Memory forensics with OtterCTF: a walkthrough and an introduction to the Volatility framework

Hi, Habr!


OtterCTF recently ended (for those interested, here is a link to ctftime). This year it frankly pleased me, as a person who works fairly close to the hardware: there was a separate Memory Forensics category, which in practice meant analysing a memory dump. That category is what I want to take apart in this post; everyone who is interested, welcome under the cut.


Introduction


Habr may already have had articles on working with Volatility, but unfortunately I did not find them; if I am wrong, throw me a link in the comments. This article has two goals: to show how little all of an administrator's efforts to protect a system are worth once an attacker holds a memory dump, and to introduce readers to what is, in my opinion, a very elegant tool. And, of course, to share experience. Enough preamble, let's get started!


Introduction to the tool



Volatility is an open-source framework developed by the community. The 2.x branch used here is written in Python 2 (the later Volatility 3 rewrite targets Python 3) and has a modular architecture: all analysis is done by plugins, which you can add as needed and even write yourself when the one you want is missing. The full list of plugins shipped out of the box can be viewed with volatility -h.


Thanks to Python the tool is cross-platform, so there should be no problems running it on any popular OS that has a Python interpreter. The framework supports a huge number of profiles (in Volatility's terms, the OS build from which the dump was taken): Windows, Linux and macOS in many versions. It is just as flexible about the input format: from raw dd-style dumps to the memory images of virtual machines (QEMU and VirtualBox among them). In my opinion, a very good set.


The power of this tool is really impressive: I came across it while debugging my own kernel for ARM, and it analysed perfectly everything I fed it.

As a bonus, it supports almost every address space imaginable.
This has turned into a bit more of an advertisement than originally planned, so let's move on to the analysis itself.


Basic information and surface analysis



For those who want to perform all the steps while reading the article, here is a link to Mega with the image, or you can use wget:


wget https://transfer.sh/AesNq/OtterCTF.7z

So, the image is in our hands and we can start the analysis. First of all we need to determine which system the dump was taken from; Volatility has an excellent plugin for this, imageinfo. Just run


$ volatility -f %image_name% imageinfo

In our case the output looks roughly like this:


Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (%path%/%image_name%)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-04 19:34:22 UTC+0000
     Image local date and time : 2018-08-04 22:34:22 +0300

So we have received almost exhaustive information about the dump: the OS it was presumably taken from (the suggestions are sorted in order of likelihood), the local date and time at the moment of the dump, the address space layering and much more. Keep in mind that imageinfo guesses the profile from a KDBG scan; Win7SP1x64 and Win2008R2SP1x64 share a kernel, so several suggestions can be equally valid, and if a later plugin returns nothing or obvious garbage, the profile is the first thing to re-check (kdbgscan helps here). For us the picture is clear: a dump of Windows 7 Service Pack 1 x64. Time to dig in!


What's the password



Since this is a kind of write-up, I will state each task and then describe how to solve it with Volatility.
The first task is to get the user's password.

To begin with, let's find out which users existed on the system and, at the same time, try to get their passwords. The passwords themselves are harder to obtain, so we hope the user was not very clever and that we will manage to crack the hash of his password. First we need that hash. For this we look at the registry hives loaded in memory (the _CMHIVE structures); on a running Windows system there is almost always something interesting there. Just run the hivelist plugin, this time specifying the Win7 profile:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat

Excellent! We have a likely username (Rick, from the ntuser.dat path) and have confirmed that the SYSTEM and SAM hives we need are loaded in memory. hashdump needs both: the hashes in the SAM are encrypted with a key derived from the SYSTEM hive (the boot key), so we pass the virtual offset of SYSTEM with -y and of SAM with -s. Now we dump the hashes and try to crack them:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0016d4010
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::

According to the results we have three users: Administrator (31d6cfe0d16ae931b73c59d7e0c089c0), Guest (31d6cfe0d16ae931b73c59d7e0c089c0) and our Rick (518172d012f97d3a8fcc089615283940). The first hash field of every entry, aad3b435b51404eeaad3b435b51404ee, is the LM hash of an empty password, meaning LM storage is disabled, as it is by default on Windows 7. Administrator and Guest share 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of the empty password, typical of the built-in accounts that Windows 7 ships disabled. Rick's hash is the only one worth attacking. The NT hash is unsalted MD4 over the UTF-16LE password, so each guess is cheap; it is the search space of a long password, not the hash, that makes cracking slow. I can say that I spent almost a day on it on a gaming video card and got nowhere. So we take the easier route and try mimikatz. It is not a panacea and does not always work, but when it does it hands you the plaintext: on Windows 7 the wdigest provider keeps logon credentials in LSASS memory in a reversible form by default, and that is what the plugin reads. Here Volatility's extensibility comes in handy: there is a third-party mimikatz plugin (not shipped with the framework, and with its own Python dependencies). Download it to any convenient folder and point Volatility at that folder on startup:


$ volatility --plugins=%path_to_plugin_folder% -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz

And we immediately get the user's password:


Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP

General info



The task is to get the IP address and the computer name.

Now that we know who we are, we need to understand where we are, that is, find our IP address and the name of the machine. The IP address is easy: we look at the network endpoints present at the moment of the dump using netscan. Note that netscan carves TCP endpoint, TCP listener and UDP endpoint structures out of pool memory, so it also shows sockets that were already closed or freed; that is why so many entries below are in the CLOSED state:


Listing
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d60f010         UDPv4    0.0.0.0:1900                   *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0         UDPv4    127.0.0.1:62307                *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920         UDPv4    192.168.202.131:62306          *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0         UDPv4    0.0.0.0:50762                  *:*                                   4076     chrome.exe     2018-08-04 19:33:37 UTC+0000
0x7d6b4250         UDPv6    ::1:1900                       *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7d6e3230         UDPv4    127.0.0.1:6771                 *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d71c8a0         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d74a390         UDPv4    127.0.0.1:52847                *:*                                   2624     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d7602c0         UDPv4    127.0.0.1:52846                *:*                                   2308     bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d787010         UDPv4    0.0.0.0:65452                  *:*                                   4076     chrome.exe     2018-08-04 19:33:42 UTC+0000
0x7d789b50         UDPv4    0.0.0.0:50523                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d789b50         UDPv6    :::50523                       *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv4    0.0.0.0:0                      *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d92a230         UDPv6    :::0                           *:*                                   868      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d9e8b50         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f4560         UDPv4    0.0.0.0:0                      *:*                                   3856     WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7d9f8cb0         UDPv4    0.0.0.0:20830                  *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f8cb0         UDPv6    :::20830                       *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d8bb390         TCPv4    0.0.0.0:9008                   0.0.0.0:0            LISTENING        4        System
0x7d8bb390         TCPv6    :::9008                        :::0                 LISTENING        4        System
0x7d9a9240         TCPv4    0.0.0.0:8733                   0.0.0.0:0            LISTENING        4        System
0x7d9a9240         TCPv6    :::8733                        :::0                 LISTENING        4        System
0x7d9e19e0         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe
0x7d9e19e0         TCPv6    :::20830                       :::0                 LISTENING        2836     BitTorrent.exe
0x7d9e1c90         TCPv4    0.0.0.0:20830                  0.0.0.0:0            LISTENING        2836     BitTorrent.exe
0x7d42ba90         TCPv4    -:0                            56.219.196.26:0      CLOSED           2836     BitTorrent.exe
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
0x7d62d690         TCPv4    192.168.202.131:49229          169.1.143.215:8999   CLOSED           2836     BitTorrent.exe
0x7d634350         TCPv6    -:0                            38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED           2836     BitTorrent.exe
0x7d6f27f0         TCPv4    192.168.202.131:50381          71.198.155.180:34674 CLOSED           2836     BitTorrent.exe
0x7d704010         TCPv4    192.168.202.131:50382          92.251.23.204:6881   CLOSED           2836     BitTorrent.exe
0x7d708cf0         TCPv4    192.168.202.131:50364          91.140.89.116:31847  CLOSED           2836     BitTorrent.exe
0x7d729620         TCPv4    -:50034                        142.129.37.27:24578  CLOSED           2836     BitTorrent.exe
0x7d72cbe0         TCPv4    192.168.202.131:50340          23.37.43.27:80       CLOSED           3496     Lavasoft.WCAss
0x7d7365a0         TCPv4    192.168.202.131:50358          23.37.43.27:80       CLOSED           3856     WebCompanion.e
0x7d81c890         TCPv4    192.168.202.131:50335          185.154.111.20:60405 CLOSED           2836     BitTorrent.exe
0x7d8fd530         TCPv4    192.168.202.131:50327          23.37.43.27:80       CLOSED           3496     Lavasoft.WCAss
0x7d9cecf0         TCPv4    192.168.202.131:50373          173.239.232.46:2997  CLOSED           2836     BitTorrent.exe
0x7d9d7cf0         TCPv4    192.168.202.131:50371          191.253.122.149:59163 CLOSED           2836     BitTorrent.exe
0x7daefec0         UDPv4    0.0.0.0:0                      *:*                                   3856     WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7daefec0         UDPv6    :::0                           *:*                                   3856     WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7db83b90         UDPv4    0.0.0.0:0                      *:*                                   3880     WebCompanionIn 2018-08-04 19:33:30 UTC+0000
0x7db83b90         UDPv6    :::0                           *:*                                   3880     WebCompanionIn 2018-08-04 19:33:30 UTC+0000
0x7db9cdd0         UDPv4    0.0.0.0:0                      *:*                                   2844     WebCompanion.e 2018-08-04 19:30:05 UTC+0000
0x7db9cdd0         UDPv6    :::0                           *:*                                   2844     WebCompanion.e 2018-08-04 19:30:05 UTC+0000
0x7dc2dc30         UDPv4    0.0.0.0:50879                  *:*                                   4076     chrome.exe     2018-08-04 19:30:41 UTC+0000
0x7dc2dc30         UDPv6    :::50879                       *:*                                   4076     chrome.exe     2018-08-04 19:30:41 UTC+0000
0x7dc83810         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7dc83810         UDPv6    :::5355                        *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7dd82c30         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:26:38 UTC+0000
0x7df00980         UDPv4    0.0.0.0:0                      *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7df00980         UDPv6    :::0                           *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7df04cc0         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:26:38 UTC+0000
0x7df04cc0         UDPv6    :::5355                        *:*                                   620      svchost.exe    2018-08-04 19:26:38 UTC+0000
0x7df5f010         UDPv4    0.0.0.0:55175                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7dfab010         UDPv4    0.0.0.0:58383                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7dfab010         UDPv6    :::58383                       *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7e12c1c0         UDPv4    0.0.0.0:0                      *:*                                   3880     WebCompanionIn 2018-08-04 19:33:27 UTC+0000
0x7e163a40         UDPv4    0.0.0.0:0                      *:*                                   3880     WebCompanionIn 2018-08-04 19:33:27 UTC+0000
0x7e163a40         UDPv6    :::0                           *:*                                   3880     WebCompanionIn 2018-08-04 19:33:27 UTC+0000
0x7e1cf010         UDPv4    192.168.202.131:137            *:*                                   4        System         2018-08-04 19:26:35 UTC+0000
0x7e1da010         UDPv4    192.168.202.131:138            *:*                                   4        System         2018-08-04 19:26:35 UTC+0000
0x7dc4ad30         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        500      lsass.exe
0x7dc4ad30         TCPv6    :::49155                       :::0                 LISTENING        500      lsass.exe
0x7dc4b370         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        500      lsass.exe
0x7dd71010         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x7dd71010         TCPv6    :::445                         :::0                 LISTENING        4        System
0x7ddca6b0         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        492      services.exe
0x7ddcbc00         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        492      services.exe
0x7ddcbc00         TCPv6    :::49156                       :::0                 LISTENING        492      services.exe
0x7de09c30         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        396      wininit.exe
0x7de09c30         TCPv6    :::49152                       :::0                 LISTENING        396      wininit.exe
0x7de0d7b0         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        396      wininit.exe
0x7de424e0         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        808      svchost.exe
0x7de45ef0         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        808      svchost.exe
0x7de45ef0         TCPv6    :::49153                       :::0                 LISTENING        808      svchost.exe
0x7df3d270         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        868      svchost.exe
0x7df3eef0         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        868      svchost.exe
0x7df3eef0         TCPv6    :::49154                       :::0                 LISTENING        868      svchost.exe
0x7e1f6010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        712      svchost.exe
0x7e1f6010         TCPv6    :::135                         :::0                 LISTENING        712      svchost.exe
0x7e1f8ef0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        712      svchost.exe
0x7db000a0         TCPv4    -:50091                        93.142.197.107:32645 CLOSED           2836     BitTorrent.exe
0x7db132e0         TCPv4    192.168.202.131:50280          72.55.154.81:80      CLOSED           3880     WebCompanionIn
0x7dbc3010         TCPv6    -:0                            4847:d418:80fa:ffff:4847:d418:80fa:ffff:0 CLOSED           4076     chrome.exe
0x7dc4bcf0         TCPv4    -:0                            104.240.179.26:0     CLOSED           3        ?4????
0x7dc83080         TCPv4    192.168.202.131:50377          179.108.238.10:19761 CLOSED           2836     BitTorrent.exe
0x7dd451f0         TCPv4    192.168.202.131:50321          45.27.208.145:51414  CLOSED           2836     BitTorrent.exe
0x7ddae890         TCPv4    -:50299                        212.92.105.227:8999  CLOSED           2836     BitTorrent.exe
0x7ddff010         TCPv4    192.168.202.131:50379          23.37.43.27:80       CLOSED           3856     WebCompanion.e
0x7e0057d0         TCPv4    192.168.202.131:50353          85.242.139.158:51413 CLOSED           2836     BitTorrent.exe
0x7e0114b0         TCPv4    192.168.202.131:50339          77.65.111.216:8306   CLOSED           2836     BitTorrent.exe
0x7e042cf0         TCPv4    192.168.202.131:50372          83.44.27.35:52103    CLOSED           2836     BitTorrent.exe
0x7e08a010         TCPv4    192.168.202.131:50374          89.46.49.163:20133   CLOSED           2836     BitTorrent.exe
0x7e092010         TCPv4    192.168.202.131:50378          120.29.114.41:13155  CLOSED           2836     BitTorrent.exe
0x7e094b90         TCPv4    192.168.202.131:50365          52.91.1.182:55125    CLOSED           2836     BitTorrent.exe
0x7e09ba90         TCPv6    -:0                            68f0:181b:80fa:ffff:68f0:181b:80fa:ffff:0 CLOSED           2836     BitTorrent.exe
0x7e0a8b90         TCPv4    192.168.202.131:50341          72.55.154.81:80      CLOSED           3880     WebCompanionIn
0x7e0d6180         TCPv4    192.168.202.131:50349          196.250.217.22:32815 CLOSED           2836     BitTorrent.exe
0x7e108100         TCPv4    192.168.202.131:50360          174.0.234.77:31240   CLOSED           2836     BitTorrent.exe
0x7e124910         TCPv4    192.168.202.131:50366          89.78.106.196:51413  CLOSED           2836     BitTorrent.exe
0x7e14dcf0         TCPv4    192.168.202.131:50363          122.62.218.159:11627 CLOSED           2836     BitTorrent.exe
0x7e18bcf0         TCPv4    192.168.202.131:50333          191.177.124.34:21011 CLOSED           2836     BitTorrent.exe
0x7e1f7ab0         TCPv4    -:0                            56.187.190.26:0      CLOSED           3        ?4????
0x7e48d9c0         UDPv6    fe80::b06b:a531:ec88:457f:1900 *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7e4ad870         UDPv4    127.0.0.1:1900                 *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7e511bb0         UDPv4    0.0.0.0:60005                  *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7e5dc3b0         UDPv6    fe80::b06b:a531:ec88:457f:546  *:*                                   808      svchost.exe    2018-08-04 19:33:28 UTC+0000
0x7e7469c0         UDPv4    0.0.0.0:50878                  *:*                                   4076     chrome.exe     2018-08-04 19:30:39 UTC+0000
0x7e7469c0         UDPv6    :::50878                       *:*                                   4076     chrome.exe     2018-08-04 19:30:39 UTC+0000
0x7e77cb00         UDPv4    0.0.0.0:50748                  *:*                                   4076     chrome.exe     2018-08-04 19:30:07 UTC+0000
0x7e77cb00         UDPv6    :::50748                       *:*                                   4076     chrome.exe     2018-08-04 19:30:07 UTC+0000
0x7e79f3f0         UDPv4    0.0.0.0:5353                   *:*                                   4076     chrome.exe     2018-08-04 19:29:35 UTC+0000
0x7e7a0ec0         UDPv4    0.0.0.0:5353                   *:*                                   4076     chrome.exe     2018-08-04 19:29:35 UTC+0000
0x7e7a0ec0         UDPv6    :::5353                        *:*                                   4076     chrome.exe     2018-08-04 19:29:35 UTC+0000
0x7e7a3960         UDPv4    0.0.0.0:0                      *:*                                   3880     WebCompanionIn 2018-08-04 19:33:30 UTC+0000
0x7e7dd010         UDPv6    ::1:58340                      *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7e413a40         TCPv4    -:0                            -:0                  CLOSED           708      LunarMS.exe
0x7e415010         TCPv4    192.168.202.131:50346          89.64.10.176:10589   CLOSED           2836     BitTorrent.exe
0x7e4202d0         TCPv4    192.168.202.131:50217          104.18.21.226:80     CLOSED           3880     WebCompanionIn
0x7e45f110         TCPv4    192.168.202.131:50211          104.18.20.226:80     CLOSED           3880     WebCompanionIn
0x7e4cc910         TCPv4    192.168.202.131:50228          104.18.20.226:80     CLOSED           3880     WebCompanionIn
0x7e512950         TCPv4    192.168.202.131:50345          77.126.30.221:13905  CLOSED           2836     BitTorrent.exe
0x7e521b50         TCPv4    -:0                            -:0                  CLOSED           708      LunarMS.exe
0x7e5228d0         TCPv4    192.168.202.131:50075          70.65.116.120:52700  CLOSED           2836     BitTorrent.exe
0x7e52f010         TCPv4    192.168.202.131:50343          86.121.4.189:46392   CLOSED           2836     BitTorrent.exe
0x7e563860         TCPv4    192.168.202.131:50170          103.232.25.44:25384  CLOSED           2836     BitTorrent.exe
0x7e572cf0         TCPv4    192.168.202.131:50125          122.62.218.159:11627 CLOSED           2836     BitTorrent.exe
0x7e5d6cf0         TCPv4    192.168.202.131:50324          54.197.8.177:49420   CLOSED           2836     BitTorrent.exe
0x7e71b010         TCPv4    192.168.202.131:50344          70.27.98.75:6881     CLOSED           2836     BitTorrent.exe
0x7e71d010         TCPv4    192.168.202.131:50351          99.251.199.160:1045  CLOSED           2836     BitTorrent.exe
0x7e74b010         TCPv4    192.168.202.131:50385          209.236.6.89:56500   CLOSED           2836     BitTorrent.exe
0x7e78b7f0         TCPv4    192.168.202.131:50238          72.55.154.82:80      CLOSED           3880     WebCompanionIn
0x7e7ae380         TCPv4    192.168.202.131:50361          5.34.21.181:8999     CLOSED           2836     BitTorrent.exe
0x7e7b0380         TCPv6    -:0                            4847:d418:80fa:ffff:4847:d418:80fa:ffff:0 CLOSED           2836     BitTorrent.exe
0x7e7b9010         TCPv4    192.168.202.131:50334          188.129.94.129:25128 CLOSED           2836     BitTorrent.exe
0x7e94b010         TCPv4    192.168.202.131:50356          77.126.30.221:13905  CLOSED           2836     BitTorrent.exe
0x7e9ad840         TCPv4    192.168.202.131:50380          84.52.144.29:56299   CLOSED           2836     BitTorrent.exe
0x7e9bacf0         TCPv4    192.168.202.131:50350          77.253.242.0:5000    CLOSED           2836     BitTorrent.exe
0x7eaac5e0         TCPv4    192.168.202.131:50387          93.184.220.29:80     CLOSED           3856     WebCompanion.e
0x7eab4cf0         TCPv4    -:0                            56.219.196.26:0      CLOSED           2836     BitTorrent.exe
0x7fb9cec0         UDPv4    192.168.202.131:1900           *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+0000
0x7fb9d430         UDPv4    127.0.0.1:58341                *:*                                   164      svchost.exe    2018-08-04 19:28:42 UTC+000

The IP 192.168.202.131 is found. Of course this is an address on the local network; the external address cannot be pulled out of the dump, for that you need more than just the memory image. Now let's get the computer name. For this we simply read the SYSTEM hive, using the virtual offset that hivelist gave us:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000
Subkeys:
Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-LO6FAF3DTFE

Great, we got the computer name: WIN-LO6FAF3DTFE. It matches the Domain column of the mimikatz output above, which for a workgroup machine is simply the host name. One caveat: the hive on disk has no CurrentControlSet key, that is a runtime alias; to be sure ControlSet001 is the active one, check the Current value under the Select key of the same hive.


Play time



The user likes to play old video games. We need to find the name of his favourite game and the IP address of its server.

Just look at the netscan output from the previous step and notice the odd process LunarMS.exe; a quick search confirms it really is a video game client. The same listing gives the address it was talking to, 77.102.199.102 (port 7575; the socket is already in the CLOSED state, but the endpoint structure was still in memory).
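Added example (mine, not from the original post): the netscan listing is long, and for both tasks above (find the host's own address; find which process spoke to which remote server) it is more reliable to parse it than to eyeball it. The script below parses netscan rows, derives the host address as the most frequent local address that is not a wildcard, loopback or link-local, and groups remote TCP peers by owning process, separating public peers from private ones. The sample rows are a subset copied from the listing above; the parsing and the helper names are my own.

```python
# Added example (not from the original post): triage Volatility netscan output.
# Sample rows are a small subset copied verbatim from the netscan listing above.
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

NETSCAN_SAMPLE = """\
0x7d62b3f0         UDPv4    192.168.202.131:6771           *:*                                   2836     BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650         UDPv4    0.0.0.0:5355                   *:*                                   620      svchost.exe    2018-08-04 19:34:22 UTC+0000
0x7d8bb390         TCPv4    0.0.0.0:9008                   0.0.0.0:0            LISTENING        4        System
0x7d8bb390         TCPv6    :::9008                        :::0                 LISTENING        4        System
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
0x7d62d690         TCPv4    192.168.202.131:49229          169.1.143.215:8999   CLOSED           2836     BitTorrent.exe
0x7d72cbe0         TCPv4    192.168.202.131:50340          23.37.43.27:80       CLOSED           3496     Lavasoft.WCAss
0x7dc4bcf0         TCPv4    -:0                            104.240.179.26:0     CLOSED           3        ?4????
0x7e1cf010         UDPv4    192.168.202.131:137            *:*                                   4        System         2018-08-04 19:26:35 UTC+0000
0x7e5dc3b0         UDPv6    fe80::b06b:a531:ec88:457f:546  *:*                                   808      svchost.exe    2018-08-04 19:33:28 UTC+0000
"""

# Offset Proto Local Foreign [State] Pid [Owner] [Created]; State exists only for TCP,
# Created only for UDP, and Owner can be missing or garbage for freed structures.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)(?:\s+(?P<owner>\S+))?"
    r"(?:\s+(?P<created>\d{4}-\d{2}-\d{2} .*?))?\s*$"
)


def parse_netscan(text: str) -> List[Dict]:
    """Parse netscan rows; header/separator lines simply do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        # rpartition keeps IPv6 addresses intact: only the last ':' separates the port.
        row["local_ip"], _, row["local_port"] = row["local"].rpartition(":")
        row["foreign_ip"], _, row["foreign_port"] = row["foreign"].rpartition(":")
        rows.append(row)
    return rows


def _is_real_host_ip(ip: str) -> bool:
    """Reject wildcards ('*', '-', 0.0.0.0, ::), loopback and link-local."""
    if ip in ("", "-", "*"):
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_loopback or addr.is_link_local)


def host_ips(rows: List[Dict]) -> List[str]:
    """Addresses the host itself used, most frequent first."""
    counts = Counter(r["local_ip"] for r in rows if _is_real_host_ip(r["local_ip"]))
    return [ip for ip, _ in counts.most_common()]


def remote_peers(rows: List[Dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Owner process -> sorted (ip, port, state) of every remote TCP peer."""
    peers = defaultdict(set)
    for r in rows:
        if not r["proto"].startswith("TCP") or not _is_real_host_ip(r["foreign_ip"]):
            continue
        owner = r["owner"] or f"pid {r['pid']}"
        peers[owner].add((r["foreign_ip"], r["foreign_port"], r["state"] or ""))
    return {owner: sorted(v) for owner, v in peers.items()}


def public_peers(rows: List[Dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Same as remote_peers, restricted to globally routable peer addresses."""
    result = {}
    for owner, peers in remote_peers(rows).items():
        public = [p for p in peers if ipaddress.ip_address(p[0]).is_global]
        if public:
            result[owner] = public
    return result


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN_SAMPLE)
    print("host address(es):", host_ips(rows))
    for owner, peers in sorted(public_peers(rows).items()):
        print(f"{owner:<16}", ", ".join(f"{ip}:{port} ({state})" for ip, port, state in peers))
```

Run against the full listing, the process-to-peer map gives you the LunarMS.exe server in one line and, as a side effect, a list of every process that talked to the outside world, which is exactly the shortlist you want before the "Hide and seek" task.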


Name game


We know that the user is logged in to the channel Lunar-3. But what is the account name?

Since the user is logged in to this channel, the account name should be lying around in the dump as plain text, close to the channel name. Run strings and get the flag (note that strings defaults to ASCII; if the value were stored as UTF-16LE, as much of Windows does, you would need strings -el, and you could narrow the search by first dumping only the game process with memdump -p 708):


$ strings OtterCTF.vmem | grep Lunar-3 -A 2 -B 3
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
--
c+Yt
tb+Y4c+Y
b+YLc+Y
Lunar-3
Lunar-4
L(dNVxdNV

Of all these lines, the one that looks most like a flag is 0tt3r8r33z3. We try it, and indeed, that is it!


Silly Rick



Our user always forgets his password, so he uses a password manager and simply copies the right password whenever he needs to enter it. Maybe you can find something out?

Judging by the wording, we just need to get the contents of the clipboard. Volatility has an answer for this too, the clipboard plugin. We run it and see the password:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                         Handle Object             Data                                              
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT                0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs                                    
         1 WinSta0       CF_TEXT                          0x10 ------------------                                                   
         1 WinSta0       0x150133L              0x200000000000 ------------------                                                   
         1 WinSta0       CF_TEXT                           0x1 ------------------                                                   
         1 ------------- ------------------           0x150133 0xfffff900c1c1adc0                                                   

Hide and seek



The reason the computer has become sluggish is a virus that has been sitting in the system for a long time. Maybe you can find it? Be careful: you have only three attempts to submit this flag!

Well, if we have only three attempts, we will be careful, as advised =)


First, get a list of all processes using pslist:


Listing
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pslist
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8018d44740 System                    4      0     95      411 ------      0 2018-08-04 19:26:03 UTC+0000                                 
0xfffffa801947e4d0 smss.exe                260      4      2       30 ------      0 2018-08-04 19:26:03 UTC+0000                                 
0xfffffa801a0c8380 csrss.exe               348    336      9      563      0      0 2018-08-04 19:26:10 UTC+0000                                 
0xfffffa80198d3b30 csrss.exe               388    380     11      460      1      0 2018-08-04 19:26:11 UTC+0000                                 
0xfffffa801a2ed060 wininit.exe             396    336      3       78      0      0 2018-08-04 19:26:11 UTC+0000                                 
0xfffffa801aaf4060 winlogon.exe            432    380      3      113      1      0 2018-08-04 19:26:11 UTC+0000                                 
0xfffffa801ab377c0 services.exe            492    396     11      242      0      0 2018-08-04 19:26:12 UTC+0000                                 
0xfffffa801ab3f060 lsass.exe               500    396      7      610      0      0 2018-08-04 19:26:12 UTC+0000                                 
0xfffffa801ab461a0 lsm.exe                 508    396     10      148      0      0 2018-08-04 19:26:12 UTC+0000                                 
0xfffffa8018e3c890 svchost.exe             604    492     11      376      0      0 2018-08-04 19:26:16 UTC+0000                                 
0xfffffa801abbdb30 vmacthlp.exe            668    492      3       56      0      0 2018-08-04 19:26:16 UTC+0000                                 
0xfffffa801abebb30 svchost.exe             712    492      8      301      0      0 2018-08-04 19:26:17 UTC+0000                                 
0xfffffa801ac2e9e0 svchost.exe             808    492     22      508      0      0 2018-08-04 19:26:18 UTC+0000                                 
0xfffffa801ac31b30 svchost.exe             844    492     17      396      0      0 2018-08-04 19:26:18 UTC+0000                                 
0xfffffa801ac4db30 svchost.exe             868    492     45     1114      0      0 2018-08-04 19:26:18 UTC+0000                                 
0xfffffa801ac753a0 audiodg.exe             960    808      7      151      0      0 2018-08-04 19:26:19 UTC+0000                                 
0xfffffa801ac97060 svchost.exe            1012    492     12      554      0      0 2018-08-04 19:26:20 UTC+0000                                 
0xfffffa801acd37e0 svchost.exe             620    492     19      415      0      0 2018-08-04 19:26:21 UTC+0000                                 
0xfffffa801ad5ab30 spoolsv.exe            1120    492     14      346      0      0 2018-08-04 19:26:22 UTC+0000                                 
0xfffffa801ad718a0 svchost.exe            1164    492     18      312      0      0 2018-08-04 19:26:23 UTC+0000                                 
0xfffffa801ae0f630 VGAuthService.         1356    492      3       85      0      0 2018-08-04 19:26:25 UTC+0000                                 
0xfffffa801ae92920 vmtoolsd.exe           1428    492      9      313      0      0 2018-08-04 19:26:27 UTC+0000                                 
0xfffffa8019124b30 WmiPrvSE.exe           1800    604      9      222      0      0 2018-08-04 19:26:39 UTC+0000                                 
0xfffffa801afe7800 svchost.exe            1948    492      6       96      0      0 2018-08-04 19:26:42 UTC+0000                                 
0xfffffa801ae7f630 dllhost.exe            1324    492     15      207      0      0 2018-08-04 19:26:42 UTC+0000                                 
0xfffffa801aff3b30 msdtc.exe              1436    492     14      155      0      0 2018-08-04 19:26:43 UTC+0000                                 
0xfffffa801b112060 WmiPrvSE.exe           2136    604     12      324      0      0 2018-08-04 19:26:51 UTC+0000                                 
0xfffffa801b1e9b30 taskhost.exe           2344    492      8      193      1      0 2018-08-04 19:26:57 UTC+0000                                 
0xfffffa801b232060 sppsvc.exe             2500    492      4      149      0      0 2018-08-04 19:26:58 UTC+0000                                 
0xfffffa801b1fab30 dwm.exe                2704    844      4       97      1      0 2018-08-04 19:27:04 UTC+0000                                 
0xfffffa801b27e060 explorer.exe           2728   2696     33      854      1      0 2018-08-04 19:27:04 UTC+0000                                 
0xfffffa801b1cdb30 vmtoolsd.exe           2804   2728      6      190      1      0 2018-08-04 19:27:06 UTC+0000                                 
0xfffffa801b290b30 BitTorrent.exe         2836   2728     24      471      1      1 2018-08-04 19:27:07 UTC+0000                                 
0xfffffa801b2f02e0 WebCompanion.e         2844   2728      0 --------      1      0 2018-08-04 19:27:07 UTC+0000   2018-08-04 19:33:33 UTC+0000  
0xfffffa801b3aab30 SearchIndexer.         3064    492     11      610      0      0 2018-08-04 19:27:14 UTC+0000                                 
0xfffffa801b4a7b30 bittorrentie.e         2308   2836     15      337      1      1 2018-08-04 19:27:19 UTC+0000                                 
0xfffffa801b4c9b30 bittorrentie.e         2624   2836     13      316      1      1 2018-08-04 19:27:21 UTC+0000                                 
0xfffffa801b5cb740 LunarMS.exe             708   2728     18      346      1      1 2018-08-04 19:27:39 UTC+0000                                 
0xfffffa801988c2d0 PresentationFo          724    492      6      148      0      0 2018-08-04 19:27:52 UTC+0000                                 
0xfffffa801b603610 mscorsvw.exe            412    492      7       86      0      1 2018-08-04 19:28:42 UTC+0000                                 
0xfffffa801a6af9f0 svchost.exe             164    492     12      147      0      0 2018-08-04 19:28:42 UTC+0000                                 
0xfffffa801a6c2700 mscorsvw.exe           3124    492      7       77      0      0 2018-08-04 19:28:43 UTC+0000                                 
0xfffffa801a6e4b30 svchost.exe            3196    492     14      352      0      0 2018-08-04 19:28:44 UTC+0000                                 
0xfffffa801a4e3870 chrome.exe             4076   2728     44     1160      1      0 2018-08-04 19:29:30 UTC+0000                                 
0xfffffa801a4eab30 chrome.exe             4084   4076      8       86      1      0 2018-08-04 19:29:30 UTC+0000                                 
0xfffffa801a502b30 chrome.exe              576   4076      2       58      1      0 2018-08-04 19:29:31 UTC+0000                                 
0xfffffa801a4f7b30 chrome.exe             1808   4076     13      229      1      0 2018-08-04 19:29:32 UTC+0000                                 
0xfffffa801aa00a90 chrome.exe             3924   4076     16      228      1      0 2018-08-04 19:29:51 UTC+0000                                 
0xfffffa801a7f98f0 chrome.exe             2748   4076     15      181      1      0 2018-08-04 19:31:15 UTC+0000                                 
0xfffffa801b486b30 Rick And Morty         3820   2728      4      185      1      1 2018-08-04 19:32:55 UTC+0000                                 
0xfffffa801a4c5b30 vmware-tray.ex         3720   3820      8      147      1      1 2018-08-04 19:33:02 UTC+0000                                 
0xfffffa801b18f060 WebCompanionIn         3880   1484     15      522      0      1 2018-08-04 19:33:07 UTC+0000                                 
0xfffffa801a635240 chrome.exe             3648   4076     16      207      1      0 2018-08-04 19:33:38 UTC+0000                                 
0xfffffa801a5ef1f0 chrome.exe             1796   4076     15      170      1      0 2018-08-04 19:33:41 UTC+0000                                 
0xfffffa801b08f060 sc.exe                 3208   3880      0 --------      0      0 2018-08-04 19:33:47 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0xfffffa801aeb6890 sc.exe                  452   3880      0 --------      0      0 2018-08-04 19:33:48 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0xfffffa801aa72b30 sc.exe                 3504   3880      0 --------      0      0 2018-08-04 19:33:48 UTC+0000   2018-08-04 19:33:48 UTC+0000  
0xfffffa801ac01060 sc.exe                 2028   3880      0 --------      0      0 2018-08-04 19:33:49 UTC+0000   2018-08-04 19:34:03 UTC+0000  
0xfffffa801aad1060 Lavasoft.WCAss         3496    492     14      473      0      0 2018-08-04 19:33:49 UTC+0000                                 
0xfffffa801a6268b0 WebCompanion.e         3856   3880     15      386      0      1 2018-08-04 19:34:05 UTC+0000                                 
0xfffffa801b1fd960 notepad.exe            3304   3132      2       79      1      0 2018-08-04 19:34:10 UTC+0000                                 
0xfffffa801a572b30 cmd.exe                3916   1428      0 --------      0      0 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  
0xfffffa801a6643d0 conhost.exe            2420    348      0       30      0      0 2018-08-04 19:34:22 UTC+0000   2018-08-04 19:34:22 UTC+0000  

Hmm. That is not very convenient to analyze. We have another plugin, pstree, which displays the processes as a tree (which is, in general, logical):


Listing
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa801b27e060:explorer.exe                     2728   2696     33    854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty                  3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                 3720   3820      8    147 2018-08-04 19:33:02 UTC+0000
. 0xfffffa801b2f02e0:WebCompanion.e                  2844   2728      0 ------ 2018-08-04 19:27:07 UTC+0000
. 0xfffffa801a4e3870:chrome.exe                      4076   2728     44   1160 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a4eab30:chrome.exe                     4084   4076      8     86 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a5ef1f0:chrome.exe                     1796   4076     15    170 2018-08-04 19:33:41 UTC+0000
.. 0xfffffa801aa00a90:chrome.exe                     3924   4076     16    228 2018-08-04 19:29:51 UTC+0000
.. 0xfffffa801a635240:chrome.exe                     3648   4076     16    207 2018-08-04 19:33:38 UTC+0000
.. 0xfffffa801a502b30:chrome.exe                      576   4076      2     58 2018-08-04 19:29:31 UTC+0000
.. 0xfffffa801a4f7b30:chrome.exe                     1808   4076     13    229 2018-08-04 19:29:32 UTC+0000
.. 0xfffffa801a7f98f0:chrome.exe                     2748   4076     15    181 2018-08-04 19:31:15 UTC+0000
. 0xfffffa801b5cb740:LunarMS.exe                      708   2728     18    346 2018-08-04 19:27:39 UTC+0000
. 0xfffffa801b1cdb30:vmtoolsd.exe                    2804   2728      6    190 2018-08-04 19:27:06 UTC+0000
. 0xfffffa801b290b30:BitTorrent.exe                  2836   2728     24    471 2018-08-04 19:27:07 UTC+0000
.. 0xfffffa801b4c9b30:bittorrentie.e                 2624   2836     13    316 2018-08-04 19:27:21 UTC+0000
.. 0xfffffa801b4a7b30:bittorrentie.e                 2308   2836     15    337 2018-08-04 19:27:19 UTC+0000
 0xfffffa8018d44740:System                              4      0     95    411 2018-08-04 19:26:03 UTC+0000
. 0xfffffa801947e4d0:smss.exe                         260      4      2     30 2018-08-04 19:26:03 UTC+0000
 0xfffffa801a2ed060:wininit.exe                       396    336      3     78 2018-08-04 19:26:11 UTC+0000
. 0xfffffa801ab377c0:services.exe                     492    396     11    242 2018-08-04 19:26:12 UTC+0000
.. 0xfffffa801afe7800:svchost.exe                    1948    492      6     96 2018-08-04 19:26:42 UTC+0000
.. 0xfffffa801ae92920:vmtoolsd.exe                   1428    492      9    313 2018-08-04 19:26:27 UTC+0000
... 0xfffffa801a572b30:cmd.exe                       3916   1428      0 ------ 2018-08-04 19:34:22 UTC+0000
.. 0xfffffa801ae0f630:VGAuthService.                 1356    492      3     85 2018-08-04 19:26:25 UTC+0000
.. 0xfffffa801abbdb30:vmacthlp.exe                    668    492      3     56 2018-08-04 19:26:16 UTC+0000
.. 0xfffffa801aad1060:Lavasoft.WCAss                 3496    492     14    473 2018-08-04 19:33:49 UTC+0000
.. 0xfffffa801a6af9f0:svchost.exe                     164    492     12    147 2018-08-04 19:28:42 UTC+0000
.. 0xfffffa801ac2e9e0:svchost.exe                     808    492     22    508 2018-08-04 19:26:18 UTC+0000
... 0xfffffa801ac753a0:audiodg.exe                    960    808      7    151 2018-08-04 19:26:19 UTC+0000
.. 0xfffffa801ae7f630:dllhost.exe                    1324    492     15    207 2018-08-04 19:26:42 UTC+0000
.. 0xfffffa801a6c2700:mscorsvw.exe                   3124    492      7     77 2018-08-04 19:28:43 UTC+0000
.. 0xfffffa801b232060:sppsvc.exe                     2500    492      4    149 2018-08-04 19:26:58 UTC+0000
.. 0xfffffa801abebb30:svchost.exe                     712    492      8    301 2018-08-04 19:26:17 UTC+0000
.. 0xfffffa801ad718a0:svchost.exe                    1164    492     18    312 2018-08-04 19:26:23 UTC+0000
.. 0xfffffa801ac31b30:svchost.exe                     844    492     17    396 2018-08-04 19:26:18 UTC+0000
... 0xfffffa801b1fab30:dwm.exe                       2704    844      4     97 2018-08-04 19:27:04 UTC+0000
.. 0xfffffa801988c2d0:PresentationFo                  724    492      6    148 2018-08-04 19:27:52 UTC+0000
.. 0xfffffa801b603610:mscorsvw.exe                    412    492      7     86 2018-08-04 19:28:42 UTC+0000
.. 0xfffffa8018e3c890:svchost.exe                     604    492     11    376 2018-08-04 19:26:16 UTC+0000
... 0xfffffa8019124b30:WmiPrvSE.exe                  1800    604      9    222 2018-08-04 19:26:39 UTC+0000
... 0xfffffa801b112060:WmiPrvSE.exe                  2136    604     12    324 2018-08-04 19:26:51 UTC+0000
.. 0xfffffa801ad5ab30:spoolsv.exe                    1120    492     14    346 2018-08-04 19:26:22 UTC+0000
.. 0xfffffa801ac4db30:svchost.exe                     868    492     45   1114 2018-08-04 19:26:18 UTC+0000
.. 0xfffffa801a6e4b30:svchost.exe                    3196    492     14    352 2018-08-04 19:28:44 UTC+0000
.. 0xfffffa801acd37e0:svchost.exe                     620    492     19    415 2018-08-04 19:26:21 UTC+0000
.. 0xfffffa801b1e9b30:taskhost.exe                   2344    492      8    193 2018-08-04 19:26:57 UTC+0000
.. 0xfffffa801ac97060:svchost.exe                    1012    492     12    554 2018-08-04 19:26:20 UTC+0000
.. 0xfffffa801b3aab30:SearchIndexer.                 3064    492     11    610 2018-08-04 19:27:14 UTC+0000
.. 0xfffffa801aff3b30:msdtc.exe                      1436    492     14    155 2018-08-04 19:26:43 UTC+0000
. 0xfffffa801ab3f060:lsass.exe                        500    396      7    610 2018-08-04 19:26:12 UTC+0000
. 0xfffffa801ab461a0:lsm.exe                          508    396     10    148 2018-08-04 19:26:12 UTC+0000
 0xfffffa801a0c8380:csrss.exe                         348    336      9    563 2018-08-04 19:26:10 UTC+0000
. 0xfffffa801a6643d0:conhost.exe                     2420    348      0     30 2018-08-04 19:34:22 UTC+0000
 0xfffffa80198d3b30:csrss.exe                         388    380     11    460 2018-08-04 19:26:11 UTC+0000
 0xfffffa801aaf4060:winlogon.exe                      432    380      3    113 2018-08-04 19:26:11 UTC+0000
 0xfffffa801b18f060:WebCompanionIn                   3880   1484     15    522 2018-08-04 19:33:07 UTC+0000
. 0xfffffa801aa72b30:sc.exe                          3504   3880      0 ------ 2018-08-04 19:33:48 UTC+0000
. 0xfffffa801aeb6890:sc.exe                           452   3880      0 ------ 2018-08-04 19:33:48 UTC+0000
. 0xfffffa801a6268b0:WebCompanion.e                  3856   3880     15    386 2018-08-04 19:34:05 UTC+0000
. 0xfffffa801b08f060:sc.exe                          3208   3880      0 ------ 2018-08-04 19:33:47 UTC+0000
. 0xfffffa801ac01060:sc.exe                          2028   3880      0 ------ 2018-08-04 19:33:49 UTC+0000
 0xfffffa801b1fd960:notepad.exe                      3304   3132      2     79 2018-08-04 19:34:10 UTC+0000

Yeah! There are suspicious lines:


. 0xfffffa801b486b30:Rick And Morty                  3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                 3720   3820      8    147 2018-08-04 19:33:02 UTC+0000

As we can see, the process with PID 3820 spawns a process with PID 3720. Reason enough to analyze both. First, let's get a list of the DLLs these processes use:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3820
Volatility Foundation Volatility Framework 2.6
************************************************************************
Rick And Morty pid:   3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe" 
Note: use ldrmodules for listing DLLs in Wow64 processes
Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000            0x56000             0xffff C:\Torrents\Rick And Morty season 1 download.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000            0x3f000                0x3 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000            0x5c000                0x1 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000             0x8000                0x1 C:\Windows\SYSTEM32\wow64cpu.dll

So. An exe in a folder with torrents? Kind of weird. And ntdll.dll does not inspire confidence either. Let's try to get the list of DLLs that process 3720 uses:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720
Volatility Foundation Volatility Framework 2.6
************************************************************************
vmware-tray.ex pid:   3720
Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe" 
Note: use ldrmodules for listing DLLs in Wow64 processes
Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000ec0000            0x6e000             0xffff C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000            0x3f000                0x3 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000            0x5c000                0x1 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000             0x8000                0x1 C:\Windows\SYSTEM32\wow64cpu.dll

Wow. This is not normal at all. So the first assumption is that this is exactly the trojan we are looking for. Let's dump the process with memdump and analyze it with any decompiler:


$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 3720 --dump-dir=%папка_куда_сохранить_дамп%
Volatility Foundation Volatility Framework 2.6
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex       OK: executable.3720.exe

The process of analyzing such dumps has been described more than once on Habr and in other sources, so I will not repeat it, especially since this ransomware is written in .NET and is not difficult to analyze. If you still need it, write in the comments and I will add this part. For now I will just say that it really was the trojan we were looking for.
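The pslist/pstree triage above can be scripted. The following is an added example (not from the original post and not part of Volatility) that parses Volatility 2 pslist output by its column ruler, rebuilds the parent chain for a PID, lists orphaned processes, and picks out 32-bit (Wow64) processes launched under explorer.exe, which is where the dropper and its child sit in this dump. The sample rows are constructed from the listing above; the heuristics are my own, not the challenge's.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the pslist rows shown above (same column layout).
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8018d44740 System                    4      0     95      411 ------      0 2018-08-04 19:26:03 UTC+0000
0xfffffa801947e4d0 smss.exe                260      4      2       30 ------      0 2018-08-04 19:26:03 UTC+0000
0xfffffa801a2ed060 wininit.exe             396    336      3       78      0      0 2018-08-04 19:26:11 UTC+0000
0xfffffa801ab377c0 services.exe            492    396     11      242      0      0 2018-08-04 19:26:12 UTC+0000
0xfffffa801b27e060 explorer.exe           2728   2696     33      854      1      0 2018-08-04 19:27:04 UTC+0000
0xfffffa801b486b30 Rick And Morty         3820   2728      4      185      1      1 2018-08-04 19:32:55 UTC+0000
0xfffffa801a4c5b30 vmware-tray.ex         3720   3820      8      147      1      1 2018-08-04 19:33:02 UTC+0000
0xfffffa801b18f060 WebCompanionIn         3880   1484     15      522      0      1 2018-08-04 19:33:07 UTC+0000
0xfffffa801b08f060 sc.exe                 3208   3880      0 --------      0      0 2018-08-04 19:33:47 UTC+0000   2018-08-04 19:33:48 UTC+0000
"""

FIELDS = ("offset", "name", "pid", "ppid", "thds", "hnds", "sess", "wow64", "start", "exit")


def parse_pslist(text):
    """Parse Volatility 2 pslist output into dicts. Rows are sliced by the dash
    ruler, so names that contain spaces ("Rick And Morty") survive intact."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(l for l in lines if l.startswith("---"))
    cols = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    procs = []
    for line in lines[lines.index(ruler) + 1:]:
        rec = dict(zip(FIELDS, (line[s:e].strip() for s, e in cols)))
        rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
        rec["wow64"] = rec["wow64"] == "1"
        procs.append(rec)
    return procs


def build_tree(procs):
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """PIDs from `pid` upward, stopping at the last ancestor still in the listing."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def orphans(by_pid):
    """Processes whose parent is gone (PPID absent from the listing, PID 0 excluded).
    Expected for wininit/csrss/explorer, whose launchers exit; worth a look otherwise."""
    return sorted(pid for pid, p in by_pid.items()
                  if p["ppid"] != 0 and p["ppid"] not in by_pid)


def wow64_user_chains(by_pid):
    """Parent chains of 32-bit processes that descend from explorer.exe, i.e.
    things the logged-in user started (heuristic, my assumption for triage)."""
    out = []
    for pid, p in by_pid.items():
        chain = ancestry(by_pid, pid)
        if p["wow64"] and any(by_pid[a]["name"] == "explorer.exe" for a in chain):
            out.append(" <- ".join(f'{by_pid[a]["name"]}({a})' for a in chain))
    return sorted(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PSLIST
    by_pid, _ = build_tree(parse_pslist(text))
    for line in wow64_user_chains(by_pid):
        print(line)
    print("orphans:", orphans(by_pid))
```

Run it as `python3 pstriage.py pslist.txt` on the saved pslist output to get the same chains for the whole dump.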


Bit by Bit and Graphics is for the weak


Find the address of the bitcoin wallet of the attacker who infected the computer with a virus!

During the analysis from the previous section, one can easily spot the address 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M, which is the flag. Similarly, the picture with the flag for another task can be pulled from the same binary, so I am merging them into one item.


Recovery



The ransomware has encrypted the files. Help the user restore access to them!

In fact, this task also concerns the binary, but I put it in a separate section because it closely resembles the everyday work of a malware analyst, and it will be useful to show the whole process. Open the binary and find the function CreatePassword. In my opinion, this is no accident:


public string CreatePassword(int length)
{
    StringBuilder stringBuilder = new StringBuilder();
    Random random = new Random();
    while (0 < length--)
    {
        stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/".Length)]);
    }
    return stringBuilder.ToString();
}

As we see, the password is really random. But we know the character class abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/ that every character of our password is drawn from. Now, if there is a function that creates the password, somewhere there must be a function that uses it :D


After a little leafing through, we find it:


public void startAction()
{
    string password = this.CreatePassword(15);
    string str = "\\Desktop\\";
    string location = this.userDir + this.userName + str;
    this.SendPassword(password);
    this.encryptDirectory(location, password);
    this.messageCreator();
}

Well, that is already something new: now we know the password length is 15 characters. Let's try to pull it out of the process dump and immediately assess how bad things are:


$ strings 3720.dmp > analyze.txt && wc -l analyze.txt
1589147 analyze.txt

Not bad. You could, of course, go through it by hand, but that is somehow too much. Let's apply some black magic!


$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | wc -l
2915

The command looks scary, but stare at it for a bit and it becomes crystal clear. If not, again, kick me in the comments and I will break it down brick by brick. In the meantime, we have reduced the count from a million to a measly three thousand. Let's see what these lines are:


$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | less
444444440444444
66666FFFFFFFFFF
444444444444433
CLIPBRDWNDCLASS
utav4823DF041B0
aDOBofVYUNVnmp7
444444440444444
66666FFFFFFFFFF
444444444444433
ffnLffnLffnpffm
lemeneoepeqerep
.........

Unfortunately, I did not come up with an elegant solution here, so what follows is plain logical reasoning. As we remember from the reversing, our binary contains the public key b03f5f7f11d50a3a. Well, let's try to find it in our almost 3K lines by hand. Or rather, not by hand :) For this, let's change our command a bit:


$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{15}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|ID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory' | uniq | less
ssssssssssssssss
b03f5f7f11d50a3a
CryptoStreamMode
ContainerControl
ICryptoTransform
encryptDirectory
MSTaskListWClass
ssssssssssssssss
`ubugukupuvuxuzu
PAQARASATAUAVAWA
MRNRORPRQRRRSRTR
D!E!F!G!H!I!J!K!
......

So, judging by this output, the key is somewhere near the top of the previous output. There are not that many lines at the top that look like a key, and here you really have to resort to the ancient spell of brute force.



Clearly, not all the lines in our sample are keys; moreover, not all of them even look like one. So the number of options shrinks even further. We try them in order, and on the second try we find the key aDOBofVYUNVnmp7, which is the flag.
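The strings filtering above can be done without the hand-written grep blacklist. As an added example (not from the original post), the following script keeps only strings that CreatePassword(15) could actually have produced and ranks them by how many character classes they mix and how few characters they repeat, so padding runs and class names drop to the bottom. The sample input is constructed from the output shown above; the scoring heuristic is my assumption, not something found in the binary.

```python
import sys

# Character set and length recovered from the decompiled CreatePassword/startAction above.
ALPHABET = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/")
PASSWORD_LEN = 15
SYMBOLS = set("*!=&?/")

# Constructed sample resembling the filtered `strings` output shown above,
# plus a few strings that must be rejected (wrong length or characters).
SAMPLE_STRINGS = """\
444444440444444
66666FFFFFFFFFF
444444444444433
CLIPBRDWNDCLASS
utav4823DF041B0
aDOBofVYUNVnmp7
444444440444444
ffnLffnLffnpffm
lemeneoepeqerep
b03f5f7f11d50a3a
CryptoStreamMode
Rick And Morty
C:\\Windows\\SYSTEM32\\ntdll.dll
"""


def is_candidate(s):
    """Exactly what CreatePassword(15) can emit: 15 chars, all from ALPHABET."""
    return len(s) == PASSWORD_LEN and all(c in ALPHABET for c in s)


def char_classes(s):
    """Number of classes (lower, upper, digit, symbol) the string uses."""
    return sum((any(c.islower() for c in s),
                any(c.isupper() for c in s),
                any(c.isdigit() for c in s),
                any(c in SYMBOLS for c in s)))


def score(s):
    """Sort key (heuristic): a random draw from the full alphabet almost always
    mixes several classes and repeats few characters; padding strings, class
    names and table fragments do not. Higher means more password-like."""
    return (char_classes(s), len(set(s)))


def rank_candidates(text):
    """Deduplicate the strings output, keep only possible CreatePassword outputs,
    and order them so the most random-looking ones are tried first."""
    seen, cands = set(), []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if line in seen or not is_candidate(line):
            continue
        seen.add(line)
        cands.append(line)
    return sorted(cands, key=score, reverse=True)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_STRINGS
    for s in rank_candidates(text)[:20]:
        print(score(s), s)
```

Point it at analyze.txt and the list to brute-force shrinks to the few mixed-class strings at the top instead of three thousand lines.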


In lieu of a conclusion


Thank you for reading my article to the end. If there are any mistakes or shortcomings, please write in the comments and I will try to fix everything. These are not all the tasks associated with this image; I am continuing to solve this series and will add new solutions as I progress. I hope everyone took something new away for themselves. Also, if all goes well, after a while I will be able to run a flag checker for these tasks, so the curious can try to solve them on their own and then, if something does not work out, look at my solutions. All the best :3

