Halo, Habr!
OtterCTF baru-baru ini berakhir (bagi mereka yang tertarik - tautan ke ctftime), yang tahun ini, sebagai orang yang cukup terhubung dengan besi, terus terang membuat saya senang - ada kategori terpisah dari Forensik Memori, yang, pada dasarnya, merupakan analisis dump RAM. Dialah yang ingin saya lihat di posting ini, untuk semua yang tertarik - selamat datang di kucing.
Pendahuluan
Mungkin, sudah ada artikel tentang Habré yang menggambarkan pekerjaan dengan Volatilitas, tetapi, sayangnya, saya tidak menemukannya. Jika Anda salah - berikan saya tautan di komentar. Artikel ini memiliki dua tujuan - untuk menunjukkan betapa tidak bergunanya semua upaya administrator untuk melindungi sistem jika penyerang memiliki dump RAM dan memperkenalkan pembaca dengan alat yang paling indah, menurut saya,. Baik dan, tentu saja, bertukar pengalaman. Cukup air, ayo kita mulai!
Mengenal alat ini
Volatilitas adalah kerangka kerja open-sorce yang dikembangkan oleh masyarakat. Ini ditulis pada python kedua dan bekerja dengan arsitektur modular - ada yang disebut. plugin yang dapat dihubungkan untuk analisis dan Anda bahkan dapat menulis sendiri yang hilang. Daftar lengkap plugin yang tersedia di luar kotak dapat dilihat menggunakan volatility -h .
Karena python, alat ini adalah cross-platform, jadi seharusnya tidak ada masalah dengan berjalan di bawah beberapa OS yang populer di mana ada python. Kerangka kerja ini mendukung sejumlah besar profil (dalam pemahaman Volatilitas - sistem dari mana dump diambil): dari Windows-Linux-MacO yang populer hingga "langsung" penghapusan dd-dump dan dump dari mesin virtual (baik QEMU dan VirtualBox). Menurut saya, set yang sangat bagus.
Kekuatan alat ini benar-benar luar biasa - saya menemukannya pada saat debugging kernel saya untuk ARM dan secara sempurna menganalisis apa yang saya berikan ke input
Sebagai bonus - dukungan untuk hampir semua ruang alamat yang dapat Anda bayangkan.
Tampaknya PR ternyata sedikit lebih dari yang semula direncanakan. Mari kita coba lakukan analisis sendiri.
Bagi mereka yang ingin melakukan semua manipulasi di seluruh artikel - tautan ke Mega dengan gambar atau dapat dilakukan menggunakan wget:
wget https://transfer.sh/AesNq/OtterCTF.7z
Jadi, gambar ada di tangan kita, kita bisa memulai analisis. Untuk memulai, Anda perlu memahami sistem mana yang membuang dump. Untuk ini, volatilitas memiliki plugin imageinfo sangat baik. Lari saja
$ volatility -f %_% imageinfo
Dalam kasus kami, knalpot akan kira-kira sebagai berikut:
Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (%%/%_%) PAE type : No PAE DTB : 0x187000L KDBG : 0xf80002c430a0L Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80002c44d00L KPCR for CPU 1 : 0xfffff880009ef000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2018-08-04 19:34:22 UTC+0000 Image local date and time : 2018-08-04 22:34:22 +0300
Jadi, kami mendapat informasi yang hampir lengkap tentang dump kami - mungkin OS itu dibuat (berdasarkan urutan probabilitas), tanggal dan waktu setempat pada saat dump diambil, menangani dan banyak lagi. Jadi, kami menyadari bahwa ini adalah dump Windows 7 Paket Layanan 1 x64. Anda bisa menggali lebih dalam!
Apa kata sandinya
Karena ini adalah semacam raiting, saya akan memberikan pernyataan masalah dan kemudian menjelaskan bagaimana menyelesaikannya dengan bantuan volatilitas.
Tugas pertama adalah mendapatkan kata sandi pengguna
Untuk memulainya, kita akan memahami apa yang ada di sistem dan, pada saat yang sama, mencoba untuk mendapatkan kata sandi mereka. Lebih sulit untuk mendapatkan kata sandinya sendiri, dan oleh karena itu kami berharap kami tidak mendapatkan orang yang sangat pintar dan akan mungkin untuk membuka hash dari kata sandinya. Masih harus mendapatkannya! Untuk melakukan ini, cobalah untuk melihat _CMHIVE - sebagai aturan, Anda selalu dapat menemukan sesuatu yang menarik di sana saat Windows bekerja. Untuk melakukan ini, cukup tancapkan plugin hivelist , sambil menentukan Win7 di profil:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist Volatility Foundation Volatility Framework 2.6 Virtual Physical Name ------------------ ------------------ ---- 0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve 0xfffff8a00000f010 0x000000002d4c1010 [no name] 0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM 0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE 0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY 0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD 0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE 0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT 0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM 0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat 0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat
