I consider biology classes the most fun of all and sometimes scary. For example, in the last lesson we learned about brain dumping. It was extraordinary (black magic as my dad said, btw he's a computer scientist), learning about interactions and activities in the memory. What? Yes, of course you can look at it, too. The pleasure is mine!
Download: https://drive.google.com/open?id=1IKI7Pn73y8L2u-znw3H7PLYhzSAtYJRK
Authors: Sin__ & 0xcpu
Creating a volatility profile
Running the file command on the challenge file gives the following output:
The latter seems to be the answer, as we can confirm that the file is a memory dump by searching it for the kernel version banner:
florent@kali:~# strings image | grep "Linux version"
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 (Ubuntu 4.4.0-116.140-generic 4.4.98)
To analyze this memory dump, we can use Volatility. Unfortunately, the Volatility profile for this kernel version isn't available by default, so we need to build one. To do so, we set up an Ubuntu 16.04 VM and install the following packages:
Then, we modify the GRUB configuration so the VM boots on the newly installed kernel. This tutorial can be used to do so.
We put the zip file in the desired directory (the path may vary with the version of your tools):
If it was imported successfully, the profile shows up in the profile list:
florent@kali:~# volatility --info | grep Profiles -A 5
Volatility Foundation Volatility Framework 2.5
Profiles
--------
Linuxubuntu1604timctfx64 - A Profile for Linux ubuntu1604timctf x64
VistaSP0x64              - A Profile for Windows Vista SP0 x64
VistaSP0x86              - A Profile for Windows Vista SP0 x86
VistaSP1x64              - A Profile for Windows Vista SP1 x64
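As an added example (not code from the writeup): a small Python helper that packages module.dwarf and System.map into the profile zip, sanity-checks both inputs before zipping, and predicts the profile name Volatility 2 will list. The naming rule ("Linux" + zip basename + arch) is an assumption inferred from ubuntu1604timctf.zip appearing above as Linuxubuntu1604timctfx64; the sample inputs in demo() are constructed, not real kernel files.

```python
import os
import re
import tempfile
import zipfile
# One System.map line: "<hex address> <symbol type> <symbol name>"
SYSTEM_MAP_LINE = re.compile(r"^[0-9a-f]{8,16} [A-Za-z?] \S+$")

def check_system_map(path):
    """Return the symbol count, or raise if the file is not a kernel System.map."""
    with open(path) as fh:
        lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    if not lines or any(not SYSTEM_MAP_LINE.match(ln) for ln in lines):
        raise ValueError("%s does not look like a System.map" % path)
    return len(lines)

def check_module_dwarf(path):
    """Raise unless the file is dwarfdump text (what 'make' in tools/linux produces)."""
    with open(path) as fh:
        if "DW_TAG_" not in fh.read():
            raise ValueError("%s is not dwarfdump output" % path)

def build_profile(zip_path, dwarf_path, system_map_path):
    """Package the two files as a Volatility 2 Linux profile; return the member names.
    Volatility picks members by name: the DWARF member must end in '.dwarf' and
    the symbol member must contain 'System.map', so the basename is preserved."""
    check_module_dwarf(dwarf_path)
    check_system_map(system_map_path)
    sysmap_member = os.path.basename(system_map_path)
    if "System.map" not in sysmap_member:
        raise ValueError("symbol file must be named System.map-<release>")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, "module.dwarf")
        zf.write(system_map_path, sysmap_member)
        return sorted(zf.namelist())

def expected_profile_name(zip_path, arch="x64"):
    """Assumed rule: 'Linux' + zip basename + arch (ubuntu1604timctf.zip -> Linuxubuntu1604timctfx64)."""
    return "Linux" + os.path.splitext(os.path.basename(zip_path))[0] + arch

def demo():
    """Build a profile from constructed sample inputs (not real kernel files)."""
    d = tempfile.mkdtemp()
    dwarf = os.path.join(d, "module.dwarf")
    sysmap = os.path.join(d, "System.map-4.4.0-116-generic")
    with open(dwarf, "w") as fh:
        fh.write("<1><0x2d>    DW_TAG_structure_type\n      DW_AT_name    task_struct\n")
    with open(sysmap, "w") as fh:
        fh.write("ffffffff81000000 T _text\nffffffff81e0f580 D init_task\n")
    zip_path = os.path.join(d, "ubuntu1604timctf.zip")
    return build_profile(zip_path, dwarf, sysmap), expected_profile_name(zip_path)
```

Drop the resulting zip into volatility/plugins/overlays/linux/ and re-run volatility --info to confirm the name matches.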
The profile can now be used to retrieve information from the memory dump. We run the linux_bash plugin, which lets us look at the .bash_history:
As we can see, there is what seems to be an interesting file called ht0p. At this point, we could just dump that process from memory. However, for some reason, it doesn't work as intended when we try to do so and we get a corrupted binary. Below is another method to dump the binary: