# 所需工具及環境 1. [Volatility 2](https://github.com/volatilityfoundation/volatility) - 可以使用 kali 虛擬機 - 在此我使用 [docker](https://github.com/sk4la/volatility3-docker) 環境 - `docker pull sk4la/volatility:edge` - `docker pull blacktop/volatility` 2. python2 - `sudo apt-get install python2-dev yara libyara-dev` - `pip2 install pycryptodome distorm3 yara pillow ujson construct ` 3. pip2 - `wget https://bootstrap.pypa.io/pip/2.7/get-pip.py` - `python2 get-pip.py` 5. [Plugins](https://github.com/volatilityfoundation/community.git) - 放置在 volatility/plugins/ 底下 # MemLabs Lab 0 - Never Too Late Mister My friend John is an "environmental" activist and a humanitarian. He hated the ideology of Thanos from the Avengers: Infinity War. He sucks at programming. He used too many variables while writing any program. One day, John gave me a memory dump and asked me to find out what he was doing while he took the dump. Can you figure it out for me? 我的朋友約翰是一位「環保」活動家和人道主義者。他討厭《復仇者聯盟:無限之戰》中薩諾斯的意識形態。他程式設計很糟糕。他在編寫任何程式時都使用了太多的變數。有一天,John 給了我一個記憶體轉儲,讓我看看他在處理 Dump 時在做什麼。你能幫我弄清楚嗎? ## 開始解題 稍微分析題目敘述,可以得知幾個資訊 1. environmental 2. John hates Thanos 3. John sucks at programming and used too many variables. 在 volatility2 當中,必須指定 profile 才能使用,因此我們先使用 imageinfo 來取得記憶體檔的 profile。 ### imageinfo 判斷 windows 版本 `python2 vol.py -f ../Challenge.raw imageinfo` 該命令通常用於識別作業系統、服務包和硬體架構(32 或 64 位元),但它還包含其他有用的信息,例如 DTB 位址和收集樣本的時間。 imageinfo 輸出告訴您建議的設定文件,在使用其他外掛程式時,您應該將其作為參數傳遞給--profile=PROFILE 。 ``` INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86 AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (/home/guantou/Challenge.raw) PAE type : PAE DTB : 0x185000L KDBG : 0x8273cb78L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0x80b96000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2018-10-23 08:30:51 UTC+0000 Image local date and time : 2018-10-23 14:00:51 +0530 ``` ### kdbgscan KDBG: kernel debugger block 1. Debugger 資訊儲存: 包含與內核調試相關的重要資料,例如系統版本、debugger 符號、kernel base address等。 2. kernel 資料結構的入口點: 許多 kernel 資料結構(例如活動進程鏈表、模組清單等)都可以通過 KDBG 結構找到。 3. 協助記憶體取證: 在記憶體取證工具(如 Volatility)中,KDBG 被用作進一步分析 kernel 結構和映像檔的重要依據。 kdbgscan 旨在主動識別正確的設定檔和正確的 KDBG 位址(如果碰巧有多個)。該插件掃描連結到波動性配置檔案的 KDBGHeader 簽名,並應用健全性檢查以減少誤報。 ``` ************************************************** Instantiating KDBG using: /data/Challenge.raw WinXPSP2x86 (5.1.0 32bit) Offset (P) : 0x273cb78 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x86_23418 Version64 : 0x273cb50 (Major: 15, Minor: 7601) PsActiveProcessHead : 0x82751d70 PsLoadedModuleList : 0x82759730 KernelBase : 0x82604000 ************************************************** Instantiating KDBG using: /data/Challenge.raw WinXPSP2x86 (5.1.0 32bit) Offset (P) : 0x273cb78 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x86 Version64 : 0x273cb50 (Major: 15, Minor: 7601) PsActiveProcessHead : 0x82751d70 PsLoadedModuleList : 0x82759730 KernelBase : 0x82604000 ************************************************** Instantiating KDBG using: /data/Challenge.raw WinXPSP2x86 (5.1.0 32bit) Offset (P) : 0x273cb78 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x86_24000 Version64 : 0x273cb50 (Major: 15, Minor: 7601) PsActiveProcessHead : 0x82751d70 PsLoadedModuleList : 0x82759730 KernelBase : 0x82604000 ************************************************** Instantiating KDBG using: /data/Challenge.raw WinXPSP2x86 (5.1.0 32bit) Offset (P) : 0x273cb78 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP0x86 Version64 : 0x273cb50 (Major: 15, Minor: 7601) PsActiveProcessHead : 0x82751d70 PsLoadedModuleList : 0x82759730 KernelBase : 0x82604000 ``` 經過 imageinfo 可以得到四個 profile "Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86",而經過測試,四個 profile 在此都可使用。 :::info imageinfo 以及 kdbgscan 都只適用於 windows image ::: ### pslist 觀察系統當下有哪些程式正在運作 可以觀察到 cmd 正在執行 `0x851a6610 cmd.exe 2096 324 1 22 1 0 2018-10-23 08:30:18 UTC+0000` ### cmdscan 因此我們使用 cmdscan 來查看執行過的指令 ``` CommandProcess: conhost.exe Pid: 2104 CommandHistory: 0x300498 Application: cmd.exe Flags: Allocated, Reset CommandCount: 1 LastAdded: 0 LastDisplayed: 0 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x5c Cmd #0 @ 0x2f43c0: C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt Cmd #12 @ 0x2d0039: ??? Cmd #19 @ 0x300030: ??? Cmd #22 @ 0xff818488: ? Cmd #25 @ 0xff818488: ? Cmd #36 @ 0x2d00c4: /?0?-???- Cmd #37 @ 0x2fd058: 0?-???? ************************************************** CommandProcess: conhost.exe Pid: 2424 CommandHistory: 0x2b04c8 Application: DumpIt.exe Flags: Allocated CommandCount: 0 LastAdded: -1 LastDisplayed: -1 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x5c Cmd #22 @ 0xff818488: ? Cmd #25 @ 0xff818488: ? Cmd #36 @ 0x2800c4: *?+?(???( Cmd #37 @ 0x2ad070: +?(???? ``` 可以觀察到 `Cmd #0 @ 0x2f43c0: C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt` 透過 cmd.exe 執行一個 python檔,我們想知道是否有輸出內容 stdout,因此使用 consoles 查看 ### consoles consoles 會尋找攻擊者在 cmd.exe 中輸入或透過後門執行的命令。但是,該插件不是掃描 COMMAND_HISTORY,而是掃描 CONSOLE_INFORMATION。該插件的主要優點是它不僅列印攻擊者輸入的命令,而且還收集整個螢幕緩衝區(輸入和輸出)。例如,您將看到攻擊者所看到的內容,而不只是看到“dir”,包括“dir”命令列出的所有檔案和目錄。 ``` ConsoleProcess: conhost.exe Pid: 2104 Console: 0xe981c0 CommandHistorySize: 50 HistoryBufferCount: 2 HistoryBufferMax: 4 OriginalTitle: %SystemRoot%\system32\cmd.exe Title: C:\Windows\system32\cmd.exe AttachedProcess: cmd.exe Pid: 2096 Handle: 0x5c ---- CommandHistory: 0x300690 Application: python.exe Flags: CommandCount: 0 LastAdded: -1 LastDisplayed: -1 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x0 ---- CommandHistory: 0x300498 Application: cmd.exe Flags: Allocated, Reset CommandCount: 1 LastAdded: 0 LastDisplayed: 0 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x5c Cmd #0 at 0x2f43c0: C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt ---- Screen 0x2e6368 X:80 Y:300 Dump: Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\hello>C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt 335d366f5d6031767631707f ``` 可以看到當執行 `C:\Users\hello>C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt` 時在終端機輸出 `335d366f5d6031767631707f` "335d366f5d6031767631707f" 可能是一個 hex string,因此將他轉回 ascii 看看 "3]6o]\`1vv1p",顯然有問題 而從題目敘述可以找到 "environmental" 被標註,我們可以檢查看看環境變數 ### envars 能看到比較特別的變數 `340 csrss.exe 0x003807f0 Thanos xor and password` 變數名稱為 Thanos 值為 xor and password 因此嘗試看看將 "335d366f5d6031767631707f" 進行 xor 使用[工具](https://www.dcode.fr/xor-cipher)暴力破解後可以看到在 xor 2 時出現 `1_4m_b3tt3r}` 似乎為一段 flag 的結尾 xor 已經用完了,但是 pasdsword 還沒使用,[NTLM](https://websec.readthedocs.io/zh/latest/auth/ntlm.html) 為 windows 的登入密碼,會以 hash 格式儲存在記憶體內 ### hashdump ``` Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: hello:1000:aad3b435b51404eeaad3b435b51404ee:101da33f44e92c27835e64322d72e8b7::: ``` 得到使用者 hello 的 NTLM 值 "aad3b435b51404eeaad3b435b51404ee:101da33f44e92c27835e64322d72e8b7" 其中 "aad3b435b51404eeaad3b435b51404ee" 為 LM hash "101da33f44e92c27835e64322d72e8b7" 為 NT hash NT hash 是目前 Windows 所使用的密碼儲存方式,因此我們關注在後面的內容 原本作者可以破解的網站現已無法破解,但可使用 mimikatz plugins 來得到明文 `docker run --rm -v .:/workspace sk4la/volatility:edge --plugins /workspace/FrancescoPicasso -f /workspace/Challenge.raw mimikatz --profile=Win7SP1x86` ``` Module User Domain Password -------- ---------------- ---------------- ---------------------------------------- wdigest hello hello-PC flag{you_are_good_but wdigest HELLO-PC$ WORKGROUP ``` flag{you_are_good_but1_4m_b3tt3r} # MemLabs Lab 1 - Beginner's Luck My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is get all her important files from the system. From what we remember, we suddenly saw a black window pop up with some thing being executed. When the crash happened, she was trying to draw something. Thats all we remember from the time of crash. 