OtterCTF: Detailed Walkthrough of 13 Memory Forensics Challenges (Part 1)
1. What the password? 100
question
you got a sample of rick's PC's memory. can you get his user password? format: CTF{…}
Alternative download link:
https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
solve
It's Memory_Forensics, so reach for volatility without a second thought.
First I spun up docker-kali on an overseas server and found volatility wasn't installed.
apt-get update && apt-get install volatility -y
Start with imageinfo:
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/OtterCTF.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-04 19:34:22 UTC+0000
     Image local date and time : 2018-08-04 22:34:22 +0300
We need a password, so the simple route is to run hashdump directly:
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
I took 518172d012f97d3a8fcc089615283940 and tried to crack it, but it didn't work: the hash resolved to an empty password and the flag was wrong. A guru said it's a two-part hash and the second part hadn't come out, so let's use the Python source of Volatility together with the mimikatz plugin instead.
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
unzip volatility-2.6.zip
wget https://github.com/volatilityfoundation/community/raw/master/FrancescoPicasso/mimikatz.py
cp mimikatz.py ./volatility-master/volatility/plugins/
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.mimikatz (AttributeError: 'module' object has no attribute 'ULInt32')
ERROR   : volatility.debug    : You must specify something to do (try -h)
There's an import error, so run mimikatz on its own:
➜ volatility-master python ./plugin/mimikatz.pyc
Traceback (most recent call last):
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 171, in <module>
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 182, in LsaDecryptor
AttributeError: 'module' object has no attribute 'ULInt32'
So it's the mimikatz plugin's fault; the fix I found is to pin the construct library version it expects:
sudo pip uninstall construct
sudo pip install construct==2.5.5-reupload
Let's go:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP
flag
Flag for challenge 1: CTF{MortyIsReallyAnOtter}
2 - General Info 75
question
Let's start easy - whats the PC's name and IP address?
format: CTF{flag}
solve
For the IP address, run netscan:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Proto  Local Address          Foreign Address  State  Pid   Owner           Created
0x7d60f010 UDPv4  0.0.0.0:1900           *:*                     2836  BitTorrent.exe  2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4  192.168.202.131:6771   *:*                     2836  BitTorrent.exe  2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4  127.0.0.1:62307        *:*                     2836  BitTorrent.exe  2018-08-04 19:27:17 UTC+0000
0x7d62f920 UDPv4  192.168.202.131:62306  *:*                     2836  BitTorrent.exe  2018-08-04 19:27:17 UTC+0000
For the hostname, look at the registry first:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat
The SYSTEM hive is right there, so no need to think further; use its virtual offset with printkey and keep going:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} (S)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:
  (S) ControlSet001
  (S) ControlSet002
  (S) MountedDevices
  (S) RNG
  (S) Select
  (S) Setup
  (S) Software
  (S) WPA
  (V) CurrentControlSet

Values:

➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services

Values:
Walk down the registry one key at a time like this (the -K path is backslash-separated), until at the end:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-LO6FAF3DTFE
flag
CTF{WIN-LO6FAF3DTFE} CTF{192.168.202.131}
3 - Play Time 50
question
Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?
format: CTF{flag}
solve
In the netscan output there's a process I don't recognise; a quick Google for LunarMS shows it's a game. Done.
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Proto  Local Address          Foreign Address                              State      Pid   Owner           Created
0x7d60f010 UDPv4  0.0.0.0:1900           *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4  192.168.202.131:6771   *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4  127.0.0.1:62307        *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:17 UTC+0000
0x7d62f920 UDPv4  192.168.202.131:62306  *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:17 UTC+0000
0x7d6424c0 UDPv4  0.0.0.0:50762          *:*                                                     4076  chrome.exe      2018-08-04 19:33:37 UTC+0000
0x7d6b4250 UDPv6  ::1:1900               *:*                                                     164   svchost.exe     2018-08-04 19:28:42 UTC+0000
0x7d6e3230 UDPv4  127.0.0.1:6771         *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:22 UTC+0000
0x7d6ed650 UDPv4  0.0.0.0:5355           *:*                                                     620   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv4  0.0.0.0:0              *:*                                                     868   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv6  :::0                   *:*                                                     868   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d74a390 UDPv4  127.0.0.1:52847        *:*                                                     2624  bittorrentie.e  2018-08-04 19:27:24 UTC+0000
0x7d7602c0 UDPv4  127.0.0.1:52846        *:*                                                     2308  bittorrentie.e  2018-08-04 19:27:24 UTC+0000
0x7d787010 UDPv4  0.0.0.0:65452          *:*                                                     4076  chrome.exe      2018-08-04 19:33:42 UTC+0000
0x7d789b50 UDPv4  0.0.0.0:50523          *:*                                                     620   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d789b50 UDPv6  :::50523               *:*                                                     620   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d92a230 UDPv4  0.0.0.0:0              *:*                                                     868   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d92a230 UDPv6  :::0                   *:*                                                     868   svchost.exe     2018-08-04 19:34:22 UTC+0000
0x7d9e8b50 UDPv4  0.0.0.0:20830          *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:15 UTC+0000
0x7d9f4560 UDPv4  0.0.0.0:0              *:*                                                     3856  WebCompanion.e  2018-08-04 19:34:22 UTC+0000
0x7d9f8cb0 UDPv4  0.0.0.0:20830          *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:15 UTC+0000
0x7d9f8cb0 UDPv6  :::20830               *:*                                                     2836  BitTorrent.exe  2018-08-04 19:27:15 UTC+0000
0x7d8bb390 TCPv4  0.0.0.0:9008           0.0.0.0:0                                    LISTENING  4     System
0x7d8bb390 TCPv6  :::9008                :::0                                         LISTENING  4     System
0x7d9a9240 TCPv4  0.0.0.0:8733           0.0.0.0:0                                    LISTENING  4     System
0x7d9a9240 TCPv6  :::8733                :::0                                         LISTENING  4     System
0x7d9e19e0 TCPv4  0.0.0.0:20830          0.0.0.0:0                                    LISTENING  2836  BitTorrent.exe
0x7d9e19e0 TCPv6  :::20830               :::0                                         LISTENING  2836  BitTorrent.exe
0x7d9e1c90 TCPv4  0.0.0.0:20830          0.0.0.0:0                                    LISTENING  2836  BitTorrent.exe
0x7d42ba90 TCPv4  -:0                    56.219.196.26:0                              CLOSED     2836  BitTorrent.exe
0x7d6124d0 TCPv4  192.168.202.131:49530  77.102.199.102:7575                          CLOSED     708   LunarMS.exe
0x7d62d690 TCPv4  192.168.202.131:49229  169.1.143.215:8999                           CLOSED     2836  BitTorrent.exe
0x7d634350 TCPv6  -:0                    38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0    CLOSED     2836  BitTorrent.exe
flag
CTF{LunarMS} CTF{77.102.199.102}
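Both challenges 2 and 3 are answered by reading the same netscan table: the host's own address is the only non-loopback, non-wildcard local IP, and the game server is the remote endpoint of the unfamiliar owning process. Doing that by eye works for one image, but on a full dump the table runs to hundreds of rows, so here is an added example (my code, not the writeup's) that parses Volatility 2 netscan output and extracts both facts. It handles the two row shapes netscan prints: UDP rows have a blank State column, and some TCP rows have no Created timestamp. The embedded rows are a subset copied from the output above.

```python
"""Added example: parse Volatility 2 `netscan` output and extract the host's own addresses
and every remote endpoint grouped by the owning process."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Rows copied from the writeup's netscan output (a subset, header included).
SAMPLE_NETSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Proto  Local Address  Foreign Address  State  Pid  Owner  Created
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000
0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d8bb390 TCPv4 0.0.0.0:9008 0.0.0.0:0 LISTENING 4 System
0x7d42ba90 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe
0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe
0x7d62d690 TCPv4 192.168.202.131:49229 169.1.143.215:8999 CLOSED 2836 BitTorrent.exe
"""

# Local/foreign hosts that carry no information about the machine or its peers.
UNSPECIFIED = {"0.0.0.0", "::", "127.0.0.1", "::1", "-", "*"}


@dataclass
class Socket:
    offset: str
    proto: str
    local: str
    foreign: str
    state: str     # empty for UDP rows, which netscan prints with a blank State column
    pid: int
    owner: str
    created: str   # empty when netscan has no timestamp for the entry


def parse_netscan(text: str) -> List[Socket]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue  # banner, header or blank line
        offset, proto, local, foreign = parts[:4]
        rest = parts[4:]
        # UDP rows have no State column, so the next token is already the PID.
        state = "" if rest[0].isdigit() else rest.pop(0)
        pid = int(rest.pop(0))
        owner = rest.pop(0)
        created = " ".join(rest)
        records.append(Socket(offset, proto, local, foreign, state, pid, owner, created))
    return records


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split host:port from the right so IPv6 literals such as ::1:1900 stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def local_ips(records: List[Socket]) -> Set[str]:
    """Addresses the host itself was bound to (challenge 2)."""
    return {split_endpoint(r.local)[0] for r in records} - UNSPECIFIED


def remote_by_owner(records: List[Socket]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Every real remote endpoint, keyed by owning process (challenge 3)."""
    out = defaultdict(list)
    for r in records:
        if split_endpoint(r.foreign)[0] in UNSPECIFIED:
            continue
        out[r.owner].append((r.local, r.foreign, r.state))
    return dict(out)


if __name__ == "__main__":
    socks = parse_netscan(SAMPLE_NETSCAN)
    print("host IPs:", sorted(local_ips(socks)))
    for owner, conns in remote_by_owner(socks).items():
        for local, foreign, state in conns:
            print(f"{owner:16} {local:24} -> {foreign:24} {state}")
```

Processes with an unexpected remote endpoint are the ones to look up first; in this image that is LunarMS.exe, while the BitTorrent peers are explained by the client itself.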
4 - Name Game 100
question
We know that the account was logged in to a channel called Lunar-3. what is the account name?
format: CTF{flag}
solve
If he logged in, "Lunar" must have been left somewhere in the vmem, so try searching for Lunar-3:
➜ Desktop strings OtterCTF.vmem|grep Lunar-3
Lunar-3
Lunar-3
Show the three lines before and after each hit:
➜ Desktop strings OtterCTF.vmem|grep Lunar-3 -A 3 -B 3
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
BtMouseClick
--
c+Yt
tb+Y4c+Y
b+YLc+Y
Lunar-3
Lunar-4
L(dNVxdNV
L|eNV
flag
CTF{0tt3r8r33z3}
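The trick in challenge 4 is that `strings` turns a memory image into a sequence of printable runs, so the neighbours of a hit (the account name sitting just after the channel name) are other strings from the same structure. Plain `strings` only reports 8-bit runs, though, and Windows keeps much of its text as UTF-16LE, which GNU `strings` only finds with `-e l`. The following added example (my code, not the writeup's) implements both passes over a buffer and a grep-style context lookup; the buffer is constructed to resemble the hits above, with the channel names also embedded as UTF-16LE.

```python
"""Added example: a `strings | grep -A/-B` equivalent over a memory buffer that reports
ASCII and UTF-16LE runs together, ordered by offset."""
import re
from typing import List, Tuple

# Constructed buffer modelled on the writeup's hits: ASCII UI strings around "Lunar-3",
# followed by the same channel names stored as UTF-16LE.
SAMPLE_MEMORY = (
    b"\x00\x00\xff\x10"
    + b"disabled\x00mouseOver\x00keyFocused\x00Lunar-3\x00"
    + b"0tt3r8r33z3\x00Sound/UI.img/\x00\x01\x02"
    + "Lunar-3".encode("utf-16-le") + b"\x00\x00"
    + "Lunar-4".encode("utf-16-le") + b"\x00\x00"
)

Found = Tuple[int, str, str]  # (offset, encoding, text)


def extract_strings(buf: bytes, min_len: int = 4) -> List[Found]:
    """Printable ASCII runs plus UTF-16LE runs (printable byte, NUL byte pairs),
    merged and sorted by offset so context spans both encodings."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(buf)]
    found.sort()
    return found


def grep_context(strings: List[Found], needle: str,
                 before: int = 3, after: int = 3) -> List[List[Found]]:
    """Like grep -B/-A: each string containing needle, returned with its neighbours."""
    hits = []
    for i, (_, _, text) in enumerate(strings):
        if needle in text:
            hits.append(strings[max(0, i - before): i + after + 1])
    return hits


if __name__ == "__main__":
    for hit in grep_context(extract_strings(SAMPLE_MEMORY), "Lunar-3"):
        for off, enc, text in hit:
            print(f"{off:#010x} {enc:8} {text}")
        print("--")
```

Carrying the offset along is what makes the neighbours meaningful: two strings that are adjacent in the output but far apart in memory belong to different structures, which is the caveat to keep in mind when reading `strings -B/-A` context as if it were a record.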