Hack The Box-Reminiscent

Contents

Basic information

Resume.eml file

imageinfo.txt

flounder-pc-memdump.elf

Inspecting the memory image

Processes

Files

get flag

base64 decoding


Basic information

Resume.eml file
┌──(root㉿ru)-[~/…/ctf_quzheng_tools/timu/hackthebox/reminiscent]
└─# cat Resume.eml
Return-Path: <bloodworm@madlab.lcl>
Delivered-To: madlab.lcl-flounder@madlab.lcl
Received: (qmail 2609 invoked by uid 105); 3 Oct 2017 02:30:24 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_a8ebc8b42c157d88c1096632aeae0559"
Date: Mon, 02 Oct 2017 22:30:24 -0400
From: Brian Loodworm <bloodworm@madlab.lcl>
To: flounder@madlab.lcl
Subject: Resume
Organization: HackTheBox
Message-ID: <add77ed2ac38c3ab639246956c25b2c2@madlab.lcl>
X-Sender: bloodworm@madlab.lcl
Received: from mail.madlab.lcl (HELO mail.madlab.lcl) (127.0.0.1)
 by mail.madlab.lcl (qpsmtpd/0.96) with ESMTPSA (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Mon, 02 Oct 2017 22:30:24 -0400

--=_a8ebc8b42c157d88c1096632aeae0559
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

Hi Frank, someone told me you would be great to review my resume..
Could you have a look?

resume.zip [1]

Links:
------
[1] http://10.10.99.55:8080/resume.zip
--=_a8ebc8b42c157d88c1096632aeae0559
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<div class=3D"pre" style=3D"margin: 0; padding: 0; font-family: monospace">=
<br /> Hi Frank, someone told me you would be great to review my resume.. c=
uold you have a look?<br /> <br /><a href=3D"http://10.10.99.55:8080/resume=
=2Ezip">resume.zip</a></div>
</body></html>

--=_a8ebc8b42c157d88c1096632aeae0559--

imageinfo.txt
┌──(root㉿ru)-[~/…/ctf_quzheng_tools/timu/hackthebox/reminiscent]
└─# cat imageinfo.txt
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/infosec/dumps/mem_dumps/01/flounder-pc-memdump.elf)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027fe0a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027ffd00L
                KPCR for CPU 1 : 0xfffff880009eb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2017-10-04 18:07:30 UTC+0000
     Image local date and time : 2017-10-04 11:07:30 -0700

flounder-pc-memdump.elf
┌──(root㉿ru)-[~/…/ctf_quzheng_tools/timu/hackthebox/reminiscent]
└─# file flounder-pc-memdump.elf
flounder-pc-memdump.elf: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)

Unpacking the challenge archive gives three files, one of which is a description file: imageinfo.txt is the output of Volatility's imageinfo plugin run against the dump, and it already names the profile to use (Win7SP1x64).

The .elf file is a 64-bit ELF core file for x86-64; the VirtualBoxCoreDumpElf64 address-space layer in the imageinfo output shows it is a VirtualBox core dump of the VM's memory.

The .eml file is an e-mail message: the lure sent to flounder@madlab.lcl with a link to resume.zip.


Inspecting the memory image

Processes

The e-mail gives the lead to chase: the link to resume.zip (http://10.10.99.55:8080/resume.zip). Start with the process list to see what the user ran after fetching it.


┌──(root㉿ru)-[~/Tools/ctf_quzheng_tools/volatility]
└─# python2 vol.py -f ~/Tools/ctf_quzheng_tools/timu/hackthebox/reminiscent/flounder-pc-memdump.elf --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.__pycache__.__init__.cpython-311 (ImportError: No module named __pycache__.__init__.cpython-311)
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80006b7040 System                    4      0     83      477 ------      0 2017-10-04 18:04:27 UTC+0000
0xfffffa8001a63b30 smss.exe                272      4      2       30 ------      0 2017-10-04 18:04:27 UTC+0000
0xfffffa800169bb30 csrss.exe               348    328      9      416      0      0 2017-10-04 18:04:29 UTC+0000
0xfffffa8001f63b30 wininit.exe             376    328      3       77      0      0 2017-10-04 18:04:29 UTC+0000
0xfffffa8001efa500 csrss.exe               396    384      9      283      1      0 2017-10-04 18:04:29 UTC+0000
0xfffffa8001f966d0 winlogon.exe            432    384      4      112      1      0 2017-10-04 18:04:29 UTC+0000
0xfffffa8001fcdb30 services.exe            476    376     11      201      0      0 2017-10-04 18:04:29 UTC+0000
0xfffffa8001ff2b30 lsass.exe               492    376      8      590      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa8001fffb30 lsm.exe                 500    376     11      150      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa8002001b30 svchost.exe             600    476     12      360      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa800209bb30 VBoxService.ex          664    476     12      118      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa80020b5b30 svchost.exe             728    476      7      270      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa80021044a0 svchost.exe             792    476     21      443      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa8002166b30 svchost.exe             868    476     21      429      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa800217cb30 svchost.exe             900    476     41      977      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa80021ccb30 svchost.exe             988    476     13      286      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa8002204960 svchost.exe             384    476     17      386      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa8002294b30 spoolsv.exe            1052    476     13      277      0      0 2017-10-04 18:04:31 UTC+0000
0xfffffa80022bbb30 svchost.exe            1092    476     19      321      0      0 2017-10-04 18:04:31 UTC+0000
0xfffffa8002390620 svchost.exe            1196    476     28      333      0      0 2017-10-04 18:04:31 UTC+0000
0xfffffa8002245060 taskhost.exe           1720    476      8      148      1      0 2017-10-04 18:04:36 UTC+0000
0xfffffa8002122060 sppsvc.exe             1840    476      4      145      0      0 2017-10-04 18:04:37 UTC+0000
0xfffffa80022c8060 dwm.exe                2020    868      4       72      1      0 2017-10-04 18:04:41 UTC+0000
0xfffffa80020bb630 explorer.exe           2044   2012     36      926      1      0 2017-10-04 18:04:41 UTC+0000
0xfffffa80022622e0 VBoxTray.exe           1476   2044     13      146      1      0 2017-10-04 18:04:42 UTC+0000
0xfffffa80021b4060 SearchIndexer.         1704    476     16      734      0      0 2017-10-04 18:04:47 UTC+0000
0xfffffa80023ed550 SearchFilterHo          812   1704      4       92      0      0 2017-10-04 18:04:48 UTC+0000
0xfffffa80024f4b30 SearchProtocol         1960   1704      6      311      0      0 2017-10-04 18:04:48 UTC+0000
0xfffffa80007e0b30 thunderbird.ex         2812   2044     50      534      1      1 2017-10-04 18:06:24 UTC+0000
0xfffffa8000801b30 WmiPrvSE.exe           2924    600     10      204      0      0 2017-10-04 18:06:26 UTC+0000
0xfffffa8000945060 svchost.exe            2120    476     12      335      0      0 2017-10-04 18:06:32 UTC+0000
0xfffffa800096eb30 wmpnetwk.exe           2248    476     18      489      0      0 2017-10-04 18:06:33 UTC+0000
0xfffffa8000930b30 WmiPrvSE.exe            592    600      9      127      0      0 2017-10-04 18:06:35 UTC+0000
0xfffffa800224e060 powershell.exe          496   2044     12      300      1      0 2017-10-04 18:06:58 UTC+0000
0xfffffa8000e90060 conhost.exe            2772    396      2       55      1      0 2017-10-04 18:06:58 UTC+0000
0xfffffa8000839060 powershell.exe         2752    496     20      396      1      0 2017-10-04 18:07:00 UTC+0000
The list already contains the interesting chain: thunderbird.exe (PID 2812, a 32-bit WoW64 process) starts at 18:06:24, then at 18:06:58 explorer.exe (PID 2044) spawns powershell.exe (PID 496), which two seconds later spawns a second powershell.exe (PID 2752). A shell launched from the desktop shortly after the mail client was opened is what a user double-clicking a malicious shortcut from a downloaded archive looks like, so that is what we go looking for next.
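The chain is easier to see when the parent-child relations are laid out programmatically. Below is an added example (mine, not code from the writeup or from Volatility) that parses an excerpt of the pslist rows above, walks each script host's ancestry and reports those spawned under a user application, together with the start-time gap between thunderbird.exe and the first powershell.exe. The SCRIPT_HOSTS and USER_APPS sets are my own triage lists, not anything on the page.

```python
from datetime import datetime

# Excerpt of the pslist output above: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start.
# Volatility 2 truncates image names to 14 characters (hence "thunderbird.ex").
PSLIST_EXCERPT = """\
0xfffffa8001fcdb30 services.exe            476    376     11      201      0      0 2017-10-04 18:04:29 UTC+0000
0xfffffa8002001b30 svchost.exe             600    476     12      360      0      0 2017-10-04 18:04:30 UTC+0000
0xfffffa80020bb630 explorer.exe           2044   2012     36      926      1      0 2017-10-04 18:04:41 UTC+0000
0xfffffa80007e0b30 thunderbird.ex         2812   2044     50      534      1      1 2017-10-04 18:06:24 UTC+0000
0xfffffa8000801b30 WmiPrvSE.exe           2924    600     10      204      0      0 2017-10-04 18:06:26 UTC+0000
0xfffffa800224e060 powershell.exe          496   2044     12      300      1      0 2017-10-04 18:06:58 UTC+0000
0xfffffa8000e90060 conhost.exe            2772    396      2       55      1      0 2017-10-04 18:06:58 UTC+0000
0xfffffa8000839060 powershell.exe         2752    496     20      396      1      0 2017-10-04 18:07:00 UTC+0000
"""

# Script hosts worth a second look, and user-facing programs that should not
# normally be spawning them (my own triage lists; lower-case full image names).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_APPS = {"explorer.exe", "thunderbird.exe", "outlook.exe", "winword.exe", "excel.exe", "acrord32.exe"}


def parse_pslist(text):
    """Turn Volatility 2 pslist rows into {pid: {...}}; header and other lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = {
            "name": parts[1].lower(),
            "ppid": int(parts[3]),
            "wow64": parts[7] == "1",
            "start": datetime.strptime(parts[8] + " " + parts[9], "%Y-%m-%d %H:%M:%S"),
        }
    return procs


def _matches(truncated, full_names):
    # A truncated pslist name is a prefix of the real image name.
    return any(full.startswith(truncated) for full in full_names)


def lineage(procs, pid):
    """Walk PPIDs upward; the chain ends at the first parent absent from the dump
    (for explorer.exe that is userinit.exe, which exits after logon and is expected)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append("%s(%d)" % (procs[pid]["name"], pid))
        pid = procs[pid]["ppid"]
    chain.append("<not in dump>(%d)" % pid)
    return chain


def suspicious_children(procs):
    """Script hosts with a user application somewhere in their ancestry, in start order."""
    hits = []
    for pid, p in sorted(procs.items(), key=lambda kv: kv[1]["start"]):
        if not _matches(p["name"], SCRIPT_HOSTS):
            continue
        ancestor = p["ppid"]
        while ancestor in procs:
            if _matches(procs[ancestor]["name"], USER_APPS):
                hits.append((pid, " <- ".join(lineage(procs, pid))))
                break
            ancestor = procs[ancestor]["ppid"]
    return hits


def seconds_between(procs, earlier_pid, later_pid):
    """Start-time gap, to line the shell up against the mail client on the timeline."""
    return int((procs[later_pid]["start"] - procs[earlier_pid]["start"]).total_seconds())


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_EXCERPT)
    for pid, chain in suspicious_children(procs):
        print(pid, chain)
    print("powershell started %d s after thunderbird" % seconds_between(procs, 2812, 496))
```

Run against the full pslist output the same two PIDs come out; everything else in the list descends from services.exe or wininit.exe, which is the normal Windows 7 service tree.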

The physical offset handed to dumpfiles -Q below comes from a filescan of the image for the file name in the e-mail (that step is not reproduced here). The hit is not a PDF at all but a shortcut, resume.pdf.lnk, on the user's Desktop.

Files

┌──(root㉿ru)-[~/Tools/ctf_quzheng_tools/volatility]
└─# python2 vol.py -f ~/Tools/ctf_quzheng_tools/timu/hackthebox/reminiscent/flounder-pc-memdump.elf --profile=Win7SP1x64 dumpfiles -Q 0x000000001e1f6200 --dump-dir=/root/kali/rx_test
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.__pycache__.__init__.cpython-311 (ImportError: No module named __pycache__.__init__.cpython-311)
DataSectionObject 0x1e1f6200   None   \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
SharedCacheMap 0x1e1f6200   None   \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk

Dump the first entry (the DataSectionObject) to disk. The name is the giveaway: a shell link dressed up as resume.pdf. Inside the dumped .lnk the command line carries a long base64 string.

get flag

base64 decoding

The base64 from the shortcut decodes to a second base64 layer; decoding that in turn gives the flag:

HTB{$_j0G_y0uR_M3m0rY_$}
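resume.pdf.lnk has to be parsed as a shell link rather than read as text: the launched command line lives in the StringData section, and PowerShell's -EncodedCommand operand is base64 of UTF-16LE text, which is why a plain UTF-8 decode of the first layer looks like garbage. The following added example (mine, not code from the writeup) parses a .lnk per the MS-SHLLINK layout, pulls the -enc operand, and peels base64 layers until nothing more decodes to text. The sample shortcut it builds is constructed for the demonstration and is not the file from the image; the payload and flag string inside it are placeholders.

```python
import base64
import binascii
import re
import struct

# Shell link constants from MS-SHLLINK: fixed 76-byte header, CLSID, and LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

# powershell -e / -ec / -enc / -EncodedCommand followed by its base64 operand.
ENC_RE = re.compile(r"-e(?:n[a-z]*|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def parse_lnk(data):
    """Return the StringData fields (target path, arguments, ...) of a .lnk file.
    The optional LinkTargetIDList and LinkInfo blocks are skipped via their size fields."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, not byte count
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def decode_encoded_command(arguments):
    """-EncodedCommand is base64 of the UTF-16LE script text, not UTF-8."""
    m = ENC_RE.search(arguments)
    if not m:
        raise ValueError("no -EncodedCommand operand in arguments")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def _bytes_to_text(raw):
    # ASCII in UTF-16LE has a zero high byte at every odd offset; use that to pick the codec.
    utf16 = raw and len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4
    try:
        text = raw.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c.isprintable() or c in "\r\n\t" for c in text) else None


def peel_base64(text, max_depth=4):
    """Repeatedly decode the longest base64 run in the text; returns the decoded layers."""
    layers = []
    for _ in range(max_depth):
        blobs = B64_RE.findall(text)
        if not blobs:
            break
        try:
            decoded = _bytes_to_text(base64.b64decode(max(blobs, key=len), validate=True))
        except (binascii.Error, ValueError):
            break
        if decoded is None:
            break
        layers.append(decoded)
        text = decoded
    return layers


def recover_payload(lnk_bytes):
    """Shortcut -> -enc script -> inner base64 layer(s) -> final command text."""
    stage1 = decode_encoded_command(parse_lnk(lnk_bytes)["arguments"])
    layers = peel_base64(stage1)
    return layers[-1] if layers else stage1


def build_sample_lnk():
    """Constructed sample (not the resume.pdf.lnk from the image): a Unicode shell link
    whose arguments run a -enc script that unwraps a second, UTF-8 base64 layer."""
    inner = base64.b64encode(b"Write-Host 'HTB{constructed_sample_flag}'").decode()
    outer_cmd = ("$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s'));"
                 "Invoke-Expression $p" % inner)
    outer = base64.b64encode(outer_cmd.encode("utf-16-le")).decode()
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID

    def sd(s):  # StringData item: UTF-16LE character count, then the characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + id_list
            + sd(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + sd("-nop -w hidden -enc " + outer))
```

On the real dump you would call recover_payload on the bytes written by dumpfiles; peel_base64 on its own is also handy when the argument string is pulled straight out of a strings run over the image, since the null-byte heuristic picks UTF-16LE for the -enc layer without needing the flag.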
