CATF 2023 Forensics Challenges Writeup

Mohamed Adel
5 min readJul 29, 2023

Hello and welcome,

I’m Mohamed Adel, my team got 3rd place at CATF 2023 organized by CAT Reloaded and powered by 0xL4ugh Team.

this is my writeup for 6 of 8 forensics challenges:

Let’s start with the first one.

R4n-0:

Category: Memory Forensics

We need to know what’s the most suitable profile for this image, Ok will use Volatility version 2.6.1 for that.

python2 vol.py -f R4n.vmem imageinfo
Flag: CATF{Win10x64_19041}

R4n-1:

Now, we need to move into volatility3 because it’s easy to use.

Q1: to get the parent process of the ransomware will use pstree plugin:

python3 vol.py -f R4n.vmem windows.pstree.PsTree

the ransomware name is R4n50m.exe and the parent process is explorer.exe

Q2: the ransomware encrypted the data with a specific extension, so let’s try to see the files that were encrypted, by using the Filescan plugin and grep for the user folders like Download, Desktop, Documents …etc., in this case, I found those files on Desktop.

python3 vol.py -f R4n.vmem windows.filescan.FileScan | grep 'Desktop' 
Flag: CATF{explorer.exe_Clop}

R4n-2:

Q1: we need to know the full path of the ransomware.

From Q1 of R4n-1 we knew the name of the ransomware which is R4n50m.exe, let’s use the Filescan plugin and grep for it.

python3 vol.py -f R4n.vmem windows.filescan.FileScan | grep 'R4n50m.exe'

Also, you can use the dlllist plugin with pid of the ransomware which is 6212 to get the path:

python3 vol.py -f R4n.vmem windows.dlllist.DllList --pid 6212

Q2: to get the DTB of the ransomware, Will use volshell plugin, but first we need to get the PID which is 6212 from Q1 of R4n-1.

python2 vol.py R4n.vmem --profile=Win10x64_19041 volshell -p 6212

Or you can type this command:

python2 vol.py R4n.vmem --profile=Win10x64_19041 volshell

then to show the current context and get DTB address:

> cc(pid = 6212)

Flag: CATF{C:\Users\Work\AppData\Temp\R4n50m.exe_0x45ebb000}

R4n-3:

Q1: you can ask your favorite friend Google to get it.

Q2: the fast way you can use strings to get the text message in the readme file which the manager email in it:

strings R4n.vmem | grep -i -A 4 -B 22 'contact email'
Flag: CATF{T1027_managersmaers@tutanota.com}

Revenge I:

It’s a Microsoft Excel file and just contains those:

At first, I thought that’s a malicious document and contain macros but no.

I used Exiftool to check the metadata of the file and get the attacker's name who the creator of the file:

Now, need to unzip the xlsx file, you will find the path where the attacker saved the file in the XML folder and then the workbook.xml file.

Flag: CATF{Th3-0b3l1sk_n!NjaTur7l5}

RanDev-1:

Category: Memory Forensics

Q1: as usual the fast way to get the Bitcoin wallet using strings.

strings RanDev.vmem | grep -i -B 6 'bitcoin wallet'

Q2: to get SHA256 need to dump the ransomware process, so let’s try the pslist plugin to know the ransom name.

There isn’t any malicious process, but how???

Yes, the ransomware worked and encrypted the files, and it was finished.

From the description, we know that they hire a full stack developer so Why don’t we check and investigate his files?

Ok now, look again at the processes, there is an interesting one:

Now let’s try the Filescan plugin and grep for xampp.

python3 vol.py -f RanDev.vmem windows.filescan.FileScan | grep 'xampp'

We locate 2 PHP files.

Then need to dump the authentication.php file with the dumpfiles plugin and the virtaddr is 0xa001c54102e0.

python3 vol.py -f RanDev.vmem windows.dumpfiles.DumpFiles --virtaddr 0xa001c54102e0

now cat the PHP file we will see this PHP code script, and from the first look there is a base64 encoded with a variable $fileUrl.

let’s decode it with:

echo 'aHR0cDovLzE5Mi4xNjguMjM1LjEzNy9kb3dubG9hZC9SLmV4ZQ0K' | base64 -d

We got the answer of Q3, It’s the full URL of downloaded the ransomware, also now we knew the ransomware name. then let’s try to use the filescan plugin and grep with the name of the malware.

python3 vol.py -f RanDev.vmem windows.filescan.FileScan | grep 'R.exe'

then need to dump it using dumpfiles plugin and the virtaddr is 0xa001c5439960.

python3 vol.py -f RanDev.vmem windows.dumpfiles.DumpFiles --virtaddr 0xa001c5439960

Then run the sha256sum:

Q4: We need go back to the PHP file to get the executed function.

Flag: CATF{bc1qwe5qxdj7aekpj8aeeeey6tf5hjzugk3jkax6lm_d22aff59eae7201e6a4f82dbe99173c7103665beaa0860f81db7130f38c99a35_http://192.168.235.137/download/R.exe_exec}

Thanks for your time and effort to read this. I hope you liked it and enjoyed reading.

If you have any comment, edit or another way to solve them, don’t hesitate to contact me:
https://www.linkedin.com/in/0x4de1

--

--