---
lang: ja-jp
breaks: true
---

Memory Analysis
===

## Challenge overview

### Category

Forensic

### Points

100 points

### Description

Memory Analysis

Where is the website that fake svchost is accessing?

memoryanalysis.zip

Challenge files are huge, please download it first.
Password will be released after 60 min.

Hint1: http://www.volatilityfoundation.org/
Hint2: hosts file

### Flag

SECCON{\_h3110_w3_h4ve_fun_w4rg4m3_}

### Solved by

PINKSAWTOOTH mzyy94

## Solution

First locate the `hosts` file in the memory image with `filescan` and dump it by its offset:

```
$ ./volatility_2.5_mac -f ../forensic_100.raw filescan | grep hosts
Volatility Foundation Volatility Framework 2.5
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
$ ./volatility_2.5_mac -f ../forensic_100.raw dumpfiles --dump-dir extract2 -Q 0x000000000217b748
```

Got the hosts file. It contains one non-default entry at the bottom:

```
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
```

Found the fake svchost: there is an `svchost.exe` directly under `\WINDOWS\` instead of `\WINDOWS\system32\`. Dump that one:

```
$ ./volatility_2.5_mac -f ../forensic_100.raw filescan | grep svchost
Volatility Foundation Volatility Framework 2.5
0x000000000201ef90      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
0x00000000020f0268      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\svchost.exe
0x00000000024a7a90      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
$ ./volatility_2.5_mac -f ../forensic_100.raw dumpfiles --dump-dir extract3 -Q 0x00000000020f0268
```

Run `strings` on the fake svchost and grep for the domain found in the hosts file:

```
$ strings extract3/file.None.0x81efa390.img | grep crattack.tistory.com
C:\Program Files\Internet Explorer\iexplore.exe
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
```

Added that domain to my own hosts file with the same IP, accessed the URL, and there was the flag:

```
$ curl http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
```

## Discussion

Tried `filescan` but got nothing back, let alone the hosts file.

* Was it because I was on Linux, so the target was not recognised as Windows?
* Tried `--profile=Win7SP1x86` too, but no luck...

```
root@kali:~/Desktop# volatility -f ./forensic_100.raw filescan
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found
```

Port scan results:

```
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-10 02:37 EST
Nmap scan report for 153.127.200.178
Host is up (1.1s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp filtered shell
```

The pdb turned out to be irrelevant.

![](https://i.imgur.com/cGfUFp6.png)
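The three manual steps of the solution above (spot the non-default hosts entry, spot the `svchost.exe` that is not in `system32`, then find which URL that binary references) can be scripted so the same triage works on the next image. The following is an added example written for this write-up, not code from the challenge authors or from Volatility; it parses Volatility 2 `filescan` output and a hosts file as plain text, and the sample hosts lines, filescan lines and the short byte blob standing in for the dumped binary are constructed from the values shown above.

```python
import re

# Constructed sample: the recovered hosts file, trimmed to the lines that matter
# (two comment lines are kept to show that they are skipped).
HOSTS_TEXT = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
"""

# Constructed sample: Volatility 2.5 filescan lines as printed in the write-up.
FILESCAN_TEXT = """\
Volatility Foundation Volatility Framework 2.5
0x000000000201ef90      1      0 R--rw- \\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchost.exe
0x00000000020f0268      1      0 R--r-d \\Device\\HarddiskVolume1\\WINDOWS\\svchost.exe
0x00000000024a7a90      1      0 R--rwd \\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchost.exe
"""

# Constructed sample: a few bytes standing in for the dumped fake svchost image,
# containing the two strings the write-up found with `strings | grep`.
FAKE_SVCHOST_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Program Files\\Internet Explorer\\iexplore.exe\x00"
    + b"http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
    + b"\xff" * 8
)

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name) for name in names)
    return entries


def suspicious_hosts(text):
    """Triage heuristic: any name pinned to a non-loopback address deserves a look,
    since that is how a hosts file redirects or hard-codes a domain."""
    return [(ip, name) for ip, name in parse_hosts(text) if ip not in LOOPBACK]


# offset, #ptr, #hnd, access, path
FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(\S.*)$")


def parse_filescan(text):
    """Return (offset, path) pairs from Volatility 2 filescan output; header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FILESCAN_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def misplaced_binaries(text, name="svchost.exe", expected_dir=r"\WINDOWS\system32"):
    """Offsets of files called `name` whose directory is not `expected_dir` (case-insensitive).
    The genuine svchost.exe on this image lives only under system32, so anything else is a candidate."""
    hits = []
    for offset, path in parse_filescan(text):
        directory, _, base = path.rpartition("\\")
        if base.lower() == name.lower() and not directory.lower().endswith(expected_dir.lower()):
            hits.append((offset, path))
    return hits


URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00<>]*)?")


def urls_for_domains(blob, domains):
    """Printable http(s) URLs inside a binary blob whose host is one of `domains`
    (the `strings | grep <domain>` step, done on the raw bytes)."""
    wanted = {d.lower() for d in domains}
    found = []
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        host = url.split("://", 1)[1].split("/", 1)[0]
        if host.lower() in wanted:
            found.append(url)
    return found


def triage(hosts_text, filescan_text, binary_blob):
    """Chain the steps: hosts anomalies -> misplaced svchost -> URLs the dumped binary references."""
    entries = suspicious_hosts(hosts_text)
    return {
        "hosts_entries": entries,
        "misplaced": misplaced_binaries(filescan_text),
        "urls": urls_for_domains(binary_blob, [name for _, name in entries]),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(HOSTS_TEXT, FILESCAN_TEXT, FAKE_SVCHOST_BYTES))
```

On a real case the three inputs would be the dumped hosts file, the full `filescan` output and the file dumped by `dumpfiles -Q <offset>`; the offsets in `misplaced` are exactly what `-Q` takes, so the script tells you which file to dump next.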