Symbolic Needs 1
SEKAI{H0u5T0n_w3_4r3_1n!!!}
We recently got hold of a cryptocurrency scammer and confiscated his laptop.
Analyze the memdump. Submit the string you find wrapped with SEKAI{}.
Inflating the .zip, we are given a .mem memory dump of a machine of an unknown operating system. We will be using the Volatility 3 framework to analyze it.
Firstly, clone the repository on GitHub:
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3
Since we’ll need to find a debugging package for this memory dump later, we need to run the banner command to identify the exact operating system, version and kernel:
$ python3 vol.py -f dump.mem banner
Volatility 3 Framework 2.3.1
Progress: 100.00 PDB scanning finished
Offset Banner
0x42400200 Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)
0x437c3718 Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)
This identifies the following:
- OS: Ubuntu 22.04
- Kernel: Linux version 5.15.0-43-generic
Note
Since these are very recent versions, there were no readily available Volatility profiles. Honestly, I couldn’t make Volatility 2 work with Ubuntu 22 even after successful profile creation (KeyError: 'DW_AT_data_member_location'). Let me know if you were able to, since everyone’s learning! :)
Profile Creation + Symbol Table
In order to run Volatility plugins we need to build a symbol table in the .json format. They can be generated from DWARF files using the dwarf2json tool. The hardest part is probably finding the kernel with debugging symbols for Linux version 5.15.0-43-generic. A complete list is available here, but linux-image-unsigned-5.15.0-43-generic-dbgsym_5.15.0-43.46_amd64.ddeb is the version we need. After inflating the archive, the relevant file we need is the vmlinux-5.15.0-43-generic DWARF located in usr/lib/debug/boot.
Next, we’ll clone the dwarf2json tool from the Volatility repository and build it:
$ git clone https://github.com/volatilityfoundation/dwarf2json
$ cd dwarf2json
$ go build
Finally, we can run:
$ dwarf2json linux --elf vmlinux-5.15.0-43-generic > ubuntu22.json
Copy the symbol table to volatility3/volatility3/symbols/linux, and your profile should be set up!
Once we have a valid symbols.json, we can run Volatility 3 plugins. The first one we always run is linux.bash, to display bash history:
$ python3 vol.py -f dump.mem linux.bash
Volatility 3 Framework 2.3.1
Progress: 100.00 Stacking attempts finished
PID Process CommandTime Command
1863 bash 2022-08-29 13:45:56.000000 72.48.117.53.84.48.110.95.119.51.95.52.114.51.95.49.110.33.33.33
Those are easily identifiable as ASCII codes. Convert 72 48 117 53 84 48 110 95 119 51 95 52 114 51 95 49 110 33 33 33 to text and get the flag: SEKAI{H0u5T0n_w3_4r3_1n!!!}.
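As an added example (not part of the original writeup), the following script parses linux.bash table output, flags history entries that are dotted-decimal ASCII like the one above, and decodes them. The plugin output embedded here is a constructed sample built from the writeup's rows plus one ordinary command; the regex and the printable-range check are assumptions about what counts as an encoded entry.

```python
import re

# Constructed sample of linux.bash output (from the writeup's rows, plus one
# plain command so the filter has something to reject). Not live plugin output.
BASH_HISTORY_OUTPUT = """\
Volatility 3 Framework 2.3.1
Progress: 100.00 Stacking attempts finished
PID Process CommandTime Command
1863 bash 2022-08-29 13:45:56.000000 72.48.117.53.84.48.110.95.119.51.95.52.114.51.95.49.110.33.33.33
1864 bash 2022-08-29 13:46:10.000000 ls -la /home
"""

# Four or more dot-separated 1-3 digit numbers (assumed shape of an encoded entry).
DOTTED_ASCII = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3,}$")


def parse_bash_rows(output):
    """Parse the linux.bash table into (pid, process, timestamp, command) tuples.
    CommandTime is 'YYYY-MM-DD HH:MM:SS.ffffff', i.e. two whitespace-separated
    fields, so the command is everything after the fourth field."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # banner, progress and header lines have no numeric PID
        pid, proc, date, time, command = parts
        rows.append((int(pid), proc, f"{date} {time}", command))
    return rows


def decode_dotted_ascii(token):
    """Decode '72.48.117...' into text. Returns None if any value is outside
    printable ASCII, which also rules out things like IPv4 addresses."""
    codes = [int(c) for c in token.split(".")]
    if not all(32 <= c < 127 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def find_encoded_commands(output):
    """Return (pid, original, decoded) for history entries that decode cleanly."""
    hits = []
    for pid, _proc, _ts, command in parse_bash_rows(output):
        if DOTTED_ASCII.match(command):
            decoded = decode_dotted_ascii(command)
            if decoded is not None:
                hits.append((pid, command, decoded))
    return hits


if __name__ == "__main__":
    for pid, raw, text in find_encoded_commands(BASH_HISTORY_OUTPUT):
        print(f"PID {pid}: {raw} -> SEKAI{{{text}}}")
```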