03_Memory Analysis
- Title
Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!! The challenge files are huge, please download them first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file
password: fjliejflsjiejlsiejee33cnc
- Write-up
Reference:
http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf
1. OS identification
$ vol.py -f forensic_100.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/Tk/Hack/SECCON2016/03_Memory Analysis/forensic_100.raw)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900
2. Checking network connections
$ vol.py -f forensic_100.raw --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.5
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8213bbe8 192.168.88.131:1034       153.127.200.178:80        1080
3. Extracting the hosts file
$ vol.py -f forensic_100.raw --profile=WinXPSP2x86 filescan | grep hosts
Volatility Foundation Volatility Framework 2.5
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
$ vol.py -f forensic_100.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000217b748 --name -D ./
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x0217b748   None   \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
4. Inspecting the hosts file
$ cat file.None.0x819a3008.hosts.dat
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
5. Investigating the visited site
$ vol.py -f forensic_100.raw --profile=WinXPSP2x86 iehistory -p 1080 --output=csv
Volatility Foundation Volatility Framework 2.5
URL ,2016-12-06 05:22:04 UTC+0000,2016-12-06 05:22:38 UTC+0000,Cookie:system@tiara.daum.net/
URL ,2016-12-06 05:21:55 UTC+0000,2016-12-06 05:22:04 UTC+0000,Cookie:system@daum.net/
URL ,2016-12-06 05:22:04 UTC+0000,2016-12-06 05:22:04 UTC+0000,Cookie:system@daum.net/
URL ,2016-12-01 05:53:52 UTC+0000,2016-12-06 05:22:04 UTC+0000,http://s1.daumcdn.net/cfs.tistory/blog/skin/tis_tickTalk/images/bg_counter.gif
URL ,2016-12-01 05:53:52 UTC+0000,2016-12-06 05:22:04 UTC+0000,http://s1.daumcdn.net/cfs.tistory/blog/skin/tis_tickTalk/images/txt_total.gif
URL ,2016-12-01 05:53:52 UTC+0000,2016-12-06 05:22:04 UTC+0000,http://s1.daumcdn.net/cfs.tistory/blog/skin/tis_tickTalk/images/txt_today.gif
URL ,2016-12-01 05:53:52 UTC+0000,2016-12-06 05:22:04 UTC+0000,http://s1.daumcdn.net/cfs.tistory/blog/skin/tis_tickTalk/images/txt_yesterday.gif
URL ,2016-12-01 05:53:52 UTC+0000,2016-12-06 05:22:04 UTC+0000,http://s1.daumcdn.net/cfs.tistory/blog/skin/tis_tickTalk/images/tistory.gif
URL ,2016-12-01 05:53:52 UTC+0000,2016-12-06 05:22:04 UTC+0000,http://s1.daumcdn.net/cfs.tistory/resource/d7d52300d7e0e43711a4493fa749b587f1ee6971/blog/script/copyTrackback.swf
URL ,2014-06-30 07:24:47 UTC+0000,2016-12-06 05:15:02 UTC+0000,http://i1.daumcdn.net/cfs.tistory/static/top/favicon_0630.ico
URL ,2016-12-06 03:39:11 UTC+0000,2016-12-06 05:28:40 UTC+0000,http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
URL ,2016-12-06 05:22:04 UTC+0000,2016-12-06 05:22:04 UTC+0000,Visited: SYSTEM@http://crattack.tistory.com/rss
URL ,2016-12-06 05:28:40 UTC+0000,2016-12-06 05:28:40 UTC+0000,Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
URL ,2016-12-06 05:28:40 UTC+0000,2016-12-06 05:28:40 UTC+0000,Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
URL ,2016-12-06 14:28:40 UTC+0000,2016-12-06 05:28:40 UTC+0000,:2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
URL ,2016-12-06 14:15:02 UTC+0000,2016-12-06 05:15:02 UTC+0000,:2016120620161207: SYSTEM@:Host: crattack.tistory.com
URL ,2016-12-06 14:28:05 UTC+0000,2016-12-06 05:28:05 UTC+0000,:2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
6. Connecting to the site
$ curl http://153.127.200.178/entry/Data-Science-import-pandas-as-pd
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
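The pivot in this write-up is the non-default hosts entry that maps crattack.tistory.com to 153.127.200.178, the same remote address the fake svchost (pid 1080) is connected to. The following added example (not part of the original write-up) automates that cross-check: it parses a dumped hosts file and a Volatility 2 `connections` listing and reports hosts overrides whose IP is also a live remote endpoint. The sample hosts lines and connection row are constructed from the values recovered above; `DEFAULT_HOSTS` is an assumed allowlist of stock Windows entries.

```python
"""Cross-check a dumped Windows hosts file against Volatility 'connections'
output to find hosts-file redirections that some process is actively using."""
import re

# Assumed allowlist: entries present in a stock Windows hosts file.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# One row of Volatility 2 'connections': offset, local addr:port, remote addr:port, pid.
CONN_RE = re.compile(
    r"^0x[0-9a-f]+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<pid>\d+)$"
)

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one IP may map several names
        entries.extend((ip, name.lower()) for name in names)
    return entries

def parse_connections(text):
    """Return {remote_ip: [pid, ...]} from Volatility 'connections' output."""
    remote = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            remote.setdefault(m["raddr"], []).append(int(m["pid"]))
    return remote

def suspicious_overrides(hosts_text, conn_text):
    """Non-default hosts entries whose IP also appears as a live remote endpoint."""
    remote = parse_connections(conn_text)
    return [(ip, name, remote[ip]) for ip, name in parse_hosts(hosts_text)
            if (ip, name) not in DEFAULT_HOSTS and ip in remote]

# Constructed sample input, reproducing the values recovered in the write-up.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
"""
SAMPLE_CONNS = """Offset(V)  Local Address       Remote Address     Pid
---------- ------------------- ------------------ ---
0x8213bbe8 192.168.88.131:1034 153.127.200.178:80 1080
"""

if __name__ == "__main__":
    for ip, name, pids in suspicious_overrides(SAMPLE_HOSTS, SAMPLE_CONNS):
        print(f"{name} -> {ip} (in use by pid(s) {pids})")
```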