Time Problems - Securinets CTF Quals 2020 Forensics writeup
Lately there has suddenly been a glut of educational content, and I keep spending my days endlessly distracted by it.
Continuing on, here is "Time Problems" from Securinets CTF Quals 2020, held 2020/03/22 02:00 - 03/23 02:00 JST.
Previous post:
Time matters - Securinets CTF Quals 2020 Forensics writeup - 4ensiX
Time Problems
More magic on this one too :)
Come on, couldn't this CTF give a few more hints?
Anyway, on to the provided file, for2.zip.

# file for2.zip
for2.zip: Zip archive data, at least v2.0 to extract
# unzip for2.zip
Archive:  for2.zip
  inflating: for2.raw
# file for2.raw
for2.raw: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
It looks like a memory dump (a VirtualBox ELF core dump), so Volatility it is.

# volatility -f for2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/root/CTF/SecurinetsCTF2020/For/Time_Problems/for2.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8273fb78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x80b96000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2020-03-20 11:58:05 UTC+0000
     Image local date and time : 2020-03-20 12:58:05 +0100

Win7SP1x86 should be fine as the profile.
# volatility --profile=Win7SP1x86 -f for2.raw pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x83a1ab10:wininit.exe                                388    344      3     76 2020-03-20 11:55:31 UTC+0000
. 0x853f5638:services.exe                              480    388      9    196 2020-03-20 11:55:31 UTC+0000
.. 0x83bf3a40:WmiApSrv.exe                            3308    480      7    116 2020-03-20 11:57:11 UTC+0000
.. 0x84c43d20:spoolsv.exe                             1304    480     17    301 2020-03-20 11:55:33 UTC+0000
.. 0x8557f030:VBoxService.ex                           664    480     14    127 2020-03-20 11:55:32 UTC+0000
.. 0x855a2c68:svchost.exe                              772    480     21    454 2020-03-20 11:55:32 UTC+0000
... 0x856062e0:audiodg.exe                            1028    772      5    115 2020-03-20 11:55:33 UTC+0000
.. 0x85634a48:svchost.exe                             1184    480     19    385 2020-03-20 11:55:33 UTC+0000
.. 0x855f7030:svchost.exe                              932    480     16    302 2020-03-20 11:55:33 UTC+0000
.. 0x8560d778:svchost.exe                             1064    480      5    115 2020-03-20 11:55:33 UTC+0000
.. 0x847c2b70:taskhost.exe                            1456    480     10    186 2020-03-20 11:55:34 UTC+0000
.. 0x849b9498:SearchIndexer.                           856    480     14    591 2020-03-20 11:55:41 UTC+0000
.. 0x83af9d20:mscorsvw.exe                            3680    480      6     78 2020-03-20 11:57:42 UTC+0000
.. 0x83bf7d20:sppsvc.exe                              3808    480      6    151 2020-03-20 11:57:43 UTC+0000
.. 0x84d58b00:svchost.exe                             1352    480     21    314 2020-03-20 11:55:33 UTC+0000
.. 0x855ff030:svchost.exe                              976    480     39    947 2020-03-20 11:55:33 UTC+0000
... 0x8488c4c8:taskeng.exe                            1776    976      6     83 2020-03-20 11:55:34 UTC+0000
.. 0x8481e030:svchost.exe                             1620    480     15    229 2020-03-20 11:55:34 UTC+0000
.. 0x8555f8b8:svchost.exe                              600    480     11    357 2020-03-20 11:55:32 UTC+0000
... 0x84874100:WmiPrvSE.exe                           3160    600     15    323 2020-03-20 11:57:08 UTC+0000
... 0x83b50030:WmiPrvSE.exe                           2724    600      9    148 2020-03-20 11:56:59 UTC+0000
.. 0x8558e250:svchost.exe                              720    480      7    259 2020-03-20 11:55:32 UTC+0000
.. 0x855d73e8:svchost.exe                              876    480     21    443 2020-03-20 11:55:32 UTC+0000
... 0x847d28c8:dwm.exe                                1528    876      4     75 2020-03-20 11:55:34 UTC+0000
. 0x854fa030:lsass.exe                                 488    388      7    501 2020-03-20 11:55:31 UTC+0000
. 0x85501550:lsm.exe                                   496    388     10    151 2020-03-20 11:55:31 UTC+0000
 0x84abc030:csrss.exe                                  352    344      8    397 2020-03-20 11:55:31 UTC+0000
 0x83a1a308:csrss.exe                                  396    380      8    307 2020-03-20 11:55:31 UTC+0000
 0x84a37d20:winlogon.exe                               436    380      4    113 2020-03-20 11:55:31 UTC+0000
 0x847e09f8:explorer.exe                              1568   1520     22    670 2020-03-20 11:55:34 UTC+0000
. 0x8493bd20:chrome.exe                               2320   1568     34    894 2020-03-20 11:56:56 UTC+0000
.. 0x83b6dd20:chrome.exe                              2716   2320     11    200 2020-03-20 11:56:59 UTC+0000
.. 0x8bdfe960:chrome.exe                              3364   2320     15    296 2020-03-20 11:57:13 UTC+0000
.. 0x84853488:chrome.exe                              2496   2320     17    324 2020-03-20 11:56:57 UTC+0000
.. 0x85424d20:chrome.exe                              3344   2320     12    176 2020-03-20 11:57:12 UTC+0000
.. 0x8553d030:chrome.exe                              3300   2320     16    245 2020-03-20 11:57:11 UTC+0000
.. 0x849865c8:chrome.exe                              2352   2320      9     76 2020-03-20 11:56:56 UTC+0000
.. 0x84852590:chrome.exe                              2384   2320      3     55 2020-03-20 11:56:57 UTC+0000
.. 0x8554fc70:chrome.exe                              3196   2320     14    309 2020-03-20 11:57:09 UTC+0000
. 0x8490b030:VBoxTray.exe                             2036   1568     14    138 2020-03-20 11:55:35 UTC+0000
 0x839af9d0:System                                       4      0     82    507 2020-03-20 11:55:28 UTC+0000
. 0x848f6438:smss.exe                                  276      4      2     29 2020-03-20 11:55:28 UTC+0000
Well, this is another awkward one. What to do? I ran mimikatz for starters, but...

# volatility --profile=Win7SP1x86 -f for2.raw mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  home             home-PC
wdigest  HOME-PC$         WORKGROUP

The result is what you see: no password recovered.
As in "Time Matters", I decided to dig through the Chrome history instead.
# volatility --profile=Win7SP1x86 -f for2.raw filescan | grep "History"
Volatility Foundation Volatility Framework 2.6
0x000000001e3d5f80      5      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
0x000000001ec096a8     17      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History-journal
# volatility --profile=Win7SP1x86 -f for2.raw dumpfiles -Q 0x000000001e3d5f80 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
# mv file.None.0x84a3f558.dat History
# strings History | less

(snip)
neymar santosneymar santos!
corona neymarcorona neymar
corona italycorona italy#
corona tunisiecorona tunisie
corona mapcorona map+
neymar best skillsneymar best skills'
neymar instagramneymar instagram
neymarneymar
https://www.youtube.com/watch?v=wQoVjMMYWJ4
https://twitter.com/neymarjr/status/1217902956475047937
https://www.youtube.com/watch?v=BPi3ePVFRik
https://www.youtube.com/results?search_query=neymar+santos
http://52.205.164.112/
(snip)
https://www.google.com/search?q=neymar&oq=neymar&aqs=chrome..69i57j46j0l6.1797j0j7&sourceid=chrome&ie=UTF-8
https://www.youtube.com/results?search_query=neymar+santosneymar santos - YouTube
https://www.youtube.com/watch?v=BPi3ePVFRikNeymar JR Ultimate Skills 2013 - Part 01 Santos | HD - YouTube
http://52.205.164.112/
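The dumped History file is a SQLite database, so `strings` throws away the part that a "time problem" actually hinges on: the visit timestamps. (The doubled "neymar santosneymar santos" lines come from Chrome's keyword_search_terms table, which stores each query twice, as `term` and `lower_term`.) The script below is an added example, not code from the original post: it builds a constructed stand-in for the History database with a subset of Chrome's real schema (urls, visits, keyword_search_terms), converts Chrome's timestamps (microseconds since 1601-01-01 UTC) to UTC, lists the search terms and a visit timeline, and flags URLs whose host is a bare IP literal. The rows are made up to mirror the strings output above; for the real artifact you would open the dumped `History` file with `sqlite3.connect` instead of `build_sample_history()`.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome/WebKit epoch: microseconds since 1601-01-01 00:00:00 UTC (same origin as
# Windows FILETIME, but microseconds rather than 100 ns ticks).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_CHROME_US = 11644473600 * 1_000_000  # 1970-01-01 in Chrome units


def chrome_time_to_utc(us):
    """Chrome timestamp -> aware UTC datetime; Chrome stores 0 for 'never', so return None."""
    if not us:
        return None
    return CHROME_EPOCH + timedelta(microseconds=int(us))


def utc_to_chrome_time(dt):
    """Inverse of chrome_time_to_utc (used for time-window queries and test data)."""
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed stand-in for a dumped Chrome History file (assumption: subset of the
    real schema). The rows are invented to resemble the strings output, not challenge data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          lower_term TEXT, term TEXT);
    """)
    t0 = utc_to_chrome_time(datetime(2020, 3, 20, 11, 56, 58, tzinfo=timezone.utc))
    conn.executemany(
        "INSERT INTO urls(id,url,title,visit_count,typed_count,last_visit_time) VALUES (?,?,?,?,?,?)",
        [(1, "https://www.youtube.com/results?search_query=neymar+santos", "neymar santos - YouTube", 1, 0, t0),
         (2, "https://www.youtube.com/watch?v=BPi3ePVFRik",
          "Neymar JR Ultimate Skills 2013 - Part 01 Santos | HD - YouTube", 1, 0, t0 + 20_000_000),
         (3, "http://52.205.164.112/", "", 1, 1, t0 + 45_000_000)])
    conn.executemany("INSERT INTO visits(url,visit_time,from_visit,transition) VALUES (?,?,?,?)",
                     [(1, t0, 0, 0), (2, t0 + 20_000_000, 1, 0), (3, t0 + 45_000_000, 0, 1)])
    conn.executemany("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                     [(2, 1, "neymar santos", "neymar santos"),
                      (2, 1, "corona neymar", "corona neymar")])
    return conn


def search_terms(conn):
    """Queries typed into search engines, joined to the result URL they produced."""
    return conn.execute("""
        SELECT k.term, u.url FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
        ORDER BY u.last_visit_time, k.term""").fetchall()


def visit_timeline(conn, start=None, end=None):
    """Every visit as (ISO-8601 UTC, url, title), optionally limited to a UTC window.
    The window is converted to Chrome units so SQLite does the filtering."""
    lo = utc_to_chrome_time(start) if start else 0
    hi = utc_to_chrome_time(end) if end else 2**63 - 1
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url
        WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time""", (lo, hi)).fetchall()
    return [(chrome_time_to_utc(t).isoformat(), url, title) for t, url, title in rows]


def bare_ip_urls(conn):
    """URLs whose host is a raw IP literal (no DNS name): the usual triage red flag."""
    hits = []
    for url, last in conn.execute("SELECT url, last_visit_time FROM urls"):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue  # a hostname, not an IP literal
        hits.append((url, chrome_time_to_utc(last).isoformat()))
    return hits


if __name__ == "__main__":
    # Real artifact: h = sqlite3.connect("History") on a copy of the dumped file.
    h = build_sample_history()
    for row in search_terms(h):
        print("search:", row)
    for row in visit_timeline(h):
        print("visit: ", row)
    for row in bare_ip_urls(h):
        print("IP URL:", row)
```

Two practical notes: query a copy of the dumped file, not the original (Chrome keeps the database open with a `History-journal`, which filescan also showed, so an inconsistent page set is possible), and keep everything in UTC until the end, because the image's local time (+0100 here) is exactly the kind of offset that a "time" challenge plays with.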
Something connected to a suspicious site, http[:]//52.205.164.112/. Also, somebody really loves Neymar.
Let's take a look, then.

# ping 52.205.164.112
PING 52.205.164.112 (52.205.164.112) 56(84) bytes of data.
^C
--- 52.205.164.112 ping statistics ---
23 packets transmitted, 0 received, 100% packet loss, time 22857ms

No luck; the host is gone. Let's hold out hope and search the web archives instead.
After looking around, I heard this one is good:
http://timetravel.mementoweb.org/list/20090108113335/http://52.205.164.112
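Memento aggregators such as the Time Travel service above expose, besides the HTML list, a machine-readable TimeMap in RFC 7089 link-format (one `<uri>; rel="memento"; datetime="..."` entry per archived capture). For a "time" challenge the useful question is which capture sits closest to the image's capture time (2020-03-20 11:58:05 UTC from imageinfo). The parser below is an added example, not code from the original post or the Memento project; the TimeMap text is constructed (hosts under `archive.example`, made-up capture times) and only its format is real. Parameters are matched one by one rather than splitting on commas, because the quoted RFC 1123 datetime itself contains a comma.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed TimeMap in RFC 7089 link-format. archive.example and the capture
# timestamps are invented for this example; they are not real archive entries.
SAMPLE_TIMEMAP = """\
<http://52.205.164.112/>;rel="original",
<http://timemap.archive.example/link/http://52.205.164.112/>
  ; rel="self";type="application/link-format",
<http://timegate.archive.example/http://52.205.164.112/>; rel="timegate",
<http://archive.example/web/20191102081530/http://52.205.164.112/>
  ; rel="first memento";datetime="Sat, 02 Nov 2019 08:15:30 GMT",
<http://archive.example/web/20200325193000/http://52.205.164.112/>
  ; rel="last memento";datetime="Wed, 25 Mar 2020 19:30:00 GMT"
"""

# A link is <uri> followed by ;name=value parameters; values may be quoted strings
# (which can contain commas) or bare tokens.
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[A-Za-z]+\s*=\s*(?:"[^"]*"|[^;,\s]+))*)')
_PARAM = re.compile(r'([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')


def parse_timemap(text):
    """Return [(uri, {param: value})] for every link in a link-format TimeMap."""
    links = []
    for m in _LINK.finditer(text):
        # findall yields '' for the group that did not match, so pick whichever is set
        params = {name: quoted or bare for name, quoted, bare in _PARAM.findall(m.group(2))}
        links.append((m.group(1), params))
    return links


def _as_utc(rfc1123):
    dt = parsedate_to_datetime(rfc1123)
    if dt.tzinfo is None:          # "-0000" parses as naive; TimeMaps use GMT, so treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def mementos(text):
    """(uri, aware UTC datetime) for every link whose rel includes 'memento', oldest first."""
    out = [(uri, _as_utc(p["datetime"])) for uri, p in parse_timemap(text)
           if "memento" in p.get("rel", "").split() and "datetime" in p]
    return sorted(out, key=lambda m: m[1])


def nearest_memento(text, target_iso):
    """Capture closest to an ISO-8601 instant (e.g. the memory image's capture time).
    Returns (uri, capture time as ISO, signed offset in seconds; positive = captured later)."""
    target = datetime.fromisoformat(target_iso)
    if target.tzinfo is None:
        target = target.replace(tzinfo=timezone.utc)
    uri, when = min(mementos(text), key=lambda m: abs(m[1] - target))
    return uri, when.isoformat(), int((when - target).total_seconds())


if __name__ == "__main__":
    # Image date and time from imageinfo above
    print(nearest_memento(SAMPLE_TIMEMAP, "2020-03-20T11:58:05+00:00"))
```

A capture taken days after the image was acquired may already show a changed page, so the sign of the offset matters as much as its size when you decide which snapshot to trust.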
It did have a hit, so I followed the link over to the Wayback Machine, the one this field trusts most, and
at the bottom left there was something flag-like:
Securinets{█████_1s_my_f4vorit3_Pl4yer}
My first reaction was "how am I supposed to know that?", but the search history was full of neymar. So:
flag: Securinets{neymar_1s_my_f4vorit3_Pl4yer}
The redaction was five block characters, but the actual word turned out to be six.