- Published on
UTCTF 2022 – IRC
- Authors
- Name
- n0b0dy
- Description
- #p0tat0life
IRC
Original Challenge Link: https://utctf.live/challenges#IRC-26
Steal my irc password.
Note: the password is the flag, but it is not in utflag format (that would make it too easy). Do not guess; the correct solution finds the password with certainty. If you believe you have the correct password, but CTFd still marks it as wrong, DM me rather than using all your attempts.
I spent way too long solving this problem...
By Daniel Parks (@danielp on discord)
Memory Image: https://utexas.box.com/s/z2ljzoah8cp3alsp8p0uwh7hdvvz5wq3
1. Unpack the image:
$ zlib-flate -uncompress memdump.lime.z
2. Figure out what version of Linux the image is running:
$ strings memdump.lime | grep -i 'Linux version' | uniq
SWIMS: Linux Version: %04X
MESSAGE=Linux version 5.10.0-11-amd64 ([email protected]) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.92-1 (2022-01-18)
Mar 2 16:45:35 hackme kernel: [ 0.000000] Linux version 5.10.0-11-amd64 ([email protected]) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.92-1 (2022-01-18)
Linux version 5.10.0-11-amd64 ([email protected]) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.92-1 (2022-01-18)
3. Build a custom profile for Debian 10:
You can do this lots of ways – basically you will need a system.map for the running kernel, and you will need to combine it in an appropriately named zip file with module.dwarf – then put that zip file in your volatility profiles directory. Lots of good tutorials out there to do this – like https://andreafortuna.org/2019/08/22/how-to-generate-a-volatility-profile-for-a-linux-system/
4. Once you have a working profile:
First step is to see if we get lucky and he was running the IRC client when the memory image was created (shortened):
$ vol.py -f memdump.lime --profile=LinuxDebian1102x64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff9a010020af80 systemd 1 0 0 0 0x00000001010c2000 2022-03-02 22:45:38 UTC+0000
0xffff9a010020c740 kthreadd 2 0 0 0 ------------------ 2022-03-02 22:45:38 UTC+0000
0xffff9a0100208000 rcu_gp 3 2 0 0 ------------------ 2022-03-02 22:45:38 UTC+0000
0xffff9a01002097c0 rcu_par_gp 4 2 0 0 ------------------ 2022-03-02 22:45:38 UTC+0000
0xffff9a010020df00 kworker/0:0 5 2 0 0 ------------------ 2022-03-02 22:45:38 UTC+0000
0xffff9a0100234740 kworker/0:0H 6 2 0 0 ------------------ 2022-03-02 22:45:38 UTC+0000
.
.
.
.
0xffff9a0105470000 xfce4-terminal 950 1 1000 1000 0x0000000110bc6000 2022-03-02 22:46:06 UTC+0000
0xffff9a01019317c0 bash 955 950 1000 1000 0x000000010469c000 2022-03-02 22:46:06 UTC+0000
0xffff9a015da48000 hexchat 959 779 1000 1000 0x0000000103b88000 2022-03-02 22:46:18 UTC+0000
0xffff9a0101b3c740 hexchat 972 959 1000 1000 0x0000000103a5e000 2022-03-02 22:46:49 UTC+0000
0xffff9a01055c4740 sudo 977 955 1000 0 0x00000001024c0000 2022-03-02 22:46:57 UTC+0000
0xffff9a0101930000 insmod 978 977 0 0 0x0000000101b0c000 2022-03-02 22:46:57 UTC+0000
5. Review process listing:
He is running hexchat, next you can google or install hexchat locally to figure out where things are stored and how things are setup. Some quick googling reveals that the confing file will be in hexchat.conf, also while googling I found some previous mention about a file servlist.conf that used to hold credentials in earlier versions. I decided to do a bit more recon on the image, maybe get lucky with bash history:
$ vol.py -f memdump.lime --profile=LinuxDebian1102x64 linux_bash
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
955 bash 2022-03-02 22:46:01 UTC+0000 ll
955 bash 2022-03-02 22:46:01 UTC+0000 git clone https://github.com/504ensicsLabs/LiME
955 bash 2022-03-02 22:46:01 UTC+0000 sudo apt install linux-headers-amd64 build-essential git
955 bash 2022-03-02 22:46:01 UTC+0000 sudo insmod ./lime-5.10.0-11-amd64.ko "path=/home/daniel/memdump.z format=lime compress=1"
955 bash 2022-03-02 22:46:01 UTC+0000 H?D?a?
