4ensiX


TryHackMe Memory Forensics writeup

Task 1

Here are some resources I used, check them out for more information:

Volatility: https://github.com/volatilityfoundation/volatility/

Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki

Cheatsheet: https://book.hacktricks.xyz/forensics/volatility-examples

Room icon credit: https://book.cyberyozh.com/counter-forensics-anti-computer-forensics

Task 2

For Tasks 2, 3 and 4, the profile Win7SP1x64 is used throughout.

$ vol.py -f Snapshot6.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/ensix/vmems/Snapshot6.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c4a0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c4bd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-12-27 06:20:05 UTC+0000
     Image local date and time : 2020-12-26 22:20:05 -0800

What is John's password?

When you are handed a memory dump and asked for a password, it is almost always the Windows login password.
Look for the SYSTEM and SAM hives.

$ vol.py -f Snapshot6.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001453010 0x000000003b039010 \??\C:\Users\John\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a00000f010 0x0000000027324010 [no name]
0xfffff8a000024010 0x00000000271af010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000061010 0x00000000272ee010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000790010 0x00000000211b5010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0007f1010 0x0000000021368010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000a8e010 0x000000001b1e8010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a000cce010 0x00000000172b1010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000cf8010 0x0000000016ce6010 \SystemRoot\System32\Config\SAM
0xfffff8a000d81010 0x00000000162d5010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000e0e010 0x0000000016073010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0013ee010 0x000000003bc0d010 \??\C:\Users\John\ntuser.dat

Once they are found, run hashdump with the SYSTEM offset (-y) and the SAM offset (-s):

volatility@deb-vol:~$ vol.py -f Snapshot6.vmem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a000cf8010
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::

47fbd6536d7868c873d5ea455f2fc0c9 -> charmander999

from https://crackstation.net/

charmander999
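As an added example (not part of the original writeup), the steps above in code: pick the SYSTEM and SAM virtual offsets out of hivelist output, parse the pwdump-style hashdump lines, flag accounts whose NT hash is the well-known empty-password hash, and check a cracked candidate locally by recomputing the NT hash (MD4 over the UTF-16LE password) in pure Python, since hashlib's md4 is often unavailable on OpenSSL 3 builds. The sample text is a trimmed, constructed copy of the output shown above; the function names are my own.

```python
import re
import struct

# Constructed samples: trimmed copies of the hivelist and hashdump output above.
HIVELIST_OUTPUT = r"""
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000027324010 [no name]
0xfffff8a000024010 0x00000000271af010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000cf8010 0x0000000016ce6010 \SystemRoot\System32\Config\SAM
"""
HASHDUMP_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of "": the NT hash of a blank password


def find_hive_offsets(hivelist_text):
    """Return the virtual offsets of the SYSTEM and SAM hives (hashdump's -y and -s)."""
    offsets = {}
    for line in hivelist_text.splitlines():
        m = re.match(r"(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(\S.*)$", line)
        if m:
            name = m.group(2).rsplit("\\", 1)[-1].upper()
            if name in ("SYSTEM", "SAM"):
                offsets[name] = m.group(1)
    return offsets


def hashdump_command(image, profile, offsets):
    """Build the hashdump command line from the offsets found above."""
    return (f"vol.py -f {image} --profile={profile} hashdump "
            f"-y {offsets['SYSTEM']} -s {offsets['SAM']}")


def parse_hashdump(text):
    """pwdump format user:rid:lm_hex:nt_hex::: -> list of (user, rid, lm, nt)."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def blank_password_accounts(text):
    """Accounts whose NT hash equals the empty-password hash."""
    return [user for user, _, _, nt in parse_hashdump(text) if nt == EMPTY_NT]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320): three rounds of 16 steps per 64-byte block."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + w[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + w[k2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + (b ^ c ^ d) + w[k3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + u) & 0xFFFFFFFF for v, u in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h).hex()


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def verify_candidate(nt_hex, candidate):
    """Check a cracked candidate locally instead of trusting a lookup site's answer."""
    return nt_hash(candidate) == nt_hex.lower()


if __name__ == "__main__":
    offs = find_hive_offsets(HIVELIST_OUTPUT)
    print(hashdump_command("Snapshot6.vmem", "Win7SP1x64", offs))
    print("blank passwords:", blank_password_accounts(HASHDUMP_OUTPUT))
    john = {u: nt for u, _, _, nt in parse_hashdump(HASHDUMP_OUTPUT)}["John"]
    print("charmander999 matches John:", verify_candidate(john, "charmander999"))
```

Two things the hashdump output already tells a defender before any cracking: Administrator and Guest carry the empty NT hash, and every LM field is the constant aad3b435b51404eeaad3b435b51404ee, so LM storage is disabled and only the NT hash matters. Recomputing the hash locally also avoids sending a real hash to a third-party lookup site.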

Task 3

When was the machine last shutdown?

The shutdown time is found under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows.
First, find the SYSTEM hive.

$ vol.py -f Snapshot19.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00196c010 0x00000000318a5010 \??\C:\Users\John\ntuser.dat
0xfffff8a00197f010 0x00000000070da010 \??\C:\Users\John\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0024e4010 0x000000001b29b010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x0000000027264010 [no name]
0xfffff8a000024010 0x00000000271ef010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000061010 0x000000002732e010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000f7010 0x0000000018a47010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0007ac010 0x000000001b146010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a001502010 0x00000000206c5010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001674410 0x00000000117e5410 \SystemRoot\System32\Config\SECURITY
0xfffff8a0016dc410 0x0000000010426410 \SystemRoot\System32\Config\SAM
0xfffff8a0016f7010 0x000000000108a010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a0017a9010 0x0000000001803010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT

Now that the address of the SYSTEM hive is known:

$ vol.py -f Snapshot19.vmem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K "ControlSet001\Control\Windows"
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: Windows (S)
Last updated: 2020-12-27 22:50:12 UTC+0000

Subkeys:

Values:
REG_DWORD     ErrorMode       : (S) 0
REG_EXPAND_SZ Directory       : (S) %SystemRoot%
REG_DWORD     NoInteractiveServices : (S) 0
REG_EXPAND_SZ SystemDirectory : (S) %SystemRoot%\system32
REG_DWORD     ShellErrorMode  : (S) 1
REG_DWORD     CSDVersion      : (S) 256
REG_DWORD     CSDReleaseType  : (S) 0
REG_DWORD     CSDBuildNumber  : (S) 17514
REG_DWORD     ComponentizedBuild : (S) 1
REG_BINARY    ShutdownTime    : (S)
0x00000000  d2 e3 50 a2 a2 dc d6 01                           ..P.....

[Image: the ShutdownTime bytes decoded as a Windows FILETIME with DCode]
from https://www.digital-detective.net/dcode/
2020-12-27 22:50:12
However, as it turns out,

Last updated: 2020-12-27 22:50:12 UTC+0000

this is the same value, and Volatility also has a convenient shutdowntime command.

$ vol.py -f Snapshot19.vmem --profile=Win7SP1x64 shutdowntime
Volatility Foundation Volatility Framework 2.6.1
Registry: SYSTEM
Key Path: ControlSet001\Control\Windows
Key Last updated: 2020-12-27 22:50:12 UTC+0000
Value Name: ShutdownTime
Value: 2020-12-27 22:50:12 UTC+0000
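As an added example rather than part of the original post, decoding the ShutdownTime REG_BINARY without DCode: the eight bytes are a little-endian Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so the value is unpacked with struct, added to that epoch, and then compared against the key's "Last updated" timestamp from the same printkey output. The sample lines are copied from the output above; the function names are mine.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the REG_BINARY hexdump line that printkey printed for ShutdownTime above,
# and the key's own "Last updated" line from the same output.
PRINTKEY_LINE = "0x00000000  d2 e3 50 a2 a2 dc d6 01                           ..P....."
KEY_LAST_UPDATED = "Last updated: 2020-12-27 22:50:12 UTC+0000"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hexdump_line_bytes(line):
    """Extract the hex byte columns of a printkey hexdump line (offset and ASCII gutter dropped)."""
    m = re.match(r"\s*0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s)+)", line)
    if not m:
        raise ValueError("not a hexdump line: %r" % line)
    return bytes.fromhex(m.group(1))  # fromhex skips the separating whitespace


def filetime_to_datetime(raw):
    """Windows FILETIME: little-endian uint64 of 100 ns ticks since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks = struct.unpack("<Q", raw)[0]
    # timedelta takes microseconds, so divide the 100 ns tick count by 10
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_shutdown_time(printkey_line):
    return filetime_to_datetime(hexdump_line_bytes(printkey_line))


def parse_key_timestamp(last_updated_line):
    """Parse Volatility's 'Last updated: YYYY-MM-DD HH:MM:SS UTC+0000' line."""
    stamp = last_updated_line.split(":", 1)[1].strip()
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC%z")


def shutdown_matches_key_update(printkey_line, last_updated_line):
    """True when ShutdownTime (to the second) equals the key's last-write time."""
    shutdown = decode_shutdown_time(printkey_line).replace(microsecond=0)
    return shutdown == parse_key_timestamp(last_updated_line)


if __name__ == "__main__":
    print("ShutdownTime:", decode_shutdown_time(PRINTKEY_LINE).isoformat())
    print("matches key Last updated:", shutdown_matches_key_update(PRINTKEY_LINE, KEY_LAST_UPDATED))
```

The same FILETIME conversion applies to the other 8-byte REG_BINARY timestamps Windows keeps in the registry, which is why a decoder like this is worth keeping next to the hivelist/printkey commands.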

What did John write?

For records of console activity, that is, of the commands typed, there are cmdscan and consoles.
Both can recover the cmd history, but consoles also shows the command output.
Still, it doesn't hurt to remember both. There is also cmdline.

$ vol.py -f Snapshot19.vmem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{You_found_me} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:

C:\>cd /Users

C:\Users>cd /John
The system cannot find the path specified.

C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 1602-421F

 Directory of C:\Users

12/27/2020  02:20 AM    <DIR>          .
12/27/2020  02:20 AM    <DIR>          ..
12/27/2020  02:21 AM    <DIR>          John
04/12/2011  08:45 AM    <DIR>          Public
               0 File(s)              0 bytes
               4 Dir(s)  54,565,433,344 bytes free

C:\Users>cd John

C:\Users\John>

THM{You_found_me}
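An added example, not from the original writeup: a small parser for the consoles output above that pulls out each console's conhost PID, its attached process, and its command history, then flags commands that redirect output into a file, which is how "what did John write" is answered. The sample text is a trimmed, constructed copy of the output above; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the consoles output shown above.
CONSOLES_OUTPUT = r"""
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
OriginalTitle: %SystemRoot%\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{You_found_me} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:

C:\>cd /Users

C:\Users>cd /John
The system cannot find the path specified.
"""

_CONSOLE_RE = re.compile(r"ConsoleProcess:\s+(\S+)\s+Pid:\s+(\d+)")
_ATTACHED_RE = re.compile(r"AttachedProcess:\s+(\S+)\s+Pid:\s+(\d+)")
_CMD_RE = re.compile(r"Cmd #(\d+) at 0x[0-9a-fA-F]+: (.*)$")
_REDIRECT_RE = re.compile(r">>?\s*([^\s&|<>]+)")  # '> file' or '>> file' redirection target


def parse_consoles(text):
    """Group consoles output into one record per conhost: PIDs, attached process, history."""
    consoles = []
    for line in text.splitlines():
        m = _CONSOLE_RE.search(line)
        if m:  # a new console block starts here
            consoles.append({"console_exe": m.group(1), "console_pid": int(m.group(2)),
                             "attached_exe": None, "attached_pid": None, "commands": []})
            continue
        if not consoles:
            continue
        m = _ATTACHED_RE.search(line)
        if m:
            consoles[-1]["attached_exe"] = m.group(1)
            consoles[-1]["attached_pid"] = int(m.group(2))
            continue
        m = _CMD_RE.search(line)
        if m:
            consoles[-1]["commands"].append((int(m.group(1)), m.group(2).strip()))
    return consoles


def file_write_commands(commands):
    """History entries that redirect output into a file, paired with the target path."""
    hits = []
    for _, cmd in commands:
        m = _REDIRECT_RE.search(cmd)
        if m:
            hits.append((cmd, m.group(1)))
    return hits


if __name__ == "__main__":
    for con in parse_consoles(CONSOLES_OUTPUT):
        print(f"{con['console_exe']} pid {con['console_pid']} -> "
              f"{con['attached_exe']} pid {con['attached_pid']}, {len(con['commands'])} commands")
        for cmd, target in file_write_commands(con["commands"]):
            print("  wrote to", target, "via:", cmd)
```

Note that the screen Dump above starts at `cd /Users`: the `cls` at Cmd #2 cleared the screen buffer, so the `echo ... > test.txt` survives only in the command history. That is why the history buffer, not just the screen contents, is what to check.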

Task 4

I had no motivation to analyse the mechanism by which TrueCrypt leaves the passphrase unencrypted in memory, so I relied on Volatility's commands.

$ vol.py -h | grep truecrypt
Volatility Foundation Volatility Framework 2.6.1
                truecryptmaster Recover TrueCrypt 7.1a Master Keys
                truecryptpassphrase     TrueCrypt Cached Passphrase Finder
                truecryptsummary        TrueCrypt Summary
$ vol.py -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase
Volatility Foundation Volatility Framework 2.6.1
Found at 0xfffff8800512bee4 length 11: forgetmenot

forgetmenot