Hebat! Kami seharusnya mendapatkan nama pengguna dan, pada saat yang sama, memastikan bahwa SISTEM dan SAM yang kami butuhkan sudah dimuat ke dalam memori. Sekarang ambil hash dan lanjutkan memilah-milah:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0016d4010 Volatility Foundation Volatility Framework 2.6 Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
Akibatnya, kami memiliki tiga pengguna - Administrator(31d6cfe0d16ae931b73c59d7e0c089c0) , Guest(31d6cfe0d16ae931b73c59d7e0c089c0) dan Rick(518172d012f97d3a8fcc089615283940) kami Rick(518172d012f97d3a8fcc089615283940) . Hash dari Windows 7 adalah NTLM dan mengulanginya untuk waktu yang sangat lama. Saya dapat mengatakan bahwa saya telah melakukan ini selama hampir satu hari di kartu video game dan belum melakukan apa pun. Karena itu, Anda dapat pergi dengan cara yang lebih sederhana dan mencoba menerobos dengan mimikatz . Itu tidak selalu merupakan obat mujarab dan tidak selalu berhasil, tetapi, jika berhasil, itu selalu memberikan hasil. Di sinilah fleksibilitas sangat volatilitas - ada plugin mimikatz kustom. Unduh ke folder yang nyaman dan kemudian pada saat startup tentukan path ke folder ini:
$ volatility --plugins=%____% -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Dan segera dapatkan kata sandi pengguna:
Volatility Foundation Volatility Framework 2.6 Module User Domain Password -------- ---------------- ---------------- ---------------------------------------- wdigest Rick WIN-LO6FAF3DTFE MortyIsReallyAnOtter wdigest WIN-LO6FAF3DTFE$ WORKGROUP
Info umum
Tugasnya adalah mendapatkan alamat IP dan nama komputer
Sekarang kita tahu siapa kita, kita perlu memahami di mana kita berada. Artinya, alangkah baiknya mengetahui alamat IP dan nama mesin kami. Dalam hal alamat IP, semuanya sederhana - kita melihat daftar koneksi pada saat dump menggunakan netscan :
Daftar $ volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan Volatility Foundation Volatility Framework 2.6 Offset(P) Proto Local Address Foreign Address State Pid Owner Created 0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000 0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000 0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000 0x7d62f920 UDPv4 192.168.202.131:62306 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000 0x7d6424c0 UDPv4 0.0.0.0:50762 *:* 4076 chrome.exe 2018-08-04 19:33:37 UTC+0000 0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7d6e3230 UDPv4 127.0.0.1:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000 0x7d6ed650 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d71c8a0 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d74a390 UDPv4 127.0.0.1:52847 *:* 2624 bittorrentie.e 2018-08-04 19:27:24 UTC+0000 0x7d7602c0 UDPv4 127.0.0.1:52846 *:* 2308 bittorrentie.e 2018-08-04 19:27:24 UTC+0000 0x7d787010 UDPv4 0.0.0.0:65452 *:* 4076 chrome.exe 2018-08-04 19:33:42 UTC+0000 0x7d789b50 UDPv4 0.0.0.0:50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d789b50 UDPv6 :::50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d92a230 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d92a230 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d9e8b50 UDPv4 0.0.0.0:20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000 0x7d9f4560 UDPv4 0.0.0.0:0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000 0x7d9f8cb0 UDPv4 0.0.0.0:20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000 0x7d9f8cb0 UDPv6 :::20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000 0x7d8bb390 TCPv4 0.0.0.0:9008 0.0.0.0:0 LISTENING 4 System 0x7d8bb390 TCPv6 :::9008 :::0 LISTENING 4 System 0x7d9a9240 TCPv4 0.0.0.0:8733 0.0.0.0:0 LISTENING 4 System 0x7d9a9240 TCPv6 :::8733 :::0 LISTENING 4 System 0x7d9e19e0 TCPv4 0.0.0.0:20830 0.0.0.0:0 LISTENING 2836 BitTorrent.exe 0x7d9e19e0 TCPv6 :::20830 :::0 LISTENING 2836 BitTorrent.exe 0x7d9e1c90 TCPv4 0.0.0.0:20830 0.0.0.0:0 LISTENING 2836 BitTorrent.exe 0x7d42ba90 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe 0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe 0x7d62d690 TCPv4 192.168.202.131:49229 169.1.143.215:8999 CLOSED 2836 BitTorrent.exe 0x7d634350 TCPv6 -:0 38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED 2836 BitTorrent.exe 0x7d6f27f0 TCPv4 192.168.202.131:50381 71.198.155.180:34674 CLOSED 2836 BitTorrent.exe 0x7d704010 TCPv4 192.168.202.131:50382 92.251.23.204:6881 CLOSED 2836 BitTorrent.exe 0x7d708cf0 TCPv4 192.168.202.131:50364 91.140.89.116:31847 CLOSED 2836 BitTorrent.exe 0x7d729620 TCPv4 -:50034 142.129.37.27:24578 CLOSED 