The following write-up details a solution to one of the Nuit Du Hack qualification phase challenges.
Nuit Du Hack is a French security event whose 15th edition takes place at Disneyland Paris on the 24th and 25th of June, 2017.
Two contests take place during this event, a public and a private one.
The private contest is reserved for the 10 winning teams of the qualification phase, which took place on the 1st of April, 2017. Four members of Devoteam were among the competitors.
The contest featured several types of challenges, from traditional web/exploit/forensics to steganography.
The Bender Bending Rodriguez challenge
The challenge, categorized as Forensics, is described as follows:
The new co-worker looks weird. He behaves like he is hiding something on his computer. We discreetly dumped the memory of his computer from SSH, in the hope to learn more. But we don’t really know what to do with it. Can you help us? The system is an Ubuntu 16.04, x64.
The provided file is a memory dump dump.img.
Information about the operating system’s version and architecture is provided, but a crucial piece of information is missing: the kernel version. It can be retrieved from the strings of the dump (the kernel banner is left in memory); in this case the version is 4.4.0-57-generic.
We now need to build a Volatility profile matching that kernel version; to that end, a quick Ubuntu Server virtual machine has been set up.
On this machine the following packages have been installed for the required kernel version:
The latest version of Volatility has been pulled from GitHub as well.
After updating GRUB and rebooting, uname confirms the correct kernel version is installed.
Two files have to be gathered from this VM: System.map and module.dwarf.
The first can be found in /boot; the second can be generated using the tools shipped with Volatility and some additional standard Linux packages (build-essential, dwarfdump, zip), as specified in Volatility’s documentation.
We now have a matching Volatility profile, which we can use back on the forensics system.
While analyzing the process list, two elements stood out: Firefox and a GNU Radio Python script.
Open handles have been scanned using Volatility’s linux_lsof, revealing the existence of a test.wav file in /tmp.
Extraction is then executed using linux_find_file…
The audio file dictates the validation flag… It’s a win!
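The whole procedure above, from recovering the kernel version to carving test.wav, as an added shell example that is not code from the write-up. It assumes the dump sits at ./dump.img, a Volatility 2 checkout at ./volatility, a helper VM booted into the same kernel, and a profile zip named Ubuntu1604_4_4_0_57.zip (no dots, so the profile name is simply "Linux" + basename + "x64"); the linux-image/linux-headers package names are the usual Ubuntu ones and are an assumption about what the write-up installed.

```shell
#!/bin/sh
# Added example, not the write-up's own code. Assumed paths: ./dump.img,
# ./volatility (Volatility 2, python2), profile zip Ubuntu1604_4_4_0_57.zip.
set -u

# Step 1: the kernel version survives in the dump as the kernel banner
# string "Linux version 4.4.0-57-generic (...)"; grab its third word.
kernel_version_from_dump() {
    grep -a -m1 -oE 'Linux version [0-9][^ ]*' "$1" | head -n1 | awk '{print $3}'
}

# Step 2: Volatility names the profile after the zip file (dot-free names).
profile_from_zip() {
    printf 'Linux%sx64\n' "$(basename "$1" .zip)"
}

# Step 3 (helper VM, booted into the target kernel): install the matching
# kernel packages (assumed names), build module.dwarf with Volatility's own
# Makefile and zip it with System.map, per Volatility's documented procedure.
build_profile() {
    kver="$1"; zipname="$2"
    sudo apt-get install -y "linux-image-$kver" "linux-headers-$kver" \
        build-essential dwarfdump zip
    [ "$(uname -r)" = "$kver" ] || { echo "reboot into $kver first" >&2; return 1; }
    make -C volatility/tools/linux              # runs dwarfdump -di module.ko
    zip "volatility/volatility/plugins/overlays/linux/$zipname" \
        volatility/tools/linux/module.dwarf "/boot/System.map-$kver"
    # confirm the profile is registered before carrying the checkout back
    python2 volatility/vol.py --info | grep "^$(profile_from_zip "$zipname") "
}

# Step 4 (analysis box): processes, open handles, then carve the wav by inode.
vol() { python2 volatility/vol.py -f dump.img --profile="$PROFILE" "$@"; }

carve_wav() {
    vol linux_pslist | grep -iE 'firefox|python'           # processes of interest
    vol linux_lsof | grep '/tmp/test.wav'                   # which PID holds it
    inode=$(vol linux_find_file -F /tmp/test.wav | awk '$NF=="/tmp/test.wav"{print $2}')
    [ -n "$inode" ] || { echo "test.wav not found in page cache" >&2; return 1; }
    vol linux_find_file -i "$inode" -O test.wav             # dump by inode address
    file test.wav                                           # expect RIFF ... WAVE audio
}

case "${1:-}" in
    build) build_profile "$(kernel_version_from_dump dump.img)" Ubuntu1604_4_4_0_57.zip ;;
    carve) PROFILE=$(profile_from_zip Ubuntu1604_4_4_0_57.zip); carve_wav ;;
esac
```

Run `sh script.sh build` on the helper VM and `sh script.sh carve` on the analysis box; linux_find_file only recovers pages still cached in memory, so a partially evicted file comes out with holes.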