
OtterCTF: Detailed Walkthrough of 13 Memory Forensics Challenges (Part 2)

Author: ChaMd5 Security Team
Published 2018-12-28 11:23:31

5 - Name Game 2 150

question

From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What's rick's character's name? format: CTF{…}

solve

First, list the processes with psscan:

➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 psscan  
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d403610 mscorsvw.exe        412    492 0x0000000040d28000 2018-08-04 19:28:42 UTC+0000                                 
0x000000007d686b30 Rick And Morty     3820   2728 0x000000000b59a000 2018-08-04 19:32:55 UTC+0000                                 
0x000000007d6a7b30 bittorrentie.e     2308   2836 0x0000000076ada000 2018-08-04 19:27:19 UTC+0000                                 
0x000000007d6c9b30 bittorrentie.e     2624   2836 0x00000000761f5000 2018-08-04 19:27:21 UTC+0000                                 
0x000000007d7cb740 LunarMS.exe         708   2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000                                 
0x000000007d832060 sppsvc.exe         2500    492 0x000000000ae7b000 2018-08-04 19:26:58 UTC+0000                                 
0x000000007d87e060 explorer.exe       2728   2696 0x000000000873f000 2018-08-04 19:27:04 UTC+0000                                 
0x000000007d890b30 BitTorrent.exe     2836   2728 0x0000000006c2e000 2018-08-04 19:27:07 UTC+0000                                 
0x000000007d8f02e0 WebCompanion.e     2844   2728 0x0000000006619000 2018-08-04 19:27:07 UTC+0000   2018-08-04 19:33:33 UTC+0000  
0x000000007d9aab30 SearchIndexer.     3064    492 0x0000000079a02000 2018-08-04 19:27:14 UTC+0000                                 
0x000000007da8f060 sc.exe             3208   3880 0x000000006fe9a000 2018-08-04 19:33:47 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0x000000007db12060 WmiPrvSE.exe       2136    604 0x0000000073b40000 2018-08-04 19:26:51 UTC+0000                                 
0x000000007db8f060 WebCompanionIn     3880   1484 0x0000000043242000 2018-08-04 19:33:07 UTC+0000                                 
0x000000007dbcdb30 vmtoolsd.exe       2804   2728 0x00000000074c6000 2018-08-04 19:27:06 UTC+0000                                 
0x000000007dbe9b30 taskhost.exe       2344    492 0x000000000b824000 2018-08-04 19:26:57 UTC+0000                                 
0x000000007dbfab30 dwm.exe            2704    844 0x0000000008a6d000 2018-08-04 19:27:04 UTC+0000                                 
0x000000007dbfd960 notepad.exe        3304   3132 0x000000007207d000 2018-08-04 19:34:10 UTC+0000                                 
0x000000007dc0f630 VGAuthService.     1356    492 0x0000000018f8b000 2018-08-04 19:26:25 UTC+0000                                 
0x000000007dc7f630 dllhost.exe        1324    492 0x000000001030d000 2018-08-04 19:26:42 UTC+0000                                 
0x000000007dc92920 vmtoolsd.exe       1428    492 0x0000000017f54000 2018-08-04 19:26:27 UTC+0000                                 
0x000000007dcb6890 sc.exe              452   3880 0x000000005f76a000 2018-08-04 19:33:48 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0x000000007dce7b30 SearchFilterHo     2740   3064 0x000000002fa16000 2018-08-04 19:33:11 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007dde7800 svchost.exe        1948    492 0x0000000076d80000 2018-08-04 19:26:42 UTC+0000                                 
0x000000007ddf3b30 msdtc.exe          1436    492 0x000000000fcd5000 2018-08-04 19:26:43 UTC+0000                                 
0x000000007de01060 sc.exe             2028   3880 0x0000000077e22000 2018-08-04 19:33:49 UTC+0000   2018-08-04 19:34:03 UTC+0000  
0x000000007de2e9e0 svchost.exe         808    492 0x000000001fe6a000 2018-08-04 19:26:18 UTC+0000                                 
0x000000007de31b30 svchost.exe         844    492 0x000000001ff36000 2018-08-04 19:26:18 UTC+0000                                 
0x000000007de4db30 svchost.exe         868    492 0x000000002027f000 2018-08-04 19:26:18 UTC+0000                                 
0x000000007de753a0 audiodg.exe         960    808 0x000000001f6df000 2018-08-04 19:26:19 UTC+0000                                 
0x000000007de97060 svchost.exe        1012    492 0x000000001f58e000 2018-08-04 19:26:20 UTC+0000                                 
0x000000007ded37e0 svchost.exe         620    492 0x000000001e7a0000 2018-08-04 19:26:21 UTC+0000                                 
0x000000007df5ab30 spoolsv.exe        1120    492 0x000000001b0e7000 2018-08-04 19:26:22 UTC+0000                                 
0x000000007df718a0 svchost.exe        1164    492 0x000000001ac36000 2018-08-04 19:26:23 UTC+0000                                 
0x000000007e000a90 chrome.exe         3924   4076 0x00000000006ba000 2018-08-04 19:29:51 UTC+0000                                 
0x000000007e072b30 sc.exe             3504   3880 0x0000000040331000 2018-08-04 19:33:48 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0x000000007e0d1060 Lavasoft.WCAss     3496    492 0x0000000078089000 2018-08-04 19:33:49 UTC+0000                                 
0x000000007e0f4060 winlogon.exe        432    380 0x00000000237dc000 2018-08-04 19:26:11 UTC+0000                                 
0x000000007e1377c0 services.exe        492    396 0x000000002257a000 2018-08-04 19:26:12 UTC+0000                                 
0x000000007e13f060 lsass.exe           500    396 0x000000002219a000 2018-08-04 19:26:12 UTC+0000                                 
0x000000007e1461a0 lsm.exe             508    396 0x00000000221a2000 2018-08-04 19:26:12 UTC+0000                                 
0x000000007e1bdb30 vmacthlp.exe        668    492 0x000000002120e000 2018-08-04 19:26:16 UTC+0000                                 
0x000000007e1ebb30 svchost.exe         712    492 0x0000000020d1c000 2018-08-04 19:26:17 UTC+0000                                 
0x000000007e4268b0 WebCompanion.e     3856   3880 0x000000003c956000 2018-08-04 19:34:05 UTC+0000                                 
0x000000007e435240 chrome.exe         3648   4076 0x0000000067df6000 2018-08-04 19:33:38 UTC+0000                                 
0x000000007e4643d0 conhost.exe        2420    348 0x0000000075907000 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e4af9f0 svchost.exe         164    492 0x000000003ffbd000 2018-08-04 19:28:42 UTC+0000                                 
0x000000007e4c2700 mscorsvw.exe       3124    492 0x000000003fa08000 2018-08-04 19:28:43 UTC+0000                                 
0x000000007e4e4b30 svchost.exe        3196    492 0x000000003e5d5000 2018-08-04 19:28:44 UTC+0000                                 
0x000000007e5bfb30 ipconfig.exe       3788   3916 0x0000000039194000 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e5f98f0 chrome.exe         2748   4076 0x0000000074a76000 2018-08-04 19:31:15 UTC+0000                                 
0x000000007e6c5b30 vmware-tray.ex     3720   3820 0x000000007653c000 2018-08-04 19:33:02 UTC+0000                                 
0x000000007e6e3870 chrome.exe         4076   2728 0x0000000033cdc000 2018-08-04 19:29:30 UTC+0000                                 
0x000000007e6eab30 chrome.exe         4084   4076 0x000000003338b000 2018-08-04 19:29:30 UTC+0000                                 
0x000000007e6f7b30 chrome.exe         1808   4076 0x000000003ae8a000 2018-08-04 19:29:32 UTC+0000                                 
0x000000007e702b30 chrome.exe          576   4076 0x0000000003f38000 2018-08-04 19:29:31 UTC+0000                                 
0x000000007e772b30 cmd.exe            3916   1428 0x00000000199c1000 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e7ef1f0 chrome.exe         1796   4076 0x000000002b91a000 2018-08-04 19:33:41 UTC+0000                                 
0x000000007e7fe210 SearchProtocol     3428   3064 0x0000000010edf000 2018-08-04 19:33:11 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0x000000007e8ed060 wininit.exe         396    336 0x00000000244f5000 2018-08-04 19:26:11 UTC+0000                                 
0x000000007eac8380 csrss.exe           348    336 0x00000000245af000 2018-08-04 19:26:10 UTC+0000                                 
0x000000007f28c2d0 PresentationFo      724    492 0x000000006541b000 2018-08-04 19:27:52 UTC+0000                                 
0x000000007f2d3b30 csrss.exe           388    380 0x0000000074a96000 2018-08-04 19:26:11 UTC+0000                                 
0x000000007f67e4d0 smss.exe            260      4 0x000000002abc9000 2018-08-04 19:26:03 UTC+0000                                 
0x000000007fb24b30 WmiPrvSE.exe       1800    604 0x00000000134a3000 2018-08-04 19:26:39 UTC+0000                                 
0x000000007fc3c890 svchost.exe         604    492 0x0000000021336000 2018-08-04 19:26:16 UTC+0000                                 
0x000000007fe83740 System                4      0 0x0000000000187000 2018-08-04 19:26:03 UTC+0000                                 

Dump the memory of LunarMS.exe, PID 708:

➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D ./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing LunarMS.exe [   708] to 708.dmp

Then search the dump for the signature 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}:

strings 708.dmp|grep Z |grep d |grep @

That produced far too many hits, so I switched to hexdump and searched for the fixed tail of the signature instead:

➜  Desktop hexdump -C 708.dmp |grep "5a 0c 00" -A 3 -B 3 
......
0b04ac30  10 00 00 00 00 35 c1 50  00 00 00 00 ec 0f 00 00  |.....5.P........|
0b04ac40  84 c7 b6 1c 10 00 00 00  00 35 c1 50 64 0f c9 1c  |.........5.Pd...|
0b04ac50  14 18 00 00 98 5a 6e 46  10 00 00 00 00 35 c1 50  |.....ZnF.....5.P|
0b04ac60  00 00 00 00 5a 0c 00 00  64 c5 22 1e 10 00 00 00  |....Z...d.".....|
0b04ac70  00 35 c1 50 6c 77 f8 1c  d3 a5 18 00 50 f5 04 1e  |.5.Plw......P...|
0b04ac80  10 00 00 00 00 35 c1 50  48 b9 28 1f bd 1f 00 00  |.....5.PH.(.....|
0b04ac90  fc 13 6f 46 10 00 00 00  00 35 c1 50 00 00 00 00  |..oF.....5.P....|
--
0c33a470  55 44 81 ab 55 44 81 ab  5c 4d ef a3 44 e7 fa 08  |UD..UD..\M..D...|
0c33a480  dc 2d de 08 f6 e7 22 08  f6 e7 22 08 5c 4d 98 d4  |.-...."...".\M..|
0c33a490  db 68 8a 0c 00 00 00 80  92 06 00 00 ac 00 00 00  |.h..............|
0c33a4a0  9a 23 32 23 0b 00 00 01  5a 0c 00 00 4d 30 72 74  |.#2#....Z...M0rt|
0c33a4b0  79 4c 30 4c 00 00 00 00  00 00 00 21 4e 00 00 55  |yL0L.......!N..U|
0c33a4c0  75 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |u...............|
0c33a4d0  00 00 00 00 00 00 00 00  00 00 00 a4 00 00 3b 03  |..............;.|
--
0d4348e0  d0 f2 4c ce 31 15 f7 28  46 11 21 0f 86 15 a5 e5  |..L.1..(F.!.....|
0d4348f0  0d 52 30 69 48 06 c7 9f  2d ae 6e e7 78 44 7b 53  |.R0iH...-.n.xD{S|
0d434900  ba 7d bc c2 b8 f9 74 7d  45 f5 64 6b 77 aa e3 70  |.}....t}E.dkw..p|
0d434910  ff e9 d3 5d 10 88 84 de  01 1e 96 48 9c 5a 0c 00  |...].......H.Z..|
0d434920  58 22 7c c5 0d 09 7b 51  21 f7 ce 48 1b 97 81 33  |X"|...{Q!..H...3|
0d434930  00 f2 4d 3b 59 d5 e4 b5  ac ef 11 1d ba 47 ee ba  |..M;Y........G..|
0d434940  4e ff 95 4e d2 b9 60 0c  f3 99 e4 fd c9 04 6c 79  |N..N..`.......ly|
......
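As an added example (not part of the original writeup), the following Python script scans a dump such as 708.dmp for the challenge's byte signature with a regular expression over raw bytes, which is far more selective than the strings/grep and "5a 0c 00" searches above. It assumes the character name follows the signature as a NUL-terminated printable string; the sample buffer is constructed, not real OtterCTF data.

```python
import re
import sys

# Signature from the challenge: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2},
# followed (assumption) by the character name as a NUL-terminated printable string.
SIGNATURE = re.compile(
    rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00"  # the documented byte signature
    rb"([\x20-\x7e]{1,32})\x00",                 # the name that follows it (assumed)
    re.DOTALL,  # '.' must also match 0x0a, or wildcard runs containing a newline byte fail
)


def find_character_names(data: bytes) -> list:
    """Return (offset, name) pairs for every signature hit in the buffer."""
    return [(m.start(), m.group(1).decode("ascii")) for m in SIGNATURE.finditer(data)]


def scan_dump(path: str) -> list:
    """Scan a process memory dump on disk (e.g. 708.dmp written by Volatility memdump)."""
    with open(path, "rb") as fh:
        return find_character_names(fh.read())


# Constructed sample buffer: one genuine hit plus a decoy that contains 5a 0c 00 00
# but not the rest of the signature, which is exactly what makes a bare grep noisy.
SAMPLE = (
    b"\x00" * 16
    + b"\x64" + b"\x11" * 7 + b"\x40\x06" + b"\x22" * 18
    + b"\x5a\x0c\x00\x00" + b"M0rtyL0L\x00"
    + b"\x00" * 8
    + b"\x5a\x0c\x00\x00" + b"NotAName\x00"  # decoy: no 0x64 / 0x40 0x06 prefix
)

if __name__ == "__main__":
    # Usage: python find_name.py 708.dmp   (falls back to the constructed sample)
    hits = scan_dump(sys.argv[1]) if len(sys.argv) > 1 else find_character_names(SAMPLE)
    for offset, name in hits:
        print(f"{offset:#010x}  CTF{{{name}}}")
```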

flag

CTF{M0rtyL0L}

6 - Silly Rick 100

question

Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copies and pastes the password so he will not get it wrong. What's rick's email password?

format: CTF{flag}

solve

The question says he copies and pastes it, so go straight to the clipboard:

➜  Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                         Handle Object             Data                                              
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT                0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs                                    
         1 WinSta0       CF_TEXT                          0x10 ------------------                                                   
         1 WinSta0       0x150133L              0x200000000000 ------------------                                                   
         1 WinSta0       CF_TEXT                           0x1 ------------------                                                   
         1 ------------- ------------------           0x150133 0xfffff900c1c1adc0                                                   

flag

CTF{M@il_Pr0vid0rs}
Originally published 2018-12-16 on the ChaMd5 Security Team WeChat public account.