2836 BitTorrent.exe 0x7d72cbe0 TCPv4 192.168.202.131:50340 23.37.43.27:80 CLOSED 3496 Lavasoft.WCAss 0x7d7365a0 TCPv4 192.168.202.131:50358 23.37.43.27:80 CLOSED 3856 WebCompanion.e 0x7d81c890 TCPv4 192.168.202.131:50335 185.154.111.20:60405 CLOSED 2836 BitTorrent.exe 0x7d8fd530 TCPv4 192.168.202.131:50327 23.37.43.27:80 CLOSED 3496 Lavasoft.WCAss 0x7d9cecf0 TCPv4 192.168.202.131:50373 173.239.232.46:2997 CLOSED 2836 BitTorrent.exe 0x7d9d7cf0 TCPv4 192.168.202.131:50371 191.253.122.149:59163 CLOSED 2836 BitTorrent.exe 0x7daefec0 UDPv4 0.0.0.0:0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000 0x7daefec0 UDPv6 :::0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000 0x7db83b90 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:30 UTC+0000 0x7db83b90 UDPv6 :::0 *:* 3880 WebCompanionIn 2018-08-04 19:33:30 UTC+0000 0x7db9cdd0 UDPv4 0.0.0.0:0 *:* 2844 WebCompanion.e 2018-08-04 19:30:05 UTC+0000 0x7db9cdd0 UDPv6 :::0 *:* 2844 WebCompanion.e 2018-08-04 19:30:05 UTC+0000 0x7dc2dc30 UDPv4 0.0.0.0:50879 *:* 4076 chrome.exe 2018-08-04 19:30:41 UTC+0000 0x7dc2dc30 UDPv6 :::50879 *:* 4076 chrome.exe 2018-08-04 19:30:41 UTC+0000 0x7dc83810 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dc83810 UDPv6 :::5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dd82c30 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:26:38 UTC+0000 0x7df00980 UDPv4 0.0.0.0:0 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7df00980 UDPv6 :::0 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7df04cc0 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:26:38 UTC+0000 0x7df04cc0 UDPv6 :::5355 *:* 620 svchost.exe 2018-08-04 19:26:38 UTC+0000 0x7df5f010 UDPv4 0.0.0.0:55175 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dfab010 UDPv4 0.0.0.0:58383 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dfab010 UDPv6 :::58383 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7e12c1c0 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:27 UTC+0000 0x7e163a40 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:27 UTC+0000 0x7e163a40 UDPv6 :::0 *:* 3880 WebCompanionIn 2018-08-04 19:33:27 UTC+0000 0x7e1cf010 UDPv4 192.168.202.131:137 *:* 4 System 2018-08-04 19:26:35 UTC+0000 0x7e1da010 UDPv4 192.168.202.131:138 *:* 4 System 2018-08-04 19:26:35 UTC+0000 0x7dc4ad30 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 500 lsass.exe 0x7dc4ad30 TCPv6 :::49155 :::0 LISTENING 500 lsass.exe 0x7dc4b370 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 500 lsass.exe 0x7dd71010 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System 0x7dd71010 TCPv6 :::445 :::0 LISTENING 4 System 0x7ddca6b0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe 0x7ddcbc00 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe 0x7ddcbc00 TCPv6 :::49156 :::0 LISTENING 492 services.exe 0x7de09c30 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe 0x7de09c30 TCPv6 :::49152 :::0 LISTENING 396 wininit.exe 0x7de0d7b0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe 0x7de424e0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 808 svchost.exe 0x7de45ef0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 808 svchost.exe 0x7de45ef0 TCPv6 :::49153 :::0 LISTENING 808 svchost.exe 0x7df3d270 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 868 svchost.exe 0x7df3eef0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 868 svchost.exe 0x7df3eef0 TCPv6 :::49154 :::0 LISTENING 868 svchost.exe 0x7e1f6010 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 712 svchost.exe 0x7e1f6010 TCPv6 :::135 :::0 LISTENING 712 svchost.exe 0x7e1f8ef0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 712 svchost.exe 0x7db000a0 TCPv4 -:50091 93.142.197.107:32645 CLOSED 2836 BitTorrent.exe 0x7db132e0 TCPv4 192.168.202.131:50280 72.55.154.81:80 CLOSED 3880 WebCompanionIn 0x7dbc3010 TCPv6 -:0 4847:d418:80fa:ffff:4847:d418:80fa:ffff:0 CLOSED 4076 chrome.exe 0x7dc4bcf0 TCPv4 -:0 104.240.179.26:0 CLOSED 3 ?4???? 0x7dc83080 TCPv4 192.168.202.131:50377 179.108.238.10:19761 CLOSED 2836 BitTorrent.exe 0x7dd451f0 TCPv4 192.168.202.131:50321 45.27.208.145:51414 CLOSED 2836 BitTorrent.exe 0x7ddae890 TCPv4 -:50299 212.92.105.227:8999 CLOSED 2836 BitTorrent.exe 0x7ddff010 TCPv4 192.168.202.131:50379 23.37.43.27:80 CLOSED 3856 WebCompanion.e 0x7e0057d0 TCPv4 192.168.202.131:50353 85.242.139.158:51413 CLOSED 2836 BitTorrent.exe 0x7e0114b0 TCPv4 192.168.202.131:50339 77.65.111.216:8306 CLOSED 2836 BitTorrent.exe 0x7e042cf0 TCPv4 192.168.202.131:50372 83.44.27.35:52103 CLOSED 2836 BitTorrent.exe 0x7e08a010 TCPv4 192.168.202.131:50374 89.46.49.163:20133 CLOSED 2836 BitTorrent.exe 0x7e092010 TCPv4 192.168.202.131:50378 