Laboratory: SECCON Quals 2016, Memory Analysis writeup

Deflate, 17 December 2016

Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!
http://files.quals.seccon.jp/memoryanalysis.zip
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file
password: fjliejflsjiejlsiejee33cnc

The hints tell us that the file should be run through volatility.

Let's look at the process list:

deflate@deflate-desktop:~$ volatility -f /tmp/forensic_100.raw pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8231f698:explorer.exe                             1556   1520     15    466 2016-12-06 05:27:10 UTC+0000
. 0x821f8438:vmtoolsd.exe                            1856   1556      3    129 2016-12-06 05:27:11 UTC+0000
. 0x819b4380:tcpview.exe                             3308   1556      2     84 2016-12-06 05:28:42 UTC+0000
. 0x82267900:rundll32.exe                            1712   1556      2    144 2016-12-06 05:27:16 UTC+0000
. 0x8216a5e8:DumpIt.exe                              3740   1556      1     25 2016-12-06 05:28:46 UTC+0000
. 0x82170da0:ctfmon.exe                              1872   1556      1     87 2016-12-06 05:27:11 UTC+0000
0x823c8660:System                                      4      0     58    259 1970-01-01 00:00:00 UTC+0000
. 0x81a18020:smss.exe                                 540      4      3     19 2016-12-06 05:27:04 UTC+0000
.. 0x82173da0:winlogon.exe                            628    540     24    541 2016-12-06 05:27:07 UTC+0000
... 0x8216e670:services.exe                           672    628     15    286 2016-12-06 05:27:07 UTC+0000
.... 0x81f46238:alg.exe                              2028    672      7    104 2016-12-06 05:27:16 UTC+0000
.... 0x82312450:svchost.exe                          1036    672     87   1514 2016-12-06 05:27:08 UTC+0000
..... 0x81f2cb20:wuauclt.exe                         3164   1036      5    107 2016-12-06 05:28:15 UTC+0000
..... 0x82062b20:wuauclt.exe                          488   1036      7    132 2016-12-06 05:27:13 UTC+0000
..... 0x81e56228:wscntfy.exe                          720   1036      1     37 2016-12-06 05:27:18 UTC+0000
.... 0x82154880:vmacthlp.exe                          836    672      1     25 2016-12-06 05:27:08 UTC+0000
.... 0x82151ca8:svchost.exe                           936    672     10    272 2016-12-06 05:27:08 UTC+0000
.... 0x81e4b4b0:vmtoolsd.exe                          312    672      9    265 2016-12-06 05:27:13 UTC+0000
.... 0x81f92778:svchost.exe                          1088    672      7     83 2016-12-06 05:27:08 UTC+0000
.... 0x81f00558:VGAuthService.e                       196    672      2     60 2016-12-06 05:27:13 UTC+0000
.... 0x81e18da0:svchost.exe                           848    672     20    216 2016-12-06 05:27:08 UTC+0000
..... 0x81e89200:wmiprvse.exe                         596    848     12    255 2016-12-06 05:27:13 UTC+0000
.... 0x81e41928:svchost.exe                          1320    672     12    183 2016-12-06 05:27:10 UTC+0000
.... 0x81f0dbe0:spoolsv.exe                          1644    672     15    133 2016-12-06 05:27:10 UTC+0000
.... 0x81f65da0:svchost.exe                          1776    672      2     23 2016-12-06 05:27:10 UTC+0000
..... 0x8225bda0:IEXPLORE.EXE                         380   1776     22    385 2016-12-06 05:27:19 UTC+0000
...... 0x8229f7e8:IEXPLORE.EXE                       1080    380     19    397 2016-12-06 05:27:21 UTC+0000
.... 0x81e4f560:svchost.exe                          1704    672      5    107 2016-12-06 05:27:10 UTC+0000
... 0x81f8c9a0:lsass.exe                              684    628     26    374 2016-12-06 05:27:07 UTC+0000
.. 0x81ef6da0:csrss.exe                               604    540     11    480 2016-12-06 05:27:07 UTC+0000
0x81e886f0:GoogleUpdate.ex                           372   1984      7    138 2016-12-06 05:27:13 UTC+0000



It is not clear from the list which of the svchost.exe processes we need, so let's dump the memory of all of them and run the dumps through strings | grep, hoping that the hosts file was loaded into memory.

deflate@deflate-desktop:~$ mkdir /tmp/dumps
deflate@deflate-desktop:~$ volatility -f /tmp/forensic_100.raw -D /tmp/dumps -n svchost.exe memdump
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing svchost.exe [   848] to 848.dmp
************************************************************************
Writing svchost.exe [   936] to 936.dmp
************************************************************************
Writing svchost.exe [  1036] to 1036.dmp
************************************************************************
Writing svchost.exe [  1088] to 1088.dmp
************************************************************************
Writing svchost.exe [  1320] to 1320.dmp
************************************************************************
Writing svchost.exe [  1704] to 1704.dmp
************************************************************************
Writing svchost.exe [  1776] to 1776.dmp
deflate@deflate-desktop:~$ find /tmp/dumps -exec bash -c "strings {} > {}.strings" \;
deflate@deflate-desktop:~$ grep localhost /tmp/dumps/*.strings
...
/tmp/dumps/1036.dmp.strings:Root\snmp\localhost:__Win32Provider.Name="MS_SNMP_INSTANCE_PROVIDER"
/tmp/dumps/1036.dmp.strings:Root\snmp\localhost:__Win32Provider.Name="MS_SNMP_ENCAPSULATED_EVENT_PROVIDER"
/tmp/dumps/1088.dmp.strings:127.0.0.1       localhost
/tmp/dumps/1088.dmp.strings:localhost
/tmp/dumps/1088.dmp.strings:Root\ms_snmp_root\localhost:__Win32Provider.Name="MS_SNMP_CLASS_PROVIDER"j*
...

In 1088.dmp we found something that looks like a piece of the hosts file: 127.0.0.1       localhost

Let's narrow the search and try to print the hosts file in full:

deflate@deflate-desktop:~$ grep "127.0.0.1       localhost" /tmp/dumps/1088.dmp.strings -B 20 -A 3
USERPROFILE=C:\Documents and Settings\NetworkService
windir=C:\WINDOWS
Sw+"Sw  "Sw["Sw
ght (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file co
ngs of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed
umn followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# sp
the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
153.127.200.178    crattack.tistory.com attack.tistory.com
Actx
SsHd,





Let's check whether the process contacted the domains crattack.tistory.com or attack.tistory.com:

deflate@deflate-desktop:~$ grep "crattack.tistory.com" /tmp/dumps/1088.dmp.strings
153.127.200.178    crattack.tistory.com attack.tistory.com
Host: crattack.tistory.com
Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Host: crattack.tistory.com
Access-Control-Allow-Origin: http://crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/trackback/90W





Let's try to open http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd (that means talking to 153.127.200.178; one could simply add the entry to the local hosts file, but we'll do it with curl instead):

deflate@deflate-desktop:~$ curl -H 'Host: crattack.tistory.com' 153.127.200.178/entry/Data-Science-import-pandas-as-pd
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
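The two grep passes above (first for a hosts-file fragment, then for HTTP artefacts naming the same domain) can be folded into one scan of the strings output that reports every hostname the process actually contacted whose hosts entry pins it to a non-loopback address. This is an added example, not code from the original writeup; the input is a constructed excerpt in the shape of the 1088.dmp.strings output, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in the shape of the `strings` output of 1088.dmp above.
SAMPLE_STRINGS = """\
# For example:
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
153.127.200.178    crattack.tistory.com attack.tistory.com
Actx
Host: crattack.tistory.com
Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
""".splitlines()

# "<ipv4> <name> [<name>...] [# comment]" -- a hosts(5) entry
HOSTS_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([^#]+?)\s*(?:#.*)?$")
# HTTP request headers and IE history records as they appear in strings output
HTTP_RE = re.compile(r"^(?:Host|Referer|Visited):\s*(\S+)")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

def parse_hosts_entries(lines):
    """Map hostname -> IP for every non-comment hosts-style line."""
    mapping = {}
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group(1)))
        except ValueError:
            continue  # dotted digits that are not a valid IPv4 address
        for name in m.group(2).split():
            mapping[name.lower()] = ip
    return mapping

def extract_http_hosts(lines):
    """Hostnames seen in Host:/Referer:/Visited: lines (bare host or URL)."""
    hosts = set()
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            u = URL_HOST_RE.search(m.group(1))
            hosts.add((u.group(1) if u else m.group(1)).lower())
    return hosts

def suspicious_overrides(lines):
    """Contacted hostnames whose hosts entry points away from loopback."""
    pinned = parse_hosts_entries(lines)
    contacted = extract_http_hosts(lines)
    return {h: ip for h, ip in pinned.items() if h in contacted and not ip_address(ip).is_loopback}
```

Run it over a real `*.dmp.strings` file by reading the file into a list of lines and passing it to suspicious_overrides; attack.tistory.com is pinned but never contacted, so only crattack.tistory.com is reported.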




