Root-me Command and Control Challenges

In this post we will go through the Command & Control challenges on https://www.root-me.org/. Since these challenges are still open, we will not post the answers but will only document the steps and approach that were taken to solve them.

Command & Control — level 2

Find the workstation's hostname from the memory dump.

The first approach that came to mind was to look into the registry settings.

We will use the Volatility hivelist plugin to list the registry hives.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 hivelist


Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x90cab9d0 0x172ab9d0 \SystemRoot\System32\Config\DEFAULT
0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat
0x9670f9d0 0x04a719d0 \??\C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE
0x8ee66008 0x141c0008 \Device\HarddiskVolume1\Boot\BCD

Next, we will use the printkey plugin to print the computer name.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 printkey -K "ControlSet001\Control\ComputerName\ComputerName"

Another way to find the hostname is to print the environment variables.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 envars | find "COMPUTERNAME"

Also, we can use -p to specify a process ID. Here 560 is the process ID of services.exe.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 envars -p 560 | find "COMPUTERNAME"

Command & Control — level 3

In this challenge we have to find the malware in the memory dump.

As always, we will start with the pslist plugin to list the processes.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x87978b78 System 4 0 103 3257 ------ 0
0x88c3ed40 smss.exe 308 4 2 29 ------ 0 2013-01-12 16:38:09 UTC+0000
0x8929fd40 csrss.exe 404 396 9 469 0 0 2013-01-12 16:38:14 UTC+0000
0x892ac2b8 wininit.exe 456 396 3 77 0 0 2013-01-12 16:38:14 UTC+0000
0x88d03a00 csrss.exe 468 448 10 471 1 0 2013-01-12 16:38:14 UTC+0000
0x892ced40 winlogon.exe 500 448 3 111 1 0 2013-01-12 16:38:14
0x896294c0 services.exe 560 456 6 205 0 0 2013-01-12 16:38:16
0x896427b8 lsass.exe 576 456 6 566 0 0 2013-01-12 16:38:16 UTC+0000
0x8962f7e8 lsm.exe 584 456 10 142 0 0 2013-01-12 16:38:16 UTC+0000
0x8962f030 svchost.exe 692 560 10 353 0 0 2013-01-12 16:38:21
0x897b5c20 svchost.exe 764 560 7 263 0 0 2013-01-12 16:38:23
0x89805420 svchost.exe 832 560 19 435 0 0 2013-01-12 16:38:23
0x89852918 svchost.exe 904 560 17 409 0 0 2013-01-12 16:38:24
0x8986b030 svchost.exe 928 560 26 869 0 0 2013-01-12 16:38:24
0x898911a8 svchost.exe 1084 560 10 257 0 0 2013-01-12 16:38:26
0x898b2790 svchost.exe 1172 560 15 475 0 0 2013-01-12 16:38:27
0x898a7868 AvastSvc.exe 1220 560 66 1180 0 0 2013-01-12 16:38:28
0x8a0f9c40 spoolsv.exe 1712 560 14 338 0 0 2013-01-12 16:38:58
0x8a102748 svchost.exe 1748 560 18 310 0 0 2013-01-12 16:38:58
0x88cded40 sppsvc.exe 1872 560 4 143 0 0 2013-01-12 16:39:02
0x8a1d84e0 vmtoolsd.exe 1968 560 6 220 0 0 2013-01-12 16:39:14
0x9541c7e0 wlms.exe 336 560 4 45 0 0 2013-01-12 16:39:21 UTC+0000
0x8a1f5030 VMUpgradeHelpe 448 560 4 89 0 0 2013-01-12 16:39:21
0x9542a030 TPAutoConnSvc. 1612 560 9 135 0 0 2013-01-12 16:39:23
0x87ac0620 taskhost.exe 2352 560 8 149 1 0 2013-01-12 16:40:24
0x87ad44d0 dwm.exe 2496 904 5 77 1 0 2013-01-12 16:40:25 UTC+0000
0x87ac6030 explorer.exe 2548 2484 24 766 1 0 2013-01-12 16:40:27
0x87ae2880 TPAutoConnect. 2568 1612 5 146 1 0 2013-01-12 16:40:28
0x87a9c288 conhost.exe 2600 468 1 35 1 0 2013-01-12 16:40:28
0x87b82438 VMwareTray.exe 2660 2548 5 80 1 0 2013-01-12 16:40:29
0x87aa9220 VMwareUser.exe 2676 2548 8 190 1 0 2013-01-12 16:40:30
0x87b784b0 AvastUI.exe 2720 2548 14 220 1 0 2013-01-12 16:40:31
0x898fe8c0 StikyNot.exe 2744 2548 8 135 1 0 2013-01-12 16:40:32
0x87b6b030 iexplore.exe 2772 2548 2 74 1 0 2013-01-12 16:40:34
0x898fbb18 SearchIndexer. 2900 560 13 636 0 0 2013-01-12 16:40:38
0x87bd35b8 wmpnetwk.exe 3176 560 9 240 0 0 2013-01-12 16:40:48
0x89f3d2c0 svchost.exe 3352 560 9 141 0 0 2013-01-12 16:40:58
0x87c6a2a0 swriter.exe 3452 2548 1 19 1 0 2013-01-12 16:41:01
0x87ba4030 soffice.exe 3512 3452 1 28 1 0 2013-01-12 16:41:03 UTC+0000
0x95483d18 soffice.bin 3556 3544 0 -------- 1 0 2013-01-12 16:41:05 UTC+0000 2013-01-12 16:41:39 UTC+0000
0x87b8ca58 soffice.bin 3564 3512 12 400 1 0 2013-01-12 16:41:05 UTC+0000
0x89f1d3e8 svchost.exe 3624 560 14 348 0 0 2013-01-12 16:41:22 UTC+0000
0x95495c18 taskmgr.exe 1232 2548 6 116 1 0 2013-01-12 16:42:29 UTC+0000
0x87bf7030 cmd.exe 3152 2548 1 23 1 0 2013-01-12 16:44:50 UTC+0000
0x87c595b0 conhost.exe 3228 468 2 54 1 0 2013-01-12 16:44:50 UTC+0000
0x89898030 cmd.exe 1616 2772 2 101 1 0 2013-01-12 16:55:49 UTC+0000
0x954826b0 conhost.exe 2168 468 2 49 1 0 2013-01-12 16:55:50 UTC+0000
0x9549f678 iexplore.exe 1136 2548 18 454 1 0 2013-01-12 16:57:44 UTC+0000
0x87d4d338 iexplore.exe 3044 1136 37 937 1 0 2013-01-12 16:57:46 UTC+0000
0x87c90d40 audiodg.exe 1720 832 5 117 0 0 2013-01-12 16:58:11 UTC+0000
0x87cbfd40 winpmem-1.3.1. 3144 3152 1 23 1 0 2013-01-12 16:59:17 UTC+0000

One thing that immediately catches my eye is the multiple iexplore.exe and cmd.exe processes.

Let's take a closer look at the hierarchy of the processes by using the pstree plugin.

0x87ac6030:explorer.exe 2548 2484 24 766 2013-01-12 16:40:27
. 0x87b6b030:iexplore.exe 2772 2548 2 74 2013-01-12 16:40:34
.. 0x89898030:cmd.exe 1616 2772 2 101 2013-01-12 16:55:49 UTC+0000

In the above snippet, explorer.exe is the parent process of iexplore.exe, and iexplore.exe is the parent of cmd.exe. This looks very suspicious and must be explored further.

Next, let's look at the command line of the iexplore.exe process by using the cmdline plugin.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 cmdline -p 2772
Volatility Foundation Volatility Framework 2.6
************************************************************************
iexplore.exe pid: 2772
Command line : "C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iexplore.exe

Let's compare this with another iexplore.exe process.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 cmdline -p 1136
Volatility Foundation Volatility Framework 2.6
************************************************************************
iexplore.exe pid: 1136
Command line : "C:\Program Files\Internet Explorer\iexplore.exe"

Process 2772 is looking very suspicious now, and further analysis should be done.
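The two checks applied above (a command shell whose parent is a browser, and the same image name started from different directories), written out as an added Python example that is not part of the original post. The rows are copied from the pslist and cmdline output shown above; the function names and the two name sets are assumptions of this example.

```python
import ntpath
from collections import defaultdict

# (name, pid, ppid) rows copied from the pslist output above.
PSLIST = [
    ("explorer.exe", 2548, 2484),
    ("iexplore.exe", 2772, 2548),
    ("cmd.exe", 3152, 2548),
    ("cmd.exe", 1616, 2772),
    ("iexplore.exe", 1136, 2548),
    ("iexplore.exe", 3044, 1136),
]
# pid -> image path, copied from the cmdline output above.
CMDLINE = {
    2772: r"C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer"
          r"\Quick Launch\iexplore.exe",
    1136: r"C:\Program Files\Internet Explorer\iexplore.exe",
}

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: parents that normally have no reason to start a shell.
UNUSUAL_SHELL_PARENTS = {"iexplore.exe", "soffice.bin", "swriter.exe"}


def shells_with_unusual_parent(rows):
    """Return (pid, name, ppid, parent_name) for shells started by odd parents."""
    by_pid = {pid: name for name, pid, _ in rows}
    hits = []
    for name, pid, ppid in rows:
        parent = by_pid.get(ppid)  # None if the parent has already exited
        if (name.lower() in SHELLS and parent
                and parent.lower() in UNUSUAL_SHELL_PARENTS):
            hits.append((pid, name, ppid, parent))
    return hits


def images_with_multiple_paths(cmdlines):
    """Return {image: {pid: directory}} for images seen in more than one directory."""
    seen = defaultdict(dict)
    for pid, path in cmdlines.items():
        seen[ntpath.basename(path).lower()][pid] = ntpath.dirname(path).lower()
    return {img: pids for img, pids in seen.items()
            if len(set(pids.values())) > 1}


if __name__ == "__main__":
    print(shells_with_unusual_parent(PSLIST))
    print(images_with_multiple_paths(CMDLINE))
```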

Let's take a look at the output of the consoles plugin. We can see that cmd.exe is attaching itself to conhost.exe and executing tcprelay.exe.

ConsoleProcess: conhost.exe Pid: 2168
Console: 0x1081c0 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1616 Handle: 0x64
----
CommandHistory: 0x427a60 Application: tcprelay.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0

Command & Control — level 4

In this challenge, we have to find out the IP of the internal server targeted by the hackers.

Let's start with the netscan plugin.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 netscan

We cannot gain much insight from netscan, except that the IP of the host is 192.168.1.66.

Next, let's take a memory dump of the suspicious processes.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 memdump -p 2772 --dump-dir C:\dumps\ch2

As of now we have 2 clues:

  1. cmd.exe is using tcprelay.exe
  2. The IP of the target host can start with 192.168

Based on the above, we should search for similar strings in the memory dump.
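One way to run that search, as an added Python example that is not part of the original post: it pulls printable ASCII and UTF-16LE strings out of a dump and keeps those that mention the keyword, listing any 192.168.x.y addresses they contain. The function names and the sample bytes are constructed for this example and do not come from the challenge dump.

```python
import mmap
import re

# Printable runs of 6+ characters, as 8-bit text and as UTF-16LE (Windows wide strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
IP_192_168 = re.compile(r"\b192\.168\.(\d{1,3})\.(\d{1,3})\b")


def extract_strings(data):
    """Yield (offset, text) for every printable string in a bytes-like object."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def addresses(text):
    """Return the valid 192.168.x.y addresses that appear in text."""
    return [m.group(0) for m in IP_192_168.finditer(text)
            if all(int(octet) <= 255 for octet in m.groups())]


def find_clues(data, keyword="tcprelay"):
    """Return sorted (offset, text, addresses) for strings containing keyword."""
    keyword = keyword.lower()
    return sorted((off, text, addresses(text))
                  for off, text in extract_strings(data)
                  if keyword in text.lower())


def scan_file(path, keyword="tcprelay"):
    """Run find_clues over a dump file without reading it all into memory."""
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_clues(mm, keyword)


# Constructed sample bytes (not taken from the challenge dump).
SAMPLE = (b"\x01\x02tcprelay.exe 192.168.50.7 8080\x00\xff\x00"
          + "cmd /c tcprelay.exe 192.168.50.7".encode("utf-16-le")
          + b"\x00\x00\x03unrelated 192.168.1.66 line\x00")

if __name__ == "__main__":
    for offset, text, ips in find_clues(SAMPLE):
        print(hex(offset), text, ips)
```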


Command & Control — level 5

In this challenge we need to find the password of user John.

We will use the hashdump plugin to print the password hashes of the users.

C:\volatility>volatility.exe -f C:\dumps\ch2\ch2.dmp --profile=Win7SP0x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::

Now, use any online website to break the hash for John Doe