我姊姊的電腦壞了。我們非常幸運地恢復了這個記憶體轉儲。你的工作是從系統中取得她所有的重要文件。根據我們的記憶,我們突然看到一個黑色的窗口彈出,其中有一些東西正在執行。車禍發生時,她正試著畫點東西。這就是我們從事故發生以來所記得的一切。 Note: This challenge is composed of 3 flags. --- ## 開始解題 分析題目敘述 1. black window pop up 2. draw something 3. get all her important files ### imageinfo ``` INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/data/MemoryDump_Lab1.raw) PAE type : No PAE DTB : 0x187000L KDBG : 0xf800028100a0L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80002811d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2019-12-11 14:38:00 UTC+0000 Image local date and time : 2019-12-11 20:08:00 +0530 ``` ### pslist ``` 0xfffffa8002222780 cmd.exe 1984 604 1 21 1 0 2019-12-11 14:34:54 UTC+0000 0xfffffa8002227140 conhost.exe 2692 368 2 50 1 0 2019-12-11 14:34:54 UTC+0000 0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000 0xfffffa8000eac770 svchost.exe 2660 484 6 100 0 0 2019-12-11 14:35:14 UTC+0000 0xfffffa8001e68060 csrss.exe 2760 2680 7 172 2 0 2019-12-11 14:37:05 UTC+0000 0xfffffa8000ecbb30 winlogon.exe 2808 2680 4 119 2 0 2019-12-11 14:37:05 UTC+0000 0xfffffa8000f3aab0 taskhost.exe 2908 484 9 158 2 0 2019-12-11 14:37:13 UTC+0000 0xfffffa8000f4db30 dwm.exe 3004 852 5 72 2 0 2019-12-11 14:37:14 UTC+0000 0xfffffa8000f4c670 explorer.exe 2504 3000 34 825 2 0 2019-12-11 14:37:14 UTC+0000 0xfffffa8000f9a4e0 VBoxTray.exe 2304 2504 14 144 2 0 2019-12-11 14:37:14 UTC+0000 0xfffffa8000fff630 SearchProtocol 2524 480 7 226 2 0 2019-12-11 14:37:21 UTC+0000 0xfffffa8000ecea60 SearchFilterHo 1720 480 5 90 0 0 2019-12-11 14:37:21 UTC+0000 0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000 ``` 可以看到 cmd.exe,查看是否有執行指令 還能看到 mspaint.exe,此為小畫家執行檔,在題目敘述得知當下正在畫畫 還有 winrar.exe ### cmdscan ``` CommandProcess: conhost.exe Pid: 2692 CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset CommandCount: 1 LastAdded: 0 LastDisplayed: 0 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x60 Cmd #0 @ 0x1de3c0: St4G3$1 Cmd #15 @ 0x1c0158: Cmd #16 @ 0x1fdb30: ``` 可以找到 St4G3$1,我們看看是否有終端機輸出 ### consoles ``` ConsoleProcess: conhost.exe Pid: 2692 Console: 0xff756200 CommandHistorySize: 50 HistoryBufferCount: 1 HistoryBufferMax: 4 OriginalTitle: %SystemRoot%\system32\cmd.exe Title: C:\Windows\system32\cmd.exe - St4G3$1 AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60 ---- CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset CommandCount: 1 LastAdded: 0 LastDisplayed: 0 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x60 Cmd #0 at 0x1de3c0: St4G3$1 ---- Screen 0x1e0f70 X:80 Y:300 Dump: Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\SmartNet>St4G3$1 ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0= Press any key to continue . . . ``` 可以得知 St4G3$1 為執行檔 `C:\Users\SmartNet>St4G3$1`,會輸出 `ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=` 使用 base64 解碼,得到 `flag{th1s_1s_th3_1st_st4g3!!}` ### filescan 因為題目有說到重要文件,且在 pslist 中看到 winrar.exe,所以使用 filescan 來看看是否有壓縮檔 直接查看會看到很多不相關的文件,可以使用 grep 或是 Select-String 來過濾關鍵字 由於使用 winrar,直接查看是否有 rar 檔 `0x000000003fac3bc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar` 找到一個檔名就是 important 的 rar 檔案 因此將他提取出來 ### dumpfiles 參數為`-Q 0x000000003fac3bc0 --dump-dir . -n` 可以在[官方 wiki](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#dumpfiles:~:text=There%20are%20several%20options%20in%20the%20dumpfiles%20plugin%2C%20for%20example%3A) 查看參數 ``` -Q PHYSOFFSET, --physoffset=PHYSOFFSET Dump File Object at physical address PHYSOFFSET -D DUMP_DIR, --dump-dir=DUMP_DIR Directory in which to dump extracted files ``` 他會將導出檔案儲存成 dat 檔,只需將 dat 副檔名刪除即可 使用 winrar 打開後可以看到需要密碼,密碼為 Alissa 的密碼 ![image](https://hackmd.io/_uploads/B1ewjFBHke.png) ### hashdump ``` Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0::: HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5::: Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6::: ``` 嘗試將 `f4ff64c8baac57d22f22edc681055ba6` 破解,成功破解出 `goodmorningindia` ![image](https://hackmd.io/_uploads/SkzenYHBkx.png) 而密碼要求為 NTLM hash(in uppercase) `F4FF64C8BAAC57D22F22EDC681055BA6` `flag{w3ll_3rd_stage_was_easy}` ### clipboard 因為找不到 stage 2 的flag,所以嘗試看看其他指令 ``` Session WindowStation Format Handle Object Data ---------- ------------- ------------------ ------------------ ------------------ -------------------------------------------------- 2 WinSta0 CF_UNICODETEXT 0x0 ------------------ 2 WinSta0 0x0L 0x10 ------------------ 2 WinSta0 0x100ffL 0x200000000000 ------------------ 2 WinSta0 CF_TEXT 0x1 ------------------ 1 WinSta0 CF_UNICODETEXT 0x1801bf 0xfffff900c00f34e0 St4G3$1 1 WinSta0 CF_TEXT 0x10 ------------------ 1 WinSta0 0xb01ebL 0x200000000000 ------------------ 1 WinSta0 CF_TEXT 0x1 ------------------ 1 ------------- ------------------ 0xb01eb 0xfffff900c2194390 2 ------------- ------------------ 0x100ff 0xfffff900c1fed490 ``` ### memdump 因為題目提到畫畫,所以搜尋 mspaint 是否有例子,找到[此文章](https://github.com/ffffffff0x/1earn/blob/master/1earn/Security/%E5%AE%89%E5%85%A8%E5%B7%A5%E5%85%B7/Volatility.md#:~:text=dlllist%20%2Dp%20%5Bpid%5D-,%E8%BD%AC%E5%82%A8%E5%87%BA%E5%8F%AF%E5%AF%BB%E5%9D%80%E7%9A%84%E5%86%85%E5%AD%98%E6%95%B0%E6%8D%AE,-%E5%9C%A8%E4%B8%8A%E9%9D%A2%E7%9A%84) mspaint.exe 的 pip 為 2424,參數為 `memdump -p 2424 --dump-dir .` 取得 2424.dmp,將副檔名改成 data,使用 gimp 打開 ![image](https://hackmd.io/_uploads/HktlEcrrye.png) 不斷嘗試 offset, width, height,在 offset:177512011, width:2184, height:772 可以看到 flag ![image](https://hackmd.io/_uploads/S12gOcSHJe.png) `flag{Good_Boy_good_girl}` # MemLabs Lab 2 - A New World One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very popular "environmental" activist. As a part of the investigation, he told us that his go to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us. 我們公司的一位客戶由於未知錯誤而無法存取其係統。據說他是一位非常受歡迎的“環保”活動家。作為調查的一部分,他告訴我們他使用的應用程式是瀏覽器、密碼管理器等。 --- ## 開始解題 1. environmental 2. unknown error 3. password managers 4. browsers ### imageinfo ``` INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/data/MemoryDump_Lab2.raw) PAE type : No PAE DTB : 0x187000L KDBG : 0xf800027f20a0L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff800027f3d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2019-12-14 10:38:46 UTC+0000 Image local date and time : 2019-12-14 16:08:46 +0530 ``` ### pslist ``` 0xfffffa80022e5950 cmd.exe 2096 2664 1 19 2 0 2019-12-14 10:36:35 UTC+0000 0xfffffa8000e63060 conhost.exe 2068 2308 2 50 2 0 2019-12-14 10:36:35 UTC+0000 0xfffffa8002109b30 chrome.exe 2296 2664 27 658 2 0 2019-12-14 10:36:45 UTC+0000 0xfffffa8001cc7a90 chrome.exe 2304 2296 8 71 2 0 2019-12-14 10:36:45 UTC+0000 0xfffffa8000eea7a0 chrome.exe 2476 2296 2 55 2 0 2019-12-14 10:36:46 UTC+0000 0xfffffa8000ea2b30 chrome.exe 2964 2296 13 295 2 0 2019-12-14 10:36:47 UTC+0000 0xfffffa8000fae6a0 chrome.exe 2572 2296 8 177 2 0 2019-12-14 10:36:56 UTC+0000 0xfffffa800105c060 WmiPrvSE.exe 2636 588 12 293 0 0 2019-12-14 10:37:02 UTC+0000 0xfffffa800100c060 WmiApSrv.exe 2004 484 6 115 0 0 2019-12-14 10:37:05 UTC+0000 0xfffffa800230eb30 chrome.exe 1632 2296 14 219 2 0 2019-12-14 10:37:12 UTC+0000 0xfffffa800101e640 dllhost.exe 2376 588 9 250 1 0 2019-12-14 10:37:40 UTC+0000 0xfffffa800224a8c0 KeePass.exe 3008 1064 12 316 1 0 2019-12-14 10:37:56 UTC+0000 0xfffffa8002230b30 sppsvc.exe 2764 484 5 151 0 0 2019-12-14 10:38:00 UTC+0000 0xfffffa80010e5b30 svchost.exe 1076 484 17 337 0 0 2019-12-14 10:38:02 UTC+0000 0xfffffa80010f44a0 wmpnetwk.exe 928 484 18 523 0 0 2019-12-14 10:38:03 UTC+0000 0xfffffa80011956a0 notepad.exe 3260 3180 1 61 1 0 2019-12-14 10:38:20 UTC+0000 0xfffffa80011aa060 DumpIt.exe 3844 1064 2 45 1 1 2019-12-14 10:38:43 UTC+0000 0xfffffa8001194570 conhost.exe 3852 368 2 52 1 0 2019-12-14 10:38:43 UTC+0000 0xfffffa8001189b30 WmiPrvSE.exe 4004 588 9 1572864 ------ 0 2019-12-14 10:39:00 UTC+0000 ``` 可以看到 cmd、chrome、KeePass、notepad,這些都可能是線索 KeePass 可以找到[這篇文章](https://www.forensicxlab.com/posts/keepass/),還有[這篇 CTF 題目](https://blog.bi0s.in/2020/02/09/Forensics/HackTM-FindMyPass/) ### cmdscan ``` ************************************************** CommandProcess: conhost.exe Pid: 2068 CommandHistory: 0x3deb10 Application: cmd.exe Flags: Allocated, Reset CommandCount: 1 LastAdded: 0 LastDisplayed: 0 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x60 Cmd #0 @ 0x3db330: Nothing here kids :) Cmd #15 @ 0x3a0158: = Cmd #16 @ 0x3ddc80: > ``` 沒有東西 ### consoles 也沒有東西 ### filescan KeePass 資料庫檔案的副檔名為 .kdbx,嘗試找看看是否有該檔案 `0x000000003fb112a0 16 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx` ### dumpfiles 將密碼庫提取出來 由於 sk4la/volatility 無法匯出檔案,因此使用 blacktop/volatility `docker run --rm -v .:/data blacktop/volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 --dump-dir . -n` ### memdump `memdump -p 3008 -D .` ### keepass 找到有一個[擴充套件](https://github.com/forensicxlab/volatility3_plugins/blob/main/keepass.py)能夠破解 keepass 的密碼,嘗試看看 `docker run --rm -v .:/workspace sk4la/volatility3:edge -f /workspace/MemoryDump_Lab2.raw --plugin-dirs /workspace/volatility3_plugins keepass --pid 3008` ``` Volatility 3 Framework 2.9.0 Progress: 100.00 PDB scanning finished Offset Size Constructed_Password 0xf800027a9000 0x3b1000 ; 0xf8a001b7f000 0x1000 ; 0xf980046c8000 0x1000 {;,C} ``` ### [chromehistory](https://github.com/superponible/volatility-plugins) 既然說與 chrome 有關,那就來看一下瀏覽紀錄 `docker run --rm -v .:/workspace sk4la/volatility --plugins /workspace/volatility-plugins -f /workspace/MemoryDump_Lab2.raw chromehistory` ``` Index URL Title Visits Typed Last Visit Time Hidden Favicon ID ------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ---------- 34 https://bi0s.in/ Amrita Bios 1 1 2019-12-14 10:37:11.596681 N/A 33 http://bi0s.in/ Amrita Bios 1 0 2019-12-14 10:37:11.596681 N/A 32 https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg MEGA 2 0 2019-12-14 10:21:39.602970 N/A 31 https://www.ndtv.com/ NDTV: Latest News, India News, Breaking...s, Bollywood, Cricket, Videos & Photos 1 1 2019-12-14 10:18:09.449115 N/A 30 http://ndtv.com/ NDTV: Latest News, India News, Breaking...s, Bollywood, Cricket, Videos & Photos 1 0 2019-12-14 10:18:09.449115 N/A 28 http://blog.bi0s.in/ bi0s 1 0 2019-12-14 09:41:52.269568 N/A 29 https://blog.bi0s.in/ bi0s 1 1 2019-12-14 10:18:12.073607 N/A 27 https://r3xnation.wordpress.com/about/ About – R3xNation 1 0 2019-12-14 10:07:31.296539 N/A 26 https://www.youtube.com/ YouTube 1 1 2019-12-14 10:04:59.173510 N/A 24 http://in.yahoo.com/ Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment 1 0 2019-12-14 09:33:25.210345 N/A 23 http://yahoo.in/ Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment 1 1 2019-12-14 09:33:25.210345 N/A 25 https://in.yahoo.com/ Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment 2 0 2019-12-14 09:33:32.266003 N/A 21 https://www.bbc.com/sport/football/50780855 Jurgen Klopp signs new Liverpool deal until 2024 - BBC Sport 1 0 2019-12-14 09:31:35.842850 N/A 19 https://bbc.com/ BBC - Homepage 1 1 2019-12-14 09:30:55.836868 N/A 18 http://bbc.com/ BBC - Homepage 1 0 2019-12-14 09:30:55.836868 N/A 20 https://www.bbc.com/ BBC - Homepage 1 0 2019-12-14 09:30:55.836868 N/A 17 https://volatilevirus.home.blog/blog-posts/ Blog Posts – Abhiram's Blog 1 0 2019-12-14 10:07:35.236223 N/A 16 https://ashutosh1206.github.io/writeups/ Writeups | Ashutosh 1 0 2019-12-14 10:07:32.324863 N/A 15 https://www.india.com/ Latest India News, Breaking News, Entertainment News | India.com News 1 1 2019-12-14 09:30:08.206258 N/A 14 https://www.onlinesbi.com/ State Bank of India 1 1 2019-12-14 09:29:37.802253 N/A 12 http://ashutosh1206.github.io/ Home | Ashutosh 1 0 2019-12-14 09:29:33.876790 N/A 13 https://ashutosh1206.github.io/ Home | Ashutosh 1 1 2019-12-14 09:29:33.876790 N/A 10 http://r3xnation.wordpress.com/ R3xNation – Free Flowing passions 1 0 2019-12-14 09:29:17.212089 N/A 9 https://volatilevirus.home.blog/ Abhiram's Blog – Dying Is The Day Worth Living For!! 1 1 2019-12-14 09:27:31.877522 N/A 8 http://volatilevirus.home.blog/ Abhiram's Blog – Dying Is The Day Worth Living For!! 1 0 2019-12-14 09:27:31.877522 N/A 11 https://r3xnation.wordpress.com/ R3xNation – Free Flowing passions 1 1 2019-12-14 09:29:17.212089 N/A 7 https://www.facebook.com/ Facebook – log in or sign up 3 1 2019-12-14 09:33:15.814086 N/A 4 http://bing.com/ Bing 1 0 2019-12-14 09:16:18.118193 N/A 6 https://www.bing.com/?toWww=1&redig=2BBD701F84AA44D2A71D870534D085AE Bing 1 0 2019-12-14 09:33:00.366479 N/A 5 https://bing.com/ Bing 1 1 2019-12-14 09:16:18.118193 N/A 3 https://www.google.com/ Google 2 1 2019-12-14 09:32:52.147284 N/A 2 https://chrome.google.com/webstore/category/extensions?hl=en Chrome Web Store - Extensions 1 0 2019-12-14 09:32:53.844597 N/A 1 https://chrome.google.com/webstore?hl=en Chrome Web Store - Extensions 1 0 2019-12-14 09:16:05.724461 N/A ``` https://mega.nz/folder/TrgSQQTS#H0ZrUzF0B-ZKNM3y9E76lg 提供一個 zip 檔 ![image](https://hackmd.io/_uploads/S1SXg3HBJg.png) 需要 lab 1 的 stage 3 做 sha1 來當密碼,`6045dd90029719a039fd2d2ebcca718439dd100a` `flag{oK_So_Now_St4g3_3_is_DoNE!!