<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Noah Mugaya</title>
    <description>The latest articles on DEV Community by Noah Mugaya (@paragonnoah).</description>
    <link>https://dev.to/paragonnoah</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F877225%2F7430e913-a0fa-4e0a-acac-5ed1a6aed338.jpg</url>
      <title>DEV Community: Noah Mugaya</title>
      <link>https://dev.to/paragonnoah</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/paragonnoah"/>
    <language>en</language>
    <item>
      <title>HACKING A BANK</title>
      <dc:creator>Noah Mugaya</dc:creator>
      <pubDate>Thu, 21 Jul 2022 06:00:50 +0000</pubDate>
      <link>https://dev.to/paragonnoah/hacking-a-bank-5lb</link>
      <guid>https://dev.to/paragonnoah/hacking-a-bank-5lb</guid>
      <description>&lt;h2&gt;
  
  
  Advanced Banking Logic Vulnerabilities
&lt;/h2&gt;


&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LKz0ozzr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/is09dhji3sc5t8f3cgkv.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LKz0ozzr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/is09dhji3sc5t8f3cgkv.jpeg" alt="Image description" width="300" height="168"&gt;&lt;/a&gt;&lt;br&gt;
Banks form the core of the economy. Today, cyber attacks take place daily, and banks worldwide are affected.&lt;/p&gt;

&lt;p&gt;In the past year, we have observed the security of various banks in terms of mobile application security. The security flaws described are those due to poor programming practices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Flaws can be elucidated as follows&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;ol&gt;
&lt;li&gt;Replay Attack&lt;/li&gt;
&lt;li&gt;Bypassing payment to a malicious beneficiary&lt;/li&gt;
&lt;li&gt;Bypass Challenge Response in 2FA&lt;/li&gt;
&lt;/ol&gt;
&lt;/blockquote&gt;

&lt;p&gt;In order to describe the attacks, consider a fictional bank, “HACKED Bank”. The customers of the bank are censy and shodan, and the hacker is Noah. We want to show flaws in logic, and we use Charles Proxy to sniff SSL traffic between the mobile banking application and the bank server.&lt;/p&gt;

&lt;p&gt;A mobile banking application should allow users to perform a subset of the operations they can perform at the bank. We therefore lay down our assumptions of how the mobile banking application should actually function. While making a payment, a payment request should be valid only once. Similarly, transfers should be possible only to approved and trusted beneficiaries. Moving on to the challenge response, banks may, as an added layer of security, ask for certain digits of a password (like the 2nd, 3rd and 7th digit), or a similar form of secondary authentication. Only upon responding with what was asked for is the transaction processed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Replay Attack&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MrMzPaSu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ymridd66jw0egt3b9nt1.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MrMzPaSu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ymridd66jw0egt3b9nt1.jpeg" alt="Image description" width="259" height="194"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Suppose censy is transferring money to shodan through the mobile banking application. The payment request should be valid only once. Any attempt to present the same request to the bank again should be treated as invalid. In a practical scenario, suppose censy is transferring 10$ to shodan legitimately. censy can pair up with the hacker Noah and have him replay the request 10 times. Thus 90$ is siphoned off from shodan’s account without her authorisation.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The defence against replay attacks is a nonce, or a secret between the client and the server as a function of time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Bypass Payment Attack&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--mg8osALm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/iybf6hsdbcpdak2l3jvi.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--mg8osALm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/iybf6hsdbcpdak2l3jvi.jpeg" alt="Image description" width="340" height="148"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As part of everyday business, censy transfers 100$ to shodan. This is a valid transaction since shodan exists in the list of approved beneficiaries.&lt;/p&gt;

&lt;p&gt;The steps in completing a transaction are as follows:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1. censy-&amp;gt; Server : Transfer 100$ to shodan

2. Server-&amp;gt; censy: OK ; Give me authentication numbers : 1 , 5 ,8

3. censy-&amp;gt; Server : Transfer 100$ to shodan ; Authentication 1:22 5:45 8:12

4. Transfer Successful
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The authentication characters can be considered to be key-value pairs, where there are 16 keys, 1…16. There exist authentication digits for each of these.&lt;/p&gt;

&lt;p&gt;The bypass payment hack happens in step 3. Eve, the adversary, can tamper with the request as follows:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;3. censy-&amp;gt; Server : Transfer 10000$ to Eve ; Authentication 1:22 5:45 8:12
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The server accepts it, and the transfer is successful. The problems are:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Lack of check in step 3, if recipient is a beneficiary
State not maintained between step 1 and 3.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Thus money can be diverted to malicious entities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Two Factor Authentication Bypass&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CD9X3jtC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bxja3nj01etfovnxdqcq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CD9X3jtC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bxja3nj01etfovnxdqcq.png" alt="Image description" width="312" height="162"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As described in the transaction steps, authentication values need to be provided. The server asks for 3 values randomly out of 16, as a two factor auth.&lt;/p&gt;

&lt;p&gt;An attack is changing the challenge response questions.&lt;/p&gt;

&lt;p&gt;In step 2, when the bank asks for the 2FA:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;2. Server-&amp;gt; censy: OK ; Give me authentication numbers : 1 , 5 ,8
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Eve can tamper with the request response, and provide the 3 valid key value pairs she knows. Thus irrespective of what the server asks for, Eve can provide the key value pairs she knows, and the transaction still goes through. Thus she effectively bypasses the security mechanism since she can spoof each transaction.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;censy-&amp;gt;Server : Transfer 100$ to shodan ; Authentication 1:22 2:99 3:10
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This attack is an advanced one, and requires Eve to possess the session key. However, once she has it by sniffing a live transaction, she can create malicious transactions by combining vulnerabilities 2 &amp;amp; 3.&lt;/p&gt;

