Memory Forensics
https://download.csdn.net/download/qq_38626043/87211342
1 - What the password?
you got a sample of rick’s PC’s memory. can you get his user password? format: CTF{…}
Alternative download link: https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/wp_mac/Downloads/tmp/OtterCTF.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c430a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c44d00L
KPCR for CPU 1 : 0xfffff880009ef000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-08-04 19:34:22 UTC+0000
Image local date and time : 2018-08-04 22:34:22 +0300
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 lsadump
The cleartext comes from the LSA secrets: lsadump prints the DefaultPassword secret (the stored autologon password); the mimikatz plugin is another route to the same credential.
Passware Kit Forensic can also be pointed at the image to recover the password.
CTF{MortyIsReallyAnOtter}
2 - General Info
Let’s start easy - whats the PC’s name and IP address?
format: CTF{flag}
Method 1: the hostname from the registry.
Under HKEY_LOCAL_MACHINE\SYSTEM there are the control sets ControlSet001 and ControlSet002 plus CurrentControlSet. CurrentControlSet is a symbolic link that Windows creates at boot to whichever numbered set is active (Select\Current records which), so the hive itself only contains the numbered sets, and that is where the ComputerName key is read from.
Read the key directly by its fixed path:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 printkey -K "ControlSet002\Control\ComputerName\ComputerName"
Or walk the hive key by key, passing the SYSTEM hive's virtual address (taken from the hivelist plugin) with -o:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey
Choose ControlSet001 or ControlSet002 and descend:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K ControlSet001
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control"
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet002\Control\ComputerName\ComputerName"
Hostname: WIN-LO6FAF3DTFE
Method 2: environment variables.
The envars plugin lists every process's environment block; grep its output for COMPUTERNAME and the hostname falls out.
Extracting the local IP
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 netscan
The local-address column of netscan gives the host's private (RFC 1918) address:
IP: 192.168.202.131
3 - Play Time
Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?
format: CTF{flag}
Exclude the system processes and well-known application processes from the process list, then look up the unfamiliar names that remain; LunarMS.exe is the game client. netscan then shows the remote endpoint it is connected to:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 netscan
CTF{LunarMS}, CTF{77.102.199.102}
4 - Name Game
We know that the account was logged in to a channel called Lunar-3. what is the account name?
format: CTF{flag}
The account name can be found either by dumping LunarMS's process memory or by searching the whole image for the channel name as a keyword.
Keyword search on the raw image, with context lines around each hit:
$ strings /Users/wp_mac/Downloads/tmp/OtterCTF.vmem |grep Lunar-3 -C 10
Via a process dump. First list the processes:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 pslist
Find LunarMS.exe: its PID is 708. Dump the process memory:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 memdump -p 708 -D ./
Hex analysis of the dump around the Lunar-3 string shows the account name, 0tt3r8r33z3, right next to it.
CTF{0tt3r8r33z3}
5 - Name Game 2
From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What’s rick’s character’s name? format: CTF{…}
Interactively: open 708.dmp in a hex editor such as hexedit and search for the bytes 5a 0c 00 00 that close the signature; the character name follows them.
Via the yarascan plugin, restricted to PID 708 (the signature is written as a regex, with .{n,m} for the wildcard bytes):
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 yarascan -Y "/\x64(.{6,8})\x40\x06(.{18})\x5a\x0c\x00\x00/i" -p 708
Via xxd and grep on the dump (xxd groups bytes in pairs, so search for the grouped form of the signature's tail):
$ xxd 708.dmp | grep "5a0c 0000"
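The same signature search as an added Python example (not part of the original writeup): the challenge's byte pattern is compiled as a bytes regex with DOTALL, so the wildcard ranges may cover any byte value including 0x0a, and the printable run following each hit is returned. The sample buffer is constructed here to stand in for 708.dmp; on the real dump call find_names_in_file with its path.

```python
import mmap
import re

# Challenge signature: 0x64, 6-8 wildcard bytes, 0x40 0x06, 18 wildcard bytes,
# 0x5a 0x0c 0x00 0x00, then the character name.  re.DOTALL makes '.' match
# 0x0a as well, which a plain regex would silently skip.
SIGNATURE = re.compile(
    rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00([\x20-\x7e]{1,32})",
    re.DOTALL,
)


def find_names(blob):
    """Return the printable ASCII run that follows every signature match in blob."""
    return [m.group(1).decode("ascii") for m in SIGNATURE.finditer(blob)]


def find_names_in_file(path):
    """Scan a process dump without reading it all into memory (re accepts an mmap)."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_names(mm)


# Constructed stand-in for 708.dmp: filler, one signature, a name, more filler.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"\x64" + b"\x11" * 7          # 0x64 then 7 wildcard bytes
    + b"\x40\x06" + b"\x22" * 18     # 0x40 0x06 then 18 wildcard bytes
    + b"\x5a\x0c\x00\x00"            # end of the signature
    + b"M0rtyL0L\x00"                # NUL-terminated name that follows it
    + b"\xff" * 32
)

if __name__ == "__main__":
    print(find_names(SAMPLE_DUMP))
```

The {6,8} range is greedy, so the engine first tries eight wildcard bytes and backtracks to seven; on a real dump that backtracking is cheap because 0x40 0x06 is a rare pair.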
CTF{M0rtyL0L}
6 - Silly Rick
100
Silly rick always forgets his email’s password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick’s email password?
format: CTF{flag}
Clipboard contents:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 clipboard
CTF{M@il_Pr0vid0rs}
7 - Hide And Seek
100
The reason that we took rick’s PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)
BEAWARE! There are only 3 attempts to get the right flag!
format: CTF{flag}
The process list contains a process named Rick And Morty, which matches the challenge theme:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 pslist
Its process tree shows a child process, vmware-tray.ex (process names in pslist/pstree are truncated to 14 characters, so this is vmware-tray.exe):
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 pstree | grep Rick
The command lines show that Rick And Morty is a self-extracting RAR archive: it unpacked vmware-tray.exe into a RarSFX temporary directory and executed it from there:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 cmdline
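The triage steps above (drop the known Windows and application processes, then follow the parent chain of whatever is left, as in Q3 and Q7) as an added Python example over pslist output; this is not code from the writeup. The pslist text is constructed: the PIDs 708 and 3720 and the names are taken from the writeup, every other PID, offset and timestamp is invented.

```python
import re

# pslist columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit.
# The name may contain spaces, so match it lazily up to the PID/PPID/Thds/Hnds digits.
PSLIST_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.*?)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s")

# Processes expected on a clean Windows 7 box, and apps known to be installed here.
WINDOWS_BASELINE = {
    "System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe",
    "taskhost.exe", "dwm.exe", "explorer.exe", "conhost.exe",
}
COMMON_APPS = {"chrome.exe"}


def parse_pslist(text):
    """Turn pslist output into name/pid/ppid records, skipping header lines."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs.append({"name": m.group(2), "pid": int(m.group(3)), "ppid": int(m.group(4))})
    return procs


def unknown_processes(procs, allowlist=WINDOWS_BASELINE | COMMON_APPS):
    """Names not on the allowlist.  EPROCESS.ImageFileName keeps only 14 visible
    characters, so the allowlist is truncated the same way before comparing."""
    allowed = {n[:14] for n in allowlist}
    return sorted({p["name"] for p in procs if p["name"][:14] not in allowed})


def ancestry(procs, pid):
    """Names from pid up to the first parent that is no longer in the list
    (e.g. a userinit.exe that has already exited)."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid and len(chain) < len(procs):   # length guard against PPID cycles
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


# Constructed pslist excerpt in Volatility 2 layout.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80183d4040 System                    4      0     80      577 ------      0 2018-08-04 19:26:03 UTC+0000
0xfffffa801943a3e0 smss.exe                272      4      2       30 ------      0 2018-08-04 19:26:03 UTC+0000
0xfffffa8019bc9b30 explorer.exe           2728   2700     33     1057      1      0 2018-08-04 19:27:55 UTC+0000
0xfffffa801b27e060 chrome.exe             4628   2728     36      881      1      1 2018-08-04 19:30:03 UTC+0000
0xfffffa801b0d9060 LunarMS.exe             708   2728     18      346      1      1 2018-08-04 19:31:05 UTC+0000
0xfffffa8019c8e8c0 BitTorrent.exe         2836   2728     24      471      1      1 2018-08-04 19:30:20 UTC+0000
0xfffffa801b1c9b30 Rick And Morty         3820   2728      4      185      1      1 2018-08-04 19:32:55 UTC+0000
0xfffffa801a4c5b30 vmware-tray.ex         3720   3820      8      147      1      1 2018-08-04 19:33:02 UTC+0000
"""

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("unknown:", unknown_processes(procs))
    print("chain for 3720:", " <- ".join(ancestry(procs, 3720)))
```

The truncation matters in both directions: a real vmware-tray.exe would also show as vmware-tray.ex, so a name match never clears a process on its own; the parent chain (here a RAR SFX under explorer.exe) is what settles it.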
CTF{vmware-tray.exe}
8 - Path To Glory
150
How did the malware got to rick’s PC? It must be one of rick old illegal habits…
format: CTF{…}
Search the cached file objects for related keywords to trace where the malware came from: a BitTorrent .torrent file turns up (a torrent client was also among the Q7 processes). Dump that file and read its metadata:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 filescan | grep "Rick And Morty"
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D ./
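Reading the dumped .torrent properly rather than with strings, as an added Python example that is not part of the writeup: a bencode decoder (the format every .torrent uses, per BEP 3) and a summary of the fields an analyst looks at first. The comment and created-by fields are where a torrent's author leaves free text, which is why they are worth checking. SAMPLE_TORRENT is constructed for the example; the tracker URL, names and sizes in it are invented.

```python
def bdecode(data):
    """Decode one bencoded value (int / byte string / list / dict) from bytes."""

    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                d[key] = val
            return d, i + 1
        if c.isdigit():                     # byte string: <length>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("string length runs past end of data")
            return data[start:start + length], start + length
        raise ValueError("bad bencode token at offset %d" % i)

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")   # e.g. dumpfiles padding
    return value


def torrent_summary(data):
    """The metadata fields an analyst wants first from a .torrent file."""
    t = bdecode(data)
    info = t.get(b"info", {})

    def text(v):
        return v.decode("utf-8", "replace") if isinstance(v, bytes) else v

    return {
        "name": text(info.get(b"name", b"")),
        "length": info.get(b"length"),
        "announce": text(t.get(b"announce", b"")),
        "created_by": text(t.get(b"created by", b"")),
        "comment": text(t.get(b"comment", b"")),
    }


def _bstr(s):
    """Bencode a byte string: <length>:<bytes>."""
    return b"%d:%s" % (len(s), s)


# Constructed sample torrent (not the one from the image); keys sorted as BEP 3 requires.
SAMPLE_TORRENT = (
    b"d"
    + _bstr(b"announce") + _bstr(b"http://tracker.example.invalid/announce")
    + _bstr(b"comment") + _bstr(b"constructed comment field")
    + _bstr(b"created by") + _bstr(b"example-client 1.0")
    + _bstr(b"info") + b"d"
    + _bstr(b"length") + b"i1048576e"
    + _bstr(b"name") + _bstr(b"sample.exe")
    + _bstr(b"piece length") + b"i262144e"
    + _bstr(b"pieces") + _bstr(b"\x00" * 80)     # 4 pieces x 20-byte SHA-1, zeroed
    + b"e"
    + b"e"
)

if __name__ == "__main__":
    print(torrent_summary(SAMPLE_TORRENT))
```

Because dumpfiles pads its output to page size, a carved torrent usually fails the trailing-bytes check; strip the padding with tr -d '\000' (as in Q13 below) before decoding, or decode and ignore the error.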
CTF{M3an_T0rren7_4_R!ck}
9 - Path To Glory 2
200
Continue the search after the way that malware got in.
format: CTF{…}
The earlier findings suggest the torrent was downloaded through a web browser, and chrome.exe appears in the process list. Locate Chrome's History database in the file cache and dump it:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 filescan | grep -i "chrome.*history"
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007d45dcc0 -D ./
Opening the SQLite database in sqlitebrowser confirms that the torrent was downloaded with Chrome, but the download record itself holds no flag:
sqlitebrowser file.None.0xfffffa801a5193d0.dat
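The same lookup done with sqlite3 from the standard library, as an added Python example that is not part of the writeup: it pulls every .torrent download from a Chrome History database together with its final URL, referrer and start time, converting Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to UTC. The schema here is a constructed subset of Chrome's real downloads and downloads_url_chains tables and the rows are invented; open_history is what you would call on the carved file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def open_history(path):
    """Open a carved History file read-only; immutable=1 stops SQLite from
    looking for or creating journal files next to the evidence."""
    return sqlite3.connect("file:%s?mode=ro&immutable=1" % path, uri=True)


def torrent_downloads(conn):
    """Every .torrent download with its last redirect-chain URL, referrer and start time."""
    rows = conn.execute(
        """
        SELECT d.id, d.target_path, d.start_time, d.referrer, d.tab_url,
               (SELECT url FROM downloads_url_chains c
                 WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1) AS final_url
          FROM downloads d
         WHERE lower(d.target_path) LIKE '%.torrent'
         ORDER BY d.start_time
        """
    ).fetchall()
    return [
        {
            "path": path,
            "started": webkit_to_utc(start).isoformat(),
            "referrer": referrer,
            "tab_url": tab_url,
            "url": final_url,
        }
        for _id, path, start, referrer, tab_url, final_url in rows
    ]


# Constructed subset of Chrome's History schema; column names follow the real
# tables, the data is invented for the example.
SAMPLE_SCHEMA = """
CREATE TABLE downloads (
    id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT, start_time INTEGER,
    received_bytes INTEGER, total_bytes INTEGER, state INTEGER,
    referrer TEXT, tab_url TEXT, mime_type TEXT);
CREATE TABLE downloads_url_chains (
    id INTEGER NOT NULL, chain_index INTEGER NOT NULL, url TEXT NOT NULL);
"""
T_2018_08_04_19_34_22 = 13177884862000000   # 2018-08-04 19:34:22 UTC as WebKit time


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.execute(
        "INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?)",
        (7, r"C:\Users\Rick\Downloads\sample.torrent", r"C:\Users\Rick\Downloads\sample.torrent",
         T_2018_08_04_19_34_22, 1234, 1234, 1,
         "https://mail.example/inbox", "https://mail.example/inbox", "application/x-bittorrent"),
    )
    conn.executemany(
        "INSERT INTO downloads_url_chains VALUES (?,?,?)",
        [(7, 0, "https://mail.example/attach?id=1"), (7, 1, "https://cdn.example/sample.torrent")],
    )
    return conn


if __name__ == "__main__":
    for row in torrent_downloads(build_sample_db()):
        print(row)
```

The referrer and tab_url columns are the ones that answer "where did the file come from"; the URL chain records redirects, so the last chain_index is the server that actually served the bytes.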
The download's origin is a mail.com webmail page, so search the image for mail addresses; two accounts turn up:
$ strings /Users/wp_mac/Downloads/tmp/OtterCTF.vmem |grep -E "mail.com"
rickypinky@mail.com
rickopicko@mail.com
Searching around rickypinky@mail.com shows nothing suspicious:
$ strings /Users/wp_mac/Downloads/tmp/OtterCTF.vmem |grep -E "rickypinky@mail.com" -C 10
Around rickopicko@mail.com the image holds fragments of raw email source; the sender e0wumo+6qbbc5zrnw7kk@guerrillamail.com is presumably the attacker's throwaway mailbox, and the flag string sits in that message's metadata:
$ strings /Users/wp_mac/Downloads/tmp/OtterCTF.vmem |grep -E "rickopicko@mail.com" -C 20
CTF{Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in}
10 - Bit 4 Bit
100
We’ve found out that the malware is a ransomware. Find the attacker’s bitcoin address.
format: CTF{…}
Method one:
Back in Q7 the ransomware was vmware-tray.exe, PID 3720. Dump that process as an executable:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 procdump -p 3720 -D ./
Open the dumped executable in ILSpy to decompile it (the binary is .NET).
Method two:
String search. .NET keeps strings as UTF-16LE, so ask strings for 16-bit little-endian encoding:
strings -e l OtterCTF.vmem | grep -i -A 5 "ransomware"
11 - Graphic’s For The Weak
150
There’s something fishy in the malware’s graphics.
format: CTF{…}
Carve the embedded images straight out of the dumped executable with foremost; the flag is in one of the carved pictures.
CTF{S0_Just_M0v3_Socy}
12 - Recovery
300
Rick got to have his files recovered! What is the random password used to encrypt the files?
format: CTF{…}
ILSpy shows that the password is 15 characters long and is assembled as computerName + "-" + userName + " " + password.
Because .NET strings are UTF-16, add -e l (little-endian) or -e b (big-endian) when searching with strings; little-endian is what .NET uses in memory.
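The two string hunts above, the bitcoin address from Q10 and the hostname-username-password string from Q12, as one added Python example that is not part of the writeup. It extracts both ASCII and UTF-16LE runs the way strings and strings -e l do, then (a) pulls the 15-character password out of the computerName-userName prefix, and (b) keeps only those bitcoin-looking tokens whose Base58Check checksum verifies, which removes the random-looking false positives a regex alone would report. SAMPLE_BLOB is constructed: the hostname, user and password are the writeup's values, the bitcoin address is the well-known genesis-block address used only as a known-valid test vector, and the "corrupted" copy has its last character changed.

```python
import hashlib
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")                 # what plain `strings` matches
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")      # what `strings -e l` matches


def extract_strings(blob):
    """Printable runs in both ASCII and UTF-16LE, decoded to str."""
    out = [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group(0).decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]
    return out


def find_ransom_password(blob, hostname, user):
    """The string is computerName + "-" + userName + " " + password with a
    15-character password (per the writeup); the password character set is
    assumed to be any non-space character."""
    pat = re.compile(r"%s-%s (\S{15})" % (re.escape(hostname), re.escape(user)))
    return [m.group(1) for s in extract_strings(blob) for m in pat.finditer(s)]


B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")   # legacy P2PKH / P2SH shape


def is_valid_btc_address(addr):
    """Base58Check: decode to 25 bytes = version || hash160 || sha256d(first 21)[:4]."""
    n = 0
    for ch in addr.encode("ascii", "ignore"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_ones = len(addr) - len(addr.lstrip("1"))    # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * leading_ones + body
    if len(data) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()[:4]
    return check == data[21:]


def find_btc_addresses(blob):
    """Candidates by shape, kept only if the checksum verifies; order of first sighting."""
    seen = []
    for s in extract_strings(blob):
        for m in BTC_CANDIDATE.finditer(s):
            if is_valid_btc_address(m.group(0)) and m.group(0) not in seen:
                seen.append(m.group(0))
    return seen


# Constructed stand-in for a memory image: a UTF-16LE .NET string, an ASCII
# decoy with a bad checksum, and a UTF-16LE string holding a valid address.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "WIN-LO6FAF3DTFE-Rick aDOBofVYUNVnmp7".encode("utf-16-le")
    + b"\x00" * 16
    + b"corrupted 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"        # last char altered: invalid
    + b"\x00" * 16
    + "bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(find_ransom_password(SAMPLE_BLOB, "WIN-LO6FAF3DTFE", "Rick"))
    print(find_btc_addresses(SAMPLE_BLOB))
```

On a multi-gigabyte image, feed the functions an mmap of the file instead of reading it into memory; both regexes accept any bytes-like object.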
CTF{aDOBofVYUNVnmp7}
13 - Closure
400
Now that you extracted the password from the memory, could you decrypt rick’s files?
Look for PDB path information in the dumped executable:
$ strings executable.3720.exe| grep pdb
C:\Users\Tyler\Desktop\hidden-tear-master\hidden-tear\hidden-tear\obj\Debug\VapeHacksLoader.pdb
Look at the directory names: hidden-tear refers to https://github.com/goliate/hidden-tear, an open-source ransomware project that ships its own decrypter, so all that is left is to work out how to use it.
The decrypter takes the password and decrypts the files directly, but we do not yet have an encrypted file.
Go back to the image, find the encrypted file with filescan, and dump it:
$ ./volatility_2.6_mac64_standalone -f /Users/wp_mac/Downloads/tmp/OtterCTF.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007e410890 -D ./
dumpfiles pads the output to page size; strip the trailing null bytes before decrypting:
tr < flag.txt -d '\000' > flag2.txt
https://www.bleepingcomputer.com/download/hidden-tear-decrypter/
Other references
https://twitter.com/malwrhunterteam/status/871813819915436032
https://malwiki.org/index.php?title=HiddenTear
https://www.youtube.com/watch?v=LtiRISepIfs
https://medium.com/@vostiar.patrik