Lab: SECCON Quals 2016, Memory Analysis writeup

Deflate, 17 December 2016

Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!
http://files.quals.seccon.jp/memoryanalysis.zip
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file
password: fjliejflsjiejlsiejee33cnc

The hint tells us to run the dump through Volatility.

Let's look at the process list:

deflate@deflate-desktop:~$ volatility -f /tmp/forensic_100.raw pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8231f698:explorer.exe                             1556   1520     15    466 2016-12-06 05:27:10 UTC+0000
. 0x821f8438:vmtoolsd.exe                            1856   1556      3    129 2016-12-06 05:27:11 UTC+0000
. 0x819b4380:tcpview.exe                             3308   1556      2     84 2016-12-06 05:28:42 UTC+0000
. 0x82267900:rundll32.exe                            1712   1556      2    144 2016-12-06 05:27:16 UTC+0000
. 0x8216a5e8:DumpIt.exe                              3740   1556      1     25 2016-12-06 05:28:46 UTC+0000
. 0x82170da0:ctfmon.exe                              1872   1556      1     87 2016-12-06 05:27:11 UTC+0000
0x823c8660:System                                      4      0     58    259 1970-01-01 00:00:00 UTC+0000
. 0x81a18020:smss.exe                                 540      4      3     19 2016-12-06 05:27:04 UTC+0000
.. 0x82173da0:winlogon.exe                            628    540     24    541 2016-12-06 05:27:07 UTC+0000
... 0x8216e670:services.exe                           672    628     15    286 2016-12-06 05:27:07 UTC+0000
.... 0x81f46238:alg.exe                              2028    672      7    104 2016-12-06 05:27:16 UTC+0000
.... 0x82312450:svchost.exe                          1036    672     87   1514 2016-12-06 05:27:08 UTC+0000
..... 0x81f2cb20:wuauclt.exe                         3164   1036      5    107 2016-12-06 05:28:15 UTC+0000
..... 0x82062b20:wuauclt.exe                          488   1036      7    132 2016-12-06 05:27:13 UTC+0000
..... 0x81e56228:wscntfy.exe                          720   1036      1     37 2016-12-06 05:27:18 UTC+0000
.... 0x82154880:vmacthlp.exe                          836    672      1     25 2016-12-06 05:27:08 UTC+0000
.... 0x82151ca8:svchost.exe                           936    672     10    272 2016-12-06 05:27:08 UTC+0000
.... 0x81e4b4b0:vmtoolsd.exe                          312    672      9    265 2016-12-06 05:27:13 UTC+0000
.... 0x81f92778:svchost.exe                          1088    672      7     83 2016-12-06 05:27:08 UTC+0000
.... 0x81f00558:VGAuthService.e                       196    672      2     60 2016-12-06 05:27:13 UTC+0000
.... 0x81e18da0:svchost.exe                           848    672     20    216 2016-12-06 05:27:08 UTC+0000
..... 0x81e89200:wmiprvse.exe                         596    848     12    255 2016-12-06 05:27:13 UTC+0000
.... 0x81e41928:svchost.exe                          1320    672     12    183 2016-12-06 05:27:10 UTC+0000
.... 0x81f0dbe0:spoolsv.exe                          1644    672     15    133 2016-12-06 05:27:10 UTC+0000
.... 0x81f65da0:svchost.exe                          1776    672      2     23 2016-12-06 05:27:10 UTC+0000
..... 0x8225bda0:IEXPLORE.EXE                         380   1776     22    385 2016-12-06 05:27:19 UTC+0000
...... 0x8229f7e8:IEXPLORE.EXE                       1080    380     19    397 2016-12-06 05:27:21 UTC+0000
.... 0x81e4f560:svchost.exe                          1704    672      5    107 2016-12-06 05:27:10 UTC+0000
... 0x81f8c9a0:lsass.exe                              684    628     26    374 2016-12-06 05:27:07 UTC+0000
.. 0x81ef6da0:csrss.exe                               604    540     11    480 2016-12-06 05:27:07 UTC+0000
0x81e886f0:GoogleUpdate.ex                           372   1984      7    138 2016-12-06 05:27:13 UTC+0000

The list doesn't tell us which svchost.exe process we need, so we dump the memory of all of them and run strings | grep over the dumps, hoping that the hosts file was loaded into memory.

deflate@deflate-desktop:~$ mkdir /tmp/dumps
deflate@deflate-desktop:~$ volatility -f /tmp/forensic_100.raw -D /tmp/dumps -n svchost.exe memdump
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing svchost.exe [   848] to 848.dmp
************************************************************************
Writing svchost.exe [   936] to 936.dmp
************************************************************************
Writing svchost.exe [  1036] to 1036.dmp
************************************************************************
Writing svchost.exe [  1088] to 1088.dmp
************************************************************************
Writing svchost.exe [  1320] to 1320.dmp
************************************************************************
Writing svchost.exe [  1704] to 1704.dmp
************************************************************************
Writing svchost.exe [  1776] to 1776.dmp
deflate@deflate-desktop:~$ find /tmp/dumps -exec bash -c "strings {} > {}.strings" \;
deflate@deflate-desktop:~$ grep localhost /tmp/dumps/*.strings
...
/tmp/dumps/1036.dmp.strings:Root\snmp\localhost:__Win32Provider.Name="MS_SNMP_INSTANCE_PROVIDER"
/tmp/dumps/1036.dmp.strings:Root\snmp\localhost:__Win32Provider.Name="MS_SNMP_ENCAPSULATED_EVENT_PROVIDER"
/tmp/dumps/1088.dmp.strings:127.0.0.1       localhost
/tmp/dumps/1088.dmp.strings:localhost
/tmp/dumps/1088.dmp.strings:Root\ms_snmp_root\localhost:__Win32Provider.Name="MS_SNMP_CLASS_PROVIDER"j*
...

In 1088.dmp there is something that looks like a fragment of the hosts file: 127.0.0.1       localhost

Let's narrow the search and try to print the hosts file in full:

deflate@deflate-desktop:~$ grep "127.0.0.1       localhost" /tmp/dumps/1088.dmp.strings -B 20 -A 3
USERPROFILE=C:\Documents and Settings\NetworkService
windir=C:\WINDOWS
Sw+"Sw  "Sw["Sw
ght (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file co
ngs of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed
umn followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# sp
the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
153.127.200.178    crattack.tistory.com attack.tistory.com
Actx
SsHd,

Let's check whether the process accessed the domains crattack.tistory.com or attack.tistory.com:

deflate@deflate-desktop:~$ grep "crattack.tistory.com" /tmp/dumps/1088.dmp.strings
153.127.200.178    crattack.tistory.com attack.tistory.com
Host: crattack.tistory.com
Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Host: crattack.tistory.com
Access-Control-Allow-Origin: http://crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/trackback/90W
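The two strings | grep passes above (carving the hosts fragment out of 1088.dmp, then checking for requests to the domains it pins) can be done in one pass over the raw dump bytes. The script below is an added example, not part of the original writeup; it runs on a constructed byte sample standing in for the dump, and the function names are my own.

```python
import re

# Constructed sample of raw dump bytes: a hosts-file fragment and HTTP artifacts
# like those `strings` recovered from 1088.dmp, surrounded by binary filler.
SAMPLE_DUMP = (
    b"\x00\x01Sw+\"Sw\x00"
    b"# For example:\n"
    b"#      102.54.94.97     rhino.acme.com          # source server\n"
    b"127.0.0.1       localhost\n"
    b"153.127.200.178    crattack.tistory.com attack.tistory.com\n"
    b"\x00\x00Actx\x00"
    b"Host: crattack.tistory.com\r\n"
    b"Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\r\n"
    b"\x00Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
)

# A hosts entry: IPv4 at line start, then one or more names, up to a comment or line end.
HOSTS_LINE = re.compile(rb"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+([^\r\n#\x00]+)", re.M)
HOST_HDR = re.compile(rb"Host: ([A-Za-z0-9.-]+)")
URL = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\x00\"'<>]*)?")


def carve_hosts_entries(data):
    """Map every hostname found in hosts-style lines of the dump to its IP."""
    entries = {}
    for m in HOSTS_LINE.finditer(data):
        ip = m.group(1).decode()
        for name in m.group(2).split():
            entries[name.decode()] = ip
    return entries


def suspicious_pins(entries):
    """Entries that pin a name to a non-loopback address: candidate hosts-file hijacks."""
    return {n: ip for n, ip in entries.items() if not ip.startswith("127.")}


def http_artifacts(data, host):
    """Host headers and URLs in the dump that refer to `host`, as evidence of access."""
    hb = host.encode()
    headers = sum(1 for m in HOST_HDR.finditer(data) if m.group(1) == hb)
    urls = {u.decode() for u in URL.findall(data) if u.split(b"/")[2] == hb}
    return {"host_headers": headers, "urls": sorted(urls)}


if __name__ == "__main__":
    pins = suspicious_pins(carve_hosts_entries(SAMPLE_DUMP))
    for name, ip in pins.items():
        print(f"{name} -> {ip}", http_artifacts(SAMPLE_DUMP, name))
```

To run it on a real Volatility memdump, read the .dmp file as bytes in place of SAMPLE_DUMP; note that only ASCII strings are matched, as in the plain `strings` run above.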
Let's try to open http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd (this means connecting to 153.127.200.178; one could simply add the entry to hosts, but we will go through curl):

deflate@deflate-desktop:~$ curl -H 'Host: crattack.tistory.com' 153.127.200.178/entry/Data-Science-import-pandas-as-pd
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}