Memory Forensics
1 - What the password?
you got a sample of rick’s PC’s memory. can you get his user password?
volatility -f OtterCTF.vmem imageinfo
Dump rick's password hash and try to crack it on cmd5; it does not crack.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump
518172d012f97d3a8fcc089615283940
Since the hash did not crack, use lsadump instead.
lsadump extracts the LSA secrets from the registry hives in memory; on this image they include the password in plaintext.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 lsadump
rick's password is: MortyIsReallyAnOtter
2 - General Info
Let’s start easy - whats the PC’s name and IP address?
hivelist lists the registry hives loaded in memory together with their virtual offsets.
The hostname of the imaged machine lives in the \REGISTRY\MACHINE\SYSTEM hive.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist
-o 0xfffff8a000024010 selects the hive by the virtual offset that hivelist printed (here the SYSTEM hive).
printkey prints the subkeys and values of a registry key; it is commonly used to list users and passwords and to find the last user who logged on to the system.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey
PC name : WIN-LO6FAF3DTFE
printkey -K 'ControlSet001\Control\ComputerName\ComputerName' prints the values under that key path inside the selected hive.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K 'ControlSet001\Control\ComputerName\ComputerName'
PC IP : 192.168.202.131
netscan lists network connections and listening sockets; since we want the host's own IP, look at the local address column, where most entries share one private-range address.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan
3 - Play Time
Rick just loves to play some good old videogames. can you tell which
game is he playing? whats the IP address of the server?
IP address of the server : 77.102.199.102
Game Name : LunarMS
volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan
4 - Name Game
We know that the account was logged in to a channel called Lunar-3. what is the account name?
Account Name : 0tt3r8r33z3
grep Lunar-3 -A 5 -B 5
grep searches for the string and prints the matching lines; -A N also prints the N lines after each match and -B N the N lines before it.
strings OtterCTF.vmem| grep Lunar-3 -A 5 -B 5
5 - Name Game 2
From a little research we found that the username of the logged on
character is always after this signature: 0x64 0x??{6-8} 0x40 0x06
0x??{18} 0x5a 0x0c 0x00{2} What’s rick’s character’s name?
First use memdump to dump the process memory: -p takes the process PID and -D the output directory (./ = current directory).
volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D ./
Then search the dump for the hex byte sequence given in the challenge to locate the character name:
hexdump -C 708.dmp| grep '5a 0c 00 00' -A 10 -B 10
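The hexdump | grep above only matches the fixed tail of the signature (5a 0c 00 00) and prints raw hex around it. As an added example (not from this writeup), the following Python turns the complete signature from the challenge text, including its variable-length wildcards, into a regex over bytes and reads the printable string that follows each hit. The SAMPLE_DUMP buffer and the name "ExampleChar" are constructed stand-ins for 708.dmp, not data from the image.

```python
import re
import sys

# The challenge's byte signature as a regex over bytes:
#   0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
# re.DOTALL is required so that '.' also matches 0x0a in binary data.
SIGNATURE = re.compile(rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00", re.DOTALL)


def find_names_after_signature(dump: bytes, max_len: int = 32):
    """Return (offset, name) for every signature hit in `dump`.

    The name is read as the run of printable ASCII that starts right after
    the signature and ends at the first NUL or non-printable byte.
    """
    hits = []
    for m in SIGNATURE.finditer(dump):
        start = m.end()
        end = start
        while end < len(dump) and end - start < max_len and 0x20 <= dump[end] < 0x7F:
            end += 1
        name = dump[start:end].decode("ascii")
        if name:
            hits.append((m.start(), name))
    return hits


# Constructed stand-in for 708.dmp: 16 bytes of filler, one genuine hit
# followed by the made-up name "ExampleChar", then a decoy that carries the
# trailing 5a 0c 00 00 but not the 40 06 marker. A plain grep for
# '5a 0c 00 00' reports both; the full signature matches only the first.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\x64" + b"\x11" * 7 + b"\x40\x06" + b"\x22" * 18 + b"\x5a\x0c\x00\x00"
    + b"ExampleChar\x00"
    + b"\x64" + b"\x33" * 7 + b"\x99\x99" + b"\x44" * 18 + b"\x5a\x0c\x00\x00"
    + b"NotAName\x00"
)

if __name__ == "__main__":
    # usage: python3 sigsearch.py 708.dmp   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for offset, name in find_names_after_signature(data):
        print(f"0x{offset:08x}  {name}")
```

Running it against a real memdump output means passing the .dmp path on the command line; on a large dump the regex scan is still a single pass over the file, and the max_len cap keeps a hit that lands in front of a long printable region from being reported as a huge "name".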
6 - Silly Rick
Silly rick always forgets his email’s password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick’s email password?
copy and paste the password
The description says he always pastes the password, so we look at the clipboard with the clipboard plugin.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
7 - Hide And Seek
The reason that we took rick’s PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)
In pstree we see that Rick And Morty has a child process called vmware-tray.exe. That name belongs to the tray program of VMware Workstation, and having it spawned by Rick And Morty is very abnormal, so we can guess this is the malware infection.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree
Also, when looking at dlllist for that process we see shell32.dll loaded; the real vmware-tray does not load this DLL when it runs.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720
8 - Path To Glory
How did the malware got to rick’s PC? It must be one of rick old illegal habits…
The question is how the malware got onto rick's PC. There are really only two ways: it was downloaded, or it came in on a USB stick.
Search the file scan for Rick And Morty: we find some exe files and some torrent files. The origin of the exe is hard to trace, so we analyse the torrent files.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep 'Rick And Morty'
In the second torrent file we find
website19:M3an_T0rren7_4_R!cke%
(a .torrent is bencoded: website is the key, 19: is the length prefix of the string value that follows, and the e after it closes the dictionary)
volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D ./
After some trying, the website the malware came from is: M3an_T0rren7_4_R!ck
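The `website19:M3an_T0rren7_4_R!cke%` fragment is easier to read once you decode the .torrent instead of eyeballing the bytes. As an added example (not part of this writeup), here is a minimal bencode decoder that carves the first torrent dictionary out of a dumped buffer, stops at the closing `e` so trailing slack like that `%` is ignored, and returns the top-level string fields. The tracker URL, file name and length in SAMPLE_TORRENT are made up; only the website value is the one the writeup found. The small bencode() encoder exists solely to build that sample with correct length prefixes.

```python
def bencode(obj) -> bytes:
    """Minimal bencode encoder, used only to build the constructed sample."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode_at(data: bytes, i: int = 0):
    """Decode one bencoded value starting at offset i; returns (value, end_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<values>e
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            item, i = bdecode_at(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                  # dictionary: d<key><value>...e
        i += 1
        out = {}
        while data[i:i + 1] != b"e":
            key, i = bdecode_at(data, i)
            val, i = bdecode_at(data, i)
            out[key] = val
        return out, i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated string at offset %d" % i)
        return data[start:start + length], start + length
    raise ValueError("not bencode at offset %d" % i)


def carve_torrent(buf: bytes):
    """Decode the first .torrent dictionary found in a carved buffer.

    Files recovered with dumpfiles often carry slack after the real content
    (the writeup saw a stray '%' after the closing 'e'); decoding stops at
    that 'e', so the slack is ignored. Returns (metainfo, raw_bytes) or None.
    """
    start = buf.find(b"d8:announce")
    if start < 0:
        return None
    meta, end = bdecode_at(buf, start)
    return meta, buf[start:end]


def torrent_text_fields(buf: bytes) -> dict:
    """Top-level string fields of the carved torrent, decoded as text."""
    carved = carve_torrent(buf)
    if carved is None:
        return {}
    meta, _ = carved
    return {k.decode("utf-8"): v.decode("utf-8", "replace")
            for k, v in meta.items() if isinstance(v, bytes)}


# Constructed sample torrent (tracker, file name and length are made up); the
# 'website' value is the one from the writeup. The appended bytes stand in
# for the slack that followed the real file in the dump.
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example.invalid/announce",
    "info": {"name": "Rick And Morty season 1 download.exe", "length": 1234},
    "website": "M3an_T0rren7_4_R!ck",
})
SAMPLE_DUMPFILE = SAMPLE_TORRENT + b"%\x00\x00\xff\xfe"

if __name__ == "__main__":
    print(SAMPLE_TORRENT[SAMPLE_TORRENT.find(b"7:website"):])
    print(torrent_text_fields(SAMPLE_DUMPFILE))
```

Because bencode dictionaries are serialised with sorted keys, website is the last key in the sample and its value is followed directly by the dictionary's closing e, which reproduces the exact `website19:M3an_T0rren7_4_R!cke` text that appeared in the dump. Pointing carve_torrent at the bytes of a real dumpfiles output works the same way, as long as the file starts with the usual announce key.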
9 - Path To Glory 2
Continue the search after the way that malware got in.
Dump chrome.exe's memory, then search it for the keyword Rick And Morty season 1 download.exe:
volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -n chrome.exe -D ./chrome
strings ./chrome/* | grep 'Rick And Morty season 1 download.exe' -C 10
The correct answer is Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in
No idea why Yaer is not counted as part of it.
10 - Bit 4 Bit
We’ve found out that the malware is a ransomware. Find the attacker’s
bitcoin address.
procdump exports the process in its original executable format; memdump exports the process memory as a .dmp file.
Load the exported file into IDA and look for the bitcoin address.
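Searching a dump for something that looks like a bitcoin address by eye produces plenty of base58-shaped noise. As an added example (not from this writeup), the scanner below applies the actual Base58Check rule, so only tokens whose 4-byte checksum verifies are reported. The SAMPLE_DUMP buffer is constructed: it uses the public address from Bitcoin's genesis block purely as a known-valid test vector, next to a one-character corruption of it and another base58-shaped string, neither of which checks out. It is not the address from the OtterCTF sample.

```python
import hashlib
import re

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape of a legacy Bitcoin address (P2PKH starts with '1', P2SH with '3'):
# 25..34 base58 characters that are not glued to other base58 characters.
CANDIDATE = re.compile(rb"(?<![1-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![1-9A-Za-z])")


def b58decode(s: bytes) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)      # ValueError on a non-base58 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip(b"1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_ones + body


def is_valid_legacy_address(s: bytes) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte checksum = 25 bytes,
    where the checksum is the first 4 bytes of SHA256(SHA256(version + hash))."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def scan_for_addresses(data: bytes):
    """Return (offset, address) for every base58-shaped token whose checksum verifies."""
    return [(m.start(), m.group().decode("ascii"))
            for m in CANDIDATE.finditer(data)
            if is_valid_legacy_address(m.group())]


# Constructed stand-in for a process dump. GENESIS_ADDRESS is the well-known
# public address from Bitcoin's genesis block, used only as a known-good
# vector; the two decoys have the right shape but fail the checksum.
GENESIS_ADDRESS = b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_DUMP = (
    b"\x00\x00Send payment to: " + GENESIS_ADDRESS + b"\x00 within 48 hours\x00"
    + b"build id 1ABCDEFGHJKLMNPQRSTUVWXYZabcdef\x00"
    + b"note " + GENESIS_ADDRESS[:-1] + b"b" + b"\x00"
)

if __name__ == "__main__":
    for offset, address in scan_for_addresses(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {address}")
```

Running this over the procdump or memdump output (read the file as bytes and pass it to scan_for_addresses) gives a short list to cross-check against what IDA shows in the malware's strings; newer bech32 (bc1...) addresses use a different encoding and would need a separate check.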
11 - Graphic’s For The Weak
There’s something fishy in the malware’s graphics.
Export the malware with procdump, then run foremost on it, which carves out a png.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./
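foremost carves files by signature. As an added example (not part of this writeup or of foremost), the following Python does the same for PNG specifically: it finds the 8-byte PNG magic, then walks the chunk chain, verifying each chunk's CRC, until it reaches IEND, so that a partial or overwritten image is not reported as a clean file. The PNG it operates on is a constructed 1x1 image built in make_tiny_png(), not the one carved from the OtterCTF malware.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG used as sample input (not from the dump)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, depth 8, greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte 0 + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def carve_pngs(data: bytes, max_chunk: int = 1 << 24):
    """Return (offset, png_bytes) for every PNG whose chunk chain walks cleanly to IEND.

    A candidate is dropped if a chunk runs past the end of the buffer, claims an
    absurd length, fails its CRC, or never reaches IEND (truncated image).
    """
    found = []
    pos = data.find(PNG_MAGIC)
    while pos >= 0:
        i = pos + len(PNG_MAGIC)
        complete = False
        while i + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[i:i + 8])
            if length > max_chunk or i + 12 + length > len(data):
                break
            body = data[i + 8:i + 8 + length]
            crc = struct.unpack(">I", data[i + 8 + length:i + 12 + length])[0]
            if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
                break                       # corrupt or overwritten chunk
            i += 12 + length
            if ctype == b"IEND":
                complete = True
                break
        if complete:
            found.append((pos, data[pos:i]))
        pos = data.find(PNG_MAGIC, pos + 1)
    return found


# Constructed stand-in for a process image: filler, the tiny PNG, more filler,
# then a second PNG magic with only part of its IHDR header (truncated file).
TINY_PNG = make_tiny_png()
SAMPLE_IMAGE = b"slack" * 7 + TINY_PNG + b"\xff" * 9 + PNG_MAGIC + b"\x00\x00\x00\x0dIH"

if __name__ == "__main__":
    for offset, png in carve_pngs(SAMPLE_IMAGE):
        name = f"carved_{offset:08x}.png"
        with open(name, "wb") as fh:
            fh.write(png)
        print(f"0x{offset:08x}  {len(png)} bytes -> {name}")
```

To use it on the procdump output, read executable.3720.exe as bytes and pass it to carve_pngs; the CRC walk is what separates a real embedded image from a stray PNG header left in memory.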
12 - Recovery
Rick got to have his files recovered! What is the random password used
to encrypt the files?
Looking at the malware in IDA, in sendpassword we see C