Symbolic Needs 1

November 28, 2022
2 min read

Challenge: Symbolic Needs 1
Author: Battlemonger
Category: Forensics
Points: 467
Solves: 24
Files: memdump
Flag: SEKAI{H0u5T0n_w3_4r3_1n!!!}

We recently got hold of a cryptocurrency scammer and confiscated his laptop.
Analyze the memdump. Submit the string you find wrapped with SEKAI{}.

Unzipping the archive gives us a .mem memory dump of a machine whose operating system we don't yet know. We will use the Volatility 3 framework to analyze it.

Firstly, clone the repository on GitHub:

Terminal window
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3

Since we will later need a kernel debug package that matches this dump exactly, we first run the banner plugin to identify the operating system, version and kernel build:

Terminal window
$ python3 vol.py -f dump.mem banner
Volatility 3 Framework 2.3.1
Progress: 100.00 PDB scanning finished
Offset Banner
0x42400200 Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)
0x437c3718 Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)

This identifies the following:

  • OS: Ubuntu 22.04 (jammy): both the 5.15.0-43.46 kernel and the gcc 11.2.0-19ubuntu1 toolchain in the banner are jammy builds
  • Kernel: Linux version 5.15.0-43-generic, build #46 (package version 5.15.0-43.46)

Note: Since these are very recent versions, there were no readily available Volatility profiles. Honestly, I couldn’t make Volatility 2 work with Ubuntu 22 even after successful profile creation (KeyError: 'DW_AT_data_member_location'). Let me know if you were able to, since everyone’s learning! :)

Profile Creation + Symbol Table

In order to run Volatility 3's Linux plugins we need a symbol table in its .json (ISF) format, which is generated from the kernel's DWARF debug information with the dwarf2json tool. The hardest part is finding a kernel with debugging symbols that matches Linux version 5.15.0-43-generic exactly: Volatility 3 checks the banner embedded in the symbol table against the banner found in the dump, so a table built from a neighbouring kernel build will not be accepted. Ubuntu ships these as dbgsym .ddeb packages. A complete list is available here, and linux-image-unsigned-5.15.0-43-generic-dbgsym_5.15.0-43.46_amd64.ddeb is the one we need: the -43 matches the ABI number in the banner and the .46 matches the #46-Ubuntu build number. After inflating the archive (a .ddeb is an ordinary Debian archive), the relevant file is the DWARF-bearing vmlinux-5.15.0-43-generic located in usr/lib/debug/boot.

Next, we’ll clone the dwarf2json tool from the Volatility Foundation repository and build it (this needs a Go toolchain):

Terminal window
$ git clone https://github.com/volatilityfoundation/dwarf2json
$ cd dwarf2json
$ go build

Finally, we can run:

Terminal window
$ dwarf2json linux --elf vmlinux-5.15.0-43-generic > ubuntu22.json

Copy the symbol table to volatility3/volatility3/symbols/linux/ (the file name itself doesn't matter; Volatility 3 scans that directory and picks the table whose embedded banner matches the dump), and your profile should be set up!
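The steps above, from banner to symbol table, as a small shell script. This is an added example and not part of the original writeup: it derives the dbgsym package name from the banner line (kernel release plus the build number after the `#`), then extracts the ddeb and runs dwarf2json on the vmlinux inside it. It assumes `dpkg-deb` is installed, that the dwarf2json binary built earlier is at `./dwarf2json` (override with the `DWARF2JSON` environment variable, an assumption of this script), and that you have already downloaded the ddeb.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): derive the Ubuntu kernel debug
# package name from the Volatility banner line and build the ISF symbol table.
# Assumes dpkg-deb and a built dwarf2json binary (path via $DWARF2JSON) exist.
set -eu

# The banner "Linux version 5.15.0-43-generic ... #46-Ubuntu ..." maps to the
# package version "5.15.0-43.46": the kernel ABI (5.15.0-43) plus the build
# number after '#'. The dbgsym ddeb file name is built from those pieces.
ddeb_name_from_banner() {
    local banner="$1" arch="${2:-amd64}"
    local kver abi upload
    kver=$(printf '%s' "$banner" | sed -n 's/.*Linux version \([^ ]*\).*/\1/p')   # 5.15.0-43-generic
    upload=$(printf '%s' "$banner" | sed -n 's/.*#\([0-9]*\)-Ubuntu.*/\1/p')        # 46
    [ -n "$kver" ] && [ -n "$upload" ] || { echo "unrecognised banner" >&2; return 1; }
    abi=${kver%-*}                                                             # strip "-generic"
    printf 'linux-image-unsigned-%s-dbgsym_%s.%s_%s.ddeb\n' "$kver" "$abi" "$upload" "$arch"
}

# Only the kernel release string, which names the vmlinux file inside the
# package (usr/lib/debug/boot/vmlinux-<release>).
kernel_release_from_banner() {
    printf '%s' "$1" | sed -n 's/.*Linux version \([^ ]*\).*/\1/p'
}

# Extract the ddeb into a scratch directory and convert the DWARF-bearing
# vmlinux into a Volatility 3 symbol table written to $3.
build_symbol_table() {
    local ddeb="$1" release="$2" out="$3"
    local work
    work=$(mktemp -d)
    dpkg-deb -x "$ddeb" "$work"                       # a .ddeb is an ordinary .deb archive
    "${DWARF2JSON:-./dwarf2json}" linux --elf "$work/usr/lib/debug/boot/vmlinux-$release" > "$out"
    rm -rf "$work"
}
```

Typical use is `build_symbol_table linux-image-unsigned-5.15.0-43-generic-dbgsym_5.15.0-43.46_amd64.ddeb 5.15.0-43-generic ubuntu22.json`, followed by copying ubuntu22.json into volatility3/volatility3/symbols/linux/. Ubuntu's dbgsym packages are served from ddebs.ubuntu.com; the parsing functions exist so the file name can be derived mechanically rather than searched for by hand.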

Once the symbol table is in place, we can run Volatility 3's Linux plugins. The first one we always run is linux.bash, which recovers bash command history from the memory of bash processes:

Terminal window
$ python3 vol.py -f dump.mem linux.bash
Volatility 3 Framework 2.3.1
Progress: 100.00 Stacking attempts finished
PID Process CommandTime Command
1863 bash 2022-08-29 13:45:56.000000 72.48.117.53.84.48.110.95.119.51.95.52.114.51.95.49.110.33.33.33

Those are easily identifiable as decimal ASCII codes separated by dots. Converting 72 48 117 53 84 48 110 95 119 51 95 52 114 51 95 49 110 33 33 33 to text gives H0u5T0n_w3_4r3_1n!!!, and wrapping it in the flag format gives SEKAI{H0u5T0n_w3_4r3_1n!!!}.
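The conversion, as an added shell example rather than something from the original writeup. It takes the dot-separated string exactly as linux.bash prints it and refuses anything that is not a printable ASCII code, so a stray field (a typo, a control character, or a partially overwritten history entry) is reported instead of silently dropped; the `SEKAI{}` wrapper is the challenge's stated flag format.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): decode a dot-separated list
# of decimal ASCII codes, as recovered from the bash history above.
set -eu

# Each field must be a decimal in the printable range 32..126; anything else
# (empty field, letters, control codes) aborts so junk is not silently dropped.
decode_dotted_ascii() {
    local out="" code
    for code in $(printf '%s' "$1" | tr '.' ' '); do
        case $code in ''|*[!0-9]*) echo "bad token: $code" >&2; return 1;; esac
        [ "$code" -ge 32 ] && [ "$code" -le 126 ] || { echo "non-printable code: $code" >&2; return 1; }
        # printf with an octal escape turns the numeric code into its character
        out="$out$(printf "\\$(printf '%03o' "$code")")"
    done
    printf '%s\n' "$out"
}

# Wrap the decoded string in the flag format the challenge asks for.
flag_from_codes() {
    printf 'SEKAI{%s}\n' "$(decode_dotted_ascii "$1")"
}
```

Running `flag_from_codes 72.48.117.53.84.48.110.95.119.51.95.52.114.51.95.49.110.33.33.33` prints the flag; the same function works on the space-separated form if you replace the `tr` separator.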