前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >OtterCTF 13道内存取证题目详细解析(中)

OtterCTF 13道内存取证题目详细解析(中)

作者头像
ChaMd5安全团队
发布2018-12-28 11:23:31
3K1
发布2018-12-28 11:23:31
举报
文章被收录于专栏:ChaMd5安全团队

5 - Name Game 2 150

question

From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What's rick's character's name? format: CTF{…}

solve

先看下进程

代码语言:javascript
复制
➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 psscan  
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d403610 mscorsvw.exe        412    492 0x0000000040d28000 2018-08-04 19:28:42 UTC+0000                                 
0x000000007d686b30 Rick And Morty     3820   2728 0x000000000b59a000 2018-08-04 19:32:55 UTC+0000                                 
0x000000007d6a7b30 bittorrentie.e     2308   2836 0x0000000076ada000 2018-08-04 19:27:19 UTC+0000                                 
0x000000007d6c9b30 bittorrentie.e     2624   2836 0x00000000761f5000 2018-08-04 19:27:21 UTC+0000                                 
0x000000007d7cb740 LunarMS.exe         708   2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000                                 
0x000000007d832060 sppsvc.exe         2500    492 0x000000000ae7b000 2018-08-04 19:26:58 UTC+0000                                 
0x000000007d87e060 explorer.exe       2728   2696 0x000000000873f000 2018-08-04 19:27:04 UTC+0000                                 
0x000000007d890b30 BitTorrent.exe     2836   2728 0x0000000006c2e000 2018-08-04 19:27:07 UTC+0000                                 
0x000000007d8f02e0 WebCompanion.e     2844   2728 0x0000000006619000 2018-08-04 19:27:07 UTC+0000   2018-08-04 19:33:33 UTC+0000  
0x000000007d9aab30 SearchIndexer.     3064    492 0x0000000079a02000 2018-08-04 19:27:14 UTC+0000                                 
0x000000007da8f060 sc.exe             3208   3880 0x000000006fe9a000 2018-08-04 19:33:47 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0x000000007db12060 WmiPrvSE.exe       2136    604 0x0000000073b40000 2018-08-04 19:26:51 UTC+0000                                 
0x000000007db8f060 WebCompanionIn     3880   1484 0x0000000043242000 2018-08-04 19:33:07 UTC+0000                                 
0x000000007dbcdb30 vmtoolsd.exe       2804   2728 0x00000000074c6000 2018-08-04 19:27:06 UTC+0000                                 
0x000000007dbe9b30 taskhost.exe       2344    492 0x000000000b824000 2018-08-04 19:26:57 UTC+0000                                 
0x000000007dbfab30 dwm.exe            2704    844 0x0000000008a6d000 2018-08-04 19:27:04 UTC+0000                                 
0x000000007dbfd960 notepad.exe        3304   3132 0x000000007207d000 2018-08-04 19:34:10 UTC+0000                                 
0x000000007dc0f630 VGAuthService.     1356    492 0x0000000018f8b000 2018-08-04 19:26:25 UTC+0000                                 
0x000000007dc7f630 dllhost.exe        1324    492 0x000000001030d000 2018-08-04 19:26:42 UTC+0000                                 
0x000000007dc92920 vmtoolsd.exe       1428    492 0x0000000017f54000 2018-08-04 19:26:27 UTC+0000                                 
0x000000007dcb6890 sc.exe              452   3880 0x000000005f76a000 2018-08-04 19:33:48 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0x000000007dce7b30 SearchFilterHo     2740   3064 0x000000002fa16000 2018-08-04 19:33:11 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007dde7800 svchost.exe        1948    492 0x0000000076d80000 2018-08-04 19:26:42 UTC+0000                                 
0x000000007ddf3b30 msdtc.exe          1436    492 0x000000000fcd5000 2018-08-04 19:26:43 UTC+0000                                 
0x000000007de01060 sc.exe             2028   3880 0x0000000077e22000 2018-08-04 19:33:49 UTC+0000   2018-08-04 19:34:03 UTC+0000  
0x000000007de2e9e0 svchost.exe         808    492 0x000000001fe6a000 2018-08-04 19:26:18 UTC+0000                                 
0x000000007de31b30 svchost.exe         844    492 0x000000001ff36000 2018-08-04 19:26:18 UTC+0000                                 
0x000000007de4db30 svchost.exe         868    492 0x000000002027f000 2018-08-04 19:26:18 UTC+0000                                 
0x000000007de753a0 audiodg.exe         960    808 0x000000001f6df000 2018-08-04 19:26:19 UTC+0000                                 
0x000000007de97060 svchost.exe        1012    492 0x000000001f58e000 2018-08-04 19:26:20 UTC+0000                                 
0x000000007ded37e0 svchost.exe         620    492 0x000000001e7a0000 2018-08-04 19:26:21 UTC+0000                                 
