Writeup memo Memory Analysis (Forensics100) [SECCON 2016 Online CTF]
Writeup notes for "Memory Analysis" (Forensics, 100 points) from the SECCON 2016 Online CTF (score-quals.seccon.jp).
*Problem statement
Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!
memoryanalysis.zip (http://files.quals.seccon.jp/memoryanalysis.zip)
The challenge files are huge, please download it first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file
password: fjliejflsjiejlsiejee33cnc
A challenge that asks you to do memory analysis.
- メモリダンプのイメージ情報を出力
volatility.exe imageinfo -f forensic_100.raw
-----------------------------------------------------------------------------------------------------------
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\hogehoge\memoryanalysis\forensic_100.raw)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900
-----------------------------------------------------------------------------------------------------------
⇒ So the profile is "WinXPSP2x86" or "WinXPSP3x86".
- Locate the hosts file mentioned in the hint
volatility.exe --profile=WinXPSP3x86 -f forensic_100.raw filescan
-----------------------------------------------------------------------------------------------------------
(omitted)
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
(omitted)
-----------------------------------------------------------------------------------------------------------
- Dump the file by specifying its object offset
volatility.exe --profile=WinXPSP3x86 -f forensic_100.raw dumpfiles -Q 0x000000000217b748 --name -D .\
-----------------------------------------------------------------------------------------------------------
=> file.None.0x819a3008.hosts.dat
-----------------------------------------------------------------------------------------------------------
- Check the contents of the hosts file
type file.None.0x819a3008.hosts.dat
-----------------------------------------------------------------------------------------------------------
(omitted)
127.0.0.1 localhost
153.127.200.178 crattack.tistory.com
-----------------------------------------------------------------------------------------------------------
- Look for the likely site in the IE history
volatility.exe -f forensic_100.raw --profile=WinXPSP2x86 iehistory
-----------------------------------------------------------------------------------------------------------
(omitted)
Process: 380 IEXPLORE.EXE
Cache type "URL " at 0x76be00
Record length: 0x180
Location: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Last modified: 2016-12-06 03:39:11 UTC+0000
Last accessed: 2016-12-06 05:28:40 UTC+0000
File Offset: 0x180, Data Offset: 0xac, Data Length: 0xd0
File: Data-Science-import-pandas-as-pd[1]
Data: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 42
ETag: "584632df-2a"
~U:system
(omitted)
-----------------------------------------------------------------------------------------------------------
- Access the above URL by IP address (the hosts entry pins the domain to 153.127.200.178, so the Host header is set by hand)
curl -H "Host:crattack.tistory.com" "http://153.127.200.178/entry/Data-Science-import-pandas-as-pd"
-----------------------------------------------------------------------------------------------------------
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
-----------------------------------------------------------------------------------------------------------
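The hosts-file step above is the pivot of the whole challenge: the fake svchost pins a public domain to a fixed address, which is the classic shape of a hosts-file hijack. The following script is an added example (not part of the original writeup and not a Volatility plugin) that parses a dumped hosts file the way you would after `dumpfiles`, flags entries that send a non-local name to a non-loopback, non-private address, and builds the same `curl -H "Host:..."` command the writeup uses to verify the finding. The sample hosts text is constructed here: its two mapping lines are the ones recovered on this page, and the comment header is made up to resemble a default Windows hosts file.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the hosts file dumped from the image.
# The two mapping lines are the ones shown in the writeup; the comment
# header is constructed to resemble a default Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1 localhost
153.127.200.178 crattack.tistory.com
"""

# Hostnames that are expected to point at loopback (extend as needed).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    ip: str
    hostnames: tuple


def parse_hosts(text):
    """Parse hosts-file text into entries, skipping comments and blank lines.

    Lines whose first field is not a valid IP address are ignored rather
    than raising, since a file carved from memory may carry trailing junk.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address: ignore
        if len(fields) < 2:
            continue                              # address with no names
        entries.append(HostsEntry(line_no, fields[0], tuple(fields[1:])))
    return entries


def suspicious_entries(entries):
    """Return (hostname, ip) pairs that look like a hosts-file hijack.

    An entry is flagged when a name that is not a local alias is mapped to
    an address outside the loopback/unspecified/private/link-local ranges:
    exactly the shape of the crattack.tistory.com line, which pins a
    public domain to one specific server.
    """
    flagged = []
    for entry in entries:
        ip = ipaddress.ip_address(entry.ip)
        if ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local:
            continue
        for name in entry.hostnames:
            if name.lower() not in LOCAL_NAMES:
                flagged.append((name, entry.ip))
    return flagged


def host_header_curl(hostname, ip, path):
    """Build the curl command the writeup uses: fetch by IP while presenting
    the original Host header, so the analyst's own DNS is never consulted."""
    return f'curl -H "Host:{hostname}" "http://{ip}{path}"'


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for name, ip in suspicious_entries(entries):
        print(f"hosts hijack: {name} -> {ip}")
        print(host_header_curl(name, ip, "/entry/Data-Science-import-pandas-as-pd"))
```

On the constructed sample the script flags only `crattack.tistory.com -> 153.127.200.178` and prints the verification command; the `localhost` line is skipped because it maps to loopback. Run it against the real `file.None.0x819a3008.hosts.dat` by reading that file into `parse_hosts` instead of `SAMPLE_HOSTS`.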
Building a timeline and looking around some more might turn up something even more interesting.