DEADFACE2022 Logo

Author(s):

  • syyntax

Category:

  • Forensics

Points:

  • 100

File(s):

  • esu-mem-20220727154029.tar.gz

Hint(s):

  • None

Inode What You Did Last Summer

Challenge:

One of the security researchers at ESU needs help in their forensics of the ESU attack that occurred on 2022-07-27. They are asking if you can help them find the Inode of the file that was compromised and enabled the attackers to escalate their privileges to root.

Submit the flag as flag{inode_value}.

Solution:

The challenge file provided was an archive containing a file named esu-mem-20220727154029.dmp, which had magic-bytes indicating it was a memory dump acquired via Linux Memory Extractor.

$ xxd esu-mem-20220727154029.dmp | head -n1
00000000: 454d 694c 0100 0000 0010 0000 0000 0000  EMiL............

The archive also contained a file named Ubuntu_5.4.0-122-generic.zip which was a memory profile and needed to be in Volatility's plugin directory:

$ mv Ubuntu_5.4.0-122-generic.zip [VOLATILITY_HOME]/volatility/plugins/linux/

$ volatility2 --info | grep Ubuntu

Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu_5_4_0-122-genericx64 - A Profile for Linux Ubuntu_5.4.0-122-generic x64

Finally, a quick validation test that everything is working as expected:

$ volatility2 --profile LinuxUbuntu_5_4_0-122-genericx64 -f esu-mem-20220727154029.dmp limeinfo
Volatility Foundation Volatility Framework 2.6.1
Memory Start       Memory End         Size
------------------ ------------------ ------------------
0x0000000000001000 0x000000000009efff 0x000000000009e000
0x0000000000100000 0x000000003ffd7ffe 0x000000003fed7fff

The challenge description is asking for the "…Inode of the file that was compromised and enabled the attackers to escalate their privileges to root", During the Escalation challenge we determined the file that was compromised was named "backup.py", so now it's just a matter of finding the file in the memory dump. The linux_enumerate_files plugin lists files referenced by the filesystem cache and outputs three columns, Inode Address, Inode Number and Path. Running the plugin and grep'ing for 'backup.py' produces the Inode number needed to solve the challenge.

$ volatility2 --profile LinuxUbuntu_5_4_0-122-genericx64 -f esu-mem-20220727154029.dmp linux_enumerate_files | grep -F "backup.py"

Volatility Foundation Volatility Framework 2.6.1
0xffff959183253cd8                    788070 /opt/backup.py

The accepted flag was: flag{788070}

Published:

Updated:

Leave a comment