Skip to main content

Command & Control - level 2

  • Description: Congratulations Berthier, thanks to your help the computer has been identified. You have requested a memory dump but before starting your analysis you wanted to take a look at the antivirus' logs. Unfortunately, you forgot to write down the workstation's hostname. But since you have its memory dump you should be able to get it back! The validation flag is the workstation's hostname.
  • Difficulty: Easy

🔎 Solution

In this challenge - and throughout the Command & Control challenges at levels 3, 4, and 5 - I'll be using Volatility 2, a powerful memory forensics framework. You can download the standalone version from here.

The first step when working with a memory dump is to determine its profile, which defines the operating system and architecture used when the memory was captured. This is crucial because Volatility uses OS-specific structures to parse memory correctly. Using the wrong profile can result in incomplete or inaccurate data.

To identify the profile, we use the imageinfo plugin:

┌──(kali㉿kali)-[~/Desktop]
└─$ ./vol2/volatility2 -f ch2.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Desktop/ch2.dmp)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82929be8L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x8292ac00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2013-01-12 16:59:18 UTC+0000
     Image local date and time : 2013-01-12 17:59:18 +0100

This returns a list of suggested profiles. In this case, the best match is Win7SP0x86.

To retrieve the workstation's hostname, we use the envars plugin. This plugin enumerates environment variables associated with running processes. These environment blocks often contain useful metadata, including usernames, TEMP paths, and sometimes the computer's hostname.

┌──(kali㉿kali)-[~/Desktop]
└─$ ./vol2/volatility2 -f ch2.dmp --profile=Win7SP0x86 envars | grep "COMPUTERNAME"
Volatility Foundation Volatility Framework 2.6
     560 services.exe         0x001207f0 COMPUTERNAME                   WIN-ETSA91RKCFP
     576 lsass.exe            0x002507f0 COMPUTERNAME                   WIN-ETSA91RKCFP
     584 lsm.exe              0x001907f0 COMPUTERNAME                   WIN-ETSA91RKCFP
     692 svchost.exe          0x002c07f0 COMPUTERNAME                   WIN-ETSA91RKCFP
     764 svchost.exe          0x002b07f0 COMPUTERNAME                   WIN-ETSA91RKCFP
     832 svchost.exe          0x003007f0 COMPUTERNAME                   WIN-ETSA91RKCFP

From the results, the hostname of the workstation is WIN-ETSA91RKCFP.

🚩Flag

WIN-ETSA91RKCFP