DEFCON2K12 Prequals: for400 writeup
In this forensic challenge, we have access to a Windows RAM dump. The clue is “HBgary say waht?!”, so we know it is an email-related problem. Let’s fire up a hex editor and Volatility. First, let’s look at the processes that were running at the time of the dump:
kalenz@chev ~/lse/ctf/defcon/f400 12-06-04 3:10:11
> vol.py -f memory.dmp --profile=Win7SP1x86 pstree
Volatile Systems Volatility Framework 2.0
Name Pid PPid Thds Hnds Time
0x8541F130:wininit.exe 396 328 3 75 2012-05-28 02:31:20
. 0x8545EB00:lsm.exe 512 396 10 143 2012-05-28 02:31:21
. 0x85457030:services.exe 492 396 9 207 2012-05-28 02:31:21
.. 0x854BE660:svchost.exe 780 492 19 440 2012-05-28 02:31:23
.. 0x855C5030:dirmngr.exe 1424 492 5 83 2012-05-28 02:31:26
.. 0x8567D108:TPAutoConnSvc. 1812 492 9 133 2012-05-28 02:31:28
... 0x85793A38:TPAutoConnect. 2408 1812 5 145 2012-05-28 02:33:54
.. 0x85619D40:vmtoolsd.exe 1568 492 8 255 2012-05-28 02:31:27
.. 0x8558BA30:svchost.exe 1328 492 18 305 2012-05-28 02:31:26
.. 0x8573B8C0:svchost.exe 1872 492 13 327 2012-05-28 02:33:28
.. 0x85674840:svchost.exe 1220 492 5 69 2012-05-28 02:33:28
.. 0x856795D8:msdtc.exe 296 492 12 143 2012-05-28 02:31:31
.. 0x854A33F0:svchost.exe 684 492 7 258 2012-05-28 02:31:23
.. 0x84690538:taskhost.exe 2060 492 7 150 2012-05-28 02:33:52
.. 0x854D6BD0:svchost.exe 820 492 17 410 2012-05-28 02:31:23
... 0x85501A00:dwm.exe 2116 820 7 143 2012-05-28 02:33:52
.. 0x855F6A58:svchost.exe 1476 492 6 107 2012-05-28 02:31:26
.. 0x854DA030:svchost.exe 844 492 26 851 2012-05-28 02:31:23
.. 0x84863030:svchost.exe 2872 492 4 40 2012-05-28 02:55:09
.. 0x8550B8F0:svchost.exe 996 492 10 502 2012-05-28 02:31:23
.. 0x856A6030:dllhost.exe 1996 492 13 184 2012-05-28 02:31:29
.. 0x85578518:spoolsv.exe 1296 492 14 331 2012-05-28 02:31:25
.. 0x8552B030:svchost.exe 1124 492 14 349 2012-05-28 02:31:24
.. 0x85491C48:svchost.exe 616 492 11 352 2012-05-28 02:31:22
.. 0x84433560:SearchIndexer. 1508 492 13 612 2012-05-28 02:33:29
. 0x8545BC00:lsass.exe 500 396 6 535 2012-05-28 02:31:21
0x852067B8:csrss.exe 336 328 9 378 2012-05-28 02:31:19
0x85744D40:explorer.exe 2176 2108 21 831 2012-05-28 02:33:52
. 0x85431D40:mspaint.exe 2696 2176 5 115 2012-05-28 02:34:23
. 0x85787030:VMwareTray.exe 2284 2176 5 67 2012-05-28 02:33:54
. 0x8485EAB8:chrome.exe 3440 2176 24 716 2012-05-28 02:36:00
.. 0x84881D40:chrome.exe 3624 3440 4 130 2012-05-28 02:36:07
.. 0x8495D508:chrome.exe 4004 3440 6 124 2012-05-28 02:36:41
.. 0x8494DD40:rundll32.exe 3916 3440 2 84 2012-05-28 02:36:37
.. 0x84945030:chrome.exe 3884 3440 6 126 2012-05-28 02:36:37
.. 0x848DF550:chrome.exe 3736 3440 6 126 2012-05-28 02:36:19
.. 0x8494ED40:chrome.exe 3924 3440 6 209 2012-05-28 02:36:37
. 0x85431780:calc.exe 2712 2176 4 77 2012-05-28 02:34:24
. 0x85716D40:thunderbird.ex 2372 2176 36 432 2012-05-28 02:47:24
.. 0x84A25030:gpg.exe 2464 2372 0 ------ 2012-05-28 02:54:56
.. 0x849BC030:gpg.exe 2404 2372 0 ------ 2012-05-28 02:56:03
.. 0x848A8D40:gpg.exe 2360 2372 0 ------ 2012-05-28 02:54:56
.. 0x84A16168:gpg-connect-ag 3616 2372 0 ------ 2012-05-28 02:50:29
.. 0x849E2540:gpg.exe 2804 2372 0 ------ 2012-05-28 02:50:29
. 0x85789BD8:GoogleUpdate.e 2304 2176 5 109 2012-05-28 02:33:54
. 0x85787400:vmtoolsd.exe 2292 2176 6 214 2012-05-28 02:33:54
0x84A25D40:gpg-agent.exe 4036 3128 1 72 2012-05-28 02:50:30
. 0x8491E738:pinentry.exe 3252 4036 0 ------ 2012-05-28 02:55:15
. 0x849EA8C0:pinentry.exe 1168 4036 0 ------ 2012-05-28 02:56:10
. 0x848E1030:pinentry.exe 668 4036 0 ------ 2012-05-28 02:56:22
. 0x84A22A38:pinentry.exe 3692 4036 0 ------ 2012-05-28 02:56:27
. 0x848636B8:pinentry.exe 3816 4036 0 ------ 2012-05-28 02:56:18
. 0x84A27AF0:pinentry.exe 1856 4036 0 ------ 2012-05-28 02:55:43
. 0x849FB620:pinentry.exe 3868 4036 0 ------ 2012-05-28 02:56:30
. 0x84997778:pinentry.exe 2576 4036 0 ------ 2012-05-28 02:56:23
. 0x85709D40:pinentry.exe 2904 4036 0 ------ 2012-05-28 02:55:13
. 0x84965C90:pinentry.exe 3284 4036 0 ------ 2012-05-28 02:55:03
0x84415AE8:csrss.exe 388 380 11 369 2012-05-28 02:31:20
. 0x85792D40:conhost.exe 2416 388 1 33 2012-05-28 02:33:54
0x85420170:winlogon.exe 432 380 3 110 2012-05-28 02:31:20
0x84138C40:System 4 0 86 496 2012-05-28 02:31:14
. 0x846EA308:smss.exe 244 4 2 29 2012-05-28 02:31:14
We can see two interesting things: a Thunderbird process and several GnuPG processes (gpg.exe, gpg-agent.exe and pinentry.exe). Let’s try to find PGP armored data by searching the dump for the string “BEGIN PGP”. We find a few encrypted messages and a public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
...
-----END PGP PUBLIC KEY BLOCK-----
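As an added example (not code from the original writeup), the “BEGIN PGP” string search can be turned into a carver that pulls every armored block out of a raw dump and checks its CRC-24 armor checksum, which flags blocks that were partly overwritten or paged out. The sample dump and payloads are constructed; the CRC and base64 handling follow RFC 4880 section 6.

```python
import base64, re

ARMOR_RE = re.compile(rb"-----BEGIN PGP (?P<kind>[A-Z ]+)-----\r?\n(?P<body>.*?)"
                      rb"-----END PGP (?P=kind)-----", re.DOTALL)

def crc24(data: bytes) -> int:
    """OpenPGP armor CRC-24 (RFC 4880 section 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def carve_armored(dump: bytes) -> list:
    """Return (kind, headers, payload, crc_ok) for every armored block found in dump."""
    found = []
    for m in ARMOR_RE.finditer(dump):
        kind = m.group("kind").decode()
        lines = [ln.strip() for ln in m.group("body").splitlines()]
        blank = lines.index(b"") if b"" in lines else -1     # armor headers end at a blank line
        headers = [ln.decode(errors="replace") for ln in lines[:max(blank, 0)]]
        data = [ln for ln in lines[blank + 1:] if ln]
        crc_line = data.pop() if data and data[-1].startswith(b"=") else None
        try:
            payload = base64.b64decode(b"".join(data), validate=True)
        except ValueError:                                  # binascii.Error is a ValueError
            found.append((kind, headers, b"", False))       # torn or overwritten base64
            continue
        crc_ok = (crc_line is not None and
                  int.from_bytes(base64.b64decode(crc_line[1:]), "big") == crc24(payload))
        found.append((kind, headers, payload, crc_ok))
    return found

def armor(kind: str, payload: bytes, version: str) -> bytes:
    """Build a well-formed armored block; used only to seed the constructed dump below."""
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big"))
    return (f"-----BEGIN PGP {kind}-----\nVersion: {version}\n\n".encode()
            + base64.b64encode(payload) + b"\n=" + crc + f"\n-----END PGP {kind}-----\n".encode())

# Constructed sample dump: filler, an intact message, then a key block whose first
# base64 character was overwritten in memory (constructed payloads, not real keys).
GOOD_PAYLOAD = b"\x85\x01\x0c\x03constructed PKESK packet body"
GOOD = armor("MESSAGE", GOOD_PAYLOAD, "GnuPG v2.0.17 (MingW32)")
DAMAGED = bytearray(armor("PUBLIC KEY BLOCK", b"\x99\x00\x8d\x04constructed key", "GnuPG v2.0.17 (MingW32)"))
pos = DAMAGED.index(b"\n\n") + 2
DAMAGED[pos] = ord("B") if DAMAGED[pos] != ord("B") else ord("C")
SAMPLE_DUMP = b"\x00" * 64 + GOOD + b"\xff" * 32 + bytes(DAMAGED) + b"\x00" * 16
```

Running `carve_armored(SAMPLE_DUMP)` reports the message as intact and the key block as failing its CRC, which is the signal to go hunting for the binary packets instead.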
We now have to find the private key to be able to decipher the messages. Of course the private key is not present in its armored form in memory, so we have to look for its binary counterpart. RFC 4880 defines the secret-key packet as the public-key packet’s fields followed by the secret material, so the public modulus appears verbatim inside the private key; we therefore only need to search memory for a few bytes of the public key. Let’s look at what the public key looks like:
kalenz@chev /sgoinfre/defcon/forensics/400 12-06-04 03:14:44
> pgpdump -i public-key
Old: Public Key Packet(tag 6)(141 bytes)
Ver 4 - new
Public key creation time - Sat May 26 21:21:53 CEST 2012
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(1024 bits) - d5 df 3d 1e 6a 72 99 be df ba b2 f5 d2 ab 44 4c 74 bd 8b 73 cc 14 11 ef 5e fc 4a 18 3d 47 01 27 24 6a 6c 84 5a 2a 8b 6f f1 9a d0 9f 6b 52 ee 01 74 ee 23 cf 72 13 52 2f e1 8a e6 43 70 c7 c3 4a 0b 05 55 22 e4 5a 90 51 5a ea 63 c5 1a 00 4a 6d 25 1f a2 f4 78 7e 20 38 4c 39 c3 f4 49 f9 03 4b d7 cc 1d 0e 47 0a 0a b0 a6 48 0f d0 cb 98 d5 7b 8d cb 1e 36 06 d1 a5 04 80 e1 c6 c3 e9 0a be a9
RSA e(17 bits) - 01 00 01
Old: User ID Packet(tag 13)(58 bytes)
User ID - Poseidon (defcon ctf quals key) <poseidon.ddtek@gmail.com>
Old: Signature Packet(tag 2)(190 bytes)
Ver 4 - new
Sig type - Positive certification of a User ID and Public Key packet(0x13).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA1(hash 2)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat May 26 21:21:53 CEST 2012
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to certify other keys
Flag - This key may be used to sign data
Flag - This key may be used for authentication
Hashed Sub: key expiration time(sub 9)(4 bytes)
Time - Mon Jun 25 21:21:53 CEST 2012
Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes)
Sym alg - AES with 256-bit key(sym 9)
Sym alg - AES with 192-bit key(sym 8)
Sym alg - AES with 128-bit key(sym 7)
Sym alg - CAST5(sym 3)
Sym alg - Triple-DES(sym 2)
Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
Hash alg - SHA256(hash 8)
Hash alg - SHA1(hash 2)
Hash alg - SHA384(hash 9)
Hash alg - SHA512(hash 10)
Hash alg - SHA224(hash 11)
Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
Comp alg - ZLIB <RFC1950>(comp 2)
Comp alg - BZip2(comp 3)
Comp alg - ZIP <RFC1951>(comp 1)
Hashed Sub: features(sub 30)(1 bytes)
Flag - Modification detection (packets 18 and 19)
Hashed Sub: key server preferences(sub 23)(1 bytes)
Flag - No-modify
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x64FDCDE0FB9C695E
Hash left 2 bytes - 7f 65
RSA m^d mod n(1023 bits) - 56 94 a2 5d 58 b0 ff 1e 9d 5b 0c 3e e3 f3 cf f2 8a e7 e7 8c f4 e0 1d be 39 50 a3 ec 13 b3 c4 85 10 1d 89 7e 85 99 a6 46 cd e5 03 f9 dd ba 0a 73 e0 c6 78 14 f8 ad 61 91 6a c3 4a d9 55 9f 9d 8b 95 31 3b 4c 6a b5 44 4f 1a 27 b2 22 4c 0e 59 5d c7 86 c0 8a d8 50 90 31 32 d6 65 6c db c6 05 c5 56 83 c9 26 37 a6 88 f2 dc 02 76 3b c4 24 b2 76 2e 97 23 60 e3 13 82 17 d7 36 c5 fe b2 e8 f3 d7
-> PKCS-1
Old: Public Subkey Packet(tag 14)(141 bytes)
Ver 4 - new
Public key creation time - Sat May 26 21:21:53 CEST 2012
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(1024 bits) - c5 d3 fc 58 d3 16 fa 25 c8 c5 ff 66 e5 e9 13 57 72 6d 2b 51 bc 32 f6 7b c6 f3 4f 8c d9 78 9f 55 7d 1a 05 f2 0a bf 4c 47 46 8b 89 b2 98 73 15 e9 cd 14 37 18 5e ec d8 28 f7 23 1a 17 55 3e a4 b1 c1 c2 87 49 9a 96 75 b1 14 84 cf b2 25 46 5f ee ef d9 83 88 89 aa 88 0c b7 b0 3a 18 78 e7 a4 e0 e9 00 89 98 66 ff 89 c6 b3 4f 4a 07 20 23 69 a5 33 2c f8 d5 ea 1f 6b be 00 68 8e 28 53 08 ba 85
RSA e(17 bits) - 01 00 01
Old: Signature Packet(tag 2)(165 bytes)
Ver 4 - new
Sig type - Subkey Binding Signature(0x18).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA1(hash 2)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat May 26 21:21:53 CEST 2012
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to encrypt communications
Flag - This key may be used to encrypt storage
Hashed Sub: key expiration time(sub 9)(4 bytes)
Time - Mon Jun 25 21:21:53 CEST 2012
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x64FDCDE0FB9C695E
Hash left 2 bytes - 1c 6e
RSA m^d mod n(1024 bits) - 9e 62 c8 31 80 a3 b8 a4 63 43 c4 9b 68 7e c5 dc d1 7c d5 b1 29 c6 e4 89 52 51 e9 6e a4 c6 bf c7 51 9f b9 5e a3 cf de 0e 7d 0f 04 dc 25 9d ea a2 17 42 69 aa 86 92 40 86 bd 36 ab b7 51 8d b3 a9 5d 19 9f 89 d5 24 a5 7d 78 55 97 c8 db bd ef 0d 89 dc 99 87 93 2b c6 57 b4 63 79 5c 9a f0 cc 33 f2 fc f2 42 dc 20 6d 26 32 bf a6 50 b8 3f 20 94 a3 7a b3 e3 55 6a e9 95 95 60 03 3e 9a 64 a2 c2
-> PKCS-1
Let’s look for “d5 df 3d 1e 6a 72 99 be df ba b2 f5 d2 ab 44”. It yields three results: two are the public key in binary form, and the third is longer and somewhat different but contains a lot of the public key data. It must therefore be the private key.
We now just have to dump the private key (shown here in its armored form):
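The hex-editor search described above, as an added example that is not part of the original writeup: it finds every copy of the modulus prefix in a dump and reads the old-format OpenPGP packet header in front of the MPI to tell public-key packets (tag 6/14) from secret-key packets (tag 5/7), rejecting stray copies of the bytes that are not inside a key packet. Only the leading modulus bytes come from the pgpdump output; the rest of the key material, the creation-time bytes and the dump layout are constructed.

```python
# Locate OpenPGP key packets by the leading bytes of the RSA modulus n and classify
# them from the packet header that precedes the v4 key body (RFC 4880 sections 4.2, 5.5).
MODULUS_PREFIX = bytes.fromhex("d5df3d1e6a7299bedfbab2f5d2ab44")   # from the pgpdump output
TAG_NAMES = {5: "Secret Key", 6: "Public Key", 7: "Secret Subkey", 14: "Public Subkey"}

def find_key_packets(dump: bytes, prefix: bytes) -> list:
    """Return one dict per key packet whose modulus starts with prefix."""
    hits, pos = [], 0
    while (i := dump.find(prefix, pos)) >= 0:
        pos = i + 1
        body = i - 8        # v4 key body: version(1) time(4) algo(1) MPI bit-count(2) precede n
        if body < 0 or dump[body] != 4 or dump[body + 5] != 1:      # version 4, RSA (algo 1)
            continue
        n_bits = int.from_bytes(dump[body + 6:body + 8], "big")
        for lenbytes, lentype in ((1, 0), (2, 1), (4, 2)):            # old-format length sizes
            h = body - 1 - lenbytes
            if h < 0:
                continue
            ctb = dump[h]
            tag = (ctb >> 2) & 0x0F
            if ctb & 0xC0 == 0x80 and ctb & 3 == lentype and tag in TAG_NAMES:
                length = int.from_bytes(dump[h + 1:h + 1 + lenbytes], "big")
                hits.append({"offset": h, "tag": tag, "name": TAG_NAMES[tag],
                             "length": length, "n_bits": n_bits, "secret": tag in (5, 7)})
                break
    return hits

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count followed by the magnitude."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")

def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length, as GnuPG writes for key packets."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

# Constructed key material: the modulus starts with the bytes pgpdump showed; the rest,
# the creation time and the secret MPIs are filler, not the real challenge key.
N = int.from_bytes(MODULUS_PREFIX + b"\x4c" + b"\xa5" * 112, "big")          # 1024-bit n
PUB_BODY = b"\x04" + bytes.fromhex("4fc12a31") + b"\x01" + mpi(N) + mpi(65537)  # 141 bytes
SECRET = b"".join(mpi(x) for x in (N // 3, 2**511 + 1, 2**511 + 3, 2**510 + 7))  # d, p, q, u
SEC_BODY = PUB_BODY + b"\x00" + SECRET + (sum(SECRET) & 0xFFFF).to_bytes(2, "big")  # s2k usage 0 + checksum
SAMPLE_DUMP = (b"\x00" * 32 + old_packet(6, PUB_BODY) + b"\xcc" * 16 +
               old_packet(5, SEC_BODY) + b"\x00" * 8 + MODULUS_PREFIX)      # trailing stray copy
```

The stray copy at the end of the dump is found by the plain byte search but rejected by the header check, so only the two real packets are reported, and the longer tag-5 packet is the one to dump.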
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
...
-----END PGP PRIVATE KEY BLOCK-----
Then we try to decrypt all the messages we found earlier. There were a bunch of funny messages, and then we stumbled upon this one:
-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
...
-----END PGP MESSAGE-----
And that’s it:
kalenz@chev /sgoinfre/defcon/forensics/400 12-06-04 03:17:21
> gpg -d foolol3
gpg: encrypted with RSA key, ID EC1B51DB
gpg: encrypted with 1024-bit RSA key, ID D7A51CC5, created 2012-05-26
"Poseidon (defcon ctf quals key) <poseidon.ddtek@gmail.com>"
the key is: as it turns out, Phil Zimmermann also likes sheep.