Note: hands-on memory forensics, the 8 forensics challenges from OtterCTF 2018

sekurlsa::minidump lsass.dmp
sekurlsa::tspkg

1 - What the password?

Description

Source file

you got a sample of rick's PC's memory. can you get his user password? format: CTF{...}

solve

Reference blog 1

Reference blog 2

Solution:

python vol.py -f OtterCTF.vmem imageinfo

This gives the system information (the profile to use); continue with:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 hivelist

Dump the account password hashes (-y is the SYSTEM hive offset and -s the SAM hive offset taken from hivelist):

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a0016d4010 hashdump

The extracted hashes turned out not to be crackable:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::

The intermediate steps are covered in the referenced blogs and are not repeated here.

In fact the mimikatz plugin solves it in one go:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz

Result:

Volatility Foundation Volatility Framework 2.6.1
Module User Domain Password
-------- ---------------- ---------------- ----------------------------------------
wdigest Rick WIN-LO6FAF3DTFE MortyIsReallyAnOtter
wdigest WIN-LO6FAF3DTFE$ WORKGROUP

flag:

CTF{MortyIsReallyAnOtter}

2 - General Info

Description

Let's start easy - whats the PC's name and IP address?

solve

The PC name already appeared above (in the mimikatz output):

CTF{WIN-LO6FAF3DTFE}

Local IP:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan

The IP is 192.168.202.131

flag:

CTF{WIN-LO6FAF3DTFE}
CTF{192.168.202.131}

3 - Play Time

Description

Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?

solve

Solution:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pslist

The game is LunarMS (LunarMS.exe shows up in the process list).

netscan shows the server IP:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan | find /i "LunarMS"

flag:

CTF{LunarMS}
CTF{77.102.199.102}

4 - Name Game

Description

We know that the account was logged in to a channel called Lunar-3. what is the account name?

solve

Doing these challenges on Windows is really tiring....

Linux command (prints the 6 lines around the target string, 3 before and 3 after):

strings OtterCTF.vmem | grep 'Lunar-3' -A 3 -B 3

Windows solution:

I did not know how to print the surrounding strings on Windows, so I first downloaded strings.exe, extracted the strings of OtterCTF.vmem to a file, and then used grep from Git Bash to do the same thing:

strings64.exe OtterCTF.vmem > ooo.txt
grep 'Lunar-3' -A 3 -B 3 ooo.txt

That works; both ways give the same result:

disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
BtMouseClick
--
L`*
Yt*
L-2
Lunar-3
Lunar-4
~&S
>Zc

flag:

CTF{0tt3r8r33z3}

5 - Name Game 2

Description

1
From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What's rick's character's name? format: CTF{...}

solve

Dump the game process (LunarMS.exe, pid 708) to a file and search it in 010 Editor for the bytes 5a 0c 00 00; the flag follows right after them.

Command:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 memdump -D . -p 708

The search returns 185 hits.
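The two memory-search steps used in Name Game and Name Game 2 (strings plus grep with context lines, and a byte-pattern search over the process dump) can be reproduced in a few lines of Python. This is an added example, not code from the original post, from Volatility or from 010 Editor. It goes a step beyond the 010 Editor search in the post: instead of matching only the 4-byte tail 5a 0c 00 00, it matches the full signature from the challenge description (0x64, 6-8 wildcard bytes, 0x40 0x06, 18 wildcard bytes, 0x5a 0x0c 0x00 0x00) and reads the NUL-terminated name after it, which filters out most of the 185 tail-only hits. The MEMORY buffer is constructed for the example (it is not real OtterCTF.vmem or memdump content); on a real dump call find_character_names(open("708.dmp", "rb").read()).

```python
"""strings | grep -A/-B context and a signature search over a memory buffer.

Added example for this write-up; not part of Volatility, 010 Editor or the
original post. MEMORY is a constructed sample, not real dump content.
"""
import re

# constructed sample: a few UI strings, the channel name, and one copy of the
# Name Game 2 signature followed by a NUL-terminated character name
MEMORY = (
    b"\x00\x00disabled\x00mouseOver\x00keyFocused\x00Lunar-3\x00"
    b"0tt3r8r33z3\x00Sound/UI.img/\x00BtMouseClick\x00\x01\x02\x03"
    + b"\x64" + b"\xaa" * 7 + b"\x40\x06" + b"\xbb" * 18 + b"\x5a\x0c\x00\x00"
    + b"M0rtyL0L\x00" + b"\x00" * 8
)


def ascii_strings(buf: bytes, min_len: int = 4):
    """Printable ASCII runs of min_len or more, as strings(1) prints them."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(buf)]


def grep_context(lines, needle: str, before: int = 3, after: int = 3):
    """grep -B before -A after: every hit with its surrounding lines."""
    hits = []
    for i, line in enumerate(lines):
        if needle in line:
            lo, hi = max(0, i - before), min(len(lines), i + after + 1)
            hits.append(lines[lo:hi])
    return hits


# full signature from the challenge: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
SIGNATURE = re.compile(rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00", re.DOTALL)
# the name that follows: printable bytes up to a NUL (13-char cap is an assumption)
NAME = re.compile(rb"[\x20-\x7e]{1,13}")


def find_character_names(buf: bytes):
    """Names that follow a full-signature match and end in a NUL byte."""
    names = []
    for m in SIGNATURE.finditer(buf):
        tail = buf[m.end():m.end() + 16]
        n = NAME.match(tail)
        if n and tail[n.end():n.end() + 1] == b"\x00":   # require the terminator
            names.append(n.group().decode("ascii"))
    return names


def count_tail_only(buf: bytes) -> int:
    """Hits for the 4-byte tail alone, i.e. what a plain hex search counts."""
    return buf.count(b"\x5a\x0c\x00\x00")


if __name__ == "__main__":
    lines = ascii_strings(MEMORY)
    for block in grep_context(lines, "Lunar-3"):
        print("\n".join(block), "\n--")
    print("tail-only hits:", count_tail_only(MEMORY))
    print("full-signature names:", find_character_names(MEMORY))
```

On the real process dump the difference between count_tail_only and find_character_names is the point: the 4-byte tail is common, while the full signature plus a printable NUL-terminated name narrows the candidates to a handful that can be checked by hand.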

flag:

CTF{M0rtyL0L}

6 - Silly Rick

Description

1
Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick's email password?

solve

"copy and paste the password" suggests the password may still be in the clipboard:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 clipboard

Result:

Volatility Foundation Volatility Framework 2.6.1
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 CF_UNICODETEXT 0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs
1 WinSta0 CF_TEXT 0x10 ------------------
1 WinSta0 0x150133L 0x200000000000 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0x150133 0xfffff900c1c1adc0

flag:

CTF{M@il_Pr0vid0rs}

7 - Hide And Seek

Description

The reason that we took rick's PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)

BEAWARE! There are only 3 attempts to get the right flag!

solve

Reference link

Command:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree

Partial output:

0xfffffa801b27e060:explorer.exe 2728 2696 33 854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
. 0xfffffa801b2f02e0:WebCompanion.e 2844 2728 0 ------ 2018-08-04 19:27:07 UTC+0000
. 0xfffffa801a4e3870:chrome.exe 4076 2728 44 1160 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a4eab30:chrome.exe 4084 4076 8 86 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a5ef1f0:chrome.exe 1796 4076 15 170 2018-08-04 19:33:41 UTC+0000
.. 0xfffffa801aa00a90:chrome.exe 3924 4076 16 228 2018-08-04 19:29:51 UTC+0000
.. 0xfffffa801a635240:chrome.exe 3648 4076 16 207 2018-08-04 19:33:38 UTC+0000
.. 0xfffffa801a502b30:chrome.exe 576 4076 2 58 2018-08-04 19:29:31 UTC+0000
.. 0xfffffa801a4f7b30:chrome.exe 1808 4076 13 229 2018-08-04 19:29:32 UTC+0000
.. 0xfffffa801a7f98f0:chrome.exe 2748 4076 15 181 2018-08-04 19:31:15 UTC+0000
. 0xfffffa801b5cb740:LunarMS.exe 708 2728 18 346 2018-08-04 19:27:39 UTC+0000
. 0xfffffa801b1cdb30:vmtoolsd.exe 2804 2728 6 190 2018-08-04 19:27:06 UTC+0000
. 0xfffffa801b290b30:BitTorrent.exe 2836 2728 24 471 2018-08-04 19:27:07 UTC+0000
.. 0xfffffa801b4c9b30:bittorrentie.e 2624 2836 13 316 2018-08-04 19:27:21 UTC+0000
.. 0xfffffa801b4a7b30:bittorrentie.e 2308 2836 15 337 2018-08-04 19:27:19 UTC+0000
0xfffffa8018d44740:System 4 0 95 411 2018-08-04 19:26:03 UTC+0000
. 0xfffffa801947e4d0:smss.exe 260 4 2 30 2018-08-04 19:26:03 UTC+0000
0xfffffa801a2ed060:wininit.exe 396 336 3 78 2018-08-04 19:26:11 UTC+0000
. 0xfffffa801ab377c0:services.exe 492 396 11 242 2018-08-04 19:26:12 UTC+0000
.. 0xfffffa801afe7800:svchost.exe 1948 492 6 96 2018-08-04 19:26:42 UTC+0000
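The anomaly in the tree above is a parent/child relationship: an executable named like the VMware tray tool is running under a process called "Rick And Morty" (a media-file name, itself a child of explorer.exe) rather than under explorer.exe or vmtoolsd.exe. As an added example (not a Volatility plugin and not the author's code), the Python below parses the pstree excerpt quoted above and applies two heuristics, both assumptions chosen for this example: a process with a known name whose parent is not in an expected-parent list, and any child of a process whose name does not look like a program. Note that pstree prints the kernel's 15-byte ImageFileName, so names are cut to 14 characters ("vmware-tray.ex", "bittorrentie.e"); the full name has to be confirmed with dlllist or cmdline before it goes in a flag or a report.

```python
"""Parent/child sanity checks over Volatility pstree output.

Added example for this write-up; not a Volatility plugin and not the
author's code. PSTREE is the pstree excerpt quoted in the post.
"""
import re

PSTREE = """\
0xfffffa801b27e060:explorer.exe 2728 2696 33 854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
. 0xfffffa801b2f02e0:WebCompanion.e 2844 2728 0 ------ 2018-08-04 19:27:07 UTC+0000
. 0xfffffa801a4e3870:chrome.exe 4076 2728 44 1160 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a4eab30:chrome.exe 4084 4076 8 86 2018-08-04 19:29:30 UTC+0000
. 0xfffffa801b5cb740:LunarMS.exe 708 2728 18 346 2018-08-04 19:27:39 UTC+0000
. 0xfffffa801b1cdb30:vmtoolsd.exe 2804 2728 6 190 2018-08-04 19:27:06 UTC+0000
. 0xfffffa801b290b30:BitTorrent.exe 2836 2728 24 471 2018-08-04 19:27:07 UTC+0000
.. 0xfffffa801b4c9b30:bittorrentie.e 2624 2836 13 316 2018-08-04 19:27:21 UTC+0000
0xfffffa8018d44740:System 4 0 95 411 2018-08-04 19:26:03 UTC+0000
. 0xfffffa801947e4d0:smss.exe 260 4 2 30 2018-08-04 19:26:03 UTC+0000
0xfffffa801a2ed060:wininit.exe 396 336 3 78 2018-08-04 19:26:11 UTC+0000
. 0xfffffa801ab377c0:services.exe 492 396 11 242 2018-08-04 19:26:12 UTC+0000
.. 0xfffffa801afe7800:svchost.exe 1948 492 6 96 2018-08-04 19:26:42 UTC+0000
"""

# depth dots, offset:name (name may contain spaces), pid, ppid, threads, handles, start time
LINE = re.compile(
    r"^(?P<depth>\.*)\s*(?P<offset>0x[0-9a-f]+):(?P<name>.+?)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\S+)\s+(?P<time>.*)$"
)

# assumed expected parents, keyed by the 14-char truncated name pstree prints
EXPECTED_PARENT = {
    "vmware-tray.ex": {"explorer.exe", "vmtoolsd.exe"},
    "smss.exe": {"System"},
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def parse_pstree(text):
    """Map pid -> process dict for every line that looks like a pstree row."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            procs[int(m["pid"])] = {
                "name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                "threads": int(m["thds"]), "depth": len(m["depth"]), "start": m["time"],
            }
    return procs


def looks_like_program(name):
    """Heuristic: image names carry an extension; 'System' is the kernel exception."""
    return name == "System" or "." in name


def suspicious(procs):
    """[(pid, name, reason)] for processes that fail either heuristic."""
    findings = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        pname = parent["name"] if parent else "<not in dump>"
        if p["name"] in EXPECTED_PARENT and pname not in EXPECTED_PARENT[p["name"]]:
            findings.append((p["pid"], p["name"], f"unexpected parent {pname} (pid {p['ppid']})"))
        if parent and not looks_like_program(pname):
            findings.append((p["pid"], p["name"], f"spawned by non-program '{pname}'"))
    return findings


def suspicious_pids(text):
    """Sorted pids flagged by suspicious() for a pstree text."""
    return sorted({pid for pid, _, _ in suspicious(parse_pstree(text))})


if __name__ == "__main__":
    for pid, name, reason in suspicious(parse_pstree(PSTREE)):
        print(f"pid {pid} {name}: {reason}")
```

Only pid 3720 is flagged, by both heuristics. The expected-parent table is deliberately small; in practice it is extended from a known-good baseline of the same Windows build, and an unknown parent pid (explorer.exe's parent 2696 here) is left alone because the parent may simply have exited.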

flag:

CTF{vmware-tray.exe}

8 - Name Game 2

Description

How did the malware got to rick's PC? It must be one of rick old illegal habits...

solve

Commands:

python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep "Rick And Morty"
python vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D .

Open the dumped file in Notepad++; it contains:

website19:M3an_T0rren7_4_R!ck

flag:

CTF{M3an_T0rren7_4_R!ck}