}` ### envars 突然想到題目還說到 environmental,查看一下環境變數 ``` 320 csrss.exe 0x0000000000481320 TMP C:\Windows\TEMP 368 csrss.exe 0x0000000000371320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 368 csrss.exe 0x0000000000371320 TMP C:\Windows\TEMP 376 psxss.exe 0x0000000000311320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 376 psxss.exe 0x0000000000311320 TMP C:\Windows\TEMP 416 winlogon.exe 0x000000000028d890 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 416 winlogon.exe 0x000000000028d890 TMP C:\Windows\TEMP 424 wininit.exe 0x000000000030a600 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 424 wininit.exe 0x000000000030a600 TMP C:\Windows\TEMP 484 services.exe 0x00000000001a1320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 484 services.exe 0x00000000001a1320 TMP C:\Windows\TEMP 492 lsass.exe 0x00000000001a1320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 492 lsass.exe 0x00000000001a1320 TMP C:\Windows\TEMP 500 lsm.exe 0x00000000003f1320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 500 lsm.exe 0x00000000003f1320 TMP C:\Windows\TEMP 588 svchost.exe 0x00000000002e1320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 588 svchost.exe 0x00000000002e1320 TMP C:\Windows\TEMP 652 VBoxService.ex 0x00000000001d50f0 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 652 VBoxService.ex 0x00000000001d50f0 TMP C:\Windows\TEMP 720 svchost.exe 0x00000000002c1320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 720 svchost.exe 0x00000000002c1320 TMP C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp 812 svchost.exe 0x0000000000221320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9 ``` 會發現有很多相同的檔案名稱,都叫 `ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9` 猜測為 base64,解碼後得出 flag `flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}` ### filescan 因為找太久都沒想法 所以偷看了一下 writeup,有一個 png 檔 `0x000000003fce1c70 1 0 R--r-d \Device\HarddiskVolume2\Users\Alissa Simpson\Pictures\Password.png` ### dumpfiles ` -Q 0x000000003fce1c70 -D . -n` 上面寫著 `Psst!! password is P4SSw0rd_123` 使用 KeePassXC 打開 ![image](https://hackmd.io/_uploads/rk2w_2HBJe.png) 在回收桶找到 flag ![image](https://hackmd.io/_uploads/HkFnu3BBJe.png) `flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}` # MemLabs Lab 3 - The Evil's Den A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please? 惡意腳本加密了我係統上的一條非常秘密的訊息。您能幫我恢復資訊嗎? Note-1: This challenge is composed of only 1 flag. The flag split into 2 parts. Note-2: You'll need the first half of the flag to get the second. --- ## 開始解題 1. malicious script 2. encrypted 3. secret piece of information ### imageinfo ``` INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86 AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (/data/MemoryDump_Lab3.raw) PAE type : PAE DTB : 0x185000L KDBG : 0x82742c68L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0x82743d00L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2018-09-30 09:47:54 UTC+0000 Image local date and time : 2018-09-30 15:17:54 +0530 ``` ### pslist ``` 0x83d09c60 System 4 0 88 541 ------ 0 2018-09-30 08:09:59 UTC+0000 0x84551b98 smss.exe 260 4 2 29 ------ 0 2018-09-30 08:09:59 UTC+0000 0x84d58030 csrss.exe 340 332 9 352 0 0 2018-09-30 08:10:04 UTC+0000 0x84d76030 csrss.exe 380 372 10 189 1 0 2018-09-30 08:10:05 UTC+0000 0x84d77d28 wininit.exe 388 332 3 83 0 0 2018-09-30 08:10:05 UTC+0000 0x84da6d28 winlogon.exe 424 372 3 115 1 0 2018-09-30 08:10:05 UTC+0000 0x84dcdbd0 services.exe 484 388 6 195 0 0 2018-09-30 08:10:07 UTC+0000 0x84dd0658 lsass.exe 492 388 6 561 0 0 2018-09-30 08:10:08 UTC+0000 0x84dd4b28 lsm.exe 500 388 10 151 0 0 2018-09-30 08:10:08 UTC+0000 0x8454e348 svchost.exe 588 484 10 351 0 0 2018-09-30 08:10:12 UTC+0000 0x84e15d28 VBoxService.ex 648 484 12 115 0 0 2018-09-30 08:10:13 UTC+0000 0x84e1d030 svchost.exe 712 484 8 268 0 0 2018-09-30 08:10:14 UTC+0000 0x84e5ad28 svchost.exe 800 484 18 438 0 0 2018-09-30 08:10:14 UTC+0000 0x84e67d28 svchost.exe 852 484 16 371 0 0 2018-09-30 08:10:15 UTC+0000 0x84e6b030 svchost.exe 880 484 18 452 0 0 2018-09-30 08:10:15 UTC+0000 0x84e6fa18 svchost.exe 904 484 31 1116 0 0 2018-09-30 08:10:15 UTC+0000 0x8481bcb0 svchost.exe 1236 484 15 478 0 0 2018-09-30 08:10:22 UTC+0000 0x8484a800 spoolsv.exe 1340 484 12 285 0 0 2018-09-30 08:10:24 UTC+0000 0x8485b030 svchost.exe 1368 484 18 302 0 0 2018-09-30 08:10:24 UTC+0000 0x8488e860 svchost.exe 1488 484 11 267 0 0 2018-09-30 08:10:26 UTC+0000 0x84893030 svchost.exe 1516 484 12 215 0 0 2018-09-30 08:10:26 UTC+0000 0x85192030 LogonUI.exe 876 388 5 152 0 0 2018-09-30 08:10:40 UTC+0000 0x8515cae0 sppsvc.exe 292 484 6 153 0 0 2018-09-30 08:12:31 UTC+0000 0x8514bbf0 svchost.exe 440 484 13 342 0 0 2018-09-30 08:12:32 UTC+0000 0x84d69d00 SearchIndexer. 1184 484 15 724 0 0 2018-09-30 08:12:33 UTC+0000 0x8441d7e0 taskhost.exe 4816 484 8 196 1 0 2018-09-30 09:28:32 UTC+0000 0xa0b21170 dwm.exe 3028 852 3 186 1 0 2018-09-30 09:28:36 UTC+0000 0x8449d890 explorer.exe 5300 5128 30 871 1 0 2018-09-30 09:28:36 UTC+0000 0x851cdd28 VBoxTray.exe 3064 5300 14 154 1 0 2018-09-30 09:28:44 UTC+0000 0x84d77868 wuauclt.exe 5644 904 3 86 1 0 2018-09-30 09:28:49 UTC+0000 0x9c627d28 msiexec.exe 1016 484 7 345 0 0 2018-09-30 09:39:03 UTC+0000 0xbc2d08a8 msiexec.exe 5652 1016 0 -------- 1 0 2018-09-30 09:39:13 UTC+0000 2018-09-30 09:41:17 UTC+0000 0xbc21b9f0 TrustedInstall 4724 484 4 139 0 0 2018-09-30 09:40:24 UTC+0000 0x84489800 audiodg.exe 5996 800 4 120 0 0 2018-09-30 09:45:22 UTC+0000 0x83fbba40 SearchProtocol 5748 1184 7 281 0 0 2018-09-30 09:45:32 UTC+0000 0x84ead628 DumpIt.exe 4116 5300 2 37 1 0 2018-09-30 09:45:43 UTC+0000 0x84e37498 conhost.exe 3176 380 2 51 1 0 2018-09-30 09:45:43 UTC+0000 0x84700ab8 dllhost.exe 1008 588 8 225 1 0 2018-09-30 09:45:48 UTC+0000 0x84ef6768 SearchFilterHo 4036 1184 5 97 0 0 2018-09-30 09:47:36 UTC+0000 0x9c6b0970 notepad.exe 3736 5300 1 60 1 0 2018-09-30 09:47:49 UTC+0000 0x8443d3c0 notepad.exe 3432 5300 1 60 1 0 2018-09-30 09:47:50 UTC+0000 ``` 粗略看了一下,沒有明顯的程式 ### cmdscan 因為提到 script 所以檢查一下是否有執行指令 只有執行 dumpit.exe ### consoles 也只有 dumpit.exe ### pstree 也沒有特別明顯的 ### filescan 可以看到許多 python2.7 的檔案 以及一些可能有問題的檔案 ``` 0x0000000004f34148 2 0 RW---- \Device\HarddiskVolume2\Users\hello\Desktop\suspision1.jpeg ``` ### dumpfiles ` -Q 0x0000000004f34148 -D . -n` 得到一張圖片,丟到[線上工具](https://www.aperisolve.com/)看看 ![image](https://hackmd.io/_uploads/ByUQBcUSkl.png) 取得第一段 flag `inctf{0n3_h4lf` 並使用 steghide 與此密碼進行提取 ![image](https://hackmd.io/_uploads/rJCjr58BJx.png) 獲得一個文字檔 `_1s_n0t_3n0ugh}` `inctf{0n3_h4lf_1s_n0t_3n0ugh}` # MemLabs Lab 4 - Obsession My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me. 我的系統最近遭到破壞。駭客竊取了很多訊息,但他也刪除了我的一個非常重要的檔案。我不知道如何恢復它。目前我們擁有的唯一證據就是記憶體轉儲。請幫我。 --- ## 開始解題 1. stole a lot of information 2. deleted a very important file ### imageinfo ``` Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/data/MemoryDump_Lab4.raw) PAE type : No PAE DTB : 0x187000L KDBG : 0xf800027f60a0L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff800027f7d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2019-06-29 07:30:00 UTC+0000 Image local date and time : 2019-06-29 13:00:00 +0530 ``` ### pslist ``` 0xfffffa8000ca0040 System 4 0 79 509 ------ 0 2019-06-29 07:28:07 UTC+0000 0xfffffa80014af950 smss.exe 256 4 3 32 ------ 0 2019-06-29 07:28:07 UTC+0000 0xfffffa8001c57b30 csrss.exe 328 320 11 385 0 0 2019-06-29 07:28:14 UTC+0000 0xfffffa8000ca8960 csrss.exe 376 368 7 200 1 0 2019-06-29 07:28:15 UTC+0000 0xfffffa8001c6f760 wininit.exe 384 320 3 75 0 0 2019-06-29 07:28:15 UTC+0000 0xfffffa8001c751f0 winlogon.exe 412 368 6 119 1 0 2019-06-29 07:28:15 UTC+0000 0xfffffa8001bc1b30 services.exe 472 384 13 193 0 0 2019-06-29 07:28:17 UTC+0000 0xfffffa8001cb5940 lsass.exe 480 384 8 582 0 0 2019-06-29 07:28:17 UTC+0000 0xfffffa8001cc1b30 lsm.exe 488 384 12 187 0 0 2019-06-29 07:28:17 UTC+0000 0xfffffa8001d02b30 svchost.exe 580 472 11 358 0 0 2019-06-29 07:28:21 UTC+0000 0xfffffa8001d30b30 VBoxService.ex 640 472 14 137 0 0 2019-06-29 07:28:21 UTC+0000 0xfffffa8001d43a70 svchost.exe 708 472 7 260 0 0 2019-06-29 07:28:22 UTC+0000 0xfffffa8001dacb30 svchost.exe 804 472 19 393 0 0 2019-06-29 07:28:23 UTC+0000 0xfffffa8001db9b30 svchost.exe 840 472 21 431 0 0 2019-06-29 07:28:24 UTC+0000 0xfffffa8001dc6850 svchost.exe 864 472 37 917 0 0 2019-06-29 07:28:24 UTC+0000 0xfffffa8001df1060 audiodg.exe 952 804 7 131 0 0 2019-06-29 07:28:26 UTC+0000 0xfffffa8001e1b890 svchost.exe 220 472 16 323 0 0 2019-06-29 07:28:27 UTC+0000 0xfffffa8001e45630 svchost.exe 484 472 18 376 0 0 2019-06-29 07:28:29 UTC+0000 0xfffffa8001eaab30 spoolsv.exe 1132 472 15 286 0 0 2019-06-29 07:28:32 UTC+0000 0xfffffa8001ed7b30 svchost.exe 1176 472 21 307 0 0 2019-06-29 07:28:33 UTC+0000 0xfffffa8001f452e0 svchost.exe 1276 472 14 220 0 0 2019-06-29 07:28:34 UTC+0000 0xfffffa8001f81b30 taskhost.exe 1804 472 10 161 1 0 2019-06-29 07:28:42 UTC+0000 0xfffffa8001ff9630 taskeng.exe 1824 864 6 82 0 0 2019-06-29 07:28:42 UTC+0000 0xfffffa80020bbb30 dwm.exe 1908 840 5 77 1 0 2019-06-29 07:28:43 UTC+0000 0xfffffa80020f7b30 explorer.exe 1944 1872 37 854 1 0 2019-06-29 07:28:44 UTC+0000 0xfffffa80021abab0 VBoxTray.exe 1592 1944 13 141 1 0 2019-06-29 07:28:53 UTC+0000 0xfffffa8002201ab0 SearchIndexer. 1068 472 13 710 0 0 2019-06-29 07:28:58 UTC+0000 0xfffffa800226e910 SearchProtocol 1696 1068 7 225 1 0 2019-06-29 07:29:02 UTC+0000 0xfffffa8002279890 SearchFilterHo 1688 1068 5 78 0 0 2019-06-29 07:29:02 UTC+0000 0xfffffa8002292b30 dllhost.exe 2076 580 13 260 1 0 2019-06-29 07:29:02 UTC+0000 0xfffffa80022f0610 GoogleCrashHan 2272 2008 7 99 0 1 2019-06-29 07:29:08 UTC+0000 0xfffffa80022f6b30 GoogleCrashHan 2284 2008 7 93 0 0 2019-06-29 07:29:08 UTC+0000 0xfffffa80020a4420 DumpIt.exe 2624 1944 3 45 1 1 2019-06-29 07:29:25 UTC+0000 0xfffffa8002320350 conhost.exe 2636 376 3 50 1 0 2019-06-29 07:29:25 UTC+0000 0xfffffa8001cac460 csrss.exe 2700 2692 7 164 2 0 2019-06-29 07:29:30 UTC+0000 0xfffffa8002330060 winlogon.exe 2728 2692 6 121 2 0 2019-06-29 07:29:30 UTC+0000 0xfffffa8000e54b30 taskhost.exe 2976 472 9 160 2 0 2019-06-29 07:29:36 UTC+0000 0xfffffa8000e62b30 dwm.exe 3000 840 5 76 2 0 2019-06-29 07:29:36 UTC+0000 0xfffffa8000eaeb30 explorer.exe 3012 2992 28 677 2 0 2019-06-29 07:29:36 UTC+0000 0xfffffa8000eeeb30 VBoxTray.exe 2384 3012 14 144 2 0 2019-06-29 07:29:37 UTC+0000 0xfffffa8000f18b30 StikyNot.exe 2432 3012 10 137 2 0 2019-06-29 07:29:37 UTC+0000 ``` 好像沒有特別的程式 StikyNot.exe 可能有線索 ### cmdscan 只有 dumpit.exe ### pstree 也沒有觀察到明顯的異常 ### filescan 搜尋 zip 檔沒有東西 搜尋 txt 找到 `0x000000003fc398d0 16 0 R--rw- \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt` 搜尋 png `0x000000003e8d19e0 16 0 R--r-- \Device\HarddiskVolume2\Users\eminem\Desktop\Screenshot1.png` 搜尋 jpeg `0x000000003e8ad250 14 0 R--r-- \Device\HarddiskVolume2\Users\eminem\Desktop\galf.jpeg` 由於題目敘述講到檔案被刪除,想到有可能在資源回收桶,搜尋 Recycle ``` 0x000000003eb96870 2 0 R--rwd \Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-410795266-795571449-2132107757-1000\desktop.ini 0x000000003fd36f20 2 0 R--rwd \Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-410795266-795571449-2132107757-1001\desktop.ini ``` ### dumpfiles ``` Volatility Foundation Volatility Framework 2.6.1 DataSectionObject 0x3fc398d0 None \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt ``` 無法成功提取檔案 Screenshot1.png 以及 galf.jpeg 可以成功提取,Screenshot1.png 似乎需要調整圖片高度才能看到更多資訊 ![file.None.0xfffffa80022d1670.Screenshot1](https://hackmd.io/_uploads/B1XxaiUSye.png) ![image](https://hackmd.io/_uploads/Hk8IAoISke.png) 可以看到 png 格式不對 galf.jpeg 使用[線上工具](https://www.aperisolve.com/)可以發現內有檔案 ![image](https://hackmd.io/_uploads/ryfK6jISkg.png) ![image](https://hackmd.io/_uploads/HJmi6iLBye.png) 似乎只能想辦法取得 Important.txt ### mftparser mftparser 是 Volatility 框架中的一個插件,用於解析內存映像中的主文件表 (Master File Table, MFT)。MFT 是 NTFS 文件系統的核心結構,記錄了所有文件和目錄的元數據,包括名稱、大小、創建時間、修改時間和文件的存儲位置。 1. 解析 NTFS 文件系統中的 MFT 條目: 提取文件的元數據(名稱、大小、時間戳等)。 2. 恢復已刪除的文件: 檢測和解析已刪除但仍在 MFT 中的文件記錄。 3. 檢查文件活動: 分析文件的創建、訪問和修改行為,幫助進行事件調查。 將資料儲存到 txt 檔案以便觀察 `mftparser > mem4_mft.txt` ``` $FILE_NAME Creation Modified MFT Altered Access Date Name/Path ------------------------------ ------------------------------ ------------------------------ ------------------------------ --------- 2019-06-27 13:14:13 UTC+0000 2019-06-27 13:14:13 UTC+0000 2019-06-27 13:14:13 UTC+0000 2019-06-27 13:14:13 UTC+0000 Users\SlimShady\Desktop\Important.txt $OBJECT_ID Object ID: 7726a550-d498-e911-9cc1-0800275e72bc Birth Volume ID: 80000000-b800-0000-0000-180000000100 Birth Object ID: 99000000-1800-0000-690d-0a0d0a0d0a6e Birth Domain ID: 0d0a0d0a-0d0a-6374-0d0a-0d0a0d0a0d0a $DATA 0000000000: 69 0d 0a 0d 0a 0d 0a 6e 0d 0a 0d 0a 0d 0a 63 74 i......n......ct 0000000010: 0d 0a 0d 0a 0d 0a 0d 0a 66 7b 31 0d 0a 0d 0a 0d ........f{1..... 0000000020: 0a 5f 69 73 0d 0a 0d 0a 0d 0a 5f 6e 30 74 0d 0a ._is......_n0t.. 0000000030: 0d 0a 0d 0a 0d 0a 5f 45 51 75 34 6c 0d 0a 0d 0a ......_EQu4l.... 0000000040: 0d 0a 0d 0a 5f 37 6f 5f 32 5f 62 55 74 0d 0a 0d ...._7o_2_bUt... 0000000050: 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 5f 74 68 31 73 ..........._th1s 0000000060: 5f 64 30 73 33 6e 74 0d 0a 0d 0a 0d 0a 0d 0a 5f _d0s3nt........_ 0000000070: 6d 34 6b 65 0d 0a 0d 0a 0d 0a 5f 73 33 6e 0d 0a m4ke......_s3n.. 0000000080: 0d 0a 0d 0a 0d 0a 73 33 7d 0d 0a 0d 0a 47 6f 6f ......s3}....Goo 0000000090: 64 20 77 6f 72 6b 20 3a 50 d.work.:P *************************************************************************** *************************************************************************** MFT entry found at offset 0x3bddf000 Attribute: In Use & File Record Number: 26336 Link count: 2 ``` 可以看到 Important.txt 的內容 丟到 cyberchef 中即可 ![image](https://hackmd.io/_uploads/r147Gn8rJx.png) inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} # MemLabs Lab 5 - Black Tuesday We received this memory dump from our client recently. Someone accessed his system when he was not there and he found some rather strange files being accessed. Find those files and they might be useful. I quote his exact statement, 我們最近從客戶那裡收到了這個記憶體轉儲。當他不在時,有人訪問了他的系統,他發現一些相當奇怪的文件被訪問。找到這些文件,它們可能會有用。我引用他的原話, The names were not readable. They were composed of alphabets and numbers but I wasn't able to make out what exactly it was. 這些名字不可讀。它們由字母和數字組成,但我無法弄清楚它到底是什麼。 Also, he noticed his most loved application that he always used crashed every time he ran it. Was it a virus? 此外,他注意到他最喜歡的應用程式每次運行時都會崩潰。