OtterCTF: Detailed Walkthrough of the 13 Memory Forensics Challenges (Part 1)

2019-02-13

1 - What the password? 100

question

You got a sample of Rick's PC's memory. Can you get his user password? Format: CTF{…}

Alternative download link: 

https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ

solve

The challenge is tagged Memory_Forensics, so the obvious choice is Volatility.
I first spun up a docker-kali container on an overseas server and found it had no volatility installed:

apt-get update&& apt-get install volatility -y

Start with imageinfo:

➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 imageinfo                                                
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/OtterCTF.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-04 19:34:22 UTC+0000
     Image local date and time : 2018-08-04 22:34:22 +0300

Since we need a password, the simplest approach is to run hashdump directly:

➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump                                                         
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::

Trying to crack 518172d012f97d3a8fcc089615283940 online did not work: it came back as an empty password and the flag was wrong. An experienced player said the hash has two parts and the second one was not recovered, so let's use the Python source of Volatility together with the mimikatz plugin instead.
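As an added example (not part of the original write-up), a small parser for the pwdump-style lines that hashdump prints: each line is user:RID:LM:NT:::, where aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (the Vista/7 default) and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so only Rick's account actually has a password set. The sample input is the banner plus the three lines from the output above.

```python
import re
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Sample input: the lines printed by hashdump above (banner included on purpose).
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
"""

# user:RID:LM:NT::: with 32 hex digits per hash; the trailing ':::' are empty pwdump fields.
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def has_password(self):
        return self.nt != EMPTY_NT

    @property
    def has_lm_hash(self):
        return self.lm != EMPTY_LM


def parse_hashdump(text):
    """Parse hashdump output, skipping banner lines that do not match the pwdump format."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def triage(accounts):
    """Split accounts into (blank password, password set, legacy LM hash present)."""
    blank = [a.user for a in accounts if not a.has_password]
    real = [a.user for a in accounts if a.has_password]
    lm = [a.user for a in accounts if a.has_lm_hash]
    return blank, real, lm
```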

wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
unzip volatility-2.6.zip
wget https://github.com/volatilityfoundation/community/raw/master/FrancescoPicasso/mimikatz.py
cp mimikatz.py ./volatility-master/volatility/plugins/
➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz 
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.mimikatz (AttributeError: 'module' object has no attribute 'ULInt32')
ERROR   : volatility.debug    : You must specify something to do (try -h)

That throws an error, so run mimikatz on its own:

➜  volatility-master python ./plugin/mimikatz.pyc 
Traceback (most recent call last):
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 171, in <module>
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 182, in LsaDecryptor
AttributeError: 'module' object has no attribute 'ULInt32'

The problem is on the mimikatz plugin's side (its construct dependency); the fix is:

sudo pip uninstall construct
sudo pip install construct==2.5.5-reupload

Run it again:

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter                    
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP                                                

flag

Flag for challenge 1: CTF{MortyIsReallyAnOtter}


2 - General Info 75

question

Let's start easy - what's the PC's name and IP address?
format: CTF{flag}

solve

For the IP address, run netscan:

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan 
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000

For the hostname, start with the registry:

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat

There is the SYSTEM hive... no need to think further, carry on:

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} (S)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:
  (S) ControlSet001
  (S) ControlSet002
  (S) MountedDevices
  (S) RNG
  (S) Select
  (S) Setup
  (S) Software
  (S) WPA
  (V) CurrentControlSet

Values:

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services

Values:

Walk the registry key by key like this until you reach:

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-LO6FAF3DTFE

flag

CTF{WIN-LO6FAF3DTFE}
CTF{192.168.202.131}


3 - Play Time 50

question

Rick just loves to play some good old videogames. Can you tell which game he is playing? What's the IP address of the server?

format: CTF{flag}

solve

In the netscan output there is a process I don't recognize; a quick Google search shows LunarMS is a game. Done.

➜  volatility-master python vol.py  -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan                                        
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0         UDPv4    0.0.0.0:50762                  *:*                                   4076     chrome.exe     2018-08-04 19:33:37 UTC+0000
0x7d6b4250         UDPv6    ::1:1900                       *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7d6e3230         UDPv4    127.0.0.1:6771                 *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d74a390         UDPv4    127.0.0.1:52847                *:*                                   2624     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d7602c0         UDPv4    127.0.0.1:52846                *:*                                   2308     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d787010         UDPv4    0.0.0.0:65452                  *:*                                   4076     chrome.exe     2018-08-04 19:33:42 UTC+0000
0x7d789***         UDPv4    0.0.0.0:50523                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d789***         UDPv6    :::50523                       *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d9e8***         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f4560         UDPv4    0.0.0.0:0                      *:*                                   3856     WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7d9f8cb0         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f8cb0         UDPv6    :::20830                       *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d8bb390         TCPv4    0.0.0.0:9008                   0.0.0.0:0            LISTENING        4        System         
0x7d8bb390         TCPv6    :::9008                        :::0                 LISTENING        4        System         
0x7d9a9240         TCPv4    0.0.0.0:8733                   0.0.0.0:0            LISTENING        4        System         
0x7d9a9240         TCPv6    :::8733                        :::0                 LISTENING        4        System         
0x7d9e19e0         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe 
0x7d9e19e0         TCPv6    :::20830                       :::0                 LISTENING        2836     BitTorrent.exe 
0x7d9e1c90         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe 
0x7d42ba90         TCPv4    -:0                            56.219.196.26:0      CLOSED           2836     BitTorrent.exe 
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe    
0x7d62d690         TCPv4    192.168.202.131:49229          169.1.143.215:8999   CLOSED           2836     BitTorrent.exe 
0x7d634350         TCPv6    -:0                            38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED           2836     BitTorrent.exe   

flag

CTF{LunarMS}
CTF{77.102.199.102}


4 - Name Game 100

question

We know that the account was logged in to a channel called Lunar-3. What is the account name?

format: CTF{flag}

solve

If he logged in, the string Lunar-3 must have been written into the vmem, so let's search for it:

➜  Desktop strings OtterCTF.vmem|grep Lunar-3          
Lunar-3
Lunar-3

Show the three lines before and after each match:

➜  Desktop strings OtterCTF.vmem|grep Lunar-3 -A 3 -B 3
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
BtMouseClick
--
c+Yt
tb+Y4c+Y
b+YLc+Y
Lunar-3
Lunar-4
L(dNVxdNV
L|eNV

flag

CTF{0tt3r8r33z3}
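A small reimplementation of `strings | grep -B 3 -A 3`, added here as an example (not part of the original write-up): it extracts printable runs from a byte buffer, in ASCII and also in UTF-16LE (what `strings -e l` does, and how Windows stores many of its strings, so a marker may only show up in that mode), and returns the neighbouring strings of every hit on a marker such as Lunar-3. The buffer is constructed to imitate the region of the dump around the grep hits above.

```python
import re

# Constructed blob imitating the dump region around the hits above: ASCII strings separated by
# NULs and junk bytes, followed by two UTF-16LE strings that plain `strings` would not report.
SAMPLE_BLOB = (b"\x00\x13disabled\x00mouseOver\x00\x01\x02keyFocused\x00Lunar-3\x00"
               b"0tt3r8r33z3\x00Sound/UI.img/\x00BtMouseClick\x00\xff\xfe"
               + "Lunar-3".encode("utf-16-le") + b"\x00\x00"
               + "Lunar-4".encode("utf-16-le") + b"\x00\x00"
               + b"\x7f\x80c+Yt\x00")

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # like `strings` (default minimum 4)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # like `strings -e l`


def extract_strings(data):
    """Return (offset, encoding, text) for every printable run, ordered by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return sorted(found)


def context(strings, needle, before=3, after=3):
    """For each string equal to `needle`, the surrounding strings (grep -B before -A after)."""
    hits = []
    for i, (_, _, text) in enumerate(strings):
        if text == needle:
            hits.append([t for _, _, t in strings[max(0, i - before):i + after + 1]])
    return hits
```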



Author: ChaMd5 Security Team

This article was published by a SecPulse column author; when reposting, please credit: https://www.secpulse.com/archives/97212.html
