Memory Analysis

Challenge Overview

Category

Forensic

Points

100 points

Challenge Description

Memory Analysis
Where is the website that fake svchost is accessing?

memoryanalysis.zip
Challenge files are huge, please download them first. Password will be released after 60 min.
Hint1: http://www.volatilityfoundation.org/
Hint2: hosts file

Flag

SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}

Solvers

PINKSAWTOOTH
mzyy94

Solution

$ ./volatility_2.5_mac -f ../forensic_100.raw filescan | grep hosts
Volatility Foundation Volatility Framework 2.5
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
$ ./volatility_2.5_mac -f ../forensic_100.raw dumpfiles --dump-dir extract2 -Q 0x000000000217b748

Got the hosts file.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
153.127.200.178    crattack.tistory.com 

Found the fake svchost.

$ ./volatility_2.5_mac -f ../forensic_100.raw filescan | grep svchost
Volatility Foundation Volatility Framework 2.5
0x000000000201ef90      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
0x00000000020f0268      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\svchost.exe
0x00000000024a7a90      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
$ ./volatility_2.5_mac -f ../forensic_100.raw dumpfiles --dump-dir extract3 -Q 0x00000000020f0268

Run strings on the fake svchost and grep for the domain found in the hosts file above.

$ strings extract3/file.None.0x81efa390.img | grep crattack.tistory.com
C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd

After adding that domain to our own hosts file and accessing the URL, we got the flag.

$ curl http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
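The triage above (parse the recovered hosts file, flag non-loopback overrides, then correlate them with URLs in the dumped binary's strings) can be scripted so the same check runs over any extracted hosts file and strings dump. This is an added example, not part of the original writeup; the two sample inputs are constructed from the output shown above, and the `ShellExecuteA` and `kernel32.dll` strings are placeholders.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the hosts file dumped above.
HOSTS_SAMPLE = """# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
153.127.200.178    crattack.tistory.com 
"""

# Constructed sample: a few lines of `strings` output from the dumped fake svchost.
STRINGS_SAMPLE = """kernel32.dll
C:\\Program Files\\Internet Explorer\\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
ShellExecuteA
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(entries):
    """Flag hostnames pinned to anything other than loopback/unspecified addresses."""
    return [(ip, name) for ip, name in entries
            if not (ipaddress.ip_address(ip).is_loopback
                    or ipaddress.ip_address(ip).is_unspecified)]


def urls_for_hosts(strings_text, names):
    """Return URLs found in strings output whose host is one of the suspect names."""
    hits = []
    for url in URL_RE.findall(strings_text):
        host = url.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()
        if host in names:
            hits.append(url)
    return hits


def analyze(hosts_text=HOSTS_SAMPLE, strings_text=STRINGS_SAMPLE):
    """Correlate hosts-file overrides with URLs embedded in the dumped binary."""
    bad = suspicious_entries(parse_hosts(hosts_text))
    return bad, urls_for_hosts(strings_text, {name for _, name in bad})
```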

Discussion

Tried filescan, but got nothing, not even the hosts file

  • Was it because I ran it on Linux and the target wasn't set to Windows?
  • Tried profile=Win7SP1x86 too, but no luck...
root@kali:~/Desktop# volatility -f ./forensic_100.raw filescan
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found

Port scan results

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-10 02:37 EST
Nmap scan report for 153.127.200.178
Host is up (1.1s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp filtered shell

pdb turned out to be irrelevant