Everything Is Just Dandy!

Basic Linux Memory Forensics – Dumping Memory and Files with DD – Analyzing Mettle/Meterpreter

IppSec
2022-04-03
https://www.youtube.com/watch?v=uYWTfWV3dQI
00:00 – Intro
00:47 – Discovering a weird binary running in /tmp/ but it doesn’t exist on disk
01:55 – Start of explaining dd copying things out of memory
02:30 – Reading /proc/<pid>/maps to identify where the file is mapped, and showing how to convert hex addresses to decimal in bash
04:00 – File extracted from memory
05:15 – Copying the heap from memory and discovering it is mettle/meterpreter based upon strings
06:55 – Showing we don’t need to use dd to extract the file; we can just copy the "exe" link in /proc/<pid>/
09:15 – Opening the elf in Ghidra and examining its decompiled output
12:00 – Showing what the file looks like in Cutter, which has a different decompile view
13:40 – Reading the Metasploit source code to identify what it should look like, to confirm our findings from reversing
16:00 – Using MSFVenom to generate our own stager in order to confirm this is indeed what we saw on the box and that we extracted it correctly
18:50 – Using GDB against the stager to just practice reversing
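The dd carving procedure from the 01:55 to 05:15 chapters (read the maps file, turn the hex range into decimal, dd that range out of /proc/<pid>/mem, do the same for the heap), as an added shell example that is not from the video or from IppSec. It assumes Linux with GNU coreutils dd (for `iflag=skip_bytes,count_bytes`) and ptrace access to the target process; the maps excerpt at the bottom is constructed for the offline check, not captured from a real host, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the video: carve a mapped file out of a live process
# using /proc/<pid>/maps for the addresses and dd over /proc/<pid>/mem.
# Assumes Linux with GNU coreutils dd (iflag=skip_bytes,count_bytes) and
# ptrace access to the target (root, or same uid with kernel.yama.ptrace_scope=0).

# Hex (with or without a 0x prefix) to decimal, as dd wants its skip/count values.
hex2dec() {
  printf '%d\n' "0x${1#0x}"
}

# One maps line -> "start_decimal size_decimal path".
# maps columns: start-end perms offset dev inode path
parse_map_line() {
  local range=$1 path=$6
  local start end
  start=$(hex2dec "${range%-*}")
  end=$(hex2dec "${range#*-}")
  printf '%d %d %s\n' "$start" "$((end - start))" "$path"
}

# Read maps text on stdin and emit start/size/path for every mapping whose
# path contains $1. A binary unlinked from disk still shows its path here,
# suffixed with " (deleted)", which is the tell the video starts from.
select_mappings() {
  local pattern=$1 range perms offset dev inode path
  while read -r range perms offset dev inode path; do
    if [ -n "$path" ]; then
      case "$path" in
        *"$pattern"*) parse_map_line "$range" "$perms" "$offset" "$dev" "$inode" "$path" ;;
      esac
    fi
  done
}

# dd one region out of process memory: dump_region <pid> <start_dec> <size_dec> <outfile>
dump_region() {
  local pid=$1 start=$2 size=$3 out=$4
  dd if="/proc/$pid/mem" of="$out" bs=4096 iflag=skip_bytes,count_bytes \
     skip="$start" count="$size" status=none
}

# Dump every mapping of <pid> whose path matches <pattern> into <outdir>/region_N.bin.
# carve_mappings <pid> <pattern> <outdir>
carve_mappings() {
  local pid=$1 pattern=$2 outdir=$3 n=0 start size path
  mkdir -p "$outdir"
  select_mappings "$pattern" < "/proc/$pid/maps" |
    while read -r start size path; do
      echo "region $n: start=$start size=$size $path"
      dump_region "$pid" "$start" "$size" "$outdir/region_$n.bin"
      n=$((n + 1))
    done
}

# Constructed maps excerpt (not captured from a real host) in the layout the
# kernel prints: a non-PIE binary that was unlinked from /tmp, plus its heap.
SAMPLE_MAPS='00400000-00401000 r--p 00000000 08:01 131073    /tmp/x (deleted)
00401000-00403000 r-xp 00001000 08:01 131073    /tmp/x (deleted)
01e3b000-01e5c000 rw-p 00000000 00:00 0         [heap]'

# Live usage, once "ls -la /proc/<pid>/exe" shows a dangling link:
#   carve_mappings "$pid" /tmp/x ./carved
#   carve_mappings "$pid" '[heap]' ./carved   # heap region, to run strings over
# Offline check against the constructed sample:
printf '%s\n' "$SAMPLE_MAPS" | select_mappings /tmp/x
```

The carved regions are the in-memory image of the binary (relocations applied, writable data possibly changed), not a byte-for-byte copy of the ELF; the `offset` column in maps tells you where each region sat in the original file if you want to stitch them back together. For a deleted binary the shortcut the 06:55 chapter shows, `cp /proc/<pid>/exe out.elf`, gives the original file directly, but dd over `/proc/<pid>/mem` is still what you need for the heap and other anonymous regions.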