955 bash 2022-03-02 22:46:01 UTC+0000 mkdir .ssh
955 bash 2022-03-02 22:46:01 UTC+0000 watch ls -lh memdump.z
955 bash 2022-03-02 22:46:01 UTC+0000 ATA??U??H??????H??tI?_?
955 bash 2022-03-02 22:46:01 UTC+0000 cat > .ssh/authorized_keys
955 bash 2022-03-02 22:46:01 UTC+0000 0
955 bash 2022-03-02 22:46:01 UTC+0000 cd
955 bash 2022-03-02 22:46:01 UTC+0000 ip addr
955 bash 2022-03-02 22:46:01 UTC+0000 logout
955 bash 2022-03-02 22:46:01 UTC+0000 cd src
955 bash 2022-03-02 22:46:01 UTC+0000 ?:?
955 bash 2022-03-02 22:46:01 UTC+0000 systemctl reboot
955 bash 2022-03-02 22:46:01 UTC+0000 make
955 bash 2022-03-02 22:46:01 UTC+0000 ls -l
955 bash 2022-03-02 22:46:01 UTC+0000 sudo apt install spice-vdagent
955 bash 2022-03-02 22:46:01 UTC+0000 ls -lh
955 bash 2022-03-02 22:46:01 UTC+0000 groups
955 bash 2022-03-02 22:46:01 UTC+0000 su
955 bash 2022-03-02 22:46:01 UTC+0000 sudo apt install neovim spice-vdagent hexchat
955 bash 2022-03-02 22:46:01 UTC+0000 ls
955 bash 2022-03-02 22:46:01 UTC+0000 cd sr
955 bash 2022-03-02 22:46:01 UTC+0000 cd LiME/
955 bash 2022-03-02 22:46:01 UTC+0000 sudo rmmod lime
955 bash 2022-03-02 22:46:01 UTC+0000 rm memdump.z
955 bash 2022-03-02 22:46:01 UTC+0000 sudo insmod ./lime-5.10.0-11-amd64.ko "path=/home/daniel/memdump.z format=lime compress=1"
955 bash 2022-03-02 22:46:01 UTC+0000 systemctl poweroff
955 bash 2022-03-02 22:46:01 UTC+0000 AWAVAUATUSH??8dH?%(
955 bash 2022-03-02 22:46:01 UTC+0000 watch ls -lh memdump.z
955 bash 2022-03-02 22:46:01 UTC+0000 apt search linux-image
955 bash 2022-03-02 22:46:25 UTC+0000 rm memdump.z
955 bash 2022-03-02 22:46:31 UTC+0000 cd LiME/
955 bash 2022-03-02 22:46:32 UTC+0000 ll
955 bash 2022-03-02 22:46:45 UTC+0000 sudo insmod ./lime-5.10.0-11-amd64.ko "path=/home/daniel/memdump.z format=lime compress=1"
955 bash 2022-03-02 22:46:51 UTC+0000 cd src/
955 bash 2022-03-02 22:46:52 UTC+0000 sudo insmod ./lime-5.10.0-11-amd64.ko "path=/home/daniel/memdump.z format=lime compress=1"
6. More recon:
Not much there except we know the user is daniel. More recon (abbreviated):
$ vol.py -f memdump.lime --profile=LinuxDebian1102x64 linux_lsof
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
Offset Name Pid FD Path
------------------ ------------------------------ -------- -------- ----
0xffff9a010020af80 systemd 1 0 /dev/null
0xffff9a010020af80 systemd 1 1 /dev/null
0xffff9a010020af80 systemd 1 2 /dev/null
0xffff9a010020af80 systemd 1 3 /dev/kmsg
.