&lt;p&gt;These flaws are related to the logic and may not fall under the bank's threat model, as they assume the application to be in the trusted computing base. However, this assumption may not hold true, given how easy it is to poison the phone certificate store through an application with misleading permissions.&lt;/p&gt;

&lt;p&gt;Public key pinning would solve the sniffing problem; however, there may be an adversary sniffing traffic on the first install and run of the banking application. In addition, these logic vulnerabilities would exist even in the web banking application.&lt;/p&gt;

&lt;p&gt;At Spherical Defence (neural.ai), we are developing technology for banks to detect intrusion attempts real time using Deep Learning by learning grammar and the semantics of trusted communication.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GzXO9GyF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x16ji7yuzj4ynr2z2r32.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GzXO9GyF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x16ji7yuzj4ynr2z2r32.jpeg" alt="Image description" width="259" height="194"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>nosql</category>
      <category>node</category>
    </item>
    <item>
      <title>INTRODUCTION TO DATA STRUCTURE AND ALGORITHMS :</title>
      <dc:creator>Noah Mugaya</dc:creator>
      <pubDate>Tue, 28 Jun 2022 17:28:33 +0000</pubDate>
      <link>https://dev.to/paragonnoah/introduction-to-data-structure-and-algorithms--136d</link>
      <guid>https://dev.to/paragonnoah/introduction-to-data-structure-and-algorithms--136d</guid>
      <description>

&lt;h2&gt;
  
  
  Introduction to Data Structures and Algorithms
&lt;/h2&gt;


&lt;p&gt;A data structure is a way of collecting and organising data so that we can perform operations on the data effectively. Data structures are about arranging data elements in terms of some relationship, for better organization and storage. For example, we have some data which has a player's name "Virat" and age 26. Here "Virat" is of String data type and 26 is of integer data type.&lt;/p&gt;

&lt;p&gt;We can organize this data as a record like Player record, which will have both player's name and age in it. Now we can collect and store player's records in a file or database as a data structure. For example: "Dhoni" 30, "Gambhir" 31, "Sehwag" 33&lt;/p&gt;

&lt;p&gt;If you are aware of Object Oriented programming concepts, then a class also does the same thing: it collects different types of data under one single entity. The only difference is that data structures provide techniques to access and manipulate data efficiently.&lt;/p&gt;

&lt;p&gt;In simple language, Data Structures are structures programmed to store ordered data, so that various operations can be performed on it easily. It represents the knowledge of data to be organized in memory. It should be designed and implemented in such a way that it reduces the complexity and increases the efficiency.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Basic types of Data Structures&lt;/strong&gt;&lt;br&gt;
As we have discussed above, anything that can store data can be called a data structure, hence Integer, Float, Boolean, Char etc. are all data structures. They are known as Primitive Data Structures.&lt;/p&gt;

&lt;p&gt;Then we also have some complex Data Structures, which are used to store large and connected data. Some examples of Abstract Data Structures are:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Linked List&lt;br&gt;
Tree&lt;br&gt;
Graph&lt;br&gt;
Stack, Queue etc&lt;/em&gt;.&lt;br&gt;
All these data structures allow us to perform different operations on data. We select these data structures based on which type of operation is required. We will look into these data structures in more detail in later lessons.&lt;/p&gt;






&lt;p&gt;The data structures can also be classified on the basis of the following characteristics:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Linear&lt;/strong&gt;: In linear data structures, the data items are arranged in a linear sequence. Example: Array&lt;br&gt;
&lt;strong&gt;Non-Linear&lt;/strong&gt;: In non-linear data structures, the data items are not in sequence. Example: Tree, Graph&lt;br&gt;
&lt;strong&gt;Homogeneous&lt;/strong&gt;: In homogeneous data structures, all the elements are of the same type. Example: Array&lt;br&gt;
&lt;strong&gt;Non-Homogeneous&lt;/strong&gt;: In non-homogeneous data structures, the elements may or may not be of the same type. Example: Structures&lt;br&gt;
&lt;strong&gt;Static&lt;/strong&gt;: Static data structures are those whose sizes and structures, and the associated memory locations, are fixed at compile time. Example: Array&lt;br&gt;
&lt;strong&gt;Dynamic&lt;/strong&gt;: Dynamic structures are those which expand or shrink depending upon the program's needs during execution. Their associated memory locations also change. Example: Linked List created using pointers&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is an Algorithm?&lt;/strong&gt;&lt;br&gt;
An algorithm is a finite set of instructions or logic, written in order, to accomplish a certain predefined task. An algorithm is not the complete code or program; it is just the core logic (solution) of a problem, which can be expressed either as an informal high-level description in pseudocode or using a flowchart.&lt;/p&gt;

&lt;p&gt;Every Algorithm must satisfy the following properties:&lt;/p&gt;

&lt;p&gt;Input- There should be 0 or more inputs supplied externally to the algorithm.&lt;br&gt;
Output- There should be at least 1 output obtained.&lt;br&gt;
Definiteness- Every step of the algorithm should be clear and well defined.&lt;br&gt;
Finiteness- The algorithm should have a finite number of steps.&lt;br&gt;
Correctness- Every step of the algorithm must generate a correct output.&lt;/p&gt;

&lt;p&gt;An algorithm is said to be efficient and fast if it takes less time to execute and consumes less memory space. The performance of an algorithm is measured on the basis of the following properties:&lt;br&gt;
Time Complexity&lt;br&gt;
Space Complexity&lt;/p&gt;

&lt;h2&gt;
  
  
  Space Complexity
&lt;/h2&gt;

&lt;p&gt;It's the amount of memory space required by the algorithm during the course of its execution. Space complexity must be taken seriously for multi-user systems and in situations where limited memory is available.&lt;/p&gt;

