Forensics, SQL injection and long-suffering cat: analysis of task No. 3 of the online stage NeoQUEST-2020

6 min

Today we consider the most controversial task NeoQUEST-2020: the first part is the champion in the number of participants who passed it, and the second part obeyed only to units. What is so special about him? Understand the cut!

Have you ever had to investigate a RAM dump? Do you know how many interesting things you can get from there? (spoiler: everything, including the results of running scripts, recent photos, as well as browser history).
What about exotic SQL injections? You upload a certain image to the site, and you are given information from a closed database – is this not an ideal crime?
In the first part of the article, we will consider the tools for analyzing the RAM dump and learn how to extract the information we need from there, and in the second part of the article we will clearly show the process of manipulating image tags for a tricky injection 🙂

So, the task is offered to download archive, which contains a 1 GB binary file with the speaking name memdump.bin, based on which we can assume that this is a RAM dump. For his research we will use volatility framework. Volatility supports a variety of plugins that make it easy to find and dump from various useful blackmail information analytics. First, use the imageinfo command and get information about the dump:

Judging by the output of the imageinfo command, we are dealing with a Windows 7 memory dump. Next, we will see a list of running processes in the system at the time the dump was removed using the pslist command:

In the list you can see several interesting processes. Let’s start the study with the chrome.exe process – you can always find something intriguing in the browser. There are additional plugins for volatility that automate the extraction of information from processes. For example, a plugin chromehistory will allow us to extract browser history from the core dump:

In the history of chrome, one can notice several interesting things at once. First link to the second part of the assignment, as well as search queries about metadata in PNG images, which is also a hint to the second part, but we will turn to this later. At the current stage, we are interested in requests for a promotional code for a discount to the site and pdf-files, which hints at the object of further searches (also running Acrobat Reader`a may prompt us to this). Let’s try to find pdf documents in a dump using the filescan command:

Luck! It looks like there is some promo.pdf in the dump. Let’s try to pull it using the dumpfiles command:

At this stage, minor difficulties may arise due to the fact that some pdf-document viewers may not recognize the file just extracted (you just need to delete the extra bytes at the end of the file). But are we really afraid of some extra bytes? 🙂 In the end, open the document and see the QR code, after reading which we get the flag from the first part of the task (and at the same time the promotional code for receiving a gift from the NeoQUEST team – we give memorable prizes all participants who completed at least one assignment!).

Next, try to get the second flag. We return to the site, the link to which was found in the browser history. To access the site you need to enter a promotional code. We recall the browser search history and the description of the document itself (USE THIS TO JOIN), from which we can assume that the first flag is the promotional code we need. Enter it in the field and get to the site where we are offered to upload a picture:

Judging by how often the site crashed, our participants decided to experimentally verify the loading of all possible types of documents. A certain amount of time later we understand that only PNG images can be uploaded to the site. The next puzzle is the message “Not enough data to store this image, sorry!”, Which occurs when you try to upload some picture.

Returning to the history of the browser, we recall about requests of the form “add metadata to png file”. Using simple inferences, we conclude that, most likely, certain values ​​must be entered in the metadata to upload an image to a site. You can start by studying the PNG format (there is a description, for example, here) First, check the list of standard keywords for metadata PNG images, for example: “Author”, “Description”, etc. Using, for example, the convert utility from the ImageMagick set, add metadata to the test image:

convert test.png -set ‘Title’ ‘1’ -set ‘Author’ ‘2’ -set ‘Description’ ‘3’ -set ‘Copyright’ ‘4’ -set ‘Creation Time’ ‘5’ -set ‘Software’ ‘6’ -set ‘Disclaimer’ ‘7’ -set ‘Warning’ ‘8’ -set ‘Source’ ‘9’ -set ‘Comment’ ‘0’ out.png

We try to upload the resulting image to the site and enjoy the success:

It turns out that the necessary metadata fields are Title, Description, Author and Copyright.
A hint for this, by the way, can also be found in the memory dump: you can find the mention of the mr_cat.png file using volatility.

Our participants decided that it was with the help of Mr. Cot that it was necessary to inject on the site (a lot of messages came to our mail with Mr. Cat in a compressed, inverted, reflected and other unsightly species), but the cat has nothing to do with it! He simply distracts and hints to the participants: well, look at me, there is something interesting inside! Inside the dump, the image was only partially preserved; however, in its residues, you can notice the necessary completed metadata fields:

Go ahead: now we can upload files to the site; however, what does it give and how to look for a flag? It is logical to assume that once metadata is required for downloading, it is possible that they are somehow used to store downloaded files (for example, as keys in a database). Hooray! We are approaching the dessert: we need to check the site for the possibility of SQL injection. We find out that if you insert a double quotation mark (“) in one of the parameters, then the site will notify us of an error instead of loading the image:

Now we see the SQL query itself and understand what fields we can operate in order to construct an injection to extract data from the database used. As for the location of the flag, in this case it is logical to check the very first image that has been uploaded to the database. Also, during injection operation, you should pay attention to the fact that INSERT is executed in the request. This forces you to construct specific queries, because you cannot explicitly perform a SELECT operation from the same table into which you are inserting at the same time as the insert operation (INSERT).

Let’s make a request with which we pull out the Description of the first image in the database:

convert test1.png -set ‘Title’ ‘1’ -set ‘Author’ ‘”, (SELECT description FROM (SELECT * FROM picture) AS x limit 0,1)) – -‘ -set ‘Description’ ‘3’ – set ‘Copyright’ ‘4’ test.png

Upload the image to the website and get a description in the Copyright field, which is a flag:

Hooray, the task is completed! We hope that we have convinced everyone to double-check user data entry for the millionth time, and also to protect our RAM as the apple of our eye from dumping 🙂
We conclude the article with a quote from the great sages:


Leave a Reply