Posts DCTF 2022
Post
Cancel

DCTF 2022

Posted Apr 18, 2022 2022-04-18T00:00:00+03:00 by Stephen Kageche

Hey you and welcome back to my blog. Today i will be sharing my thought process on the two forensic challenges i managed to solve at the DCTF 2022 organized by the DragonSec SI. This was a Jeopardy style kinda CTF where my team fr334aks-Mini secured 45th place out of 425 teams. (My teammates think the CTF was somewhat challenging, but anyways, we say #IWDWD).

With that said, lets get started.

Secure Creds

With the connection to the victim’s computer you managed to dump the lsass.exe process. Can you get the password from the dump file?

After downloading the challenge, i thought this was a memory dump that i could explore with Volatility.

1
2

➜  file lsass.DMP
lsass.DMP: Mini DuMP crash report, 16 streams, Sat Apr  9 02:47:27 2022, 0x421826 type

With a little research,I learnt that a crash minidump file (DMP file) contains various information about the state of the application at the moment of time when it crashed. Technically, the crash minidump file may contain:

  • general system information (OS version, CPU count, etc.);
  • blocks of process memory (including values of global variables, the call stack and local variables for each execution thread);
  • the list of loaded and unloaded modules (including their versions and timestamps).

With that said, we can also try understand what lsass is.

Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON. It uses authentication packages specified in HKLM\System\CurrentControlSet\Control\Lsa.

If we are to solve this challenge on a windows VM, we can do it as follows (Assuming you have mimikatz):

1
2
3

sekurlsa::minidump lsass.DMP
log lsass.txt
sekurlsa::logonPasswords

Analysing the DMP file on linux, we can use PyPyKatz, a python implementation of mimikatz.

To install PyPyKatz, simply run pip3 install pypykatz

With that done, you simply need to run the following command and extract the flag which is a password.

image

dctf{n0_ant1v1ru5_l0l}

Alternatively, if you wish to take a deep dive, you can use:

  • Windows Visual Studio
  • WinDbg
  • IDA
  • Radare

Hidden Fox

I let Firefox save some of my stuff while browsing, it should be written somewhere in it’s directory, can you find it? Flag is in two parts.

This challenge tested your understanfing on browser forensics, something i’ve always wanted to explore but finally presented itself. Looking at the directory structure of the files downloaded, we get:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