120.29.114.41:13155 CLOSED 2836 BitTorrent.exe 0x7e094b90 TCPv4 192.168.202.131:50365 52.91.1.182:55125 CLOSED 2836 BitTorrent.exe 0x7e09ba90 TCPv6 -:0 68f0:181b:80fa:ffff:68f0:181b:80fa:ffff:0 CLOSED 2836 BitTorrent.exe 0x7e0a8b90 TCPv4 192.168.202.131:50341 72.55.154.81:80 CLOSED 3880 WebCompanionIn 0x7e0d6180 TCPv4 192.168.202.131:50349 196.250.217.22:32815 CLOSED 2836 BitTorrent.exe 0x7e108100 TCPv4 192.168.202.131:50360 174.0.234.77:31240 CLOSED 2836 BitTorrent.exe 0x7e124910 TCPv4 192.168.202.131:50366 89.78.106.196:51413 CLOSED 2836 BitTorrent.exe 0x7e14dcf0 TCPv4 192.168.202.131:50363 122.62.218.159:11627 CLOSED 2836 BitTorrent.exe 0x7e18bcf0 TCPv4 192.168.202.131:50333 191.177.124.34:21011 CLOSED 2836 BitTorrent.exe 0x7e1f7ab0 TCPv4 -:0 56.187.190.26:0 CLOSED 3 ?4???? 0x7e48d9c0 UDPv6 fe80::b06b:a531:ec88:457f:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7e4ad870 UDPv4 127.0.0.1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7e511bb0 UDPv4 0.0.0.0:60005 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7e5dc3b0 UDPv6 fe80::b06b:a531:ec88:457f:546 *:* 808 svchost.exe 2018-08-04 19:33:28 UTC+0000 0x7e7469c0 UDPv4 0.0.0.0:50878 *:* 4076 chrome.exe 2018-08-04 19:30:39 UTC+0000 0x7e7469c0 UDPv6 :::50878 *:* 4076 chrome.exe 2018-08-04 19:30:39 UTC+0000 0x7e77cb00 UDPv4 0.0.0.0:50748 *:* 4076 chrome.exe 2018-08-04 19:30:07 UTC+0000 0x7e77cb00 UDPv6 :::50748 *:* 4076 chrome.exe 2018-08-04 19:30:07 UTC+0000 0x7e79f3f0 UDPv4 0.0.0.0:5353 *:* 4076 chrome.exe 2018-08-04 19:29:35 UTC+0000 0x7e7a0ec0 UDPv4 0.0.0.0:5353 *:* 4076 chrome.exe 2018-08-04 19:29:35 UTC+0000 0x7e7a0ec0 UDPv6 :::5353 *:* 4076 chrome.exe 2018-08-04 19:29:35 UTC+0000 0x7e7a3960 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:30 UTC+0000 0x7e7dd010 UDPv6 ::1:58340 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7e413a40 TCPv4 -:0 -:0 CLOSED 708 LunarMS.exe 0x7e415010 TCPv4 192.168.202.131:50346 89.64.10.176:10589 CLOSED 2836 BitTorrent.exe 0x7e4202d0 TCPv4 192.168.202.131:50217 104.18.21.226:80 CLOSED 3880 WebCompanionIn 0x7e45f110 TCPv4 192.168.202.131:50211 104.18.20.226:80 CLOSED 3880 WebCompanionIn 0x7e4cc910 TCPv4 192.168.202.131:50228 104.18.20.226:80 CLOSED 3880 WebCompanionIn 0x7e512950 TCPv4 192.168.202.131:50345 77.126.30.221:13905 CLOSED 2836 BitTorrent.exe 0x7e521b50 TCPv4 -:0 -:0 CLOSED 708 LunarMS.exe 0x7e5228d0 TCPv4 192.168.202.131:50075 70.65.116.120:52700 CLOSED 2836 BitTorrent.exe 0x7e52f010 TCPv4 192.168.202.131:50343 86.121.4.189:46392 CLOSED 2836 BitTorrent.exe 0x7e563860 TCPv4 192.168.202.131:50170 103.232.25.44:25384 CLOSED 2836 BitTorrent.exe 0x7e572cf0 TCPv4 192.168.202.131:50125 122.62.218.159:11627 CLOSED 2836 BitTorrent.exe 0x7e5d6cf0 TCPv4 192.168.202.131:50324 54.197.8.177:49420 CLOSED 2836 BitTorrent.exe 0x7e71b010 TCPv4 192.168.202.131:50344 70.27.98.75:6881 CLOSED 2836 BitTorrent.exe 0x7e71d010 TCPv4 192.168.202.131:50351 99.251.199.160:1045 CLOSED 2836 BitTorrent.exe 0x7e74b010 TCPv4 192.168.202.131:50385 209.236.6.89:56500 CLOSED 2836 BitTorrent.exe 0x7e78b7f0 TCPv4 192.168.202.131:50238 72.55.154.82:80 CLOSED 3880 WebCompanionIn 0x7e7ae380 TCPv4 192.168.202.131:50361 5.34.21.181:8999 CLOSED 2836 BitTorrent.exe 0x7e7b0380 TCPv6 -:0 4847:d418:80fa:ffff:4847:d418:80fa:ffff:0 CLOSED 2836 BitTorrent.exe 0x7e7b9010 TCPv4 192.168.202.131:50334 188.129.94.129:25128 CLOSED 2836 BitTorrent.exe 0x7e94b010 TCPv4 192.168.202.131:50356 77.126.30.221:13905 CLOSED 2836 BitTorrent.exe 0x7e9ad840 TCPv4 192.168.202.131:50380 84.52.144.29:56299 CLOSED 2836 BitTorrent.exe 0x7e9bacf0 TCPv4 192.168.202.131:50350 77.253.242.0:5000 CLOSED 2836 BitTorrent.exe 0x7eaac5e0 TCPv4 192.168.202.131:50387 93.184.220.29:80 CLOSED 3856 WebCompanion.e 0x7eab4cf0 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe 0x7fb9cec0 UDPv4 192.168.202.131:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7fb9d430 UDPv4 127.0.0.1:58341 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+000
IP 192.168.202.131 ditemukan. Tentu saja, ini adalah IP pada jaringan lokal, tetapi, sayangnya, Anda tidak akan bisa keluar dari dump lagi - untuk mendapatkan IP eksternal Anda membutuhkan lebih dari sekadar dump. Sekarang dapatkan nama komputernya. Untuk melakukan ini, cukup baca cabang registri SISTEM:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName' Volatility Foundation Volatility Framework 2.6 Legend: (S) = Stable (V) = Volatile ---------------------------- Registry: \REGISTRY\MACHINE\SYSTEM Key name: ComputerName (S) Last updated: 2018-06-02 19:23:00 UTC+0000 Subkeys: Values: REG_SZ : (S) mnmsrvc REG_SZ ComputerName : (S) WIN-LO6FAF3DTFE
Super, kami mendapat nama komputer WIN-LO6FAF3DTFE .