是病毒嗎? Note-1: This challenge is composed of 3 flags. If you think 2nd flag is the end, it isn't!! :P 註-1 :本次挑戰由 3 個標誌組成。如果你認為第二面旗幟就是結束,那麼事實並非如此! :P Note-2: There was a small mistake when making this challenge. If you find any string which has the string "L4B_3_D0n3!!" in it, please change it to "L4B_5_D0n3!!" and then proceed. Note-2 :進行此挑戰時出現了一個小錯誤。如果您發現任何字串中包含字串“ L4B_3_D0n3 !! ”,請將其變更為“ L4B_5_D0n3 !! ”,然後繼續。 Note-3: You'll get the stage 2 flag only when you have the stage 1 flag. 註-3 :只有當您擁有第 1 階段標誌時,您才會獲得第 2 階段標誌。 --- ## 開始解題 1. Someone accessed his system 2. some rather strange files being accessed 3. names were not readable 4. application that he always used crashed ### imageinfo ``` INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/data/MemoryDump_Lab5.raw) PAE type : No PAE DTB : 0x187000L KDBG : 0xf800028460a0L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80002847d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2019-12-20 03:47:57 UTC+0000 Image local date and time : 2019-12-20 09:17:57 +0530 ``` ### pslist ``` 0xfffffa80010213d0 explorer.exe 1580 2256 40 1007 2 0 2019-12-20 03:46:49 UTC+0000 0xfffffa800105ab30 VBoxTray.exe 2144 1580 13 138 2 0 2019-12-20 03:46:50 UTC+0000 0xfffffa8000f97a20 WinRAR.exe 2924 1580 6 210 2 0 2019-12-20 03:47:13 UTC+0000 0xfffffa80010b8060 notepad.exe 2744 1580 1 57 2 0 2019-12-20 03:47:21 UTC+0000 0xfffffa8000eeb060 DumpIt.exe 2208 1580 2 45 2 1 2019-12-20 03:47:39 UTC+0000 0xfffffa8000eab790 conhost.exe 2612 1988 2 51 2 0 2019-12-20 03:47:40 UTC+0000 0xfffffa800108cb30 NOTEPAD.EXE 2724 1580 1 39 2 1 2019-12-20 03:47:53 UTC+0000 0xfffffa800109f060 svchost.exe 2632 484 7 82 0 0 2019-12-20 03:47:54 UTC+0000 0xfffffa8000ee8060 WerFault.exe 2716 2632 8 161 2 1 2019-12-20 03:47:54 UTC+0000 0xfffffa800221ab30 NOTEPAD.EXE 1388 1580 1 39 2 1 2019-12-20 03:48:00 UTC+0000 0xfffffa8000efbb30 WerFault.exe 780 2632 7 160 2 1 2019-12-20 03:48:01 UTC+0000 0xfffffa8000f02b30 NOTEPAD.EXE 2056 1580 1 226 ------ 1 2019-12-20 03:48:15 UTC+0000 0xfffffa8000f05b30 WerFault.exe 2168 2632 7 1572864 ------ 1 2019-12-20 03:48:15 UTC+0000 ``` 可以看到幾個比較有趣的程式 WinRAR.exe NOTEPAD.EXE ### pstree ``` 0xfffffa80010213d0:explorer.exe 1580 2256 40 1007 2019-12-20 03:46:49 UTC+0000 . 0xfffffa800108cb30:NOTEPAD.EXE 2724 1580 1 39 2019-12-20 03:47:53 UTC+0000 . 0xfffffa8000f02b30:NOTEPAD.EXE 2056 1580 1 226 2019-12-20 03:48:15 UTC+0000 ``` 能看到沒有 NOTEPAD.EXE 子程式執行 ### filescan 因為有 winrar,所以直接搜尋 rar `0x000000003eed56f0 1 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Documents\SW1wb3J0YW50.rar` 得到 Stage2.png 但是需要密碼 另外 NOTEPAD.EXE 很可疑,所以也嘗試搜尋是否有檔案能提取 `0x000000003ee9d070 10 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Videos\NOTEPAD.EXE` ### dumpfiles 將 SW1wb3J0YW50.rar 和 NOTEPAD.EXE 提取 SW1wb3J0YW50.rar 得到 Stage2.png 但是需要密碼 NOTEPAD.EXE 得到 ``` ImageSectionObject 0x3ee9d070 None \Device\HarddiskVolume2\Users\SmartNet\Videos\NOTEPAD.EXE DataSectionObject 0x3ee9d070 None \Device\HarddiskVolume2\Users\SmartNet\Videos\NOTEPAD.EXE SharedCacheMap 0x3ee9d070 None \Device\HarddiskVolume2\Users\SmartNet\Videos\NOTEPAD.EXE ``` - img (ImageSectionObject):描述加載的映像文件區段,對應可執行文件或 DLL。 - dat (DataSectionObject):描述加載的資料區段,對應程式的靜態資料區域。 - vacb (SharedCacheMap):管理文件的快取頁面,用於提高文件存取效率。 :::spoiler 1. img - ImageSectionObject - 描述:ImageSectionObject 是一個表示映像文件在內存中映射的結構。這個結構包含有關加載的執行檔案(如 EXE 或 DLL)的信息。當一個應用程序被加載到內存中時,操作系統會創建一個 ImageSectionObject,這個結構包含該應用程序的映像數據以及相關的內存映射。 - 用途:這類型的檔案通常用來表示操作系統或應用程式的映像文件在內存中的區段。它可以包含關於映像文件的各種屬性,例如起始地址、大小、加載的虛擬內存範圍等。 - 分析應用:這類文件通常用於分析可執行檔案的加載情況,識別當前正在運行的應用程序或驅動程式。 2. dat - DataSectionObject - 描述:DataSectionObject 是 Windows 內核中的一個結構,用來表示在內存中加載的數據段。它包含指向數據段的指針,這些數據段可以是可執行檔案中的數據區域或其他應用程序使用的數據結構。 - 用途:DataSectionObject 主要用於處理映像文件中數據區段的內存映射,這些數據區段通常存儲著程序運行時所需的全局變數、靜態數據等。 - 分析應用:當分析內存映像時,dat 文件可以幫助識別和提取應用程序的數據區段,進行更詳細的內存分析,並查找可能的惡意行為(例如注入到進程中的代碼)。 3. vacb - SharedCacheMap - 描述:SharedCacheMap 是 Windows 內核中的一個結構,與內存映射的文件有關。它表示與文件共享的緩存頁面,這些頁面是操作系統為了提高文件讀寫性能而在內存中創建的緩存。 - 用途:SharedCacheMap 是用來管理緩存文件的結構,特別是那些經常訪問的文件。它有助於提高操作系統對文件的存取效率,並減少磁碟 I/O 操作的頻率。 - 分析應用:這些檔案主要用於文件緩存的分析,對於檢查正在處理的文件或檢測文件訪問模式非常有用。對於分析檔案存取行為、尋找異常文件或破解文件加密等場景,vacb 也是重要的資料來源。 ::: 使用 file 指令查看檔案 ``` NOTEPAD.EXE.dat: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections NOTEPAD.EXE.vacb: data NOTEPAD.EXE.img: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections ``` 在此 dat 以及 img 兩個檔案都是 exe 檔案,隨便選擇一個使用逆向工具打開 ![image](https://hackmd.io/_uploads/HyzUbT8HJg.png) bi0s{M3m_l4B5_0VeR_!} ### envars 沒有看到特別的內容 ### consoles 沒有看到特別的內容 ### cmdscan 沒有看到特別的內容 ### cmdline 顯示 process cmd parameter ``` WinRAR.exe pid: 2924 Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar" ``` ### screenshot 嘗試看看截圖是否有資訊 可以看到 session_2.WinSta0.Default.png 開啟一個 Windows photo viewer ![session_1.WinSta0.Default](https://hackmd.io/_uploads/Hkpy338Skl.png) 正在打開一個檔名為 `ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfM19EMG4zXyEhfQ` 的圖片,嘗試將檔名以 base64 解碼 flag{!!\_w3LL\_d0n3\_St4g3-1\_0f\_L4B\_5\_D0n3\_!!} 將此當作密碼對 Stage2.png 解壓縮 得到 flag{W1th\_th1s\_$taGe\_2\_1s\_c0mPL3T3\_!!} # MemLabs Lab 6 - The Reckoning We received this memory dump from the Intelligence Bureau Department. They say this evidence might hold some secrets of the underworld gangster David Benjamin. This memory dump was taken from one of his workers whom the FBI busted earlier this week. Your job is to go through the memory dump and see if you can figure something out. FBI also says that David communicated with his workers via the internet so that might be a good place to start. 我們從情報局收到了這個記憶體轉儲。他們說,這些證據可能蘊藏黑社會黑幫大衛班傑明的一些秘密。這份內存轉儲是從本週早些時候被聯邦調查局抓獲的他的一名員工那裡獲得的。你的工作是檢查記憶體轉儲,看看是否能找出答案。聯邦調查局還表示,大衛透過網路與他的工作人員進行交流,因此這可能是一個很好的起點。 Note: This challenge is composed of 1 flag split into 2 parts. --- ## 開始解題 1. internet 2. David Benjamin 3. some secrets ### imageinfo ``` INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/data/MemoryDump_Lab6.raw) PAE type : No PAE DTB : 0x187000L KDBG : 0xf800027fa0a0L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff800027fbd00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2019-08-19 14:41:58 UTC+0000 Image local date and time : 2019-08-19 20:11:58 +0530 ``` ### pslist ``` 0xfffffa800319a060 explorer.exe 1944 1844 35 894 1 0 2019-08-19 14:40:19 UTC+0000 0xfffffa8003227060 GoogleCrashHan 1292 1928 7 105 0 1 2019-08-19 14:40:19 UTC+0000 0xfffffa8003219060 GoogleCrashHan 924 1928 6 93 0 0 2019-08-19 14:40:19 UTC+0000 0xfffffa8003277810 VBoxTray.exe 1108 1944 14 139 1 0 2019-08-19 14:40:20 UTC+0000 0xfffffa8002324b30 cmd.exe 880 1944 1 21 1 0 2019-08-19 14:40:26 UTC+0000 0xfffffa800231e370 conhost.exe 916 396 3 50 1 0 2019-08-19 14:40:26 UTC+0000 0xfffffa8003315060 SearchIndexer. 