Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

Nuit du Hack 2014 Quals - Windows Forensic (forensic 200)
Sun 06 April 2014 — download

On a client computer of a merchandise transport company, an employee realized that a command prompt containing commands appeared on the screen. The company contacted NianSec, a computer security company to assess the risk. John, trainee, was tasked to retrieve the memory of the windows system. By mistake, he only extracted the pagefile of the system before turning off the machine. You must retrace the attack and understand what happened on the machine.

The big hint here is the fact that we are looking for some command prompt. Someone named matonis was looking for the same thing, and wrote a tool to parse a pagefile.sys and apply some YARA rules on it. We rewrote the buggy rules, and were awarded with some juicy positives matches.

The script spits some ".block" files. A couple of shell-script black-magic later:

strings -el *.block | sed -e "s/\s\{7,\}/\\n/g" | less

750 Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrateur>ncat 192.168.130.105 1234
Username : JackTheRipper
Password : 200020012002
1337 - USER VALID
1338 - 04c0f778e6dd6c0a
1338 - 025e48c9f5f22f87
close: No error
C:\Documents and Settings\Administrateur>

Flag: 04c0f778e6dd6c0a025e48c9f5f22f87