Waktu bermain
Pengguna suka memainkan video game lama. Temukan nama permainan favoritnya dan alamat IP servernya
Lihat saja knalpot netscan pada langkah sebelumnya dan lihat LunarMS.exe aneh - LunarMS.exe . Google benar-benar permainan video. Di sana Anda juga dapat menemukan alamat IP yang digunakan untuk membuka koneksi - 77.102.199.102
Game nama
Kami tahu bahwa pengguna masuk ke saluran Lunar-3. Tapi apa nama akunnya?
Karena pengguna masuk ke saluran ini, namanya harus berupa teks biasa di dump. Kami membuat strings dan mendapatkan bendera:
$ strings OtterCTF.vmem | grep Lunar-3 -A 2 -B 3 disabled mouseOver keyFocused Lunar-3 0tt3r8r33z3 Sound/UI.img/ -- c+Yt tb+Y4c+Y b+YLc+Y Lunar-3 Lunar-4 L(dNVxdNV
Dari semua lini, flag 0tt3r8r33z3 paling menyerupai. Kami mencoba dan sungguh - ini dia!
Rick konyol
Pengguna kami selalu lupa kata sandinya, jadi ia menggunakan pengelola kata sandi dan cukup menyalin kata sandi yang ia butuhkan saat ia perlu masuk. Mungkin Anda bisa menemukan sesuatu?
Menilai dari kata-katanya, Anda hanya perlu mendapatkan isi dari clipboard. Volatilitas punya jawaban untuk ini - plugin clipboard . Periksa dan lihat kata sandi:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard Volatility Foundation Volatility Framework 2.6 Session WindowStation Format Handle Object Data ---------- ------------- ------------------ ------------------ ------------------ -------------------------------------------------- 1 WinSta0 CF_UNICODETEXT 0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs 1 WinSta0 CF_TEXT 0x10 ------------------ 1 WinSta0 0x150133L 0x200000000000 ------------------ 1 WinSta0 CF_TEXT 0x1 ------------------ 1 ------------- ------------------ 0x150133 0xfffff900c1c1adc0
Sembunyikan dan cari
Penyebab rem komputer adalah virus yang telah lama duduk di sistem. Mungkin Anda bisa menemukannya? Hati-hati, Anda hanya memiliki tiga upaya untuk melewati bendera ini!
Nah, jika kita memiliki tiga upaya, maka kita akan berhati-hati, seperti yang kita sarankan =)
Pertama, dapatkan daftar semua proses menggunakan pslist :
Daftar $ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pslist Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa8018d44740 System 4 0 95 411 ------ 0 2018-08-04 19:26:03 UTC+0000 0xfffffa801947e4d0 smss.exe 260 4 2 30 ------ 0 2018-08-04 19:26:03 UTC+0000 0xfffffa801a0c8380 csrss.exe 348 336 9 563 0 0 2018-08-04 19:26:10 UTC+0000 0xfffffa80198d3b30 csrss.exe 388 380 11 460 1 0 2018-08-04 19:26:11 UTC+0000 0xfffffa801a2ed060 wininit.exe 396 336 3 78 0 0 2018-08-04 19:26:11 UTC+0000 0xfffffa801aaf4060 winlogon.exe 432 380 3 113 1 0 2018-08-04 19:26:11 UTC+0000 0xfffffa801ab377c0 services.exe 492 396 11 242 0 0 2018-08-04 19:26:12 UTC+0000 0xfffffa801ab3f060 lsass.exe 500 396 7 610 0 0 2018-08-04 19:26:12 UTC+0000 0xfffffa801ab461a0 lsm.exe 508 396 10 148 0 0 2018-08-04 19:26:12 UTC+0000 0xfffffa8018e3c890 svchost.exe 604 492 11 376 0 0 2018-08-04 19:26:16 UTC+0000 0xfffffa801abbdb30 vmacthlp.exe 668 492 3 56 0 0 2018-08-04 19:26:16 UTC+0000 0xfffffa801abebb30 svchost.exe 712 492 8 301 0 0 2018-08-04 19:26:17 UTC+0000 0xfffffa801ac2e9e0 svchost.exe 808 492 22 508 0 0 2018-08-04 19:26:18 UTC+0000 0xfffffa801ac31b30 svchost.exe 844 492 17 396 0 0 2018-08-04 19:26:18 UTC+0000 0xfffffa801ac4db30 svchost.exe 868 492 45 1114 0 0 2018-08-04 19:26:18 UTC+0000 0xfffffa801ac753a0 audiodg.exe 960 808 7 151 0 0 2018-08-04 19:26:19 UTC+0000 0xfffffa801ac97060 svchost.exe 1012 492 12 554 0 0 2018-08-04 19:26:20 UTC+0000 0xfffffa801acd37e0 svchost.exe 620 492 19 415 0 0 2018-08-04 19:26:21 UTC+0000 0xfffffa801ad5ab30 spoolsv.exe 1120 492 14 346 0 0 2018-08-04 19:26:22 UTC+0000 0xfffffa801ad718a0 svchost.exe 1164 492 18 312 0 0 2018-08-04 19:26:23 UTC+0000 0xfffffa801ae0f630 VGAuthService. 