&lt;p&gt;An algorithm generally requires space for the following components:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Instruction Space&lt;/strong&gt;: It's the space required to store the executable version of the program. This space is fixed, but varies depending upon the number of lines of code in the program.&lt;br&gt;
&lt;strong&gt;Data Space&lt;/strong&gt;: It's the space required to store the values of all the constants and variables (including temporary variables).&lt;br&gt;
&lt;strong&gt;Environment Space&lt;/strong&gt;: It's the space required to store the environment information needed to resume the suspended function.&lt;br&gt;
To learn about Space Complexity in detail, jump to the Space Complexity tutorial.&lt;/p&gt;

&lt;h2&gt;
  
  
  Time Complexity
&lt;/h2&gt;

&lt;p&gt;Time Complexity is a way to represent the amount of time required by the program to run to completion. It's generally good practice to keep the time required to a minimum, so that our algorithm completes its execution in the minimum time possible. We will study Time Complexity in detail in later sections.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>forensics volatility</title>
      <dc:creator>Noah Mugaya</dc:creator>
      <pubDate>Mon, 27 Jun 2022 09:08:07 +0000</pubDate>
      <link>https://dev.to/paragonnoah/forensics-volatility-4e88</link>
      <guid>https://dev.to/paragonnoah/forensics-volatility-4e88</guid>
      <description>&lt;p&gt;&lt;strong&gt;TOOLS SET UP&lt;/strong&gt;&lt;br&gt;
Setup is simple, since we will be focusing on one tool, Volatility (GitHub). Volatility supports Linux, macOS and Windows. It is a terminal (CMD) based application, meaning you have to run it from the terminal. (The GUI version, Volatility Workbench, can also be used but won't be covered here since it is a Windows-based GUI.)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;INSTALLING VOLATILITY&lt;/strong&gt;&lt;br&gt;
Volatility can be installed from the official repository on Ubuntu 18.&lt;/p&gt;

&lt;p&gt;Note: The following command is for reference purposes only and should not be executed in this scenario as the VM lacks internet access by design. Volatility has already been installed.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;apt install volatility -y&lt;/em&gt;&lt;br&gt;
The above command installs additional packages which are dependencies of the Volatility tool:&lt;/p&gt;

&lt;p&gt;...&lt;br&gt;
The following additional packages will be installed:&lt;br&gt;
dwarfdump libdistorm3-3 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 liblcms2-2 libtiff5 libwebp6 libwebpdemux2 libwebpmux3 libyara3 python-attr python-bs4 python-chardet python-crypto python-distorm3 python-et-xmlfile python-funcsigs python-html5lib python-jdcal python-lxml python-olefile python-openpyxl python-pil python-pkg-resources python-pluggy python-py python-pytest python-six python-tz python-webencodings python-yara volatility-tools&lt;br&gt;
Suggested packages:&lt;br&gt;
liblcms2-utils python-attr-doc python-crypto-doc python-funcsigs-doc python-genshi python-lxml-dbg python-lxml-doc python-pil-doc python-pil-dbg python-setuptools subversion python-pytest-xdist python-mock libraw1394-11 lime-forensics-dkms gcc make zip&lt;br&gt;
The following NEW packages will be installed:&lt;br&gt;
dwarfdump libdistorm3-3 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 liblcms2-2 libtiff5 libwebp6 libwebpdemux2 libwebpmux3 libyara3 python-attr python-bs4 python-chardet python-crypto python-distorm3 python-et-xmlfile python-funcsigs python-html5lib python-jdcal python-lxml python-olefile python-openpyxl python-pil python-pkg-resources python-pluggy python-py python-pytest python-six python-tz python-webencodings python-yara volatility volatility-tools&lt;br&gt;
0 upgraded, 35 newly installed, 0 to remove and 289 not upgraded.&lt;/p&gt;

&lt;p&gt;Validate the Volatility installation by running the following command, which outputs the tool's usage and command options:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;volatility --help&lt;/em&gt;&lt;br&gt;
Sample Output:&lt;/p&gt;

&lt;p&gt;Volatility Foundation Volatility Framework 2.6&lt;br&gt;
Usage: Volatility - A memory forensics analysis platform.&lt;br&gt;
Options:&lt;br&gt;
-h, --help list all available options and their default values. Default values may be set in the configuration file (/etc/volatilityrc)&lt;br&gt;
--conf-file=/root/.volatilityrc User based configuration file&lt;br&gt;
-d, --debug Debug volatility&lt;br&gt;
--plugins=PLUGINS Additional plugin directories to use (colon separated)&lt;br&gt;
--info Print information about all registered objects&lt;br&gt;
--cache-directory=/root/.cache/volatility Directory where cache files are stored&lt;br&gt;
--cache Use caching&lt;br&gt;
--tz=TZ Sets the (Olson) timezone for displaying timestamps using pytz (if installed) or tzset&lt;br&gt;
-f FILENAME, --filename=FILENAME Filename to use when opening an image&lt;br&gt;
--profile=WinXPSP2x86 Name of the profile to load (use --info to see a list of supported profiles)&lt;br&gt;
-l LOCATION, --location=LOCATION A URN location from which to load an address space&lt;br&gt;
-w, --write Enable write support&lt;br&gt;
--dtb=DTB DTB Address&lt;br&gt;
--shift=SHIFT Mac KASLR shift address&lt;br&gt;
--output=text Output in this format (support is module specific, see the Module Output Options below)&lt;br&gt;
--output-file=OUTPUT_FILE Write output in this file&lt;br&gt;
-v, --verbose Verbose information&lt;br&gt;
--physical_shift=PHYSICAL_SHIFT Linux kernel physical shift address&lt;br&gt;
--virtual_shift=VIRTUAL_SHIFT Linux kernel virtual shift address&lt;br&gt;
-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit Windows 8 and above this is the address of KdCopyDataBlock)&lt;br&gt;
...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;LABS SET UP&lt;/strong&gt;&lt;br&gt;
This scenario will be using MemLabs cloned from &lt;a href="https://github.com/stuxnet999/MemLabs"&gt;https://github.com/stuxnet999/MemLabs&lt;/a&gt;. The labs contain the CTF memory images as referenced earlier.&lt;/p&gt;