0x000000007df5ab30 spoolsv.exe        1120    492 0x000000001b0e7000 2018-08-04 19:26:22 UTC+0000                                 
0x000000007df718a0 svchost.exe        1164    492 0x000000001ac36000 2018-08-04 19:26:23 UTC+0000                                 
0x000000007e000a90 chrome.exe         3924   4076 0x00000000006ba000 2018-08-04 19:29:51 UTC+0000                                 
0x000000007e072b30 sc.exe             3504   3880 0x0000000040331000 2018-08-04 19:33:48 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0x000000007e0d1060 Lavasoft.WCAss     3496    492 0x0000000078089000 2018-08-04 19:33:49 UTC+0000                                 
0x000000007e0f4060 winlogon.exe        432    380 0x00000000237dc000 2018-08-04 19:26:11 UTC+0000                                 
0x000000007e1377c0 services.exe        492    396 0x000000002257a000 2018-08-04 19:26:12 UTC+0000                                 
0x000000007e13f060 lsass.exe           500    396 0x000000002219a000 2018-08-04 19:26:12 UTC+0000                                 
0x000000007e1461a0 lsm.exe             508    396 0x00000000221a2000 2018-08-04 19:26:12 UTC+0000                                 
0x000000007e1bdb30 vmacthlp.exe        668    492 0x000000002120e000 2018-08-04 19:26:16 UTC+0000                                 
0x000000007e1ebb30 svchost.exe         712    492 0x0000000020d1c000 2018-08-04 19:26:17 UTC+0000                                 
0x000000007e4268b0 WebCompanion.e     3856   3880 0x000000003c956000 2018-08-04 19:34:05 UTC+0000                                 
0x000000007e435240 chrome.exe         3648   4076 0x0000000067df6000 2018-08-04 19:33:38 UTC+0000                                 
0x000000007e4643d0 conhost.exe        2420    348 0x0000000075907000 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e4af9f0 svchost.exe         164    492 0x000000003ffbd000 2018-08-04 19:28:42 UTC+0000                                 
0x000000007e4c2700 mscorsvw.exe       3124    492 0x000000003fa08000 2018-08-04 19:28:43 UTC+0000                                 
0x000000007e4e4b30 svchost.exe        3196    492 0x000000003e5d5000 2018-08-04 19:28:44 UTC+0000                                 
0x000000007e5bfb30 ipconfig.exe       3788   3916 0x0000000039194000 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e5f98f0 chrome.exe         2748   4076 0x0000000074a76000 2018-08-04 19:31:15 UTC+0000                                 
0x000000007e6c5b30 vmware-tray.ex     3720   3820 0x000000007653c000 2018-08-04 19:33:02 UTC+0000                                 
0x000000007e6e3870 chrome.exe         4076   2728 0x0000000033cdc000 2018-08-04 19:29:30 UTC+0000                                 
0x000000007e6eab30 chrome.exe         4084   4076 0x000000003338b000 2018-08-04 19:29:30 UTC+0000                                 
0x000000007e6f7b30 chrome.exe         1808   4076 0x000000003ae8a000 2018-08-04 19:29:32 UTC+0000                                 
0x000000007e702b30 chrome.exe          576   4076 0x0000000003f38000 2018-08-04 19:29:31 UTC+0000                                 
0x000000007e772b30 cmd.exe            3916   1428 0x00000000199c1000 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e7ef1f0 chrome.exe         1796   4076 0x000000002b91a000 2018-08-04 19:33:41 UTC+0000                                 
0x000000007e7fe210 SearchProtocol     3428   3064 0x0000000010edf000 2018-08-04 19:33:11 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e8ed060 wininit.exe         396    336 0x00000000244f5000 2018-08-04 19:26:11 UTC+0000                                 
0x000000007eac8380 csrss.exe           348    336 0x00000000245af000 2018-08-04 19:26:10 UTC+0000                                 
0x000000007f28c2d0 PresentationFo      724    492 0x000000006541b000 2018-08-04 19:27:52 UTC+0000                                 
0x000000007f2d3b30 csrss.exe           388    380 0x0000000074a96000 2018-08-04 19:26:11 UTC+0000                                 
0x000000007f67e4d0 smss.exe            260      4 0x000000002abc9000 2018-08-04 19:26:03 UTC+0000                                 
0x000000007fb24b30 WmiPrvSE.exe       1800    604 0x00000000134a3000 2018-08-04 19:26:39 UTC+0000                                 
0x000000007fc3c890 svchost.exe         604    492 0x0000000021336000 2018-08-04 19:26:16 UTC+0000                                 
0x000000007fe83740 System                4      0 0x0000000000187000 2018-08-04 19:26:03 UTC+0000                                 