1356 492 3 85 0 0 2018-08-04 19:26:25 UTC+0000 0xfffffa801ae92920 vmtoolsd.exe 1428 492 9 313 0 0 2018-08-04 19:26:27 UTC+0000 0xfffffa8019124b30 WmiPrvSE.exe 1800 604 9 222 0 0 2018-08-04 19:26:39 UTC+0000 0xfffffa801afe7800 svchost.exe 1948 492 6 96 0 0 2018-08-04 19:26:42 UTC+0000 0xfffffa801ae7f630 dllhost.exe 1324 492 15 207 0 0 2018-08-04 19:26:42 UTC+0000 0xfffffa801aff3b30 msdtc.exe 1436 492 14 155 0 0 2018-08-04 19:26:43 UTC+0000 0xfffffa801b112060 WmiPrvSE.exe 2136 604 12 324 0 0 2018-08-04 19:26:51 UTC+0000 0xfffffa801b1e9b30 taskhost.exe 2344 492 8 193 1 0 2018-08-04 19:26:57 UTC+0000 0xfffffa801b232060 sppsvc.exe 2500 492 4 149 0 0 2018-08-04 19:26:58 UTC+0000 0xfffffa801b1fab30 dwm.exe 2704 844 4 97 1 0 2018-08-04 19:27:04 UTC+0000 0xfffffa801b27e060 explorer.exe 2728 2696 33 854 1 0 2018-08-04 19:27:04 UTC+0000 0xfffffa801b1cdb30 vmtoolsd.exe 2804 2728 6 190 1 0 2018-08-04 19:27:06 UTC+0000 0xfffffa801b290b30 BitTorrent.exe 2836 2728 24 471 1 1 2018-08-04 19:27:07 UTC+0000 0xfffffa801b2f02e0 WebCompanion.e 2844 2728 0 -------- 1 0 2018-08-04 19:27:07 UTC+0000 2018-08-04 19:33:33 UTC+0000 0xfffffa801b3aab30 SearchIndexer. 3064 492 11 610 0 0 2018-08-04 19:27:14 UTC+0000 0xfffffa801b4a7b30 bittorrentie.e 2308 2836 15 337 1 1 2018-08-04 19:27:19 UTC+0000 0xfffffa801b4c9b30 bittorrentie.e 2624 2836 13 316 1 1 2018-08-04 19:27:21 UTC+0000 0xfffffa801b5cb740 LunarMS.exe 708 2728 18 346 1 1 2018-08-04 19:27:39 UTC+0000 0xfffffa801988c2d0 PresentationFo 724 492 6 148 0 0 2018-08-04 19:27:52 UTC+0000 0xfffffa801b603610 mscorsvw.exe 412 492 7 86 0 1 2018-08-04 19:28:42 UTC+0000 0xfffffa801a6af9f0 svchost.exe 164 492 12 147 0 0 2018-08-04 19:28:42 UTC+0000 0xfffffa801a6c2700 mscorsvw.exe 3124 492 7 77 0 0 2018-08-04 19:28:43 UTC+0000 0xfffffa801a6e4b30 svchost.exe 3196 492 14 352 0 0 2018-08-04 19:28:44 UTC+0000 0xfffffa801a4e3870 chrome.exe 4076 2728 44 1160 1 0 2018-08-04 19:29:30 UTC+0000 0xfffffa801a4eab30 chrome.exe 4084 4076 8 86 1 0 2018-08-04 19:29:30 UTC+0000 0xfffffa801a502b30 chrome.exe 576 4076 2 58 1 0 2018-08-04 19:29:31 UTC+0000 0xfffffa801a4f7b30 chrome.exe 1808 4076 13 229 1 0 2018-08-04 19:29:32 UTC+0000 0xfffffa801aa00a90 chrome.exe 3924 4076 16 228 1 0 2018-08-04 19:29:51 UTC+0000 0xfffffa801a7f98f0 chrome.exe 2748 4076 15 181 1 0 2018-08-04 19:31:15 UTC+0000 0xfffffa801b486b30 Rick And Morty 3820 2728 4 185 1 1 2018-08-04 19:32:55 UTC+0000 0xfffffa801a4c5b30 vmware-tray.ex 3720 3820 8 147 1 1 2018-08-04 19:33:02 UTC+0000 0xfffffa801b18f060 WebCompanionIn 3880 1484 15 522 0 1 2018-08-04 19:33:07 UTC+0000 0xfffffa801a635240 chrome.exe 3648 4076 16 207 1 0 2018-08-04 19:33:38 UTC+0000 0xfffffa801a5ef1f0 chrome.exe 1796 4076 15 170 1 0 2018-08-04 19:33:41 UTC+0000 0xfffffa801b08f060 sc.exe 3208 3880 0 -------- 0 0 2018-08-04 19:33:47 UTC+0000 2018-08-04 19:33:48 UTC+0000 0xfffffa801aeb6890 sc.exe 452 3880 0 -------- 0 0 2018-08-04 19:33:48 UTC+0000 2018-08-04 19:33:48 UTC+0000 0xfffffa801aa72b30 sc.exe 3504 3880 0 -------- 0 0 2018-08-04 19:33:48 UTC+0000 2018-08-04 19:33:48 UTC+0000 0xfffffa801ac01060 sc.exe 2028 3880 0 -------- 0 0 2018-08-04 19:33:49 UTC+0000 2018-08-04 19:34:03 UTC+0000 0xfffffa801aad1060 Lavasoft.WCAss 3496 492 14 473 0 0 2018-08-04 19:33:49 UTC+0000 0xfffffa801a6268b0 WebCompanion.e 3856 3880 15 386 0 1 2018-08-04 19:34:05 UTC+0000 0xfffffa801b1fd960 notepad.exe 3304 3132 2 79 1 0 2018-08-04 19:34:10 UTC+0000 0xfffffa801a572b30 cmd.exe 3916 1428 0 -------- 0 0 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000 0xfffffa801a6643d0 conhost.exe 2420 348 0 30 0 0 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000
Hmm. Entah bagaimana itu tidak mudah dianalisis. Kami memiliki plugin lain - pstree , yang menampilkan proses dalam bentuk pohon (yang, secara umum, logis):
