13cubed Linux Memory Forensics Challenge

Introduction

Today’s challenge is about investigating a memory dump of an Ubuntu Linux system to find out what happened to our guy Walter O’Reilly when he was surfing the Internet and got tricked into downloading malware.

Credit

This Memory Forensic CTF Challenge is made by 13Cubed.

Challenge Scenario

“Walter O’Reilly was hired by a company called 12 squared Industries, and his job was to develop a new website. On his first day, he was assigned an Ubuntu 22.04 developer workstation. After completing the new employee orientation, he started work around 19:20 UTC. Walter began by searching for articles on how to develop a website using AI, because of course he would. During his research, he decided to download some YouTube videos locally to his system. Through a combination of malicious ads and social engineering, unfortunately, he was tricked into downloading a binary and running it with super user privileges.

So it’s up to us to determine exactly what happened on this particular computer system”

Downloading the Memory Dump / Running on the Cloud Lab

You can download the challenge file directly from its official link here, or, if you do not want to build the symbol table yourself, download it from here.

Provided Files in the Downloaded Image File

memory.vmem is the memory dump file, whereas memory.vmsn is only a metadata file describing the running state of the virtual machine.

CTF Challenge Video

You can check the related video made by the challenge author here!

How It Works

  • There are 10 memory forensic questions you need to answer.
  • You can use any memory forensics tool, such as Volatility 3, Rekall, etc.

CTF Challenge Questions

  • Question 1: What is the hostname of this device?
  • Question 2: What is the username of the primary user on this device?
  • Question 3: What is the IP address assigned to this device?
  • Question 4: What is the name of the malicious file downloaded by the victim?
  • Question 5: What is the PID associated with the execution of the file downloaded by the victim?
  • Question 6: What is the PID spawned by that process?
  • Question 7: What is the full name and path of the malicious process used for persistence?
  • Question 8: What is the full path and filename of the file created via a popular text editor?
  • Question 9: What is the IP address from which one of the malicious binaries was downloaded?
    • HINT: This is a difficult question. Don’t make assumptions. If you are unable to find a plugin that can provide you with this information, consider more “foundational” approaches to enumerating data within the memory dump.
  • Question 10: A user was manually added to this device by the Threat Actor. The UID is 1001. What is the username?
    • HINT: This is a difficult question. Don’t make assumptions. If you are unable to find a plugin that can provide you with this information, consider more “foundational” approaches to enumerating data within the memory dump.
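The hints for Questions 9 and 10 point at “foundational” approaches, i.e. carving data directly out of the raw image when no plugin hands it to you. As an added example (not part of the challenge or the author’s write-up), the snippet below scans raw bytes for /etc/passwd-style records and filters them by UID; the embedded sample bytes and the user names in it are constructed placeholders, not the challenge’s data.

```python
import re

# Constructed sample standing in for a slice of a raw memory image: passwd
# records sit between unrelated bytes, and the last record is truncated.
SAMPLE_IMAGE = (
    b"\x00\x00garbage\x00"
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"\xff\xfe"
    b"walter:x:1000:1000:Walter:/home/walter:/bin/bash\n"
    b"\x00"
    b"exampleuser:x:1001:1001::/home/exampleuser:/bin/bash\n"
    b"\x00partial:x:10"  # truncated record: must not be reported
)

# name:password:UID:GID:GECOS:home:shell followed by a newline.
PASSWD_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):([^:\n]*):(\d+):(\d+):([^:\n]*):([^:\n]*):([^:\n]*)\n"
)


def find_passwd_entries(data, uid=None):
    """Return passwd-style records found in raw bytes, optionally filtered by UID."""
    results = []
    for m in PASSWD_RE.finditer(data):
        name, _pw, entry_uid, gid, _gecos, home, shell = (
            g.decode("ascii", "replace") for g in m.groups()
        )
        if uid is not None and int(entry_uid) != uid:
            continue
        results.append({"name": name, "uid": int(entry_uid), "gid": int(gid),
                        "home": home, "shell": shell, "offset": m.start()})
    return results


def scan_image(path, uid=None, chunk_size=64 * 1024 * 1024, overlap=4096):
    """Stream a large image in chunks; the overlap keeps records that straddle
    a chunk boundary from being missed, and duplicates are collapsed by (name, uid)."""
    found = {}
    with open(path, "rb") as f:
        pos, tail = 0, b""
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            data = tail + buf
            base = pos - len(tail)
            for e in find_passwd_entries(data, uid):
                e["offset"] += base
                found.setdefault((e["name"], e["uid"]), e)
            tail = data[-overlap:]
            pos += len(buf)
    return list(found.values())
```

Run `scan_image("memory.vmem", uid=1001)` against the challenge image to list every candidate record for that UID along with its file offset, then verify each hit in a hex viewer rather than trusting the first string that matches.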

Other Hints to Solve the Challenge

  • Hint 1: To get started, run the Volatility 3 banners plugin to determine the correct kernel version, and subsequently install the correct symbols and create the ISF.
  • Hint 2: The kernel version in use on this Ubuntu 22.04 machine was 6.5.0-41. It is recommended that Ubuntu 22.04 be used for the analysis.

Useful Resources Recommended by the Challenge’s Author

A YouTube playlist made by the author contains multiple videos dedicated to memory forensics; check it out here.

A Walk-through Referred by the Challenge’s Author

I do not recommend checking it before trying to solve the challenge yourself, but if you are really stuck, you can read a write-up by Andrew Malec, which the author refers to here. I will do mine soon as well.

Conclusion

In this blog post, I briefly told you about a Linux memory forensics challenge to get some practice and get your hands dirty.

~ Cya in the Next One