&lt;p&gt;Note: The following command is for reference purposes only and should not be executed in this scenario as the VM lacks internet access by design. The labs have already been cloned and are located at /home/admin/labs/MemLab.&lt;/p&gt;

&lt;p&gt;git clone &lt;a href="https://github.com/stuxnet999/MemLabs.git"&gt;https://github.com/stuxnet999/MemLabs.git&lt;/a&gt;&lt;br&gt;
The scenario starts with the first lab, Lab 1:&lt;/p&gt;

&lt;p&gt;According to the ReadMe, this is the easiest of them all, and it is where I would urge all beginners to start. Starting here will show you a clear path to how memory forensics works and, best of all, an easier approach to what can sometimes be a steep learning curve. Note also that we will be learning about the tool more than the CTF itself, which is crucial.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;VOLATILITY INTRODUCTION&lt;/strong&gt;&lt;br&gt;
Let's start off with a small introduction to the tool: what exactly it does and why we would need it.&lt;/p&gt;

&lt;p&gt;Memory forensics (volatile memory) is done on a system that was live, where the investigator managed to grab a snapshot of memory at that point in time. This can help us investigate a few things, including processes, files, IP addresses (network information) and user information, and even dump some passwords; the list is huge!&lt;/p&gt;

&lt;p&gt;This helps an investigator find a pattern in how the system was attacked, who attacked it and how they navigated it, and also how malware infected the system. The possibilities are so many that we can't cover them all here; take a look at Volatility's wiki to read more.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;MEMORY FORENSICS STEPS&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;STEP 1&lt;/strong&gt;&lt;br&gt;
Change directory to the first Lab:&lt;/p&gt;

&lt;p&gt;cd /home/ubuntu/labs/MemLabs/Lab\ 1&lt;br&gt;
Check the contents of the README.md for lab challenge description and challenge instructions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;cat README.md&lt;/strong&gt;&lt;br&gt;
The readme file indicates the location of the image and pretty much where to download it.&lt;/p&gt;

&lt;p&gt;Note: The image file has been downloaded and located in the Lab 1 directory.&lt;/p&gt;

&lt;p&gt;root@labs:/home/ubuntu/labs/MemLabs/Lab 1# ls&lt;br&gt;
MemoryDump_Lab1.raw README.md&lt;/p&gt;

&lt;p&gt;The Lab 1 readme indicates the MD5 hash value of the memory dump as b9fec1a443907d870cb32b048bda9380. Validate the hash value of the above downloaded image before proceeding:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;md5sum MemoryDump_Lab1.raw&lt;/strong&gt;&lt;br&gt;
b9fec1a443907d870cb32b048bda9380 MemoryDump_Lab1.raw&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;STEP 2: IDENTIFY WHICH PROFILE TO USE&lt;/strong&gt;&lt;br&gt;
We use the plugins available in Volatility to interact with and manage the image. Our first interaction is to identify which profile to use, by first identifying what type of image it is and which system it came from:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;volatility -f MemoryDump_Lab1.raw imageinfo&lt;br&gt;
Output:&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Volatility Foundation Volatility Framework 2.6&lt;br&gt;
INFO : volatility.debug : Determining profile based on KDBG search...&lt;br&gt;
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418&lt;br&gt;
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)&lt;br&gt;
AS Layer2 : FileAddressSpace (/home/ubuntu/labs/MemLabs/Lab 1/MemoryDump_Lab1.raw)&lt;br&gt;
PAE type : No PAE&lt;br&gt;
DTB : 0x187000L&lt;br&gt;
KDBG : 0xf800028100a0L&lt;br&gt;
Number of Processors : 1&lt;br&gt;
Image Type (Service Pack) : 1&lt;br&gt;
KPCR for CPU 0 : 0xfffff80002811d00L&lt;br&gt;
KUSER_SHARED_DATA : 0xfffff78000000000L&lt;br&gt;
Image date and time : 2019-12-11 14:38:00 UTC+0000&lt;br&gt;
Image local date and time : 2019-12-11 20:08:00 +0530&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;STEP 3: KDBG SCAN&lt;/strong&gt;&lt;br&gt;
The KDBG is a structure maintained by the Windows kernel for debugging purposes. It contains a list of the running processes and loaded kernel modules. It also contains some version information that allows you to determine if a memory dump came from a Windows XP system versus Windows 7, what Service Pack was installed, and the memory model (32-bit vs 64-bit).&lt;/p&gt;

&lt;p&gt;Say you have a raw image with a profile such as Windows 7 SP2, but pslist (another plugin) doesn't show any processes. In that case we proceed with the first profile suggested and run kdbgscan. (In our case we do not need KDBG, but here's how to do it anyway):&lt;/p&gt;

&lt;p&gt;volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 kdbgscan&lt;br&gt;
Output:&lt;br&gt;
Volatility Foundation Volatility Framework 2.6&lt;/p&gt;

&lt;p&gt;Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf800028100a0 Offset (P) : 0x28100a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x64 Version64 : 0xf80002810068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17514.amd64fre.win7sp1_rtm. PsActiveProcessHead : 0xfffff80002846b90 (48 processes) PsLoadedModuleList : 0xfffff80002864e90 (140 modules) KernelBase : 0xfffff8000261f000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80002811d00 (CPU 0)&lt;/p&gt;

&lt;p&gt;Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf800028100a0 Offset (P) : 0x28100a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP0x64 Version64 : 0xf80002810068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17514.amd64fre.win7sp1_rtm. PsActiveProcessHead : 0xfffff80002846b90 (48 processes) PsLoadedModuleList : 0xfffff80002864e90 (140 modules) KernelBase : 0xfffff8000261f000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80002811d00 (CPU 0)&lt;/p&gt;