Daftar $ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0xfffffa801b27e060:explorer.exe 2728 2696 33 854 2018-08-04 19:27:04 UTC+0000 . 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000 .. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000 . 0xfffffa801b2f02e0:WebCompanion.e 2844 2728 0 ------ 2018-08-04 19:27:07 UTC+0000 . 0xfffffa801a4e3870:chrome.exe 4076 2728 44 1160 2018-08-04 19:29:30 UTC+0000 .. 0xfffffa801a4eab30:chrome.exe 4084 4076 8 86 2018-08-04 19:29:30 UTC+0000 .. 0xfffffa801a5ef1f0:chrome.exe 1796 4076 15 170 2018-08-04 19:33:41 UTC+0000 .. 0xfffffa801aa00a90:chrome.exe 3924 4076 16 228 2018-08-04 19:29:51 UTC+0000 .. 0xfffffa801a635240:chrome.exe 3648 4076 16 207 2018-08-04 19:33:38 UTC+0000 .. 0xfffffa801a502b30:chrome.exe 576 4076 2 58 2018-08-04 19:29:31 UTC+0000 .. 0xfffffa801a4f7b30:chrome.exe 1808 4076 13 229 2018-08-04 19:29:32 UTC+0000 .. 0xfffffa801a7f98f0:chrome.exe 2748 4076 15 181 2018-08-04 19:31:15 UTC+0000 . 0xfffffa801b5cb740:LunarMS.exe 708 2728 18 346 2018-08-04 19:27:39 UTC+0000 . 0xfffffa801b1cdb30:vmtoolsd.exe 2804 2728 6 190 2018-08-04 19:27:06 UTC+0000 . 0xfffffa801b290b30:BitTorrent.exe 2836 2728 24 471 2018-08-04 19:27:07 UTC+0000 .. 0xfffffa801b4c9b30:bittorrentie.e 2624 2836 13 316 2018-08-04 19:27:21 UTC+0000 .. 0xfffffa801b4a7b30:bittorrentie.e 2308 2836 15 337 2018-08-04 19:27:19 UTC+0000 0xfffffa8018d44740:System 4 0 95 411 2018-08-04 19:26:03 UTC+0000 . 0xfffffa801947e4d0:smss.exe 260 4 2 30 2018-08-04 19:26:03 UTC+0000 0xfffffa801a2ed060:wininit.exe 396 336 3 78 2018-08-04 19:26:11 UTC+0000 . 0xfffffa801ab377c0:services.exe 492 396 11 242 2018-08-04 19:26:12 UTC+0000 .. 0xfffffa801afe7800:svchost.exe 1948 492 6 96 2018-08-04 19:26:42 UTC+0000 .. 0xfffffa801ae92920:vmtoolsd.exe 1428 492 9 313 2018-08-04 19:26:27 UTC+0000 ... 0xfffffa801a572b30:cmd.exe 3916 1428 0 ------ 2018-08-04 19:34:22 UTC+0000 .. 0xfffffa801ae0f630:VGAuthService. 1356 492 3 85 2018-08-04 19:26:25 UTC+0000 .. 0xfffffa801abbdb30:vmacthlp.exe 668 492 3 56 2018-08-04 19:26:16 UTC+0000 .. 0xfffffa801aad1060:Lavasoft.WCAss 3496 492 14 473 2018-08-04 19:33:49 UTC+0000 .. 0xfffffa801a6af9f0:svchost.exe 164 492 12 147 2018-08-04 19:28:42 UTC+0000 .. 0xfffffa801ac2e9e0:svchost.exe 808 492 22 508 2018-08-04 19:26:18 UTC+0000 ... 0xfffffa801ac753a0:audiodg.exe 960 808 7 151 2018-08-04 19:26:19 UTC+0000 .. 0xfffffa801ae7f630:dllhost.exe 1324 492 15 207 2018-08-04 19:26:42 UTC+0000 .. 0xfffffa801a6c2700:mscorsvw.exe 3124 492 7 77 2018-08-04 19:28:43 UTC+0000 .. 0xfffffa801b232060:sppsvc.exe 2500 492 4 149 2018-08-04 19:26:58 UTC+0000 .. 0xfffffa801abebb30:svchost.exe 712 492 8 301 2018-08-04 19:26:17 UTC+0000 .. 0xfffffa801ad718a0:svchost.exe 1164 492 18 312 2018-08-04 19:26:23 UTC+0000 .. 0xfffffa801ac31b30:svchost.exe 844 492 17 396 2018-08-04 19:26:18 UTC+0000 ... 0xfffffa801b1fab30:dwm.exe 2704 844 4 97 2018-08-04 19:27:04 UTC+0000 .. 0xfffffa801988c2d0:PresentationFo 724 492 6 148 2018-08-04 19:27:52 UTC+0000 .. 0xfffffa801b603610:mscorsvw.exe 412 492 7 86 2018-08-04 19:28:42 UTC+0000 .. 0xfffffa8018e3c890:svchost.exe 604 492 11 376 2018-08-04 19:26:16 UTC+0000 ... 0xfffffa8019124b30:WmiPrvSE.exe 1800 604 9 222 2018-08-04 19:26:39 UTC+0000 ... 0xfffffa801b112060:WmiPrvSE.exe 2136 604 12 324 2018-08-04 19:26:51 UTC+0000 .. 0xfffffa801ad5ab30:spoolsv.exe 1120 492 14 346 2018-08-04 19:26:22 UTC+0000 .. 0xfffffa801ac4db30:svchost.exe 868 492 45 1114 2018-08-04 19:26:18 UTC+0000 .. 0xfffffa801a6e4b30:svchost.exe 3196 492 14 352 2018-08-04 19:28:44 UTC+0000 .. 0xfffffa801acd37e0:svchost.exe 620 492 19 415 2018-08-04 19:26:21 UTC+0000 .. 0xfffffa801b1e9b30:taskhost.exe 2344 492 8 193 2018-08-04 19:26:57 UTC+0000 .. 0xfffffa801ac97060:svchost.exe 1012 492 12 554 2018-08-04 19:26:20 UTC+0000 .. 0xfffffa801b3aab30:SearchIndexer. 3064 492 11 610 2018-08-04 19:27:14 UTC+0000 .. 0xfffffa801aff3b30:msdtc.exe 1436 492 14 155 2018-08-04 19:26:43 UTC+0000 . 0xfffffa801ab3f060:lsass.exe 500 396 7 610 2018-08-04 19:26:12 UTC+0000 . 0xfffffa801ab461a0:lsm.exe 508 396 10 148 2018-08-04 19:26:12 UTC+0000 0xfffffa801a0c8380:csrss.exe 348 336 9 563 2018-08-04 19:26:10 UTC+0000 . 0xfffffa801a6643d0:conhost.exe 2420 348 0 30 2018-08-04 19:34:22 UTC+0000 0xfffffa80198d3b30:csrss.exe 388 380 11 460 2018-08-04 19:26:11 UTC+0000 0xfffffa801aaf4060:winlogon.exe 432 380 3 113 2018-08-04 19:26:11 UTC+0000 0xfffffa801b18f060:WebCompanionIn 3880 1484 15 522 2018-08-04 19:33:07 UTC+0000 . 0xfffffa801aa72b30:sc.exe 3504 3880 0 ------ 2018-08-04 19:33:48 UTC+0000 . 0xfffffa801aeb6890:sc.exe 452 3880 0 ------ 2018-08-04 19:33:48 UTC+0000 . 0xfffffa801a6268b0:WebCompanion.e 3856 3880 15 386 2018-08-04 19:34:05 UTC+0000 . 0xfffffa801b08f060:sc.exe 3208 3880 0 ------ 2018-08-04 19:33:47 UTC+0000 . 0xfffffa801ac01060:sc.exe 2028 3880 0 ------ 2018-08-04 19:33:49 UTC+0000 0xfffffa801b1fd960:notepad.exe 3304 3132 2 79 2018-08-04 19:34:10 UTC+0000