把LunarMS.exe 也就是708 dump出来

代码语言:javascript
复制
➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D ./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing LunarMS.exe [   708] to 708.dmp

然后就在里面找0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}

代码语言:javascript
复制
strings 708.dmp|grep Z |grep d |grep @

发现太多了,只能换hashdump了

代码语言:javascript
复制
➜  Desktop hexdump -C 708.dmp |grep "5a 0c 00" -A 3 -B 3 
......
0b04ac30  10 00 00 00 00 35 c1 50  00 00 00 00 ec 0f 00 00  |.....5.P........|
0b04ac40  84 c7 b6 1c 10 00 00 00  00 35 c1 50 64 0f c9 1c  |.........5.Pd...|
0b04ac50  14 18 00 00 98 5a 6e 46  10 00 00 00 00 35 c1 50  |.....ZnF.....5.P|
0b04ac60  00 00 00 00 5a 0c 00 00  64 c5 22 1e 10 00 00 00  |....Z...d.".....|
0b04ac70  00 35 c1 50 6c 77 f8 1c  d3 a5 18 00 50 f5 04 1e  |.5.Plw......P...|
0b04ac80  10 00 00 00 00 35 c1 50  48 b9 28 1f bd 1f 00 00  |.....5.PH.(.....|
0b04ac90  fc 13 6f 46 10 00 00 00  00 35 c1 50 00 00 00 00  |..oF.....5.P....|
--
0c33a470  55 44 81 ab 55 44 81 ab  5c 4d ef a3 44 e7 fa 08  |UD..UD..\M..D...|
0c33a480  dc 2d de 08 f6 e7 22 08  f6 e7 22 08 5c 4d 98 d4  |.-...."...".\M..|
0c33a490  db 68 8a 0c 00 00 00 80  92 06 00 00 ac 00 00 00  |.h..............|
0c33a4a0  9a 23 32 23 0b 00 00 01  5a 0c 00 00 4d 30 72 74  |.#2#....Z...M0rt|
0c33a4b0  79 4c 30 4c 00 00 00 00  00 00 00 21 4e 00 00 55  |yL0L.......!N..U|
0c33a4c0  75 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |u...............|
0c33a4d0  00 00 00 00 00 00 00 00  00 00 00 a4 00 00 3b 03  |..............;.|
--
0d4348e0  d0 f2 4c ce 31 15 f7 28  46 11 21 0f 86 15 a5 e5  |..L.1..(F.!.....|
0d4348f0  0d 52 30 69 48 06 c7 9f  2d ae 6e e7 78 44 7b 53  |.R0iH...-.n.xD{S|
0d434900  ba 7d bc c2 b8 f9 74 7d  45 f5 64 6b 77 aa e3 70  |.}....t}E.dkw..p|
0d434910  ff e9 d3 5d 10 88 84 de  01 1e 96 48 9c 5a 0c 00  |...].......H.Z..|
0d434920  58 22 7c c5 0d 09 7b 51  21 f7 ce 48 1b 97 81 33  |X"|...{Q!..H...3|
0d434930  00 f2 4d 3b 59 d5 e4 b5  ac ef 11 1d ba 47 ee ba  |..M;Y........G..|
0d434940  4e ff 95 4e d2 b9 60 0c  f3 99 e4 fd c9 04 6c 79  |N..N..`.......ly|
......

flag

代码语言:javascript
复制
CTF{M0rtyL0L}

6 - Silly Rick 100

question

Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick's email password?

format: CTF{flag}

solve

都说了copy了,直接看粘贴板

代码语言:javascript
复制
➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                         Handle Object             Data                                              
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT                0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs                                    
         1 WinSta0       CF_TEXT                          0x10 ------------------                                                   
         1 WinSta0       0x150133L              0x200000000000 ------------------                                                   
         1 WinSta0       CF_TEXT                           0x1 ------------------                                                   
         1 ------------- ------------------           0x150133 0xfffff900c1c1adc0                                                   

flag

代码语言:javascript
复制
CTF{M@il_Pr0vid0rs}
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2018-12-16,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 ChaMd5安全团队 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
目录
  • 5 - Name Game 2 150
    • question
      • solve
        • flag
        • 6 - Silly Rick 100
          • question
            • solve
              • flag
              领券
              问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档