&lt;p&gt;Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf800028100a0 Offset (P) : 0x28100a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP1x64 Version64 : 0xf80002810068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17514.amd64fre.win7sp1_rtm. PsActiveProcessHead : 0xfffff80002846b90 (48 processes) PsLoadedModuleList : 0xfffff80002864e90 (140 modules) KernelBase : 0xfffff8000261f000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80002811d00 (CPU 0)&lt;/p&gt;

&lt;p&gt;Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf800028100a0 Offset (P) : 0x28100a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x64_23418 Version64 : 0xf80002810068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17514.amd64fre.win7sp1_rtm. PsActiveProcessHead : 0xfffff80002846b90 (48 processes) PsLoadedModuleList : 0xfffff80002864e90 (140 modules) KernelBase : 0xfffff8000261f000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80002811d00 (CPU 0)&lt;/p&gt;

&lt;p&gt;Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf800028100a0 Offset (P) : 0x28100a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP0x64 Version64 : 0xf80002810068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17514.amd64fre.win7sp1_rtm. PsActiveProcessHead : 0xfffff80002846b90 (48 processes) PsLoadedModuleList : 0xfffff80002864e90 (140 modules) KernelBase : 0xfffff8000261f000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80002811d00 (CPU 0)&lt;/p&gt;

&lt;p&gt;Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf800028100a0 Offset (P) : 0x28100a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP1x64_23418 Version64 : 0xf80002810068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17514.amd64fre.win7sp1_rtm. PsActiveProcessHead : 0xfffff80002846b90 (48 processes) PsLoadedModuleList : 0xfffff80002864e90 (140 modules) KernelBase : 0xfffff8000261f000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80002811d00 (CPU 0)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;STEP 4: LIST PROCESSES CAPTURED&lt;/strong&gt;&lt;br&gt;
As noted, pslist lists the processes in the captured memory image, that is, the applications that were running on the system when the image was collected:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist&lt;br&gt;
Output:&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Volatility Foundation Volatility Framework 2.6 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit&lt;/p&gt;

