tiwanari / seccon16

http://2016.seccon.jp/news/#124

Memory Analysis #7

Open tiwanari opened 7 years ago

tiwanari commented 7 years ago

Find the website that the fake svchost is accessing. You can get the flag if you access the website!!

memoryanalysis.zip
The challenge files are huge, please download it first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

password: fjliejflsjiejlsiejee33cnc

grapswiz commented 7 years ago
[volatility_2.5.mac.standalone] ./volatility_2.5_mac raw2dmp -f ../forensic_100.raw --output-image=forensic_100                             0:59:22
Volatility Foundation Volatility Framework 2.5
Writing data (5.00 MB chunks): |........................................................................................................|
[volatility_2.5.mac.standalone] file forensic_100                                                                                           0:59:54
forensic_100: MS Windows 32bit crash dump, PAE, full dump, 131072 pages

Reference URL: http://terakonya.sarm.net/wordpress/2016/03/07/secpolo-23/

grapswiz commented 7 years ago
[volatility_2.5.mac.standalone] ./volatility_2.5_mac -ff forensic_100 imageinfo                                                             1:02:22
Volatility Foundation Volatility Framework 2.5
^CInterrupted
[volatility_2.5.mac.standalone] ./volatility_2.5_mac -f forensic_100 imageinfo                                                              1:02:30
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/Users/grapswiz/Downloads/volatility_2.5.mac.standalone/forensic_100)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900
grapswiz commented 7 years ago
[volatility_2.5.mac.standalone] ./volatility_2.5_mac -f forensic_100 --profile=WinXPSP2x86 pstree                                           1:03:00
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x8231f698:explorer.exe                             1556   1520     15    466 2016-12-06 05:27:10 UTC+0000
. 0x821f8438:vmtoolsd.exe                            1856   1556      3    129 2016-12-06 05:27:11 UTC+0000
. 0x819b4380:tcpview.exe                             3308   1556      2     84 2016-12-06 05:28:42 UTC+0000
. 0x82267900:rundll32.exe                            1712   1556      2    144 2016-12-06 05:27:16 UTC+0000
. 0x8216a5e8:DumpIt.exe                              3740   1556      1     25 2016-12-06 05:28:46 UTC+0000
. 0x82170da0:ctfmon.exe                              1872   1556      1     87 2016-12-06 05:27:11 UTC+0000
 0x823c8660:System                                      4      0     58    259 1970-01-01 00:00:00 UTC+0000
. 0x81a18020:smss.exe                                 540      4      3     19 2016-12-06 05:27:04 UTC+0000
.. 0x82173da0:winlogon.exe                            628    540     24    541 2016-12-06 05:27:07 UTC+0000
... 0x8216e670:services.exe                           672    628     15    286 2016-12-06 05:27:07 UTC+0000
.... 0x81f46238:alg.exe                              2028    672      7    104 2016-12-06 05:27:16 UTC+0000
.... 0x82312450:svchost.exe                          1036    672     87   1514 2016-12-06 05:27:08 UTC+0000
..... 0x81f2cb20:wuauclt.exe                         3164   1036      5    107 2016-12-06 05:28:15 UTC+0000
..... 0x82062b20:wuauclt.exe                          488   1036      7    132 2016-12-06 05:27:13 UTC+0000
..... 0x81e56228:wscntfy.exe                          720   1036      1     37 2016-12-06 05:27:18 UTC+0000
.... 0x82154880:vmacthlp.exe                          836    672      1     25 2016-12-06 05:27:08 UTC+0000
.... 0x82151ca8:svchost.exe                           936    672     10    272 2016-12-06 05:27:08 UTC+0000
.... 0x81e4b4b0:vmtoolsd.exe                          312    672      9    265 2016-12-06 05:27:13 UTC+0000
.... 0x81f92778:svchost.exe                          1088    672      7     83 2016-12-06 05:27:08 UTC+0000
.... 0x81f00558:VGAuthService.e                       196    672      2     60 2016-12-06 05:27:13 UTC+0000
.... 0x81e18da0:svchost.exe                           848    672     20    216 2016-12-06 05:27:08 UTC+0000
..... 0x81e89200:wmiprvse.exe                         596    848     12    255 2016-12-06 05:27:13 UTC+0000
.... 0x81e41928:svchost.exe                          1320    672     12    183 2016-12-06 05:27:10 UTC+0000
.... 0x81f0dbe0:spoolsv.exe                          1644    672     15    133 2016-12-06 05:27:10 UTC+0000
.... 0x81f65da0:svchost.exe                          1776    672      2     23 2016-12-06 05:27:10 UTC+0000
..... 0x8225bda0:IEXPLORE.EXE                         380   1776     22    385 2016-12-06 05:27:19 UTC+0000
...... 0x8229f7e8:IEXPLORE.EXE                       1080    380     19    397 2016-12-06 05:27:21 UTC+0000
.... 0x81e4f560:svchost.exe                          1704    672      5    107 2016-12-06 05:27:10 UTC+0000
... 0x81f8c9a0:lsass.exe                              684    628     26    374 2016-12-06 05:27:07 UTC+0000
.. 0x81ef6da0:csrss.exe                               604    540     11    480 2016-12-06 05:27:07 UTC+0000
 0x81e886f0:GoogleUpdate.ex                           372   1984      7    138 2016-12-06 05:27:13 UTC+0000
grapswiz commented 7 years ago
[volatility_2.5.mac.standalone] ./volatility_2.5_mac -f forensic_100 --profile=WinXPSP2x86 connections                                      1:04:33
Volatility Foundation Volatility Framework 2.5
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8213bbe8 192.168.88.131:1034       153.127.200.178:80        1080
grapswiz commented 7 years ago
[volatility_2.5.mac.standalone] ./volatility_2.5_mac -f forensic_100 --profile=WinXPSP2x86 connscan                                         1:05:25
Volatility Foundation Volatility Framework 2.5
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x018c3cc8 192.168.88.131:1077       180.70.134.87:80          3676
0x0196f6a0 192.168.88.131:1122       175.126.170.70:80         3676
0x0233bbe8 192.168.88.131:1034       153.127.200.178:80        1080
0x02470238 192.168.88.131:1036       172.217.27.78:443         2776
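The pstree and connscan listings above are enough to narrow down the "fake svchost" without opening the image again, so here is an added example that correlates them (it is not part of the original issue, the challenge files, or Volatility). The listings embedded in the script are excerpts copied from the output in this thread; the three heuristics it applies (a real XP svchost.exe is started by services.exe, does not spawn a browser, and is not a name lookalike such as scvhost.exe) are the usual analyst rules of thumb, not anything the challenge states, and the Volatility 2.5 pstree/connscan column layout is assumed.

```python
"""Correlate Volatility pstree and connscan output to find a fake svchost.

Added example, not from the issue or the challenge. The embedded listings are
excerpts of the thread's own output; the heuristics are assumptions.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")
Conn = namedtuple("Conn", "local remote pid")

# Excerpt of the pstree listing posted above (Volatility 2.5, WinXPSP2x86).
PSTREE = """\
 0x8231f698:explorer.exe                             1556   1520     15    466 2016-12-06 05:27:10 UTC+0000
 0x823c8660:System                                      4      0     58    259 1970-01-01 00:00:00 UTC+0000
. 0x81a18020:smss.exe                                 540      4      3     19 2016-12-06 05:27:04 UTC+0000
.. 0x82173da0:winlogon.exe                            628    540     24    541 2016-12-06 05:27:07 UTC+0000
... 0x8216e670:services.exe                           672    628     15    286 2016-12-06 05:27:07 UTC+0000
.... 0x82312450:svchost.exe                          1036    672     87   1514 2016-12-06 05:27:08 UTC+0000
..... 0x81f2cb20:wuauclt.exe                         3164   1036      5    107 2016-12-06 05:28:15 UTC+0000
..... 0x81e56228:wscntfy.exe                          720   1036      1     37 2016-12-06 05:27:18 UTC+0000
.... 0x82151ca8:svchost.exe                           936    672     10    272 2016-12-06 05:27:08 UTC+0000
.... 0x81e18da0:svchost.exe                           848    672     20    216 2016-12-06 05:27:08 UTC+0000
..... 0x81e89200:wmiprvse.exe                         596    848     12    255 2016-12-06 05:27:13 UTC+0000
.... 0x81f65da0:svchost.exe                          1776    672      2     23 2016-12-06 05:27:10 UTC+0000
..... 0x8225bda0:IEXPLORE.EXE                         380   1776     22    385 2016-12-06 05:27:19 UTC+0000
...... 0x8229f7e8:IEXPLORE.EXE                       1080    380     19    397 2016-12-06 05:27:21 UTC+0000
.... 0x81e4f560:svchost.exe                          1704    672      5    107 2016-12-06 05:27:10 UTC+0000
"""

# The connscan listing posted above (physical offsets, so closed sockets are included).
CONNSCAN = """\
0x018c3cc8 192.168.88.131:1077       180.70.134.87:80          3676
0x0196f6a0 192.168.88.131:1122       175.126.170.70:80         3676
0x0233bbe8 192.168.88.131:1034       153.127.200.178:80        1080
0x02470238 192.168.88.131:1036       172.217.27.78:443         2776
"""

PSTREE_RE = re.compile(r"^[ .]*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)")
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # assumption: a service host never launches these


def parse_pstree(text):
    """Return {pid: Proc}; columns are whitespace-aligned, so match by regex, not by offset."""
    procs = {}
    for m in filter(None, map(PSTREE_RE.match, text.splitlines())):
        procs[int(m.group(2))] = Proc(m.group(1), int(m.group(2)), int(m.group(3)))
    return procs


def parse_connscan(text):
    return [Conn(m.group(1), m.group(2), int(m.group(3)))
            for m in map(CONN_RE.match, text.splitlines()) if m]


def edit_distance(a, b):
    """Levenshtein distance; catches lookalikes such as scvhost.exe or svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_svchosts(procs):
    """pid -> reasons, for every svchost-like process that breaks the XP rules."""
    children = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p)
    findings = {}
    for p in procs.values():
        name, reasons = p.name.lower(), []
        if name != "svchost.exe" and edit_distance(name, "svchost.exe") <= 2:
            reasons.append("name is a lookalike of svchost.exe")
        if name == "svchost.exe":
            parent = procs.get(p.ppid)
            if parent is None or parent.name.lower() != "services.exe":
                reasons.append("parent is not services.exe")
            kids = [c.name for c in children.get(p.pid, []) if c.name.lower() in BROWSERS]
            if kids:
                reasons.append("spawned browser " + ",".join(kids))
        if reasons:
            findings[p.pid] = reasons
    return findings


def ancestry(procs, pid):
    """Parent chain as 'name(pid)' strings; empty when the pid is not in pstree (process already exited)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append("%s(%d)" % (procs[pid].name, pid))
        pid = procs[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_pstree(PSTREE)
    for pid, reasons in sorted(suspicious_svchosts(procs).items()):
        print("suspicious svchost pid %d: %s" % (pid, "; ".join(reasons)))
    for c in parse_connscan(CONNSCAN):
        chain = ancestry(procs, c.pid)
        print("%s -> %s pid %d: %s" % (c.local, c.remote, c.pid,
              " <- ".join(chain) if chain else "owner not in pstree (exited before the dump)"))
```

Run as-is, the only svchost the heuristics flag is PID 1776, because it spawned IEXPLORE.EXE; the one connection still owned by a live process (1080 to 153.127.200.178:80) walks back up through that svchost, while PIDs 3676 and 2776 only appear in connscan because their processes had exited before DumpIt ran. Hint 2 is the remaining step: in Volatility 2.5 the hosts file can be located with `filescan` and carved with `dumpfiles -Q <physical offset> -D <dir>` to see which hostname was mapped onto that address.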