➜  Firefox tree
.
├── Crash Reports
│   ├── events
│   └── InstallTime20220330194208
├── installs.ini
├── Pending Pings
├── Profiles
│   └── br873ssy.default-release
│       ├── addons.json
│       ├── addonStartup.json.lz4
│       ├── bookmarkbackups
│       ├── broadcast-listeners.json
│       ├── cert9.db
│       ├── compatibility.ini
│       ├── containers.json
│       ├── content-prefs.sqlite
│       ├── cookies.sqlite
│       ├── crashes
│       │   ├── events
│       │   └── store.json.mozlz4
│       ├── datareporting
│       │   ├── archived
│       │   │   └── 2022-04
│       │   │       ├── 1649804199265.2f07f02b-7a51-4dcf-91a3-fa0331a07a32.new-profile.jsonlz4
│       │   │       ├── 1649804199314.0b7f0210-a4df-4488-855c-17ef0373967f.event.jsonlz4
│       │   │       ├── 1649804199352.88036afe-3a87-4aa4-b641-1d2fb3cb7308.main.jsonlz4
│       │   │       ├── 1649804199367.196cbc5c-23c0-4679-b566-66ff245badac.first-shutdown.jsonlz4
│       │   │       ├── 1649807238040.d777052a-6418-4957-a340-1bb9bd1ba985.health.jsonlz4
│       │   │       ├── 1649807272439.90b4c63f-23d8-4565-9d27-c10b466c267d.event.jsonlz4
│       │   │       ├── 1649807272478.776fb18e-b888-4f30-9153-8697c75e8d58.health.jsonlz4
│       │   │       ├── 1649807272502.caf3dab5-9d0a-46e9-a935-a0a63a70524e.main.jsonlz4
│       │   │       ├── 1649807802813.f4c86730-b03b-45db-b377-53643ad95cd0.health.jsonlz4
│       │   │       ├── 1649807858692.f84c9084-5b95-4e40-83a1-b074a9754e78.event.jsonlz4
│       │   │       ├── 1649807858749.bb133f4f-e7e2-4a2e-a256-2d217d6d48e2.health.jsonlz4
│       │   │       └── 1649807858812.b2240ac9-ab96-4dc1-9b65-d1afd3c12069.main.jsonlz4
│       │   ├── glean
│       │   │   ├── db
│       │   │   │   └── data.safe.bin
│       │   │   ├── events
│       │   │   ├── pending_pings
│       │   │   └── tmp
│       │   ├── session-state.json
│       │   └── state.json
│       ├── extension-preferences.json
│       ├── extensions.json
│       ├── favicons.sqlite
│       ├── formhistory.sqlite
│       ├── handlers.json
│       ├── key4.db
│       ├── logins.json
│       ├── minidumps
│       ├── parent.lock
│       ├── permissions.sqlite
│       ├── pkcs11.txt
│       ├── places.sqlite
│       ├── prefs.js
│       ├── saved-telemetry-pings
│       │   ├── 0b7f0210-a4df-4488-855c-17ef0373967f
│       │   ├── 196cbc5c-23c0-4679-b566-66ff245badac
│       │   ├── 2f07f02b-7a51-4dcf-91a3-fa0331a07a32
│       │   ├── 776fb18e-b888-4f30-9153-8697c75e8d58
│       │   ├── 88036afe-3a87-4aa4-b641-1d2fb3cb7308
│       │   ├── 90b4c63f-23d8-4565-9d27-c10b466c267d
│       │   ├── b2240ac9-ab96-4dc1-9b65-d1afd3c12069
│       │   ├── bb133f4f-e7e2-4a2e-a256-2d217d6d48e2
│       │   ├── caf3dab5-9d0a-46e9-a935-a0a63a70524e
│       │   ├── d777052a-6418-4957-a340-1bb9bd1ba985
│       │   ├── f4c86730-b03b-45db-b377-53643ad95cd0
│       │   └── f84c9084-5b95-4e40-83a1-b074a9754e78
│       ├── search.json.mozlz4
│       ├── security_state
│       ├── sessionCheckpoints.json
│       ├── sessionstore-backups
│       │   ├── previous.jsonlz4
│       │   └── upgrade.jsonlz4-20220330194208
│       ├── sessionstore.jsonlz4
│       ├── shield-preference-experiments.json
│       ├── storage
│       │   ├── default
│       │   │   └── moz-extension+++a0955f49-f81a-42d2-b2af-cf73284fa6a3^userContextId=4294967295
│       │   │       └── idb
│       │   │           ├── 3647222921wleabcEoxlt-eengsairo.files
│       │   │           └── 3647222921wleabcEoxlt-eengsairo.sqlite
│       │   ├── ls-archive.sqlite
│       │   ├── permanent
│       │   │   └── chrome
│       │   │       └── idb
│       │   │           ├── 1451318868ntouromlalnodry--epcr.files
│       │   │           ├── 1451318868ntouromlalnodry--epcr.sqlite
│       │   │           ├── 1657114595AmcateirvtiSty.files
│       │   │           ├── 1657114595AmcateirvtiSty.sqlite
│       │   │           ├── 2823318777ntouromlalnodry--naod.files
│       │   │           ├── 2823318777ntouromlalnodry--naod.sqlite
│       │   │           ├── 2918063365piupsah.files
│       │   │           ├── 2918063365piupsah.sqlite
│       │   │           ├── 3561288849sdhlie.files
│       │   │           ├── 3561288849sdhlie.sqlite
│       │   │           ├── 3870112724rsegmnoittet-es.files
│       │   │           └── 3870112724rsegmnoittet-es.sqlite
│       │   └── temporary
│       ├── storage.sqlite
│       ├── times.json
│       ├── webappsstore.sqlite
│       └── xulstore.json
└── profiles.ini

35 directories, 69 files

In firefox, we have a file called profile.ini. It contains information used to keep track of profiles in Firefox. In windows, it’s locateed in the %APPDATA%\Mozilla\Firefox. You can read more about the same here. In this case, we can use MayorSec’s Firefox Dumper script to identify the current user’s Firefox profile directory and extract credential files.

1
2
3
4
5

➜  python3 firefox_decrypt.py ../Firefox/

Website:   https://dctf.dragonsec.si
Username: 'dragonflag'
Password: 'dctf{1_b00km4rk3d_'

Nice..so we get the first part of the flag. From the first part of the flag, we get a hint of where to look next. Bookmarks! But where can we find bookmarks? With some research, we learn that places.sqlite stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history (a record of visited pages). In this case, we can use another script called dumpzilla.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

➜  python3 dumpzilla.py --Bookmarks ../../Firefox/Profiles/br873ssy.default-release

=============================================================================================================
== Bookmarks
============================================================================================================
=> Source file: /home/kali/Desktop/DCTF/Firefox/Profiles/br873ssy.default-release/places.sqlite
=> SHA256 hash: eb9936a61957c75a1ddc436edea57bbe232469dcab8b0310fa2645ea2fc3d91e

//redacted

Title: Get Help
URL: http://_th15_p455w0rd}/
Creation Time: 2022-04-12 18:52:50
Last Modified: 2022-04-12 18:52:50


===============================================================================================================
== Total Information
==============================================================================================================

Total Bookmarks            : 8

From the above, we get the second part of the flag from the Get Help url.

Combined, the final flag was:

dctf{1_b00km4rk3d_th15_p455w0rd}

Hopefully this short writeup helped and you learnt something…Looking foward to do a deep dive kinda blog on browser forensics. Feel free to share this if you liked it and if you got a question on the same, feel free to ping me on twitter.

Resources

CTF-TIME
browser forensics PyPyKatz mimikatz Firefox Dumper dumpzilla
This post is licensed under CC BY 4.0 by the author.

Recent Update

Contents

HawkEye

ElMariachi-PC - 10.150.150.69

Comments powered by Disqus.