&lt;p&gt;0xfffffa8000ca0040 System 4 0 80 570 ------ 0 2019-12-11 13:41:25 UTC+0000&lt;br&gt;
0xfffffa800148f040 smss.exe 248 4 3 37 ------ 0 2019-12-11 13:41:25 UTC+0000&lt;br&gt;
0xfffffa800154f740 csrss.exe 320 312 9 457 0 0 2019-12-11 13:41:32 UTC+0000&lt;br&gt;
0xfffffa8000ca81e0 csrss.exe 368 360 7 199 1 0 2019-12-11 13:41:33 UTC+0000&lt;br&gt;
0xfffffa8001c45060 psxss.exe 376 248 18 786 0 0 2019-12-11 13:41:33 UTC+0000&lt;br&gt;
0xfffffa8001c5f060 winlogon.exe 416 360 4 118 1 0 2019-12-11 13:41:34 UTC+0000&lt;br&gt;
0xfffffa8001c5f630 wininit.exe 424 312 3 75 0 0 2019-12-11 13:41:34 UTC+0000&lt;br&gt;
0xfffffa8001c98530 services.exe 484 424 13 219 0 0 2019-12-11 13:41:35 UTC+0000&lt;br&gt;
0xfffffa8001ca0580 lsass.exe 492 424 9 764 0 0 2019-12-11 13:41:35 UTC+0000&lt;br&gt;
0xfffffa8001ca4b30 lsm.exe 500 424 11 185 0 0 2019-12-11 13:41:35 UTC+0000&lt;br&gt;
0xfffffa8001cf4b30 svchost.exe 588 484 11 358 0 0 2019-12-11 13:41:39 UTC+0000&lt;br&gt;
0xfffffa8001d327c0 VBoxService.ex 652 484 13 137 0 0 2019-12-11 13:41:40 UTC+0000&lt;br&gt;
0xfffffa8001d49b30 svchost.exe 720 484 8 279 0 0 2019-12-11 13:41:41 UTC+0000&lt;br&gt;
0xfffffa8001d8c420 svchost.exe 816 484 23 569 0 0 2019-12-11 13:41:42 UTC+0000&lt;br&gt;
0xfffffa8001da5b30 svchost.exe 852 484 28 542 0 0 2019-12-11 13:41:43 UTC+0000&lt;br&gt;
0xfffffa8001da96c0 svchost.exe 876 484 32 941 0 0 2019-12-11 13:41:43 UTC+0000&lt;br&gt;
0xfffffa8001e1bb30 svchost.exe 472 484 19 476 0 0 2019-12-11 13:41:47 UTC+0000&lt;br&gt;
0xfffffa8001e50b30 svchost.exe 1044 484 14 366 0 0 2019-12-11 13:41:48 UTC+0000&lt;br&gt;
0xfffffa8001eba230 spoolsv.exe 1208 484 13 282 0 0 2019-12-11 13:41:51 UTC+0000&lt;br&gt;
0xfffffa8001eda060 svchost.exe 1248 484 19 313 0 0 2019-12-11 13:41:52 UTC+0000&lt;br&gt;
0xfffffa8001f58890 svchost.exe 1372 484 22 295 0 0 2019-12-11 13:41:54 UTC+0000&lt;br&gt;
0xfffffa8001f91b30 TCPSVCS.EXE 1416 484 4 97 0 0 2019-12-11 13:41:55 UTC+0000&lt;br&gt;
0xfffffa8000d3c400 sppsvc.exe 1508 484 4 141 0 0 2019-12-11 14:16:06 UTC+0000&lt;br&gt;
0xfffffa8001c38580 svchost.exe 948 484 13 322 0 0 2019-12-11 14:16:07 UTC+0000&lt;br&gt;
0xfffffa8002170630 wmpnetwk.exe 1856 484 16 451 0 0 2019-12-11 14:16:08 UTC+0000&lt;br&gt;
0xfffffa8001d376f0 SearchIndexer. 480 484 14 701 0 0 2019-12-11 14:16:09 UTC+0000&lt;br&gt;
0xfffffa8001eb47f0 taskhost.exe 296 484 8 151 1 0 2019-12-11 14:32:24 UTC+0000&lt;br&gt;
0xfffffa8001dfa910 dwm.exe 1988 852 5 72 1 0 2019-12-11 14:32:25 UTC+0000&lt;br&gt;
0xfffffa8002046960 explorer.exe 604 2016 33 927 1 0 2019-12-11 14:32:25 UTC+0000&lt;br&gt;
0xfffffa80021c75d0 VBoxTray.exe 1844 604 11 140 1 0 2019-12-11 14:32:35 UTC+0000&lt;br&gt;
0xfffffa80021da060 audiodg.exe 2064 816 6 131 0 0 2019-12-11 14:32:37 UTC+0000&lt;br&gt;
0xfffffa80022199e0 svchost.exe 2368 484 9 365 0 0 2019-12-11 14:32:51 UTC+0000&lt;br&gt;
0xfffffa8002222780 cmd.exe 1984 604 1 21 1 0 2019-12-11 14:34:54 UTC+0000&lt;br&gt;
0xfffffa8002227140 conhost.exe 2692 368 2 50 1 0 2019-12-11 14:34:54 UTC+0000&lt;br&gt;
0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000&lt;br&gt;
0xfffffa8000eac770 svchost.exe 2660 484 6 100 0 0 2019-12-11 14:35:14 UTC+0000&lt;br&gt;
0xfffffa8001e68060 csrss.exe 2760 2680 7 172 2 0 2019-12-11 14:37:05 UTC+0000&lt;br&gt;
0xfffffa8000ecbb30 winlogon.exe 2808 2680 4 119 2 0 2019-12-11 14:37:05 UTC+0000&lt;br&gt;
0xfffffa8000f3aab0 taskhost.exe 2908 484 9 158 2 0 2019-12-11 14:37:13 UTC+0000&lt;br&gt;
0xfffffa8000f4db30 dwm.exe 3004 852 5 72 2 0 2019-12-11 14:37:14 UTC+0000&lt;br&gt;
0xfffffa8000f4c670 explorer.exe 2504 3000 34 825 2 0 2019-12-11 14:37:14 UTC+0000&lt;br&gt;
0xfffffa8000f9a4e0 VBoxTray.exe 2304 2504 14 144 2 0 2019-12-11 14:37:14 UTC+0000&lt;br&gt;
0xfffffa8000fff630 SearchProtocol 2524 480 7 226 2 0 2019-12-11 14:37:21 UTC+0000&lt;br&gt;
0xfffffa8000ecea60 SearchFilterHo 1720 480 5 90 0 0 2019-12-11 14:37:21 UTC+0000&lt;br&gt;
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000&lt;br&gt;
0xfffffa8001020b30 SearchProtocol 2868 480 8 279 0 0 2019-12-11 14:37:23 UTC+0000&lt;br&gt;
0xfffffa8001048060 DumpIt.exe 796 604 2 45 1 1 2019-12-11 14:37:54 UTC+0000&lt;br&gt;
0xfffffa800104a780 conhost.exe 2260 368 2 50 1 0 2019-12-11 14:37:54 UTC+0000&lt;br&gt;
STEP 5: SHOW HIDDEN AND/OR UNLINKED PROCESSES&lt;br&gt;
Show hidden (injected) and/or unlinked processes, an example on our CTF:&lt;/p&gt;

&lt;p&gt;volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pstree&lt;br&gt;
Output:&lt;/p&gt;

&lt;p&gt;Name Pid PPid Thds Hnds Time&lt;/p&gt;

