1. What the password? 100
question
You got a sample of Rick's PC's memory. Can you get his user password? Format: CTF{…}
Alternative download link:
https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
solve
Seeing Memory_Forensics, reach for Volatility without a second thought.
First spun up a docker-kali on an overseas server and found it didn't have volatility:
apt-get update&& apt-get install volatility -y
Start with imageinfo:
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/OtterCTF.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-04 19:34:22 UTC+0000
     Image local date and time : 2018-08-04 22:34:22 +0300
Since what we need is a password, this is easy: just hashdump.
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
Take 518172d012f97d3a8fcc089615283940 and try cracking it; the result was wrong: the hash "cracked" to an empty password and the flag was rejected. A senior said it is two hashes and the second part didn't come out, so let's use the Python-source Volatility plus mimikatz instead.
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
unzip volatility-2.6.zip
wget https://github.com/volatilityfoundation/community/raw/master/FrancescoPicasso/mimikatz.py
cp mimikatz.py ./volatility-master/volatility/plugins/
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.mimikatz (AttributeError: 'module' object has no attribute 'ULInt32')
ERROR   : volatility.debug    : You must specify something to do (try -h)
There's an error, so run mimikatz on its own:
➜ volatility-master python ./plugin/mimikatz.pyc
Traceback (most recent call last):
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 171, in <module>
  File "/root/Desktop/volatility-master/plugin/mimikatz.py", line 182, in LsaDecryptor
AttributeError: 'module' object has no attribute 'ULInt32'
It's the mimikatz plugin's fault (it expects an older construct API); the fix is to pin that version:
sudo pip uninstall construct
sudo pip install construct==2.5.5-reupload
Off we go:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP
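The hashdump and mimikatz steps above fit together: hashdump gives the unsalted NT hash (MD4 over the UTF-16LE password), while the wdigest provider in LSASS kept the cleartext. The added example below (my code, not from the writeup) parses the pwdump-style hashdump lines, flags the accounts whose NT hash is the well-known empty-password value, and checks a cleartext candidate against a stored NT hash with a hand-rolled MD4, since hashlib's md4 is often unavailable. The HASHDUMP text is copied from the page's output.

```python
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is disabled or empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4("") == NT hash of a blank password
MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, hand-rolled because hashlib's md4 is often disabled under OpenSSL 3."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = (lambda x, y, z: (x & y) | (~x & z),          # round 1: select
         lambda x, y, z: (x & y) | (x & z) | (y & z),  # round 2: majority
         lambda x, y, z: x ^ y ^ z)                    # round 3: parity
    order = (list(range(16)), [4 * (i % 4) + i // 4 for i in range(16)],
             [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    shifts, consts = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)), (0, 0x5A827999, 0x6ED9EBA1)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for r in range(3):
            for i, k in enumerate(order[r]):
                a = _rol((a + f[r](b, c, d) + x[k] + consts[r]) & MASK, shifts[r][i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so each step updates the next register
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:  # NT hash = MD4(UTF-16LE(password)), no salt
    return md4(password.encode("utf-16-le")).hex()

def parse_hashdump(text: str) -> list:  # pwdump format: user:rid:LM:NT:::
    accounts = []
    for line in text.splitlines():
        if line.strip():
            user, rid, lm, nt = line.split(":")[:4]
            accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                             "lm_disabled": lm.lower() == EMPTY_LM, "blank_password": nt.lower() == EMPTY_NT})
    return accounts

def verify_candidate(password: str, nt_hex: str) -> bool:  # does a cleartext match the stored NT hash?
    return nt_hash(password) == nt_hex.lower()

# hashdump lines copied from the page's output
HASHDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::"""

if __name__ == "__main__":
    for acct in parse_hashdump(HASHDUMP):
        print(acct["user"], "blank password" if acct["blank_password"] else "NT hash set")
    rick = next(a for a in parse_hashdump(HASHDUMP) if a["user"] == "Rick")
    print("wdigest cleartext matches Rick's NT hash:", verify_candidate("MortyIsReallyAnOtter", rick["nt"]))
```

Administrator and Guest carry the empty-password NT hash, which is why an online cracker returns "empty" for them; Rick's hash is a real one, and the wdigest cleartext is the value to check against it.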
flag
Flag for the first challenge: CTF{MortyIsReallyAnOtter}
2 - General Info 75
question
Let's start easy - what's the PC's name and IP address?
format: CTF{flag}
solve
We need an IP address, so let's run netscan:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
For the hostname, look at the registry first:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat
Saw SYSTEM... no need to think further, keep going:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} (S)
Last updated: 2018-08-04 19:25:54 UTC+0000
Subkeys:
(S) ControlSet001
(S) ControlSet002
(S) MountedDevices
(S) RNG
(S) Select
(S) Setup
(S) Software
(S) WPA
(V) CurrentControlSet
Values:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2018-06-02 19:23:00 UTC+0000
Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services
Values:
Walk the registry like this one key at a time, and at the end:
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000
Subkeys:
Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-LO6FAF3DTFE
flag
CTF{WIN-LO6FAF3DTFE}
CTF{192.168.202.131}
3 - Play Time 50
question
Rick just loves to play some good old videogames. Can you tell which game he is playing? What's the IP address of the server?
format: CTF{flag}
solve
In the netscan output there's a process I don't recognize; googling LunarMS shows it's a game, done.
➜ volatility-master python vol.py -f ../OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0         UDPv4    0.0.0.0:50762                  *:*                                   4076     chrome.exe     2018-08-04 19:33:37 UTC+0000
0x7d6b4250         UDPv6    ::1:1900                       *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7d6e3230         UDPv4    127.0.0.1:6771                 *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d74a390         UDPv4    127.0.0.1:52847                *:*                                   2624     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d7602c0         UDPv4    127.0.0.1:52846                *:*                                   2308     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d787010         UDPv4    0.0.0.0:65452                  *:*                                   4076     chrome.exe     2018-08-04 19:33:42 UTC+0000
0x7d789b50         UDPv4    0.0.0.0:50523                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d789b50         UDPv6    :::50523                       *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d9e8b50         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f4560         UDPv4    0.0.0.0:0                      *:*                                   3856     WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7d9f8cb0         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f8cb0         UDPv6    :::20830                       *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d8bb390         TCPv4    0.0.0.0:9008                   0.0.0.0:0            LISTENING        4        System
0x7d8bb390         TCPv6    :::9008                        :::0                 LISTENING        4        System
0x7d9a9240         TCPv4    0.0.0.0:8733                   0.0.0.0:0            LISTENING        4        System
0x7d9a9240         TCPv6    :::8733                        :::0                 LISTENING        4        System
0x7d9e19e0         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe
0x7d9e19e0         TCPv6    :::20830                       :::0                 LISTENING        2836     BitTorrent.exe
0x7d9e1c90         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe
0x7d42ba90         TCPv4    -:0                            56.219.196.26:0      CLOSED           2836     BitTorrent.exe
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
0x7d62d690         TCPv4    192.168.202.131:49229          169.1.143.215:8999   CLOSED           2836     BitTorrent.exe
0x7d634350         TCPv6    -:0                            38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED 2836 BitTorrent.exe
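Eyeballing a netscan listing for "the process I don't recognize" is exactly what an analyst automates on larger images. The added example below (my code, not part of the writeup) parses Volatility 2 netscan rows, including the UDP rows that have no State column and the TCP rows that have no Created column, collects the real remote peers per owning process, and diffs the owner list against a known-good baseline. The SAMPLE rows are a subset of the page's output; the KNOWN baseline is an assumption for this image.

```python
import re
from collections import defaultdict

# One netscan row: offset, proto, local, foreign, optional TCP state, pid, owner, optional timestamp.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<proto>[TU][CD]Pv[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+\d?)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)"
    r"(?:\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?\s*$")

UNSPECIFIED = {"*", "0.0.0.0", "::", "-", ""}  # wildcard / unbound foreign hosts, not real peers

def parse_netscan(text: str) -> list:
    """Turn Volatility netscan output into dicts, skipping the banner and header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows

def remote_endpoints(rows: list) -> dict:
    """Map owner process -> set of real remote 'host:port' peers."""
    peers = defaultdict(set)
    for row in rows:
        host = row["foreign"].rpartition(":")[0]  # works for IPv6 too: split at the last colon
        if host not in UNSPECIFIED:
            peers[row["owner"]].add(row["foreign"])
    return dict(peers)

def unexpected_owners(rows: list, baseline: set) -> set:
    """Owners absent from a known-good process baseline: the analyst's 'what is that?' step."""
    return {row["owner"] for row in rows} - baseline

# Constructed subset of the page's netscan output (banner and header included on purpose)
SAMPLE = """Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d8bb390         TCPv4    0.0.0.0:9008                   0.0.0.0:0            LISTENING        4        System
0x7d42ba90         TCPv4    -:0                            56.219.196.26:0      CLOSED           2836     BitTorrent.exe
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
0x7d62d690         TCPv4    192.168.202.131:49229          169.1.143.215:8999   CLOSED           2836     BitTorrent.exe
0x7d634350         TCPv6    -:0                            38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED 2836 BitTorrent.exe"""

KNOWN = {"System", "svchost.exe", "chrome.exe", "BitTorrent.exe", "bittorrentie.e", "WebCompanion.e"}  # assumed baseline

if __name__ == "__main__":
    rows = parse_netscan(SAMPLE)
    for owner in sorted(unexpected_owners(rows, KNOWN)):
        print(owner, "->", sorted(remote_endpoints(rows).get(owner, [])))
```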
flag
CTF{LunarMS}
CTF{77.102.199.102}
4 - Name Game 100
question
We know that the account was logged in to a channel called Lunar-3. what is the account name?
format: CTF{flag}
solve
If he logged in, "Lunar" must have been written into the vmem at some point; try searching for Lunar-3:
➜ Desktop strings OtterCTF.vmem|grep Lunar-3
Lunar-3
Lunar-3
Show three lines before and after each match:
➜ Desktop strings OtterCTF.vmem|grep Lunar-3 -A 3 -B 3
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
BtMouseClick
--
c+Yt
tb+Y4c+Y
b+YLc+Y
Lunar-3
Lunar-4
L(dNVxdNV
L|eNV
flag
CTF{0tt3r8r33z3}