memdump - ASIS CTF 2013

Since I never had a chance to work with Volatility and Linux dumps, I took a crack at this challenge. We were given a memory dump. Looking at the strings, we can tell it is from a VirtualBox image with Ubuntu running the 3.5.0-23-generic kernel:

```
$ strings /tmp/mem.dump | grep BOOT_
BOOT_IMAGE=/vmlinuz-3.5.0-23-generic
```

Since the profile available on the Volatility site is for an older kernel, we have to build our own (the process is described here: http://code.google.com/p/volatility/wiki/LinuxMemoryForensics). After that it is time to play ;]

First the bash history. It is quite long, but this part looks important:

```
$ ./vol.py -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_bash -H 0x6ee4c0
Volatile Systems Volatility Framework 2.3_beta
....
     967 bash                 2013-08-26 11:27:53 UTC+0000   uname -a
     967 bash                 2013-08-26 11:27:53 UTC+0000   wget 172.16.133.149:8090/asis-ctf -O /tmp/
     967 bash                 2013-08-26 11:27:53 UTC+0000   wget 172.16.133.149:8090/asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   ls
     967 bash                 2013-08-26 11:27:53 UTC+0000   du -h asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   chmod +x asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   ./asis-ctf
     967 bash                 2013-08-26 11:27:53 UTC+0000   sudo poweroff
     967 bash                 2013-08-26 11:27:54 UTC+0000   ls
     967 bash                 2013-08-26 11:30:37 UTC+0000   ./asis-ctf
     967 bash                 2013-08-26 12:00:04 UTC+0000   sudo apt-get install lynx
     967 bash                 2013-08-26 12:00:27 UTC+0000   lynx
     967 bash                 2013-08-26 12:10:44 UTC+0000   sudo apt-get install elinks
     967 bash                 2013-08-26 12:10:57 UTC+0000   elinks
     967 bash                 2013-08-26 12:14:58 UTC+0000   clear
     967 bash                 2013-08-26 12:15:00 UTC+0000   ls
     967 bash                 2013-08-26 12:15:28 UTC+0000   cp asis-ctf flag1
...
```

So let's look at the processes:

```
$ vol.py -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_pstree
Volatile Systems Volatility Framework 2.3_beta
Name                 Pid             Uid
...
.login               837             0
..bash               967             1000
...asis-ctf          9425            1000
...nano              15584           1000
.apache2             16346           0
...
```
Let's dump the asis-ctf process (PID 9425) and analyze it:

```
$ vol.py -f /tmp/mem.dump --profile=LinuxUbuntu12_10-3_5_0-23x64 linux_dump_map -p 9425 -D foo/
Volatile Systems Volatility Framework 2.3_beta
Task       VM Start           VM End             Length             Path
---------- ------------------ ------------------ ------------------ ----
      9425 0x0000000000400000 0x0000000000401000             0x1000 foo/task.9425.0x400000.vma
      9425 0x0000000000600000 0x0000000000601000             0x1000 foo/task.9425.0x600000.vma
      9425 0x0000000000601000 0x0000000000602000             0x1000 foo/task.9425.0x601000.vma
      9425 0x00007fd496e34000 0x00007fd496fe9000           0x1b5000 foo/task.9425.0x7fd496e34000.vma
      9425 0x00007fd496fe9000 0x00007fd4971e8000           0x1ff000 foo/task.9425.0x7fd496fe9000.vma
      9425 0x00007fd4971e8000 0x00007fd4971ec000             0x4000 foo/task.9425.0x7fd4971e8000.vma
      9425 0x00007fd4971ec000 0x00007fd4971ee000             0x2000 foo/task.9425.0x7fd4971ec000.vma
      9425 0x00007fd4971ee000 0x00007fd4971f3000             0x5000 foo/task.9425.0x7fd4971ee000.vma
      9425 0x00007fd4971f3000 0x00007fd497215000            0x22000 foo/task.9425.0x7fd4971f3000.vma
      9425 0x00007fd497408000 0x00007fd49740b000             0x3000 foo/task.9425.0x7fd497408000.vma
      9425 0x00007fd497411000 0x00007fd497415000             0x4000 foo/task.9425.0x7fd497411000.vma
      9425 0x00007fd497415000 0x00007fd497416000             0x1000 foo/task.9425.0x7fd497415000.vma
      9425 0x00007fd497416000 0x00007fd497418000             0x2000 foo/task.9425.0x7fd497416000.vma
      9425 0x00007fff62ff0000 0x00007fff63012000            0x22000 foo/task.9425.0x7fff62ff0000.vma
      9425 0x00007fff63048000 0x00007fff63049000             0x1000 foo/task.9425.0x7fff63048000.vma
```

To do real RE we should reconstruct the binary from these mappings, but I didn't bother, assuming it is a simple binary: IDA can load an ELF from its program headers alone, without the section headers, which are not present in the dumped image. The binary was indeed simple: it waits for input, and if the input is 'flag' it prints the actual flag.
The flag is built on the stack, stored byte by byte:

```
LOAD:0000000000400683 mov byte ptr [rbp+var_A0], 66
LOAD:000000000040068A mov byte ptr [rbp+var_A0+1], 73
LOAD:0000000000400691 mov byte ptr [rbp+var_A0+2], 85
LOAD:0000000000400698 mov byte ptr [rbp+var_A0+3], 82
LOAD:000000000040069F mov byte ptr [rbp+var_A0+4], 76
LOAD:00000000004006A6 mov byte ptr [rbp+var_A0+5], 65
LOAD:00000000004006AD mov byte ptr [rbp+var_A0+6], 87
LOAD:00000000004006B4 mov byte ptr [rbp+var_A0+7], 78
LOAD:00000000004006BB mov [rbp+var_98], 100
LOAD:00000000004006C2 mov [rbp+var_97], 95
LOAD:00000000004006C9 mov [rbp+var_96], 105
LOAD:00000000004006D0 mov [rbp+var_95], 55
LOAD:00000000004006D7 mov [rbp+var_94], 105
LOAD:00000000004006DE mov [rbp+var_93] ...
```

and printed by this loop at 0x400867 (it takes every second byte of the buffer, subtracts the loop index and 1, and prints the result):

```
LOAD:0000000000400867 loc_400867:
LOAD:0000000000400867 mov eax, [rbp+idx]
LOAD:000000000040086D add eax, eax
LOAD:000000000040086F cdqe
LOAD:0000000000400871 movzx eax, byte ptr [rbp+rax+var_A0]
LOAD:0000000000400879 movsx eax, al
LOAD:000000000040087C sub eax, [rbp+idx]
LOAD:0000000000400882 sub eax, 1
LOAD:0000000000400885 mov edi, eax
LOAD:0000000000400887 call sub_400500
LOAD:000000000040088C add [rbp+idx], 1
```

Since we don't have a runnable binary we have to do it "by hand". The easiest method is IDAPython: walk the chain of mov instructions starting at 0x400683, read every second immediate, and apply the same transform the print loop does:

```
Python> import sys
Python> add = 0x400683
Python> for i in range(0, 38):
            OpDecimal(add, 1)                                     # show the immediate as decimal
            sys.stdout.write(chr(int(GetOpnd(add, 1)) - i - 1))  # buf[2*i] - i - 1, as in loc_400867
            add = Rfirst(Rfirst(add))                             # skip one mov: next stored byte is at index 2*(i+1)
        print ""
ASIS_cb6bb012a8ea07a426254293de2bc0ef
Python>
```

Done.
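The same recovery can be done outside IDA, which is handy when you only have the listing text (for example pasted into a report). The following is an added example, not the author's script: it parses the `mov ... [rbp+var_XX(+N)], imm` lines from the listing above into the stack buffer (assuming, as the names imply, that `var_98` is `var_A0+8`, `var_97` is `var_A0+9`, and so on) and then mirrors the print loop at `loc_400867`. Only the first 13 stores are visible on the page, so it recovers the prefix of the flag; feeding it the full listing would recover the whole thing.

```python
import re

# Listing lines excerpted from the IDA output quoted in the writeup
# (only the first 13 stores are shown on the page).
LISTING = """
LOAD:0000000000400683 mov byte ptr [rbp+var_A0], 66
LOAD:000000000040068A mov byte ptr [rbp+var_A0+1], 73
LOAD:0000000000400691 mov byte ptr [rbp+var_A0+2], 85
LOAD:0000000000400698 mov byte ptr [rbp+var_A0+3], 82
LOAD:000000000040069F mov byte ptr [rbp+var_A0+4], 76
LOAD:00000000004006A6 mov byte ptr [rbp+var_A0+5], 65
LOAD:00000000004006AD mov byte ptr [rbp+var_A0+6], 87
LOAD:00000000004006B4 mov byte ptr [rbp+var_A0+7], 78
LOAD:00000000004006BB mov [rbp+var_98], 100
LOAD:00000000004006C2 mov [rbp+var_97], 95
LOAD:00000000004006C9 mov [rbp+var_96], 105
LOAD:00000000004006D0 mov [rbp+var_95], 55
LOAD:00000000004006D7 mov [rbp+var_94], 105
"""

# Assumption: var_A0 is the start of the buffer, and IDA's var_XX names are
# rbp-relative, so var_98 lies 0xA0 - 0x98 = 8 bytes after var_A0.
BUF_VAR = 0xA0

STORE_RE = re.compile(
    r"mov\s+(?:byte ptr\s+)?\[rbp\+var_([0-9A-Fa-f]+)(?:\+(\d+))?\],\s*(\d+)"
)


def parse_stack_stores(listing):
    """Collect the immediate byte stores into a contiguous buffer (bytes)."""
    buf = {}
    for line in listing.splitlines():
        m = STORE_RE.search(line)
        if not m:
            continue
        var, plus, value = m.groups()
        offset = BUF_VAR - int(var, 16) + int(plus or 0)
        buf[offset] = int(value) & 0xFF
    if not buf:
        return b""
    size = max(buf) + 1
    missing = [o for o in range(size) if o not in buf]
    if missing:
        # A gap means the listing is incomplete; refuse rather than guess.
        raise ValueError("listing has gaps at offsets %r" % missing)
    return bytes(buf[o] for o in range(size))


def decode_flag(buf):
    """Mirror of loc_400867: out[i] = buf[2*i] - i - 1 for as long as 2*i is in range."""
    out = []
    i = 0
    while 2 * i < len(buf):
        out.append(chr((buf[2 * i] - i - 1) & 0xFF))
        i += 1
    return "".join(out)


def recover_prefix(listing=LISTING):
    """Parse the listing and decode whatever part of the flag it covers."""
    return decode_flag(parse_stack_stores(listing))


if __name__ == "__main__":
    print(recover_prefix())  # ASIS_cb with the 13 stores quoted on the page
```

The gap check matters in practice: IDA listings copied out of a report often lose lines, and an undetected hole would silently shift every later character of the output.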