CHALLENGE DESCRIPTION

Our cybercrime unit has been investigating a well-known APT group for several months. The group has been responsible for several high-profile attacks on corporate organizations. However, what is interesting about this case is that they have developed a custom command & control server of their own. Fortunately, our unit was able to raid the home of the leader of the APT group and take a memory capture of his computer while it was still powered on. Analyze the capture to try to find the source code of the server.

Once unzipped, there is a file called TrueSecrets.raw, which is a RAM memory image.

So first I'll use Volatility to find out the OS:

Install it in a Python virtual environment with: pip install volatility3

vol -f TrueSecrets.raw windows.info
 
Kernel Base     0x82606000
DTB     0x185000
Symbols file:///home/gitblanc/HackTheBox/hackthebox_env/lib/python3.13/site-packages/volatility3/symbols/windows/ntkrpamp.pdb/92D32EE7188A4CB3AB23EDA0CB0F9D7B-2.json.xz
Is64Bit False
IsPAE   True
layer_name      0 WindowsIntelPAE
memory_layer    1 FileLayer
KdDebuggerDataBlock     0x82732c78
NTBuildLab      7601.23915.x86fre.win7sp1_ldr.17
CSDVersion      1
KdVersionBlock  0x82732c50
Major/Minor     15.7601
MachineType     332
KeNumberProcessors      1
SystemTime      2022-12-14 21:33:30+00:00
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  6
NtMinorVersion  1
PE MajorOperatingSystemVersion  6
PE MinorOperatingSystemVersion  1
PE Machine      332
PE TimeDateStamp        Wed Sep 13 14:47:57 2017

I'll dump the files from the .raw image and filter for zip archives:

vol -f TrueSecrets.raw windows.dumpfiles | grep ".zip"
 
DataSectionObject       0x8e19c6b0      zipfldr.dll.mui Error dumping file
DataSectionObject       0x918a5b78      zipfldr.dll.mui Error dumping file
ImageSectionObject      0x918c3038      zipfldr.dll     file.0x918c3038.0x91831620.ImageSectionObject.zipfldr.dll-1.img
ImageSectionObject      0x838aef80      7-zip.dll       file.0x838aef80.0x9180a850.ImageSectionObject.7-zip.dll-1.img
DataSectionObject       0x843f6158      backup_development.zip  file.0x843f6158.0x839339d0.DataSectionObject.backup_development.zip-1.dat
SharedCacheMap  0x843f6158      backup_development.zip  file.0x843f6158.0x9185db40.SharedCacheMap.backup_development.zip-1.vacb

Now, to dump the file I need to perform a filescan:

vol -f TrueSecrets.raw windows.filescan | grep ".zip"
0x483038        \Windows\System32\zipfldr.dll
0x28acb78       \Windows\System32\en-US\zipfldr.dll.mui
0x95796b0       \Windows\System32\en-US\zipfldr.dll.mui
0xbbf6158       \Users\IEUser\Documents\backup_development.zip
0xc4aef80       \Program Files\7-Zip\7-zip.dll

Now I'll dump the file:

vol -f TrueSecrets.raw windows.dumpfiles --physaddr 0xbbf6158
 
Cache   FileObject      FileName        Result
 
DataSectionObject       0xbbf6158       backup_development.zip  file.0xbbf6158.0x839339d0.DataSectionObject.backup_development.zip.dat
SharedCacheMap  0xbbf6158       backup_development.zip  file.0xbbf6158.0x9185db40.SharedCacheMap.backup_development.zip.vacb
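The step above depends on noticing that windows.dumpfiles lists the virtual FileObject address (0x843f6158) while windows.filescan gives the physical offset (0xbbf6158) that --physaddr expects; the two share the same low 12 bits because the offset inside a 4 KiB page survives address translation. The following added helper (my own code, not part of the challenge or Volatility) parses the two outputs quoted in this writeup, cross-checks the page offsets, and builds the dump command. It assumes the whitespace-separated column layout shown above and 4 KiB pages.

```python
import re

# Constructed from the outputs quoted in this writeup: `windows.filescan`
# rows (physical offset, path) and `windows.dumpfiles` rows
# (cache type, virtual FileObject address, file name, result).
FILESCAN = r"""
0x483038    \Windows\System32\zipfldr.dll
0x28acb78   \Windows\System32\en-US\zipfldr.dll.mui
0x95796b0   \Windows\System32\en-US\zipfldr.dll.mui
0xbbf6158   \Users\IEUser\Documents\backup_development.zip
0xc4aef80   \Program Files\7-Zip\7-zip.dll
"""

DUMPFILES = r"""
ImageSectionObject  0x918c3038  zipfldr.dll  file.0x918c3038.0x91831620.ImageSectionObject.zipfldr.dll-1.img
ImageSectionObject  0x838aef80  7-zip.dll    file.0x838aef80.0x9180a850.ImageSectionObject.7-zip.dll-1.img
DataSectionObject   0x843f6158  backup_development.zip  file.0x843f6158.0x839339d0.DataSectionObject.backup_development.zip-1.dat
"""

PAGE_MASK = 0xFFF  # offset within a 4 KiB page: identical in virtual and physical addresses


def parse_filescan(text):
    """Return a list of (physical_offset, path) from windows.filescan output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+)\s+(\S.*)$", line)  # path may contain spaces
        if m:
            rows.append((int(m.group(1), 16), m.group(2).rstrip()))
    return rows


def parse_dumpfiles(text):
    """Return {file name: virtual FileObject address} from windows.dumpfiles output."""
    objs = {}
    for line in text.splitlines():
        parts = line.split()  # assumes file names without spaces, as on this page
        if len(parts) >= 3 and parts[1].startswith("0x"):
            objs.setdefault(parts[2], int(parts[1], 16))
    return objs


def physaddr_for(name, filescan_text, dumpfiles_text):
    """Find the unique filescan entry named `name`, check that its page offset
    matches the dumpfiles FileObject address (0xbbf6158 and 0x843f6158 both end
    in 0x158) and return the value to pass to `windows.dumpfiles --physaddr`."""
    hits = [(off, path) for off, path in parse_filescan(filescan_text)
            if path.rsplit("\\", 1)[-1] == name]
    if len(hits) != 1:
        raise ValueError(f"{name}: expected exactly one filescan entry, got {len(hits)}")
    phys, _ = hits[0]
    virt = parse_dumpfiles(dumpfiles_text).get(name)
    if virt is not None and (virt & PAGE_MASK) != (phys & PAGE_MASK):
        raise ValueError(f"{name}: page offset mismatch {virt:#x} vs {phys:#x}")
    return phys


def dump_command(image, name, filescan_text=FILESCAN, dumpfiles_text=DUMPFILES):
    """Build the exact dumpfiles command used above for the chosen file."""
    phys = physaddr_for(name, filescan_text, dumpfiles_text)
    return f"vol -f {image} windows.dumpfiles --physaddr {phys:#x}"
```

Duplicate names (the two zipfldr.dll.mui entries) raise instead of silently picking one, which is the case where a blind grep would hand you the wrong offset.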

Now I unzip one of the files:

unzip file.0xbbf6158.0x839339d0.DataSectionObject.backup_development.zip.dat 
Archive:  file.0xbbf6158.0x839339d0.DataSectionObject.backup_development.zip.dat
 extracting: development.tc

After doing that, I found a TrueCrypt container. I'll use VeraCrypt to mount it, but since it needs a password, I'll first use the windows.truecrypt plugin to recover the cached password from the .raw capture:

vol -f TrueSecrets.raw windows.truecrypt
 
Volatility 3 Framework 2.26.0
Offset  Length  Password
 
0x89ebf064      28      X2Hk2XbEJqWYsh8VdbSYg6WpG9g7

I need VeraCrypt 1.24, because TrueCrypt mode has been discontinued in later versions.

You can follow this writeup for the mounting steps.