.
.
.
0xffff9a0101b3c740 hexchat 972 9 anon_inode:[8059]
0xffff9a0101b3c740 hexchat 972 10 <BAD d_dname pointer>
0xffff9a0101b3c740 hexchat 972 11 /home/daniel/.config/hexchat/logs/NETWORK/server.log
0xffff9a0101b3c740 hexchat 972 12 pipe:[17602]
0xffff9a0101b3c740 hexchat 972 13 pipe:[17602]
0xffff9a0101b3c740 hexchat 972 14 <BAD d_dname pointer>
0xffff9a0101b3c740 hexchat 972 15 <BAD d_dname pointer>
0xffff9a01055c4740 sudo 977 0 /dev/pts/0
0xffff9a01055c4740 sudo 977 1 /dev/pts/0
0xffff9a01055c4740 sudo 977 2 /dev/pts/0
0xffff9a01055c4740 sudo 977 3 pipe:[16065]
0xffff9a01055c4740 sudo 977 4 pipe:[16065]
0xffff9a01055c4740 sudo 977 5 <BAD d_dname pointer>
0xffff9a01055c4740 sudo 977 6 <BAD d_dname pointer>
0xffff9a0101930000 insmod 978 0 /dev/pts/0
0xffff9a0101930000 insmod 978 1 /dev/pts/0
0xffff9a0101930000 insmod 978 2 /dev/pts/0
0xffff9a0101930000 insmod 978 3 /home/daniel/LiME/src/lime-5.10.0-11-amd64.ko
7. Dump the open log file:
$ vol.py -f memdump.lime --profile=LinuxDebian1102x64 linux_find_file -F '/home/daniel/.config/hexchat/logs/NETWORK/server.log'
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
Inode Number Inode File Path
---------------- ------------------ ---------
1056133 0xffff9a0101f838c0 /home/daniel/.config/hexchat/logs/NETWORK/server.log
$ vol.py -f memdump.lime --profile=LinuxDebian1102x64 linux_find_file -i 0xffff9a0101f838c0 -O server.log
$ cat server.log
**** BEGIN LOGGING AT Wed Mar 2 16:10:51 2022
Mar 02 16:10:51 FiSHLiM plugin loaded
Mar 02 16:10:51 Sysinfo plugin loaded
Mar 02 16:10:51 Checksum plugin loaded
Mar 02 16:10:51 Perl interface loaded
**** BEGIN LOGGING AT Wed Mar 2 16:46:44 2022
Mar 02 16:46:44 FiSHLiM plugin loaded
Mar 02 16:46:44 Sysinfo plugin loaded
Mar 02 16:46:44 Checksum plugin loaded
Mar 02 16:46:44 Perl interface loaded
Mar 02 16:46:44 * Looking up utctf.live
Mar 02 16:46:44 * Connecting to utctf.live (18.235.217.204:6667)
8. Pivot on irc server address:
At this point I thought it might be useful to grep through the actual memory dump itself for the utctf.live string, as this seemed unique enough to be useful (abbreviated):
$ strings memdump.lime | grep -i -B 2 -A 2 utctf.live
current
UNIX
utctf.live
libgstde265.so
startup.txt
--
.
.
.
.
N=utctf.live
P=6cf35d047000d30d39e07b2361668ae8a408db184f24641670f5e2ee0872d86c
E=UTF-8 (Unicode)
F=19
S=utctf.live/6667
N=2600net
E=UTF-8 (Unicode)
--
r.log
daniel
.
.
.
.
--
Connecting to
29utctf.live
2318.235.217.204:6667
Directory tree generator.
9. Get lucky:
So we get a bit lucky here – P=6cf35d047000d30d39e07b2361668ae8a408db184f24641670f5e2ee0872d86c looks pretty promising as a password. We know from the challenge text that the flag won’t be in the usual format as well – and should be obvious. To be honest a long hash like this is not super obvious as a password – but we try to submit it and it is correct.