&lt;p&gt;0xfffffa8000f4c670:explorer.exe 2504 3000 34 825 2019-12-11 14:37:14 UTC+0000&lt;br&gt;
. 0xfffffa8000f9a4e0:VBoxTray.exe 2304 2504 14 144 2019-12-11 14:37:14 UTC+0000&lt;br&gt;
. 0xfffffa8001010b30:WinRAR.exe 1512 2504 6 207 2019-12-11 14:37:23 UTC+0000&lt;br&gt;
0xfffffa8001c5f630:wininit.exe 424 312 3 75 2019-12-11 13:41:34 UTC+0000&lt;br&gt;
. 0xfffffa8001c98530:services.exe 484 424 13 219 2019-12-11 13:41:35 UTC+0000&lt;br&gt;
.. 0xfffffa8002170630:wmpnetwk.exe 1856 484 16 451 2019-12-11 14:16:08 UTC+0000&lt;br&gt;
.. 0xfffffa8001f91b30:TCPSVCS.EXE 1416 484 4 97 2019-12-11 13:41:55 UTC+0000&lt;br&gt;
.. 0xfffffa8001da96c0:svchost.exe 876 484 32 941 2019-12-11 13:41:43 UTC+0000&lt;br&gt;
.. 0xfffffa8001d327c0:VBoxService.ex 652 484 13 137 2019-12-11 13:41:40 UTC+0000&lt;br&gt;
.. 0xfffffa8000eac770:svchost.exe 2660 484 6 100 2019-12-11 14:35:14 UTC+0000&lt;br&gt;
.. 0xfffffa80022199e0:svchost.exe 2368 484 9 365 2019-12-11 14:32:51 UTC+0000&lt;br&gt;
.. 0xfffffa8001e50b30:svchost.exe 1044 484 14 366 2019-12-11 13:41:48 UTC+0000&lt;br&gt;
.. 0xfffffa8001d8c420:svchost.exe 816 484 23 569 2019-12-11 13:41:42 UTC+0000&lt;br&gt;
... 0xfffffa80021da060:audiodg.exe 2064 816 6 131 2019-12-11 14:32:37 UTC+0000&lt;br&gt;
.. 0xfffffa8001c38580:svchost.exe 948 484 13 322 2019-12-11 14:16:07 UTC+0000&lt;br&gt;
.. 0xfffffa8001eba230:spoolsv.exe 1208 484 13 282 2019-12-11 13:41:51 UTC+0000&lt;br&gt;
.. 0xfffffa8001d376f0:SearchIndexer. 480 484 14 701 2019-12-11 14:16:09 UTC+0000&lt;br&gt;
... 0xfffffa8000fff630:SearchProtocol 2524 480 7 226 2019-12-11 14:37:21 UTC+0000&lt;br&gt;
... 0xfffffa8001020b30:SearchProtocol 2868 480 8 279 2019-12-11 14:37:23 UTC+0000&lt;br&gt;
... 0xfffffa8000ecea60:SearchFilterHo 1720 480 5 90 2019-12-11 14:37:21 UTC+0000&lt;br&gt;
.. 0xfffffa8000f3aab0:taskhost.exe 2908 484 9 158 2019-12-11 14:37:13 UTC+0000&lt;br&gt;
.. 0xfffffa8001cf4b30:svchost.exe 588 484 11 358 2019-12-11 13:41:39 UTC+0000&lt;br&gt;
.. 0xfffffa8001d49b30:svchost.exe 720 484 8 279 2019-12-11 13:41:41 UTC+0000&lt;br&gt;
.. 0xfffffa8001da5b30:svchost.exe 852 484 28 542 2019-12-11 13:41:43 UTC+0000&lt;br&gt;
... 0xfffffa8000f4db30:dwm.exe 3004 852 5 72 2019-12-11 14:37:14 UTC+0000&lt;br&gt;
... 0xfffffa8001dfa910:dwm.exe 1988 852 5 72 2019-12-11 14:32:25 UTC+0000&lt;br&gt;
.. 0xfffffa8001e1bb30:svchost.exe 472 484 19 476 2019-12-11 13:41:47 UTC+0000&lt;br&gt;
.. 0xfffffa8000d3c400:sppsvc.exe 1508 484 4 141 2019-12-11 14:16:06 UTC+0000&lt;br&gt;
.. 0xfffffa8001f58890:svchost.exe 1372 484 22 295 2019-12-11 13:41:54 UTC+0000&lt;br&gt;
.. 0xfffffa8001eda060:svchost.exe 1248 484 19 313 2019-12-11 13:41:52 UTC+0000&lt;br&gt;
.. 0xfffffa8001eb47f0:taskhost.exe 296 484 8 151 2019-12-11 14:32:24 UTC+0000&lt;br&gt;
. 0xfffffa8001ca0580:lsass.exe 492 424 9 764 2019-12-11 13:41:35 UTC+0000&lt;br&gt;
. 0xfffffa8001ca4b30:lsm.exe 500 424 11 185 2019-12-11 13:41:35 UTC+0000&lt;br&gt;
0xfffffa800154f740:csrss.exe 320 312 9 457 2019-12-11 13:41:32 UTC+0000&lt;br&gt;
0xfffffa8000ca0040:System 4 0 80 570 2019-12-11 13:41:25 UTC+0000&lt;br&gt;
. 0xfffffa800148f040:smss.exe 248 4 3 37 2019-12-11 13:41:25 UTC+0000&lt;br&gt;
.. 0xfffffa8001c45060:psxss.exe 376 248 18 786 2019-12-11 13:41:33 UTC+0000&lt;br&gt;
0xfffffa8001c5f060:winlogon.exe 416 360 4 118 2019-12-11 13:41:34 UTC+0000&lt;br&gt;
0xfffffa8000ca81e0:csrss.exe 368 360 7 199 2019-12-11 13:41:33 UTC+0000&lt;br&gt;
. 0xfffffa8002227140:conhost.exe 2692 368 2 50 2019-12-11 14:34:54 UTC+0000&lt;br&gt;
. 0xfffffa800104a780:conhost.exe 2260 368 2 50 2019-12-11 14:37:54 UTC+0000&lt;br&gt;
0xfffffa8002046960:explorer.exe 604 2016 33 927 2019-12-11 14:32:25 UTC+0000&lt;br&gt;
. 0xfffffa80021c75d0:VBoxTray.exe 1844 604 11 140 2019-12-11 14:32:35 UTC+0000&lt;br&gt;
. 0xfffffa8002222780:cmd.exe 1984 604 1 21 2019-12-11 14:34:54 UTC+0000&lt;br&gt;
. 0xfffffa80022bab30:mspaint.exe 2424 604 6 128 2019-12-11 14:35:14 UTC+0000&lt;br&gt;
. 0xfffffa8001048060:DumpIt.exe 796 604 2 45 2019-12-11 14:37:54 UTC+0000&lt;br&gt;
0xfffffa8001e68060:csrss.exe 2760 2680 7 172 2019-12-11 14:37:05 UTC+0000&lt;br&gt;
0xfffffa8000ecbb30:winlogon.exe 2808 2680 4 119 2019-12-11 14:37:05 UTC+0000&lt;/p&gt;

&lt;p&gt;So what stands out? Most are system apps/services, so we ignore them. I suspect DumpIt.exe is not relevant for now (it might be a dumping tool for the memory), but this will be the last for me to run and check ...&lt;/p&gt;

&lt;p&gt;cmd.exe PID 1984&lt;/p&gt;

&lt;p&gt;mspaint.exe PID 2424&lt;/p&gt;

&lt;p&gt;WinRAR.exe PID 1512&lt;/p&gt;

&lt;p&gt;Now let's see what commands launched the apps in question.&lt;/p&gt;

