4ensiX


Lately I've come to realize that unless you specialize in forensics, CTFs are of little use for studying DFIR.

Time Problems - Securinets CTF Quals 2020 Forensics writeup

With educational content suddenly becoming abundant lately, I keep spending my days endlessly distracted by one thing after another.
Continuing on, here is "Time Problems" from "Securinets CTF Quals 2020", held 2020/03/22 2:00 - 03/32 2:00 JST.

Previous post:
Time matters - Securinets CTF Quals 2020 Forensics writeup - 4ensiX

Time Problems

More magic on this one too :)

Come on, couldn't this CTF give a few more hints?
Anyway, on to the provided file, for2.zip.

# file for2.zip 
for2.zip: Zip archive data, at least v2.0 to extract
# unzip for2.zip 
Archive:  for2.zip
  inflating: for2.raw                
# file for2.raw 
for2.raw: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)

It looks like a memory dump, so I used Volatility.

# volatility -f for2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/root/CTF/SecurinetsCTF2020/For/Time_Problems/for2.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8273fb78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x80b96000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2020-03-20 11:58:05 UTC+0000
     Image local date and time : 2020-03-20 12:58:05 +0100

I decided the Win7SP1x86 profile would work fine.

# volatility --profile=Win7SP1x86 -f for2.raw pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x83a1ab10:wininit.exe                               388    344      3     76 2020-03-20 11:55:31 UTC+0000
. 0x853f5638:services.exe                             480    388      9    196 2020-03-20 11:55:31 UTC+0000
.. 0x83bf3a40:WmiApSrv.exe                           3308    480      7    116 2020-03-20 11:57:11 UTC+0000
.. 0x84c43d20:spoolsv.exe                            1304    480     17    301 2020-03-20 11:55:33 UTC+0000
.. 0x8557f030:VBoxService.ex                          664    480     14    127 2020-03-20 11:55:32 UTC+0000
.. 0x855a2c68:svchost.exe                             772    480     21    454 2020-03-20 11:55:32 UTC+0000
... 0x856062e0:audiodg.exe                           1028    772      5    115 2020-03-20 11:55:33 UTC+0000
.. 0x85634a48:svchost.exe                            1184    480     19    385 2020-03-20 11:55:33 UTC+0000
.. 0x855f7030:svchost.exe                             932    480     16    302 2020-03-20 11:55:33 UTC+0000
.. 0x8560d778:svchost.exe                            1064    480      5    115 2020-03-20 11:55:33 UTC+0000
.. 0x847c2b70:taskhost.exe                           1456    480     10    186 2020-03-20 11:55:34 UTC+0000
.. 0x849b9498:SearchIndexer.                          856    480     14    591 2020-03-20 11:55:41 UTC+0000
.. 0x83af9d20:mscorsvw.exe                           3680    480      6     78 2020-03-20 11:57:42 UTC+0000
.. 0x83bf7d20:sppsvc.exe                             3808    480      6    151 2020-03-20 11:57:43 UTC+0000
.. 0x84d58b00:svchost.exe                            1352    480     21    314 2020-03-20 11:55:33 UTC+0000
.. 0x855ff030:svchost.exe                             976    480     39    947 2020-03-20 11:55:33 UTC+0000
... 0x8488c4c8:taskeng.exe                           1776    976      6     83 2020-03-20 11:55:34 UTC+0000
.. 0x8481e030:svchost.exe                            1620    480     15    229 2020-03-20 11:55:34 UTC+0000
.. 0x8555f8b8:svchost.exe                             600    480     11    357 2020-03-20 11:55:32 UTC+0000
... 0x84874100:WmiPrvSE.exe                          3160    600     15    323 2020-03-20 11:57:08 UTC+0000
... 0x83b50030:WmiPrvSE.exe                          2724    600      9    148 2020-03-20 11:56:59 UTC+0000
.. 0x8558e250:svchost.exe                             720    480      7    259 2020-03-20 11:55:32 UTC+0000
.. 0x855d73e8:svchost.exe                             876    480     21    443 2020-03-20 11:55:32 UTC+0000
... 0x847d28c8:dwm.exe                               1528    876      4     75 2020-03-20 11:55:34 UTC+0000
. 0x854fa030:lsass.exe                                488    388      7    501 2020-03-20 11:55:31 UTC+0000
. 0x85501550:lsm.exe                                  496    388     10    151 2020-03-20 11:55:31 UTC+0000
 0x84abc030:csrss.exe                                 352    344      8    397 2020-03-20 11:55:31 UTC+0000
 0x83a1a308:csrss.exe                                 396    380      8    307 2020-03-20 11:55:31 UTC+0000
 0x84a37d20:winlogon.exe                              436    380      4    113 2020-03-20 11:55:31 UTC+0000
 0x847e09f8:explorer.exe                             1568   1520     22    670 2020-03-20 11:55:34 UTC+0000
. 0x8493bd20:chrome.exe                              2320   1568     34    894 2020-03-20 11:56:56 UTC+0000
.. 0x83b6dd20:chrome.exe                             2716   2320     11    200 2020-03-20 11:56:59 UTC+0000
.. 0x8bdfe960:chrome.exe                             3364   2320     15    296 2020-03-20 11:57:13 UTC+0000
.. 0x84853488:chrome.exe                             2496   2320     17    324 2020-03-20 11:56:57 UTC+0000
.. 0x85424d20:chrome.exe                             3344   2320     12    176 2020-03-20 11:57:12 UTC+0000
.. 0x8553d030:chrome.exe                             3300   2320     16    245 2020-03-20 11:57:11 UTC+0000
.. 0x849865c8:chrome.exe                             2352   2320      9     76 2020-03-20 11:56:56 UTC+0000
.. 0x84852590:chrome.exe                             2384   2320      3     55 2020-03-20 11:56:57 UTC+0000
.. 0x8554fc70:chrome.exe                             3196   2320     14    309 2020-03-20 11:57:09 UTC+0000
. 0x8490b030:VBoxTray.exe                            2036   1568     14    138 2020-03-20 11:55:35 UTC+0000
 0x839af9d0:System                                      4      0     82    507 2020-03-20 11:55:28 UTC+0000
. 0x848f6438:smss.exe                                 276      4      2     29 2020-03-20 11:55:28 UTC+0000

Another awkward one. What am I supposed to do with this? For starters I tried mimikatz, but...

# volatility --profile=Win7SP1x86 -f for2.raw mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  home             home-PC                                                  
wdigest  HOME-PC$         WORKGROUP                                  

The results are as you can see.
As with "Time Matters", I decided to dig through the Chrome history.

# volatility --profile=Win7SP1x86 -f for2.raw filescan | grep "History"
Volatility Foundation Volatility Framework 2.6
0x000000001e3d5f80      5      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
0x000000001ec096a8     17      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History-journal
# volatility --profile=Win7SP1x86 -f for2.raw dumpfiles -Q 0x000000001e3d5f80 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
# mv file.None.0x84a3f558.dat History
root@kali:~/CTF/SecurinetsCTF2020/For/Time_Problems# strings History | less
(snip)
neymar santosneymar santos!
corona neymarcorona neymar
corona italycorona italy#
corona tunisiecorona tunisie
corona mapcorona map+
        neymar best skillsneymar best skills'
neymar instagramneymar instagram
neymarneymar
https://www.youtube.com/watch?v=wQoVjMMYWJ4
https://twitter.com/neymarjr/status/1217902956475047937
https://www.youtube.com/watch?v=BPi3ePVFRik
https://www.youtube.com/results?search_query=neymar+santos
http://52.205.164.112/
(snip)
https://www.google.com/search?q=neymar&oq=neymar&aqs=chrome..69i57j46j0l6.1797j0j7&sourceid=chrome&ie=UTF-8
https://www.youtube.com/results?search_query=neymar+santosneymar santos - YouTube
https://www.youtube.com/watch?v=BPi3ePVFRikNeymar JR 
 Ultimate Skills 2013 - Part 01 
 Santos | HD - YouTube
http://52.205.164.112/
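The History file dumped above is a Chrome SQLite database, so instead of `strings` it can be queried directly, which also recovers the visit timestamps (Chrome stores them as microseconds since 1601-01-01 UTC, so they have to be rebased before comparing them with the UTC times Volatility prints). The following is an added example, not part of the original writeup: it uses a constructed in-memory sample with a simplified subset of the real schema, and the same `history_timeline` function works on the dumped file by passing `sqlite3.connect("History")`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome "WebKit time": microseconds since 1601-01-01 00:00:00 UTC,
# not Unix time, so raw values are rebased against this epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(ts):
    return WEBKIT_EPOCH + timedelta(microseconds=ts)

def datetime_to_webkit(dt):
    # Integer division keeps the value exact (no float rounding).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

# Simplified subset of the real History schema (assumption: only the
# columns this example needs; a real file has many more tables/columns).
SCHEMA = """
CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                  visit_count INTEGER, last_visit_time INTEGER);
CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                  lower_term TEXT, term TEXT);
"""

def build_sample_history():
    # Constructed sample rows for offline use, not data from the image.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    t0 = datetime(2020, 3, 20, 11, 57, tzinfo=timezone.utc)
    urls = [
        (1, "https://www.google.com/search?q=neymar", "neymar - Google Search", 3, t0),
        (2, "https://www.youtube.com/results?search_query=neymar+santos",
         "neymar santos - YouTube", 1, t0 + timedelta(seconds=20)),
        (3, "http://52.205.164.112/", "", 1, t0 + timedelta(seconds=45)),
    ]
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)",
                   [(i, u, ti, c, datetime_to_webkit(t)) for i, u, ti, c, t in urls])
    db.executemany("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                   [(2, 1, "neymar", "neymar"), (2, 2, "neymar santos", "neymar santos")])
    return db

def history_timeline(db):
    # Visited URLs in visit order as (url, title, utc_datetime, search_term);
    # search_term is None for pages that were not reached via a search box.
    sql = """SELECT u.url, u.title, u.last_visit_time, k.term
             FROM urls u LEFT JOIN keyword_search_terms k ON k.url_id = u.id
             ORDER BY u.last_visit_time"""
    return [(url, title, webkit_to_datetime(ts), term)
            for url, title, ts, term in db.execute(sql)]
```

Sorting by `last_visit_time` is what lets you see that the suspicious IP was visited right after the neymar searches, something the bare `strings` output cannot show.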

There's a connection to a suspicious site, http[:]//52.205.164.112/. Also, this person really loves Neymar.
Well, let's take a look.

# ping 52.205.164.112
PING 52.205.164.112 (52.205.164.112) 56(84) bytes of data.
^C
--- 52.205.164.112 ping statistics ---
23 packets transmitted, 0 received, 100% packet loss, time 22857ms

No luck. Let's stay hopeful and search the web archives instead.
Looking around, I heard this one is excellent:
http://timetravel.mementoweb.org/list/20090108113335/http://52.205.164.112
It returned a proper hit, so following the link to the Wayback Machine, which is well trusted in this field:

https://web.archive.org/web/20200318121831/http://52.205.164.112/
In the lower left there's something that looks like a flag:

Securinets{█████_1s_my_f4vorit3_Pl4yer}

My first thought was "how am I supposed to know that?", but the search history was full of neymar. So:
flag: Securinets{neymar_1s_my_f4vorit3_Pl4yer}

The blocked-out part was 5 characters as Unicode block characters, but the actual answer turned out to be 6.