1 - What the password? 100
question
you got a sample of rick's PC's memory. can you get his user password? format: CTF{…}
Alternative download link:
https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
solve
The category is Memory_Forensics, so this is a Volatility job, no thinking required.
I first spun up docker-kali on an overseas server and found it had no volatility:
apt-get update&& apt-get install volatility -y
First imageinfo, to find a profile (imageinfo does not actually need --profile; the suggested profile is what you feed to every later command):
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/OtterCTF.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-04 19:34:22 UTC+0000
     Image local date and time : 2018-08-04 22:34:22 +0300
Since what we want is a password, the obvious first move is hashdump:
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
Take 518172d012f97d3a8fcc089615283940 and try to crack it: the online lookups did not have it, and the "empty password" result came from the other half of the line. Each hashdump line is user:RID:LM:NT. The value aad3b435b51404eeaad3b435b51404ee is just the LM hash of an empty string (LM hashing is disabled, as on any default Windows 7 build), so it says nothing about Rick's password; 518172d012f97d3a8fcc089615283940 is the NT hash, and that is the only part worth cracking. Rather than brute-force it, read the plaintext straight out of LSASS: on Windows 7 the WDigest provider keeps the logon password in cleartext in lsass memory, and the community mimikatz plugin for Volatility decrypts it. That plugin needs the Python source tree of Volatility 2.6 rather than the Kali package:
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
unzip volatility-2.6.zip
wget https://github.com/volatilityfoundation/community/raw/master/FrancescoPicasso/mimikatz.py
cp mimikatz.py ./volatility-master/volatility/plugins/
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.mimikatz (AttributeError: 'module' object has no attribute 'ULInt32')
ERROR   : volatility.debug    : You must specify something to do (try -h)
The plugin fails to import, so run mimikatz.py on its own to get the full traceback:
➜ volatility-master python ./plugin/mimikatz.pyc
Traceback (most recent call last):
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 171, in <module>
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 182, in LsaDecryptor
AttributeError: 'module' object has no attribute 'ULInt32'
The fault is not Volatility but the construct library the plugin depends on: mimikatz.py is written against the construct 2.5 API (ULInt32 and friends), and construct 2.8 and later renamed those types. Pin the old version:
sudo pip uninstall construct
sudo pip install construct==2.5.5-reupload
Run it again:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP
flag
Flag for challenge 1: CTF{MortyIsReallyAnOtter}
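The reasoning above (the LM half is the empty-string hash, the NT half is the real one, and a plaintext pulled from LSASS can be checked against it without any cracking) is easy to get wrong under time pressure, so here is an added example, not part of the original writeup, that does the bookkeeping. It parses the hashdump lines copied from above, flags the well-known empty LM and NT hashes, and recomputes the NT hash (MD4 over the UTF-16LE password) for any candidate. MD4 is implemented inline because hashlib.new("md4") is unavailable under OpenSSL 3 unless the legacy provider is loaded; the hashdump text is the one from this page, everything else is this example's own code.

```python
"""Parse Volatility hashdump lines and verify a plaintext against the NT hash.

Added example for this writeup, not code from the original post or from
Volatility. HASHDUMP is copied from the hashdump output above; the MD4 below
is pure Python (RFC 1320) so it runs without the OpenSSL legacy provider.
"""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM hashing disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4("") == NT hash of ""

HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
"""

_M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Fine for checking a few hashes, far too slow for cracking."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)           # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & _M32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates the old "d"
        a0, b0, c0, d0 = ((a0 + a) & _M32, (b0 + b) & _M32,
                          (c0 + c) & _M32, (d0 + d) & _M32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the password encoded as UTF-16LE, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """user:RID:LM:NT::: lines -> list of dicts with the two empty-hash checks."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.strip().split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        rows.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt,
                     "lm_disabled": lm == EMPTY_LM,      # nothing to crack in the LM half
                     "blank_password": nt == EMPTY_NT})  # account has no password at all
    return rows


def verify_password(nt_hex: str, candidate: str) -> bool:
    """True if candidate is the plaintext behind this NT hash."""
    return nt_hash(candidate) == nt_hex.lower()


if __name__ == "__main__":
    rows = parse_hashdump(HASHDUMP)
    for row in rows:
        note = "blank password" if row["blank_password"] else "NT hash present, LM disabled"
        print(f"{row['user']:<14} RID {row['rid']:<5} {note}")
    rick = next(r for r in rows if r["user"] == "Rick")
    # Plug in whatever the mimikatz plugin recovered to confirm it against the SAM hash.
    print("WDigest plaintext matches Rick's NT hash:",
          verify_password(rick["nt"], "MortyIsReallyAnOtter"))
```

The same verify_password call is the check to run before submitting a flag recovered from LSASS: a WDigest entry can be stale (an older password still cached from a previous logon), and only the SAM hash says what the account password is now.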
2 - General Info 75
question
Let's start easy - whats the PC's name and IP address?
format: CTF{flag}
solve
We need the IP address, so netscan is the first stop:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
For the hostname (it already showed up in the mimikatz Domain column, but confirm it properly) start with the registry hives:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat
The SYSTEM hive is the one we want; its virtual offset goes to -o and printkey walks it:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} (S)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:
  (S) ControlSet001
  (S) ControlSet002
  (S) MountedDevices
  (S) RNG
  (S) Select
  (S) Setup
  (S) Software
  (S) WPA
  (V) CurrentControlSet

Values:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services

Values:
Keep descending one key at a time like this (or hand the whole path to -K in one go). Strictly, the live control set is the one named in Select\Current; CurrentControlSet, marked (V) for volatile above, is the link to it, so on a box with several ControlSetNNN keys check Select before trusting ControlSet001. At the bottom of the path:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-LO6FAF3DTFE
flag
CTF{WIN-LO6FAF3DTFE}
CTF{192.168.202.131}
3 - Play Time 50
question
Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?
format: CTF{flag}
solve
netscan lists a process I did not recognise, LunarMS.exe; a quick Google says LunarMS is a game, and that settles the first half. The one TCP connection owned by LunarMS.exe gives the server address (the connection is already CLOSED, but netscan carves freed pool objects too, which is exactly why it still shows up):
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0         UDPv4    0.0.0.0:50762                  *:*                                   4076     chrome.exe     2018-08-04 19:33:37 UTC+0000
0x7d6b4250         UDPv6    ::1:1900                       *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7d6e3230         UDPv4    127.0.0.1:6771                 *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d74a390         UDPv4    127.0.0.1:52847                *:*                                   2624     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d7602c0         UDPv4    127.0.0.1:52846                *:*                                   2308     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d787010         UDPv4    0.0.0.0:65452                  *:*                                   4076     chrome.exe     2018-08-04 19:33:42 UTC+0000
0x7d789b50         UDPv4    0.0.0.0:50523                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d789b50         UDPv6    :::50523                       *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d9e8b50         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f4560         UDPv4    0.0.0.0:0                      *:*                                   3856     WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7d9f8cb0         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f8cb0         UDPv6    :::20830                       *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d8bb390         TCPv4    0.0.0.0:9008                   0.0.0.0:0            LISTENING        4        System
0x7d8bb390         TCPv6    :::9008                        :::0                 LISTENING        4        System
0x7d9a9240         TCPv4    0.0.0.0:8733                   0.0.0.0:0            LISTENING        4        System
0x7d9a9240         TCPv6    :::8733                        :::0                 LISTENING        4        System
0x7d9e19e0         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe
0x7d9e19e0         TCPv6    :::20830                       :::0                 LISTENING        2836     BitTorrent.exe
0x7d9e1c90         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe
0x7d42ba90         TCPv4    -:0                            56.219.196.26:0      CLOSED           2836     BitTorrent.exe
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
0x7d62d690         TCPv4    192.168.202.131:49229          169.1.143.215:8999   CLOSED           2836     BitTorrent.exe
0x7d634350         TCPv6    -:0                            38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED 2836     BitTorrent.exe
flag
CTF{LunarMS}
CTF{77.102.199.102}
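Both of the last two challenges are answered by reading the same netscan table by eye: the host's own IP is whichever local address is not a wildcard or loopback, and the game server is the foreign endpoint of the LunarMS.exe connection. On a real image the table runs to thousands of rows, so here is an added example, not from the original writeup, that parses Volatility 2 netscan output and pulls both answers out programmatically. The awkward part it handles is the column layout: UDP rows have no State but do have Created, TCP rows have State but usually no Created, and IPv6 endpoints contain colons, so the port has to be split off from the right. NETSCAN is a subset of the rows shown above; the parsing code is this example's own.

```python
"""Parse Volatility 2 `netscan` output and answer "what is this host's IP"
and "who did process X talk to".

Added example for this writeup (not from the original post or from
Volatility). NETSCAN is a subset of the rows in the netscan output above.
"""

NETSCAN = """\
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000
0x7d789b50 UDPv6 :::50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d8bb390 TCPv4 0.0.0.0:9008 0.0.0.0:0 LISTENING 4 System
0x7d9e19e0 TCPv6 :::20830 :::0 LISTENING 2836 BitTorrent.exe
0x7d42ba90 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe
0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe
0x7d62d690 TCPv4 192.168.202.131:49229 169.1.143.215:8999 CLOSED 2836 BitTorrent.exe
0x7d634350 TCPv6 -:0 38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED 2836 BitTorrent.exe
"""

# Addresses that say nothing about the host's identity or about a peer.
PLACEHOLDERS = {"0.0.0.0", "127.0.0.1", "::", "::1", "-", "*"}


def split_endpoint(ep: str):
    """'host:port' -> (host, port); works for IPv6 by splitting at the last colon."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netscan(text: str):
    """netscan rows -> list of dicts. Skips the banner and header lines."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].startswith("0x"):
            continue
        offset, proto, local, foreign = tok[:4]
        rest = tok[4:]
        state = None
        if proto.startswith("TCP"):          # only TCP rows carry a State column
            state, rest = rest[0], rest[1:]
        pid = int(rest[0])
        owner = rest[1] if len(rest) > 1 else None
        created = " ".join(rest[2:]) or None  # present on UDP rows, absent on most TCP rows
        rows.append({"offset": offset, "proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "owner": owner, "created": created})
    return rows


def host_ips(rows):
    """Every local address that is a real interface address, not a wildcard/loopback."""
    return sorted({split_endpoint(r["local"])[0] for r in rows} - PLACEHOLDERS)


def remote_endpoints(rows, owner: str):
    """(host, port, state) for each foreign endpoint a given process name touched."""
    out = []
    for r in rows:
        if r["owner"] != owner:
            continue
        host, port = split_endpoint(r["foreign"])
        if host in PLACEHOLDERS:
            continue
        out.append((host, port, r["state"]))
    return out


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN)
    print("host IP(s):", host_ips(rows))
    for owner in sorted({r["owner"] for r in rows if r["owner"]}):
        peers = remote_endpoints(rows, owner)
        if peers:
            print(f"{owner}: {peers}")
```

Because the owner column is truncated to 14 characters by Volatility (bittorrentie.e, WebCompanion.e in the full table above), match on it only after checking the PID against pslist when two processes could share a prefix.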
4 - Name Game 100
question
We know that the account was logged in to a channel called Lunar-3. what is the account name?
format: CTF{flag}
solve
If the account was logged in to that channel, the channel name must be sitting somewhere in the image, so search the raw file for Lunar-3:
➜ Desktop strings OtterCTF.vmem | grep Lunar-3
Lunar-3
Lunar-3
Now show three lines of context before and after each hit (if this had come back empty, the next thing to try is strings -el, since plain strings only finds 8-bit runs and Windows keeps much of its UI and user data as UTF-16LE; -t x adds the file offset so a hit can be examined in volshell):
➜ Desktop strings OtterCTF.vmem | grep Lunar-3 -A 3 -B 3
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
BtMouseClick
--
c+Yt
tb+Y4c+Y
b+YLc+Y
Lunar-3
Lunar-4
L(dNVxdNV
L|eNV
flag
CTF{0tt3r8r33z3}
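The strings-plus-grep trick above is the fastest route, but it only carves 8-bit runs and throws away offsets, so the moment the target string is UTF-16LE (common for anything a Windows GUI process holds) it finds nothing. The following added example, not from the original writeup, does the same "show the neighbours of every hit" search over a byte blob for both ASCII and UTF-16LE strings, keeping the file offset of each one. SAMPLE_IMAGE is a constructed stand-in for the .vmem seeded with the strings grep found above plus one UTF-16LE copy; the carving code is this example's own.

```python
"""Carve ASCII and UTF-16LE strings from a memory image and show context
around a needle, the way `strings -t x | grep -B3 -A3` would if strings
also understood UTF-16LE.

Added example for this writeup, not code from the original post.
SAMPLE_IMAGE is constructed test data, not bytes from OtterCTF.vmem.
"""
import re

# Constructed: an ASCII region like the one grep found above, then a UTF-16LE
# region; a real image is gigabytes of this interleaved with binary data.
SAMPLE_IMAGE = (
    b"\x00\x01disabled\x00mouseOver\x00keyFocused\x00Lunar-3\x000tt3r8r33z3\x00"
    b"Sound/UI.img/\x00BtMouseClick\x00\xff\xfe"
    + "Lunar-3".encode("utf-16-le") + b"\x00\x00"
    + "Lunar-4".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(blob: bytes, min_len: int = 4):
    """Return [(offset, encoding, text)] for every printable run, sorted by offset.

    min_len is in characters; 4 matches the default of GNU strings.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # each char followed by NUL
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(blob)]
    return sorted(found)


def grep_context(strings, needle: str, before: int = 3, after: int = 3):
    """grep -B/-A over the carved strings: one list of neighbours per hit."""
    return [strings[max(0, i - before): i + after + 1]
            for i, (_, _, text) in enumerate(strings) if needle in text]


if __name__ == "__main__":
    carved = extract_strings(SAMPLE_IMAGE)
    for hit in grep_context(carved, "Lunar-3"):
        for off, enc, text in hit:
            print(f"{off:08x} {enc:<7} {text}")
        print("--")
```

Running this over a full image means reading it in one go (re works on a memory-mapped file via mmap, which keeps it practical for multi-GB captures); the offsets it prints can be handed straight to volshell or to yarascan to find which process owns the page.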