&lt;p&gt;STEP 6: INVESTIGATE COMMANDS THAT LAUNCHED APPLICATIONS&lt;br&gt;
We use the PIDs of the processes we suspect:&lt;/p&gt;

&lt;p&gt;volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdline -p 1984,2424,1512&lt;br&gt;
Output:&lt;/p&gt;

&lt;p&gt;Volatility Foundation Volatility Framework 2.6&lt;/p&gt;

&lt;p&gt;cmd.exe pid: 1984 Command line : "C:\Windows\system32\cmd.exe"&lt;/p&gt;

&lt;p&gt;mspaint.exe pid: 2424 Command line : "C:\Windows\system32\mspaint.exe"&lt;/p&gt;

&lt;p&gt;WinRAR.exe pid: 1512 Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Alissa Simpson\Documents\Important.rar"&lt;/p&gt;

&lt;p&gt;Trying with console:&lt;/p&gt;

&lt;p&gt;volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles&lt;br&gt;
Output:&lt;/p&gt;

&lt;p&gt;Volatility Foundation Volatility Framework 2.6&lt;/p&gt;

&lt;p&gt;ConsoleProcess: conhost.exe Pid: 2692&lt;br&gt;
Console: 0xff756200 CommandHistorySize: 50&lt;br&gt;
HistoryBufferCount: 1 HistoryBufferMax: 4&lt;br&gt;
OriginalTitle: %SystemRoot%\system32\cmd.exe&lt;br&gt;
Title: C:\Windows\system32\cmd.exe - St4G3$1&lt;br&gt;
AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60&lt;br&gt;
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset&lt;br&gt;
CommandCount: 1 LastAdded: 0 LastDisplayed: 0&lt;br&gt;
FirstCommand: 0 CommandCountMax: 50&lt;br&gt;
ProcessHandle: 0x60&lt;br&gt;
Cmd #0 at 0x1de3c0: St4G3$1&lt;br&gt;
Screen 0x1e0f70 X:80 Y:300&lt;br&gt;
Dump:&lt;br&gt;
Microsoft Windows [Version 6&lt;/p&gt;

&lt;p&gt;follow me on twitter&lt;br&gt;
&lt;a href="https://twitter.com/noahparagon"&gt;https://twitter.com/noahparagon&lt;/a&gt;&lt;/p&gt;

</description>
      <category>volattilty</category>
      <category>cyberranges</category>
      <category>malware</category>
    </item>
    <item>
      <title>hackerrank algorithms solution</title>
      <dc:creator>Noah Mugaya</dc:creator>
      <pubDate>Sat, 18 Jun 2022 09:47:12 +0000</pubDate>
      <link>https://dev.to/paragonnoah/hackerrank-algorithms-solution-4n2k</link>
      <guid>https://dev.to/paragonnoah/hackerrank-algorithms-solution-4n2k</guid>
      <description>&lt;p&gt;Given an array of integers, find the sum of its elements.&lt;br&gt;
For example:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;if the array, arr = [1, 2, 3], 1+2+3 so return 6&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  function description
&lt;/h2&gt;

&lt;p&gt;Complete the simpleArraySum function in the editor below. It must return the sum of the array elements as an integer.&lt;/p&gt;

&lt;p&gt;simpleArraySum has the following parameter(s):&lt;/p&gt;

&lt;p&gt;ar: an array of integers&lt;/p&gt;

&lt;h2&gt;
  
  
  input format
&lt;/h2&gt;

&lt;p&gt;The first line contains an integer, n, denoting the size of the array.&lt;br&gt;
The second line contains n space-separated integers representing the array's elements.&lt;/p&gt;

&lt;h2&gt;
  
  
  solutions
&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;#!/bin/python3
import math
import os
import random
import re
import sys


# we define a function to return an integer
def simpleArraySum(ar):
    # Add up every element of the array that was passed in
    x = 0
    for i in range(len(ar)):
        x += ar[i]
    return x


if __name__ == '__main__':
    fptr = open(os.environ['OUTPUT_PATH'], 'w')

    # First input line: size of the array
    ar_count = int(input().strip())

    # Second input line: the space-separated elements
    ar = list(map(int, input().rstrip().split()))

    result = simpleArraySum(ar)

    fptr.write(str(result) + '\n')

    fptr.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






</description>
      <category>python</category>
      <category>datastructure</category>
      <category>algorithms</category>
    </item>
    <item>
      <title>hackerrank algorithns solutions</title>
      <dc:creator>Noah Mugaya</dc:creator>
      <pubDate>Thu, 16 Jun 2022 15:03:13 +0000</pubDate>
      <link>https://dev.to/paragonnoah/hackerrank-algorithns-solutions-3l2l</link>
      <guid>https://dev.to/paragonnoah/hackerrank-algorithns-solutions-3l2l</guid>
      <description>&lt;p&gt;Given an array of integers, find the sum of its elements.&lt;/p&gt;

&lt;p&gt;For example, if the array ar = [1, 2, 3], then 1+2+3, so return 6.&lt;br&gt;
Here is my sample code:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Complete the 'simpleArraySum' function below.
# The function is expected to return an INTEGER.
# The function accepts INTEGER_ARRAY ar as parameter.

import math
import os
import random
import re
import sys


def simpleArraySum(ar):
    # Add up every element of the array that was passed in
    x = 0
    for i in range(len(ar)):
        x += ar[i]
    return x


if __name__ == '__main__':
    fptr = open(os.environ['OUTPUT_PATH'], 'w')

    # First input line: size of the array
    ar_count = int(input().strip())

    # Second input line: the space-separated elements
    ar = list(map(int, input().rstrip().split()))

    result = simpleArraySum(ar)

    fptr.write(str(result) + '\n')

    fptr.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>python</category>
    </item>
  </channel>
</rss>