856 480 13 689 0 0 2019-08-19 14:40:27 UTC+0000 0xfffffa800234eb30 chrome.exe 2124 1944 27 662 1 0 2019-08-19 14:40:46 UTC+0000 0xfffffa800234f780 chrome.exe 2132 2124 9 75 1 0 2019-08-19 14:40:46 UTC+0000 0xfffffa800314fab0 chrome.exe 2168 2124 3 55 1 0 2019-08-19 14:40:49 UTC+0000 0xfffffa80032d9060 WmiPrvSE.exe 2292 608 13 288 0 0 2019-08-19 14:40:52 UTC+0000 0xfffffa80032f9a70 chrome.exe 2340 2124 12 282 1 0 2019-08-19 14:40:52 UTC+0000 0xfffffa8003741b30 chrome.exe 2440 2124 13 263 1 0 2019-08-19 14:40:54 UTC+0000 0xfffffa800374bb30 chrome.exe 2452 2124 14 167 1 0 2019-08-19 14:40:54 UTC+0000 0xfffffa8002b74060 WmiApSrv.exe 2800 480 6 115 0 0 2019-08-19 14:40:57 UTC+0000 0xfffffa8002d9eab0 WmiPrvSE.exe 2896 608 7 124 0 0 2019-08-19 14:40:57 UTC+0000 0xfffffa80032d4380 chrome.exe 2940 2124 9 172 1 0 2019-08-19 14:41:06 UTC+0000 0xfffffa8003905b30 firefox.exe 2080 3060 59 970 1 1 2019-08-19 14:41:08 UTC+0000 0xfffffa80021fa630 firefox.exe 2860 2080 11 210 1 1 2019-08-19 14:41:09 UTC+0000 0xfffffa80013a4580 firefox.exe 3016 2080 31 413 1 1 2019-08-19 14:41:10 UTC+0000 0xfffffa8001415b30 firefox.exe 2968 2080 22 323 1 1 2019-08-19 14:41:11 UTC+0000 0xfffffa8001454b30 firefox.exe 3316 2080 21 307 1 1 2019-08-19 14:41:13 UTC+0000 0xfffffa80035e71e0 WinRAR.exe 3716 1944 7 201 1 0 2019-08-19 14:41:43 UTC+0000 ``` 有 cmd firefox chrome winrar 等程式 ### cmdscan ``` CommandProcess: conhost.exe Pid: 916 CommandHistory: 0x1feab0 Application: cmd.exe Flags: Allocated, Reset CommandCount: 2 LastAdded: 1 LastDisplayed: 1 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x60 Cmd #0 @ 0x1fd530: whoami Cmd #1 @ 0x1fdde0: env Cmd #15 @ 0x1c0158: Cmd #16 @ 0x1fdc20: ``` 可以看到執行了 whoami 以及 env 指令,這通常是入侵到主機後會執行的初步操作 ### filescan 有使用到 winrar,因此搜尋 rar 檔案 `0x000000005fcfc4b0 16 0 R--rwd \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar` ### dumpfiles 取得 pr0t3ct3d\flag.rar 後裡面有 flag2.png 需要密碼 ### netscan 題目有提到網路,使用 netscan 查看是否有可疑連線 ``` Offset(P) Proto Local Address Foreign Address State Pid Owner Created 0x53f2010 TCPv4 127.0.0.1:49171 127.0.0.1:49170 ESTABLISHED 2968 firefox.exe 0x53f2a90 TCPv4 127.0.0.1:49170 127.0.0.1:49171 ESTABLISHED 2968 firefox.exe 0x5d80d9f0 UDPv4 127.0.0.1:58500 *:* 1308 svchost.exe 2019-08-19 14:42:39 UTC+0000 0x5d8c3360 UDPv4 0.0.0.0:5353 *:* 2124 chrome.exe 2019-08-19 14:40:55 UTC+0000 0x5d8c3360 UDPv6 :::5353 *:* 2124 chrome.exe 2019-08-19 14:40:55 UTC+0000 0x5d8c3ec0 UDPv4 0.0.0.0:5353 *:* 2124 chrome.exe 2019-08-19 14:40:55 UTC+0000 0x5d8d8500 TCPv4 10.0.2.15:49232 172.217.160.131:80 ESTABLISHED 2080 firefox.exe 0x5d8e7b90 TCPv4 127.0.0.1:49166 127.0.0.1:49165 ESTABLISHED 2080 firefox.exe 0x5d8e9010 TCPv4 10.0.2.15:49235 172.217.194.189:443 ESTABLISHED 2080 firefox.exe 0x5d9705f0 TCPv4 10.0.2.15:49196 172.217.160.133:443 ESTABLISHED 2080 firefox.exe 0x5dadd860 TCPv4 10.0.2.15:49198 216.58.197.67:443 ESTABLISHED 2080 firefox.exe 0x5daeb850 TCPv4 127.0.0.1:49165 127.0.0.1:49166 ESTABLISHED 2080 firefox.exe 0x5dafccf0 TCPv4 10.0.2.15:49224 172.217.163.205:443 ESTABLISHED 2080 firefox.exe 0x5e06b010 UDPv4 0.0.0.0:64930 *:* 1308 svchost.exe 2019-08-19 14:40:13 UTC+0000 0x5e06b620 UDPv4 0.0.0.0:64931 *:* 1308 svchost.exe 2019-08-19 14:40:13 UTC+0000 0x5e06b620 UDPv6 :::64931 *:* 1308 svchost.exe 2019-08-19 14:40:13 UTC+0000 0x5e07c670 UDPv4 0.0.0.0:3702 *:* 1308 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e07c670 UDPv6 :::3702 *:* 1308 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e0dbcb0 UDPv4 127.0.0.1:56645 *:* 1052 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e10ab80 UDPv4 10.0.2.15:137 *:* 4 System 2019-08-19 14:40:17 UTC+0000 0x5e10baa0 UDPv4 10.0.2.15:138 *:* 4 System 2019-08-19 14:40:17 UTC+0000 0x5e114010 UDPv4 0.0.0.0:3702 *:* 1308 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e12c5d0 UDPv4 0.0.0.0:0 *:* 1052 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e12c5d0 UDPv6 :::0 *:* 1052 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e135c40 UDPv4 0.0.0.0:3702 *:* 1308 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e135c40 UDPv6 :::3702 *:* 1308 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e135dc0 UDPv4 0.0.0.0:3702 *:* 1308 svchost.exe 2019-08-19 14:40:17 UTC+0000 0x5e1379c0 UDPv4 0.0.0.0:5355 *:* 1052 svchost.exe 2019-08-19 14:40:20 UTC+0000 0x5e1379c0 UDPv6 :::5355 *:* 1052 svchost.exe 2019-08-19 14:40:20 UTC+0000 0x5e2be2e0 UDPv4 0.0.0.0:5355 *:* 1052 svchost.exe 2019-08-19 14:40:20 UTC+0000 0x5de48b50 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 496 lsass.exe 0x5e0663e0 TCPv4 0.0.0.0:5357 0.0.0.0:0 LISTENING 4 System 0x5e0663e0 TCPv6 :::5357 :::0 LISTENING 4 System 0x5e08e2d0 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System 0x5e08e2d0 TCPv6 :::445 :::0 LISTENING 4 System 0x5e0a85d0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 480 services.exe 0x5e0a85d0 TCPv6 :::49155 :::0 LISTENING 480 services.exe 0x5e109890 TCPv4 10.0.2.15:139 0.0.0.0:0 LISTENING 4 System 0x5e2beb30 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 948 svchost.exe 0x5e3037b0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 948 svchost.exe 0x5e3037b0 TCPv6 :::49154 :::0 LISTENING 948 svchost.exe 0x5e31f900 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 480 services.exe 0x5e51fd20 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 384 wininit.exe 0x5e559ef0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 724 svchost.exe 0x5e55cef0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 724 svchost.exe 0x5e55cef0 TCPv6 :::135 :::0 LISTENING 724 svchost.exe 0x5e56a3c0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 384 wininit.exe 0x5e56a3c0 TCPv6 :::49152 :::0 LISTENING 384 wininit.exe 0x5e5add20 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 496 lsass.exe 0x5e5add20 TCPv6 :::49156 :::0 LISTENING 496 lsass.exe 0x5e5d2e30 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 780 svchost.exe 0x5e5d3950 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 780 svchost.exe 0x5e5d3950 TCPv6 :::49153 :::0 LISTENING 780 svchost.exe 0x5dde8680 TCPv4 10.0.2.15:49234 172.217.163.106:443 ESTABLISHED 2080 firefox.exe 0x5ddf9010 TCPv4 10.0.2.15:49202 216.58.196.163:443 ESTABLISHED 2080 firefox.exe 0x5e2fc550 TCPv4 10.0.2.15:49231 172.217.160.131:80 ESTABLISHED 2080 firefox.exe 0x5e575ba0 TCPv6 -:0 38bb:d402:80fa:ffff:38bb:d402:80fa:ffff:0 CLOSED 6 ????? 