```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/c/Users/HT/Desktop/OtterCTF/OtterCTF.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-04 19:34:22 UTC+0000
     Image local date and time : 2018-08-04 22:34:22 +0300
```

imageinfo suggests four profiles; "Image Type (Service Pack) : 1" narrows it to Win7SP1x64, which is the profile used for every command below.
The mimikatz plugin is a community plugin that depends on the `construct` module; the first run fails on the import, and the page installs the 2.5.x release the plugin expects:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.5
*** Failed to import volatility.plugins.registry.mimikatz (ImportError: No module named construct)
ERROR   : volatility.debug    : You must specify something to do (try -h)
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ sudo pip install construct==2.5.5-reupload
```
What's the password

question:
you got a sample of rick's PC's memory. can you get his user password?
```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.5
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP
```

The plugin reads the WDigest credential cache out of LSASS. On a Windows 7 host without the later WDigest hardening (UseLogonCredential = 0), LSASS keeps the plaintext logon password in memory, which is why the password appears in clear: MortyIsReallyAnOtter.
General Info

question:
Let's start easy - whats the PC's name and IP address?
The computer name lives in the SYSTEM hive. The `-o` argument to printkey is the hive's virtual offset (here 0xfffff8a000024010, as reported by the hivelist plugin); printkey is then walked down one key at a time with `-K`:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} (S)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:
  (S) ControlSet001
  (S) ControlSet002
  (S) MountedDevices
  (S) RNG
  (S) Select
  (S) Setup
  (S) Software
  (S) WPA
  (V) CurrentControlSet

Values:
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services

Values:
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control"
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: Control (S)
Last updated: 2018-08-04 19:26:03 UTC+0000

Subkeys:
  (S) ACPI
  (S) AGP
  (S) AppID
  (S) Arbiters
  (S) BackupRestore
  (S) Class
  (S) CMF
  (S) CoDeviceInstallers
  (S) COM Name Arbiter
  (S) ComputerName
  .........................................
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName"
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-08-04 19:26:11 UTC+0000
```

Two checks worth knowing here. The ComputerName value itself sits one level deeper, in ControlSet001\Control\ComputerName\ComputerName; and because CurrentControlSet is only a volatile link, the Select key's Current value says which ControlSetNNN was live when the image was taken. The name is in fact already visible in the mimikatz output above: WIN-LO6FAF3DTFE is Rick's logon "domain" on this workgroup machine. The IP address is kept under ControlSet001\Services\Tcpip\Parameters\Interfaces\<adapter GUID> (DhcpIPAddress or IPAddress), and can be cross-checked against the local addresses the netscan plugin lists.
From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
What's rick's character's name? format: CTF{...}

The signature translates directly into a yarascan regex; `-p 708` restricts the scan to the game process, LunarMS.exe:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 yarascan -Y "/\x64(.{6,8})\x40\x06(.{18})\x5a\x0c\x00\x00/i" -p 708
Volatility Foundation Volatility Framework 2.5
Rule: r1
Owner: Process LunarMS.exe Pid 708
0x5ab4dfa8  44 64 00 00 00 00 00 00 40 06 00 00 b4 e5 af 00   Dd......@.......
0x5ab4dfb8  01 00 00 00 00 00 00 00 b0 e5 af 00 5a 0c 00 00   ............Z...
0x5ab4dfc8  4d 30 72 74 79 4c 30 4c 00 00 00 00 00 00 00 21   M0rtyL0L.......!
0x5ab4dfd8  4e 00 00 55 75 00 00 00 00 00 00 00 00 00 00 00   N..Uu...........
0x5ab4dfe8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4   ................
0x5ab4dff8  10 95 6f d5 cd 66 36 66 36 b4 ab ee fa a4 73 9f   ..o..f6f6.....s.
0x5ab4e008  70 f2 ab 6e ba 3a c4 3f c4 3c ac ee 25 ac d9 a8   p..n.:.?.<..%...
0x5ab4e018  d9 60 ac 6e a0 d6 25 d2 25 a8 ab ee ee e1 aa d2   .`.n..%.%.......
0x5ab4e028  a2 29 ac 2e 9b d1 5e f4 57 d8 ab 2e 27 86 01 7c   .)....^.W...'..|
0x5ab4e038  07 87 ab ee 0a e8 5f 12 59 d7 ab 6e 31 96 49 96   ......_.Y..n1.I.
0x5ab4e048  49 cb ab ee 9e dd e6 dd e6 6a ac 2e 2c 12 bd 3e   I........j..,..>
0x5ab4e058  25 1f 03 6d 29 87 9d 69 26 f8 4a f8 4a cb ab 6e   %..m)..i&.J.J..n
0x5ab4e068  ad 60 35 ef a2 01 c2 38 65 2c d8 fa cd e4 f8 90   .`5....8e,......
0x5ab4e078  31 c7 87 8c 21 0e 70 e6 6d 78 20 af 00 00 00 00   1...!.p.mx......
0x5ab4e088  00 00 00 00 00 00 00 00 00 00 00 00 00 5e 81 ee   .............^..
0x5ab4e098  8f 7c 6a 4e 74 06 86 f8 0d 06 00 00 00 00 00 00   .|jNt...........
Rule: r1
```

Result: M0rtyL0L, the NUL-terminated ASCII string that begins immediately after the `5a 0c 00 00` tail of the signature (at 0x5ab4dfc8).
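The same signature search in Python, as an added example that is not part of the original writeup. The buffer is the first 64 bytes of the hexdump above, transcribed by hand, and BASE, SAMPLE and find_character_names are this example's own names. It shows one thing the yarascan output hides: the page's regex carries the `/i` flag, so `\x64` ('d') also matches `\x44` ('D') and the hit is reported at 0x5ab4dfa8, one byte before the actual 0x64. Case-insensitivity has no place in a binary signature; the case-sensitive call below lands on 0x5ab4dfa9.

```python
import re

# Constructed test buffer: the 64 bytes yarascan printed for PID 708
# (LunarMS.exe) starting at 0x5ab4dfa8, transcribed from the hexdump above.
BASE = 0x5AB4DFA8
SAMPLE = bytes.fromhex(
    "44 64 00 00 00 00 00 00 40 06 00 00 b4 e5 af 00 "
    "01 00 00 00 00 00 00 00 b0 e5 af 00 5a 0c 00 00 "
    "4d 30 72 74 79 4c 30 4c 00 00 00 00 00 00 00 21 "
    "4e 00 00 55 75 00 00 00 00 00 00 00 00 00 00 00 "
)

# Challenge signature: 0x64, 6-8 wildcard bytes, 0x40 0x06, 18 wildcard
# bytes, 0x5a 0x0c 0x00 0x00.  Written as a bytes regex so the wildcards
# are raw bytes, not characters.
SIGNATURE = rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00"


def find_character_names(buf, base=0, ignore_case=False):
    """Return [(address, name)] for every signature hit in buf.

    The name is the NUL-terminated string that immediately follows the
    signature.  re.DOTALL is required: without it '.' refuses to match
    0x0a, so a wildcard byte of 0x0a would silently break the signature
    (YARA behaves the same unless the regex carries the 's' modifier).
    ignore_case reproduces the page's '/i' flag for comparison only.
    """
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    hits = []
    for m in re.finditer(SIGNATURE, buf, flags):
        end = buf.find(b"\x00", m.end())
        raw = buf[m.end():end if end != -1 else None]
        hits.append((base + m.start(), raw.decode("ascii", "replace")))
    return hits


if __name__ == "__main__":
    for label, ci in (("case-sensitive", False), ("with /i", True)):
        for addr, name in find_character_names(SAMPLE, BASE, ignore_case=ci):
            print("%-14s match at 0x%x -> %s" % (label, addr, name))
```

Both calls recover M0rtyL0L because the extra leading byte only shifts the start of the match, not its end; on a larger buffer the case-insensitive form would also accept `0x7a` ('z') in place of `0x5a`, and that is where false positives creep in.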
Silly Rick

question:
Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick's email password?

Since the password is pasted, the clipboard plugin, which lists the clipboard contents of each session, is enough:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.5
Session  WindowStation Format                         Handle Object             Data
```
In the process listing there is a suspicious process, vmware-tray.exe (PID 3720), whose parent PID 3820 belongs to a process called "Rick And Morty", which is odd.

Check that parent's command line:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 cmdline -p 3820
Volatility Foundation Volatility Framework 2.5
************************************************************************
Rick And Morty pid:   3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe"
```

Dump the program. Two plugins apply:

memdump: writes the process's addressable memory to a file; -D sets the output directory.
procdump: reconstructs the process's executable image (the PE) from memory.

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./
Volatility Foundation Volatility Framework 2.5
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex       OK: executable.3720.exe
```

The Name column reads vmware-tray.ex because the EPROCESS ImageFileName field is only 15 bytes, so long image names are truncated there. The dumped executable is flagged by antivirus immediately.
Path To Glory

question:
How did the malware got to rick's PC? It must be one of rick old illigal habits...

The guess is that the malware arrived through a torrent download, so search for torrent files. filescan walks the pool for FILE_OBJECTs; the columns are physical offset, pointer count, handle count, access and path:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep "Rick And Morty"
Volatility Foundation Volatility Framework 2.5
0x000000007d63dbc0     10      0 R--r-d \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007d8813c0      2      0 RW-rwd \Device\HarddiskVolume1\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
0x000000007da56240      2      0 RW-rwd \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007dae9350      2      0 RWD--- \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
0x000000007dcbf6f0      2      0 RW-rwd \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
0x000000007e710070      8      0 R--rwd \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
```

Extract the file object at 0x000000007dae9350 with dumpfiles (-Q takes the physical offset from filescan) and run strings over it:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D .
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x7dae9350   None   \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ strings file.None.0xfffffa801b42c9e0.dat
d8:announce44:udp://tracker.openbittorrent.com:80/announce13:announce-listll44:udp://tracker.openbittorrent.com:80/announceel42:udp://tracker.opentrackr.org:1337/announceee10:created by17:BitTorrent/7.10.313:creation datei1533150595e8:encoding5:UTF-84:infod6:lengthi456670e4:name36:Rick And Morty season 1 download.exe12:piece lengthi16384e6:pieces560:\I !PC<^X B.k_Rk 0<;O87o !4^" 3hq, &iW1| K68:o w~Q~YT $$o9p bwF:u e7:website19:M3an_T0rren7_4_R!cke
```

The torrent is bencoded, and its non-standard `website` key carries the suspicious string. Read it by its length prefix: `19:` announces a 19-byte string, which is exactly M3an_T0rren7_4_R!ck; the trailing `e` is the bencode terminator of the enclosing dictionary, not part of the value. The garbage between `pieces560:` and `7:website` is strings' view of the 560 bytes of SHA-1 piece hashes (28 pieces of 20 bytes, matching a 456670-byte file split into 16384-byte pieces).
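Decoding the torrent instead of eyeballing strings output, as an added example that is not the writeup's own code. bencode, bdecode, info_hash and summarize are this example's names. The sample torrent is constructed here to mirror the fields recovered above; its `pieces` blob is 28 zeroed SHA-1 slots rather than the real hashes, so the info hash it yields is not that of the real torrent. Parsing by length prefix is what settles the `R!ck` versus `R!cke` question, and the info hash and piece-count check are what a practitioner would pivot on next (tracker or DHT lookups, and whether the metadata is internally consistent).

```python
import datetime
import hashlib


def bencode(obj):
    """Encode int / bytes / list / dict per BEP 3 (dictionary keys sorted)."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(obj[k]) for k in sorted(obj)) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(buf, i=0):
    """Decode one value starting at buf[i]; return (value, offset just past it)."""
    c = buf[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<values>e
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":
            item, i = bdecode(buf, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        items, i = {}, i + 1
        while buf[i:i + 1] != b"e":
            key, i = bdecode(buf, i)
            val, i = bdecode(buf, i)
            items[key] = val
        return items, i + 1
    if c.isdigit():                                 # string: <length>:<bytes>
        colon = buf.index(b":", i)
        length, start = int(buf[i:colon]), colon + 1
        if start + length > len(buf):
            raise ValueError("string at offset %d runs past end of buffer" % i)
        return buf[start:start + length], start + length
    raise ValueError("unexpected byte %r at offset %d" % (c, i))


def sha1_hex(raw):
    return hashlib.sha1(raw).hexdigest()


def info_hash(torrent):
    """SHA-1 of the raw bencoded 'info' dict, the torrent's identity on trackers/DHT."""
    if torrent[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = bdecode(torrent, i)
        start = i
        _, i = bdecode(torrent, i)                  # walk the value to find its raw span
        if key == b"info":
            return sha1_hex(torrent[start:i])
    raise ValueError("no info dictionary")


def summarize(torrent):
    meta, end = bdecode(torrent)
    if end != len(torrent):
        raise ValueError("%d trailing bytes after top-level dict" % (len(torrent) - end))
    info = meta[b"info"]
    expected_pieces = -(-info[b"length"] // info[b"piece length"])   # ceil division
    created = datetime.datetime.fromtimestamp(meta[b"creation date"], datetime.timezone.utc)
    return {
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "pieces": len(info[b"pieces"]) // 20,
        "pieces_consistent": len(info[b"pieces"]) == 20 * expected_pieces,
        "created_by": meta.get(b"created by", b"").decode(),
        "creation_utc": created.strftime("%Y-%m-%d %H:%M:%S"),
        "trackers": [t.decode() for tier in meta.get(b"announce-list", []) for t in tier],
        "website": meta.get(b"website", b"").decode(),
        "info_hash": info_hash(torrent),
    }


# Constructed sample mirroring the recovered torrent's fields (pieces zeroed).
SAMPLE_TORRENT = bencode({
    b"announce": b"udp://tracker.openbittorrent.com:80/announce",
    b"announce-list": [[b"udp://tracker.openbittorrent.com:80/announce"],
                       [b"udp://tracker.opentrackr.org:1337/announce"]],
    b"created by": b"BitTorrent/7.10.3",
    b"creation date": 1533150595,
    b"encoding": b"UTF-8",
    b"info": {b"length": 456670, b"name": b"Rick And Morty season 1 download.exe",
              b"piece length": 16384, b"pieces": b"\x00" * (20 * 28)},
    b"website": b"M3an_T0rren7_4_R!ck",
})

if __name__ == "__main__":
    print(SAMPLE_TORRENT[-40:])
    for k, v in summarize(SAMPLE_TORRENT).items():
        print("%-18s %s" % (k, v))
```

The encoder is there only to build the sample without hand-counting length prefixes; on the real artefact you would read file.None.0xfffffa801b42c9e0.dat and pass the bytes to summarize. The creation date decodes to 2018-08-01 19:09:55 UTC, three days before the image was taken, which is the kind of timestamp to line up against the browser history in the next step.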
Path To Glory 2

question:
Continue the search after the the way that malware got in.

The .torrent was saved under Rick's Downloads folder, so the browser is the next link in the chain. Dump the memory of the two chrome.exe processes (PIDs 576 and 3648 in the process listing):

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 3648,576 -D ./dumps/
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing chrome.exe [   576] to 576.dmp
************************************************************************
Writing chrome.exe [  3648] to 3648.dmp
...
```

Search the strings:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ strings ./dumps/* | grep "download\.exe\.torrent"
Rick And Morty season 1 download.exe.torrent
==e1f778b7-adf6-48f2-816d-740c99c5f9a4C:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrentC:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
==de371043-340d-42e5-8e16-90e6fbfbc509C:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrentC:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
Visited: Rick@file:///C:/Users/Rick/Downloads/Rick%20And%20Morty%20season%201%20download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Content-Disposition: attachment; filename="Rick And Morty season 1 download.exe.torrent"
attachment; filename="Rick And Morty season 1 download.exe.torrent"
Download complete: Rick And Morty season 1 download.exe.torrent. Press Shift+F6 to cycle to the downloads bar area.
```

The Content-Disposition header and Chrome's "Download complete" notification confirm the .torrent was served as an HTTP attachment and downloaded in the browser, then opened from disk (the file:/// Visited entry).

Rick's desktop also holds a ransom note, READ_IT.txt, recoverable with dumpfiles by the physical offset of its file object:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d660500 -D .
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x7d660500   None   \Device\HarddiskVolume1\Users\Rick\Desktop\READ_IT.txt
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ ls
file.None.0xfffffa801b2def10.dat  OtterCTF.vmem  sift-files
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ cat file.None.0xfffffa801b2def10.dat
Your files have been encrypted.
Read the Program for more information
read program for more information.
```
question:
There's something fishy in the malware's graphics.

foremost carves embedded files (images included) out of the executable dumped earlier with procdump:

```
ht@TIANJI:/mnt/c/Users/HT/Desktop/OtterCTF$ foremost executable.3720.exe -v
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun Dec 16 15:27:39 2018
Invocation: foremost executable.3720.exe -v
Output directory: /mnt/c/Users/HT/Desktop/OtterCTF/output
Configuration file: /etc/foremost.conf
Processing: executable.3720.exe
|------------------------------------------------------------------
File: executable.3720.exe
Start: Sun Dec 16 15:27:39 2018
Length: 414 KB (424448 bytes)
```