16 0 R--rwd \Device\HarddiskVolume2\Users\plauge\Desktop\g4rb4g3.txt
```

Let's extract the contents of that file!
```
vol.py -f G1bs0n --profile=Win7SP0x64 dumpfiles -Q 0x000000003fe14390 --name -D files/
```

Running `strings file.None.0xfffffa8001264bb0.g4rb4g3.txt.dat` revealed `_X43EUC_3H64YC{GPRF`, could this be part of the flag???

## Don't follow the white rabbit

At this point I assumed I had some part of the flag and I followed a few rabbit holes looking for the next part of the flag. But after taking a break, I started looking for files with the keyword `gibson` which yielded the following result:

```
vagrant@stretch:~/G1bson$ grep gibson strings.txt
jpg C:\T3MP\gibson.jpg
certutil -decode gibson.jpg gibson.zip >nul
del gibson.zip
[...]
```

The windows command `certutil` was used to decode base64 data found in gibson.jpg and the result is gibson.zip. The next step was to search for `gibson` in filescan.txt to find the above files.

```
vagrant@stretch:~/G1bson$ grep gibson filescan.txt
0x000000003ed50dd0 16 0 -W-r-- \Device\HarddiskVolume2\T3MP\gibson.jpgp
```

Great, now extract the file like before:

```
vol.py -f G1bs0n --profile=Win7SP0x64 dumpfiles -Q 0x000000003ed50dd0 --name -D files/
```

Opening the resulting file showed that it contained base64 data, and since we know that certutil was used to decode the data, let's do the same thing:

```
C:\Users\sect\Documents\Virtual_Machines\ubuntu\share
λ certutil -decode gibson.jpgp gibson.zip
Input Length = 4096
Output Length = 1409
CertUtil: -decode command completed successfully.
```

## GET THE FLAG

The .zip file contained three files (run.bat, run.ps1, run.reg) with some interesting data, but only one of them contained the next part of the flag:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"Special"="}JGS_3G4X_GH0_3Z"
```

Now we have the flag, but it doesn't look correct: `_X43EUC_3H64YC{GPRF}JGS_3G4X_GH0_3Z`

Reversing the flag and applying ROT13 returned the flag in the wrong order `M3_0UT_K4T3_FTW}SECT{PL46U3_PHR34K_`. By moving `M3_0UT_K4T3_FTW}` to the end of the string we get the correct flag: `SECT{PL46U3_PHR34K_M3_0UT_K4T3_FTW}`

Original writeup (https://github.com/ChalmersCTF/Writeups/tree/master/SEC-T_2017/G1bs0n_misc_300).