0x5ee7fcf0 TCPv4 10.0.2.15:49240 172.217.167.138:443 ESTABLISHED 2080 firefox.exe 0x5fcf6010 UDPv6 fe80::6dfd:18d9:71ed:3522:1900 *:* 1308 svchost.exe 2019-08-19 14:42:39 UTC+0000 0x5fd0eec0 UDPv4 0.0.0.0:0 *:* 668 VBoxService.ex 2019-08-19 14:42:51 UTC+0000 0x5fd6a010 UDPv4 0.0.0.0:0 *:* 668 VBoxService.ex 2019-08-19 14:42:43 UTC+0000 0x5fe17550 UDPv4 127.0.0.1:1900 *:* 1308 svchost.exe 2019-08-19 14:42:39 UTC+0000 0x5fe18270 UDPv4 10.0.2.15:1900 *:* 1308 svchost.exe 2019-08-19 14:42:39 UTC+0000 0x5fe4f490 UDPv6 ::1:58499 *:* 1308 svchost.exe 2019-08-19 14:42:39 UTC+0000 0x5ff6b6d0 UDPv6 ::1:1900 *:* 1308 svchost.exe 2019-08-19 14:42:39 UTC+0000 0x5fc0dcf0 TCPv4 10.0.2.15:49172 54.149.112.164:443 ESTABLISHED 2080 firefox.exe 0x5fc13010 TCPv4 10.0.2.15:49182 117.18.237.29:80 ESTABLISHED 2080 firefox.exe 0x5fc13cf0 TCPv4 10.0.2.15:49241 52.24.89.101:443 ESTABLISHED 2080 firefox.exe 0x5fc24010 TCPv4 10.0.2.15:49200 172.217.163.33:443 ESTABLISHED 2080 firefox.exe 0x5fc2e300 TCPv4 127.0.0.1:49167 127.0.0.1:49168 ESTABLISHED 3016 firefox.exe 0x5fc303d0 TCPv4 127.0.0.1:49168 127.0.0.1:49167 ESTABLISHED 3016 firefox.exe 0x5fc3a010 TCPv4 10.0.2.15:49169 23.195.74.19:80 ESTABLISHED 2080 firefox.exe 0x5fc43640 TCPv6 -:0 381b:de02:80fa:ffff:381b:de02:80fa:ffff:0 CLOSED 2080 firefox.exe 0x5fc49700 TCPv4 -:0 56.27.222.2:0 CLOSED 2080 firefox.exe 0x5fc4e810 TCPv4 10.0.2.15:49178 117.18.237.29:80 ESTABLISHED 2080 firefox.exe 0x5fc52940 TCPv4 10.0.2.15:49179 117.18.237.29:80 ESTABLISHED 2080 firefox.exe 0x5fc81810 TCPv4 127.0.0.1:49186 127.0.0.1:49185 ESTABLISHED 3316 firefox.exe 0x5fc869e0 TCPv4 127.0.0.1:49185 127.0.0.1:49186 ESTABLISHED 3316 firefox.exe 0x5fc94770 TCPv4 10.0.2.15:49195 172.217.160.131:80 ESTABLISHED 2080 firefox.exe 0x5fc989d0 TCPv4 10.0.2.15:49193 172.217.160.131:80 ESTABLISHED 2080 firefox.exe 0x5fca7cf0 TCPv4 10.0.2.15:49191 172.217.163.100:443 ESTABLISHED 2080 firefox.exe 0x5fcbe5b0 TCPv4 10.0.2.15:49214 172.217.160.131:80 FIN_WAIT2 2080 firefox.exe 0x5fcbeb30 TCPv4 10.0.2.15:49228 172.217.163.106:443 ESTABLISHED 2080 firefox.exe 0x5fccd010 TCPv4 10.0.2.15:49203 172.217.160.131:80 ESTABLISHED 2080 firefox.exe 0x5fccd5e0 TCPv4 10.0.2.15:49225 172.217.163.110:443 ESTABLISHED 2080 firefox.exe 0x5fcceb30 TCPv4 10.0.2.15:49239 172.217.167.138:443 ESTABLISHED 2080 firefox.exe 0x5fcdb460 TCPv4 10.0.2.15:49216 172.217.167.142:443 ESTABLISHED 2080 firefox.exe 0x5fcebcf0 TCPv4 10.0.2.15:49218 216.58.200.142:443 ESTABLISHED 2080 firefox.exe 0x5fcf5cf0 TCPv4 10.0.2.15:49217 216.58.200.142:443 ESTABLISHED 2080 firefox.exe 0x5fcf8010 TCPv4 10.0.2.15:49226 172.217.163.170:443 ESTABLISHED 2080 firefox.exe 0x5fcfe010 TCPv4 10.0.2.15:49209 172.217.163.67:443 ESTABLISHED 2080 firefox.exe 0x5fd03010 TCPv4 10.0.2.15:49219 172.217.163.110:443 ESTABLISHED 2080 firefox.exe 0x5fd039d0 TCPv4 10.0.2.15:49213 172.217.160.131:80 FIN_WAIT2 2080 firefox.exe 0x5fd03cf0 TCPv4 10.0.2.15:49227 172.217.163.170:443 ESTABLISHED 2080 firefox.exe 0x5fd058d0 TCPv4 10.0.2.15:49222 172.217.31.206:443 ESTABLISHED 2080 firefox.exe 0x5fe4fcf0 TCPv4 10.0.2.15:49177 13.224.25.60:443 ESTABLISHED 2080 firefox.exe 0x5fe61010 TCPv4 10.0.2.15:49174 35.167.81.14:443 CLOSED 2080 firefox.exe 0x5fe67cf0 TCPv4 10.0.2.15:49181 117.18.237.29:80 ESTABLISHED 2080 firefox.exe ``` 可以看到多數連線都是 firefox 以及 chrome ### chromehistory `docker run --rm -v .:/workspace sk4la/volatility --plugins /workspace/volatility-plugins -f /workspace/MemoryDump_Lab6.raw chromehistory` ``` 169 https://pastebin.com/RSGSi1hk Private Paste ID: RSGSi1hk 1 0 2019-08-18 10:32:18.061245 N/A ``` 此網站有一個 google 文件連結,但裡面都是拉丁文 不過裡面有一句話或許是線索 `But David sent the key in mail.` ### firefoxhistory `docker run --rm -v .:/workspace sk4la/volatility --plugins /workspace/volatility-plugins -f /workspace/MemoryDump_Lab6.raw firefoxhistory` 沒有顯示紀錄 ### envars 因為上面的 cmdscan 中得知有執行過 env 指令 所以查看是否有設定變數 `1812 taskhost.exe 0x0000000000231320 RAR password easypeasyvirus` 取得 rar 密碼 圖片內容為 `aN_Am4zINg_!_i_gU3Ss???_}`,看來是 flag 後半部分 到這裡卡了很久,偷偷去翻 writeup,可以發現 google 文件內藏了一個 mega 連結 ![image](https://hackmd.io/_uploads/HJtc6TLB1e.png) ![image](https://hackmd.io/_uploads/BkQjpaUSJg.png) 此檔案需要密碼才能開啟,上面有提到藏在 email 中 ### strings `strings -a MemoryDump_Lab6.raw > mem6.txt` 我們將 memory 中的字串提取出來 -a 為搜索全部 嘗試搜尋 mail,可以看到很多字串,其中很多 gmail 所以使用 gmail 搜尋,可以看到一些似乎是郵件內容的字串 結合這句線索 `But David sent the key in mail.`,可以猜測是 David Benjamin 傳送 email 搜尋 `David Benjamin`,可以看到更清楚的 email 資訊,但還是太多資訊了 直接搜尋 email `davidbenjamin939@gmail.com`,還是太多 想到既然是 mega 的檔案,email 內容可能會寫到,搜尋 mega,可以看到 `Mega Drive Key` 繼續搜尋 `grep -C 2 -i "Mega Drive Key"` 可以看到有許多段是 email 內容,找到一段是 html 格式的 ``` <table cellpadding="0" id=":2y" class="F cf zt"><col class="k0vOLb"><col class="Ci"><col class="y5"><col class="yF"><col class="yY"><col class="null"><col class="eSDBXb"><col class="yg"><col class="xX"><col class="bq4"><tbody><tr class="zA yO" jscontroller="ZdOxDb" jsaction="Tnvr6c:RNc9jf;PG1zDd:eyrEaf;WGbBt:UL4Ddb;nVvxM:UL4Ddb;" jsmodel="nXDxbd" id=":2z" tabIndex="-1" aria-labelledby=":30" draggable="true"><td class="PF xY"></td><td id=":31" class="oZ-x3 xY" style=""><div id=":32" class="oZ-jc T-Jo J-J5-Ji " role="checkbox" aria-labelledby=":30" dir="ltr" aria-checked="false" tabindex="-1"><div class="T-Jo-auh"></div></div></td><td class="apU xY"><span id=":33" class="aXw T-KT" title="Not starred" aria-label="Not starred" role="button"><img class="T-KT-JX" src="images/cleardot.gif" alt="Not starred"></span></td><td class="xY bnk byv"></td><td class="yX xY " ><div id=":30" class="afn"><span class="bA4"><span class="yP" email="danielbenjamin683@gmail.com" name="Daniel Benjamin" data-hovercard-id="danielbenjamin683@gmail.com">Daniel Benjamin</span></span>, <span data-thread-id="#thread-f:1642300656742870683" data-legacy-thread-id="16ca9fbefb8cae9b" data-legacy-last-message-id="16ca9fbefb8cae9b" data-legacy-last-non-draft-message-id="16ca9fbefb8cae9b">Mega Drive Key</span>, <span>6:35 PM</span>, THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU.</div><div id=":34" class="yW"><span class="bA4"><span class="yP" email="danielbenjamin683@gmail.com" name="Daniel Benjamin" data-hovercard-id="danielbenjamin683@gmail.com">Daniel Benjamin</span></span></div></td><td id=":35" tabindex="-1" class="xY a4W"><div class="xS" role="link"><div class="xT"><div class="y6"><span id=":37" class="bog" ><span data-thread-id="#thread-f:1642300656742870683" data-legacy-thread-id="16ca9fbefb8cae9b" data-legacy-last-message-id="16ca9fbefb8cae9b" data-legacy-last-non-draft-message-id="16ca9fbefb8cae9b">Mega Drive Key</span></span></div><span class="y2" ><span class="Zt">&nbsp;-&nbsp;</span>THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU</span></div></div></td><td class="byZ xY" ></td><td class="yf xY ">&nbsp;</td><td class="xW xY " ><span title="Mon, Aug 19, 2019, 6:35 PM" id=":39" aria-label="Mon, Aug 19, 2019, 6:35 PM"><span>6:35 PM</span></span></td><td class="bq4 xY"><ul class="bqY" id=":3a" role="toolbar"><li class="bqX brq" data-tooltip="Archive" jsaction="JqEhuc" jscontroller="pk1i4d" ></li><li class="bqX bru" data-tooltip="Delete" jsaction="zM6fo" jscontroller="pmCKac" ></li><li class="bqX brs" data-tooltip="Mark as unread" jsaction="XdlY1e" jscontroller="VtSflc" ></li><li class="bqX brv" data-tooltip="Snooze" jsaction="u4Fnue" jscontroller="PKSrle"></li></ul></td></tr></tbody></table> ``` 裡面有 `THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU.` 拿去解開 mega 檔案,裡面是一個 flag.png,但無法打開 ![image](https://hackmd.io/_uploads/ByiGSCIByx.png) 可以看到 png 有損毀,需要修復他 使用 010 editor 打開,套用 templates 幫助我們檢查 ![image](https://hackmd.io/_uploads/H1qeIR8Byx.png) ![image](https://hackmd.io/_uploads/BJOu8AUB1g.png) 可以看到判斷出來的格式只有前面,後面的資料無法讀取到 正確的 png 開頭應該是 ``` 0000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR ``` 而此檔案為 `iHDR`,將 `i` 改為 `I`,便可發現能夠成功辨識到後面的資料 ![image](https://hackmd.io/_uploads/H1dIuRUSyl.png) 存檔後圖片便恢復正常了 `inctf{thi5_cH4LL3Ng3_!s_g0nn4_b3_aN_Am4zINg_!_i_gU3Ss???_}`