Writeup DGA - CTF - Bwing

This article describes my solution for the 150-point challenge called “Bwing”.


A forensic expert from DGA MI has to work on a memory dump.

In support of the missile activity, he must recover information about the plans of a rocket.


We have a file that, once decompressed, doesn't tell us much about what type of file it is.

file dump.raw
dump.raw: data

However, we know that it is a memory image, and the tool of choice for that is Volatility. Before we can use it on our memory image, we need to generate a profile. I won't go into the details of what a profile is because this is not the purpose of this article.

To generate a profile you need to know the GNU/Linux distribution and the kernel version to have the right memory mapping (among others).

Profile generation

As said before, we need to identify the GNU/Linux distribution as well as the kernel version.

strings dump.raw | grep -i "distrib_description="

Now let’s identify the kernel version.

strings dump.raw | grep -i "linux version"
Linux version 4.15.0-66-generic (buildd@lgw01-amd64-044) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 (Ubuntu 4.15.0-66.75-generic 4.15.18)

So I can tell that it is Ubuntu 18.04.3 LTS with kernel 4.15.0-66-generic, downloadable here.

Once the installation of Ubuntu is done in a virtual machine, the only thing left to do is to generate the profile.

Check the kernel version

uname -r

The VM has to run the same kernel as the dump. If it doesn't, install the matching kernel as follows, then reboot so that it is the one loaded at boot.

Install a new kernel

sudo apt install linux-image-4.15.0-66-generic linux-headers-4.15.0-66-generic
sudo reboot

Check the kernel version again.

uname -r

We are good to go.

Install required utilities

sudo apt install dwarfdump build-essential libelf-dev zip

Clone the Volatility repository

git clone https://github.com/volatilityfoundation/volatility.git

Generate the profile

cd volatility/tools/linux
make

Zip all the things

sudo zip $(lsb_release -i -s)_$(uname -r)_profile.zip module.dwarf /boot/System.map-$(uname -r)

Once it is done, you end up with the following file.

file Ubuntu_4.15.0-66-generic_profile.zip
Ubuntu_4.15.0-66-generic_profile.zip: Zip archive data, at least v2.0 to extract

I then retrieved this file on my computer, created a virtual environment, cloned the volatility repository and placed this file in zip format in volatility/volatility/plugins/overlays/linux/.

virtualenv2 bwing
cd bwing
source bin/activate.fish
(bwing) git clone https://github.com/volatilityfoundation/volatility.git
(bwing) mv ~/Ubuntu_4.15.0-66-generic_profile.zip volatility/volatility/plugins/overlays/linux/
(bwing) mv ~/dump.raw .
(bwing) cd volatility/

Some Python modules are required to execute Volatility correctly.

(bwing) pip install distorm3 Crypto pycrypto

Now, we can see if everything is ready to work by executing the following command.

(bwing) python vol.py --info | grep Ubuntu
Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu_4_15_0-66-generic_profilex64 - A Profile for Linux Ubuntu_4.15.0-66-generic_profile x64

Our profile is detected!
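The identification and naming steps above as one script (an added example, not part of the original writeup): it pulls the kernel release and DISTRIB_DESCRIPTION out of a raw image with grep -a instead of strings, then derives the zip name and the name to pass to --profile. The function names, the constructed sample bytes, the hard-coded Ubuntu distributor id and the x64 default are assumptions of the example; the name mapping is the one visible in the --info output above.

```shell
#!/bin/sh
# Added example: derive Volatility 2 profile inputs from a raw Linux memory image.
# LC_ALL=C makes grep treat the image as bytes; -a scans binary data as text.

# Kernel release from the first real "Linux version <digit>..." banner
# (requiring a digit skips format strings such as "Linux version %s").
kernel_release() {
    LC_ALL=C grep -a -o -m 1 'Linux version [0-9][^ ]*' "$1" | head -n 1 | awk '{print $3}'
}

# Value of DISTRIB_DESCRIPTION from an /etc/lsb-release copy left in memory.
distrib_description() {
    LC_ALL=C grep -a -o -i -m 1 'distrib_description="[^"]*"' "$1" | head -n 1 | cut -d '"' -f 2
}

# Zip name produced on the build VM: <distributor id>_<kernel release>_profile.zip
profile_zip() {
    printf '%s_%s_profile.zip\n' "$1" "$2"
}

# Name to pass to --profile: "Linux" + zip base name with dots as underscores
# + architecture suffix (x64 assumed by default).
profile_name() {
    base=$(basename "$1" .zip | tr '.' '_')
    printf 'Linux%s%s\n' "$base" "${2:-x64}"
}

# Constructed sample: binary noise, a format string, then the two markers.
make_sample() {
    {
        printf '\000\001\377junk\n'
        printf 'DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"\n\000'
        printf 'Linux version %%s (%%s)\000'
        printf 'Linux version 4.15.0-66-generic (buildd@lgw01-amd64-044)\000\n'
    } > "$1"
}

# Run on the image given as $1, or on the constructed sample if none is given.
img=${1:-}
if [ -z "$img" ]; then img=$(mktemp); make_sample "$img"; tmp=$img; fi
rel=$(kernel_release "$img")
zip=$(profile_zip Ubuntu "$rel")   # distributor id as printed by lsb_release -i -s
echo "distribution : $(distrib_description "$img")"
echo "kernel       : $rel  (install linux-image-$rel on the build VM)"
echo "profile zip  : $zip"
echo "--profile    : $(profile_name "$zip")"
if [ -n "${tmp:-}" ]; then rm -f "$tmp"; fi
```

On a real dump several banners can be present (old kernels left on disk cache, log fragments), so compare the reported release with the other hits before building the profile.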

Forensic analysis

Now we have everything we need to conduct our forensic analysis. Every plugin is invoked the same way: the image with -f, the profile with --profile, then the plugin name. For example, to display the processes that were running when the memory capture was taken:

(bwing) python vol.py -f ../dump.raw --profile=LinuxUbuntu_4_15_0-66-generic_profilex64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff95a89f22ad80 systemd              1               0               0               0      0x000000001c994000 2019-11-06 09:46:55 UTC+0000
0xffff95a89f2296c0 kthreadd             2               0               0               0      ------------------ 2019-11-06 09:46:55 UTC+0000
0xffff95a89f22db00 kworker/0:0          3               2               0               0      ------------------ 2019-11-06 09:46:55 UTC+0000
0xffff95a89f228000 kworker/0:0H         4               2               0               0      ------------------ 2019-11-06 09:46:55 UTC+0000

A very interesting plugin named linux_recover_filesystem makes it possible to recover the whole filesystem. I use this plugin with the -D flag to specify the directory where the filesystem should be stored. For some reason I don’t know, if I don’t execute this command with sudo, I get a rights error.

(bwing) mkdir filesystem
(bwing) sudo python vol.py -f ../dump.raw --profile=LinuxUbuntu_4_15_0-66-generic_profilex64 linux_recover_filesystem -D filesystem
Recovered 14394 files

Change the ownership of the recovered files.

(bwing) sudo chown -R $USER:users filesystem/

As usual, as soon as I have a filesystem, I look for all occurrences of the word flag.

(bwing) grep -R "flag" filesystem/
filesystem/tmp/vagrant-shell:sudo cp /vagrant/flag.txt /mnt/confidential/flag.txt
filesystem/tmp/vagrant-shell:cat /mnt/confidential/flag.txt

The /mnt/confidential/flag.txt file seems to be very interesting!

(bwing) cat filesystem/mnt/confidential/flag.txt

This is the flag to validate this challenge.