[CTF NDH 2018 Quals] Write-Up – Forensic : Where Is My Purse ?

01
Apr
2018
  • Google Plus
  • LinkedIn
  • Viadeo
Posted by: Yann C.  /   Category: / / Forensic / / NDH2k18   /   No Comments

Write-up of the challenge “Forensic – Where Is My Purse?” of Nuit du Hack 2018 CTF qualifications.

The weekend of 03/31/2018 is pre-qualification for the Nuit du Hack 2018 as a Jeopardy CTF. Having had the opportunity and the time to participate with some colleagues and friends, here’s a write-up resolution of the challenges which we could participate.

  • Category: Forensic
  • Name: Where Is My Purse?
  • Description : Helps an important person to find the content of his numeric purse.
  • File : whereismypurse.7z (2.74GB – 83cf33c0cb86457c929237a1b1d8763fad1a28734b987c0f69b9d9f6b66e85db)
  • Points : 200

The challenge’s goal is to access to a wallet content from a virtual machine and a memory dump provided in fournis dans l’archive 7z.

To run VM, we create a new machine in VirtualBox and we attache the disk file whereismypurse.vdi to it. Once run, we see a Windows 7 system protected with a password :

Win7 authentication

Win7 authentication

One possible option is to use a tool such as konboot to bypass Windows authentication. A loading of the tool’s ISO at system startup allows us to log in as user SatNak without password.

On the desktop, we can see an executable named dcrinstall-windows-amd64-v1.1.2.exe. A quick search on the web tells us it is a tool related to the crypto currency « Decred ». The executable deploy the tool in the directroy %USERPROFILE%\decred\ :

 

Binary in USERPROFILE

Binary in USERPROFILE

The tool’s binaries are likely to provide access to the wallet mentioned in the description of the challenge. After playing a little with these executables, we note that a secret is necessary to continue the challenge.

It is assumed that this secret can be retrieved from the memory dump provided in the 7z archive. Let’s use Volatility to analyze this one:

Volatility identification

Volatility identification

The list of running programs or commands tells us that a KeePass vault is launched:

Keepass detection

Keepass detection

This process can be extracted using the following command:

$ volatility -f whereismypurse.raw --profile=Win7SP1x64 --dump-dir=dump memdump -p 2212

A simple search for strings in the contents of this dump allows us to find the password contained in the Keepass vault:

Keepass password

Keepass password

Back in the VM, we run the executables dcrd.exe and drcwallet.exe and enter the password found previously when prompted:

Run binaries wallet

Run binaries wallet

Once the password is validated, dcrctl.exe allows us to access the content of the Wallet and find the flag:

Flag in wallet

Flag in wallet

Thanks to Timothée MENOCHET for the write-up ! 🙂

Greeting to the whole team ! 🙂

  • Google Plus
  • LinkedIn
  • Viadeo
Yann C.

About the Author : Yann C.

Consultant en sécurité informatique et s’exerçant dans ce domaine depuis le début des années 2000 en autodidacte par passion, plaisir et perspectives, il maintient le portail ASafety pour présenter des articles, des projets personnels, des recherches et développements, ainsi que des « advisory » de vulnérabilités décelées notamment au cours de pentest.