Writeup memo: Memory Analysis (Forensics 100) [SECCON 2016 Online CTF]

Writeup memo for "Memory Analysis", the 100-point Forensics challenge from SECCON 2016 Online CTF: score-quals.seccon.jp

*Challenge description

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!
memoryanalysis.zip (http://files.quals.seccon.jp/memoryanalysis.zip)

The challenge files are huge, please download it first.

Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file 

password: fjliejflsjiejlsiejee33cnc

A challenge that asks you to do memory analysis.

  • Print the image information for the memory dump
volatility.exe imageinfo -f forensic_100.raw
-----------------------------------------------------------------------------------------------------------
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\hogehoge\memoryanalysis\forensic_100.raw)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900
-----------------------------------------------------------------------------------------------------------

⇒ So the profile is apparently "WinXPSP2x86" or "WinXPSP3x86".

  • Look up where the hosts file mentioned in the hint is stored
volatility.exe --profile=WinXPSP3x86 -f forensic_100.raw filescan
-----------------------------------------------------------------------------------------------------------
(omitted)
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
(omitted)
-----------------------------------------------------------------------------------------------------------
  • Dump the file by specifying its object offset
volatility.exe --profile=WinXPSP3x86 -f forensic_100.raw dumpfiles -Q 0x000000000217b748 --name -D .\
-----------------------------------------------------------------------------------------------------------
=> file.None.0x819a3008.hosts.dat
-----------------------------------------------------------------------------------------------------------
  • Check the contents of the hosts file
type file.None.0x819a3008.hosts.dat
-----------------------------------------------------------------------------------------------------------
(omitted)
127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
-----------------------------------------------------------------------------------------------------------
  • Check the IE history for a likely-looking site
volatility.exe -f forensic_100.raw --profile=WinXPSP2x86 iehistory
-----------------------------------------------------------------------------------------------------------
(omitted)
Process: 380 IEXPLORE.EXE
Cache type "URL " at 0x76be00
Record length: 0x180
Location: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Last modified: 2016-12-06 03:39:11 UTC+0000
Last accessed: 2016-12-06 05:28:40 UTC+0000
File Offset: 0x180, Data Offset: 0xac, Data Length: 0xd0
File: Data-Science-import-pandas-as-pd[1]
Data: HTTP/1.1 200 OK

Content-Type: application/octet-stream
Content-Length: 42
ETag: "584632df-2a"

~U:system
(omitted)
-----------------------------------------------------------------------------------------------------------
  • Access the above URL via the IP address from the hosts file
curl -H "Host:crattack.tistory.com" "http://153.127.200.178/entry/Data-Science-import-pandas-as-pd"
-----------------------------------------------------------------------------------------------------------
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
-----------------------------------------------------------------------------------------------------------
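The two artifacts above (the dumped hosts file and the iehistory records) are exactly the pair an analyst wants to correlate: a hosts entry that pins a public domain to an address, and browser history for that same domain. The following is an added example, not part of the original writeup or of Volatility; it parses constructed samples modelled on the output shown here, flags hosts overrides, and reports which history URLs resolve through them. The sample texts, function names and the "dotted name = public domain" heuristic are my assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed samples modelled on the dumped hosts file and iehistory output shown in the writeup.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
"""
SAMPLE_IEHISTORY = """\
Process: 380 IEXPLORE.EXE
Location: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Location: http://www.example.com/index.html
"""

def parse_hosts(text):
    """Map lowercase hostname -> IP for each valid hosts entry; comments and blanks are skipped."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: ignore the line
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def hosts_overrides(mapping):
    """Entries worth a closer look: any public (dotted) name pinned, or localhost moved off loopback."""
    flagged = {}
    for name, ip in mapping.items():
        if name.startswith("localhost"):
            if not ipaddress.ip_address(ip).is_loopback:
                flagged[name] = ip
        elif "." in name:
            flagged[name] = ip
    return flagged

def pinned_history_urls(iehistory_text, overrides):
    """(url, pinned_ip) for every iehistory Location whose host the hosts file overrides."""
    hits = []
    for line in iehistory_text.splitlines():
        if line.startswith("Location: "):
            host = (urlparse(line[10:].strip()).hostname or "").lower()
            if host in overrides:
                hits.append((line[10:].strip(), overrides[host]))
    return hits
```

On a real dump, feed `parse_hosts` the `dumpfiles` output and `pinned_history_urls` the saved `iehistory` text; every hit is a URL the browser reached at an address the hosts file chose, which is the relationship the curl step above exploits.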

If you build a timeline and look around more carefully, there may be something even more interesting in there.