!
0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000 .. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
, PID' 3820 PID' 3720. . dll-, :
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3820 Volatility Foundation Volatility Framework 2.6 ************************************************************************ Rick And Morty pid: 3820 Command line : "C:\Torrents\Rick And Morty season 1 download.exe" Note: use ldrmodules for listing DLLs in Wow64 processes Base Size LoadCount Path ------------------ ------------------ ------------------ ---- 0x0000000000400000 0x56000 0xffff C:\Torrents\Rick And Morty season 1 download.exe 0x00000000776f0000 0x1a9000 0xffff C:\Windows\SYSTEM32\ntdll.dll 0x0000000075210000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll 0x00000000751b0000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll 0x00000000751a0000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
. Exe ? - . ntdll.dll . dll, 3720:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720 Volatility Foundation Volatility Framework 2.6 ************************************************************************ vmware-tray.ex pid: 3720 Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe" Note: use ldrmodules for listing DLLs in Wow64 processes Base Size LoadCount Path ------------------ ------------------ ------------------ ---- 0x0000000000ec0000 0x6e000 0xffff C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe 0x00000000776f0000 0x1a9000 0xffff C:\Windows\SYSTEM32\ntdll.dll 0x0000000075210000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll 0x00000000751b0000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll 0x00000000751a0000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
. . , , , . memdump :
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 3720 --dump-dir=%___% Volatility Foundation Volatility Framework 2.6 Process(V) ImageBase Name Result ------------------ ------------------ -------------------- ------ 0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex OK: executable.3720.exe
, , , , .NET, . — , . . .
Bit by Bit Graphics is for the weak
- , !
1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M , . ,
Recovery
. !
, , , . CreatePassword . -, "" :
public string CreatePassword(int length) { StringBuilder stringBuilder = new StringBuilder(); Random random = new Random(); while (0 < length--) { stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/".Length)]); } return stringBuilder.ToString(); }
, . abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/ , . , , - :D
, :
public void startAction() { string password = this.CreatePassword(15); string str = "\\Desktop\\"; string location = this.userDir + this.userName + str; this.SendPassword(password); this.encryptDirectory(location, password); this.messageCreator(); }
- , , 15 . , :`
$ strings 3720.dmp > analyze.txt && wc -l 1589147 analyze.txt
. , , , - . !
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | wc -l 2915
, . — - , . , - . , :
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | less 444444440444444 66666FFFFFFFFFF 444444444444433 CLIPBRDWNDCLASS utav4823DF041B0 aDOBofVYUNVnmp7 444444440444444 66666FFFFFFFFFF 444444444444433 ffnLffnLffnpffm lemeneoepeqerep .........
, . b03f5f7f11d50a3a . , 3K . :) :
$ $ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{15}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|ID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory' | uniq | less ssssssssssssssss b03f5f7f11d50a3a CryptoStreamMode ContainerControl ICryptoTransform encryptDirectory MSTaskListWClass ssssssssssssssss `ubugukupuvuxuzu PAQARASATAUAVAWA MRNRORPRQRRRSRTR D!E!F!G!H!I!J!K! ......
, - . , BruteForce
, — , . . aDOBofVYUNVnmp7 , .
Alih-alih sebuah kesimpulan
, . - — , . , . . , - . , , , , - — . :3