Who would have thought: a washed-up veteran, three years retired, would sit bolt upright on the sickbed again (
During the competition the standalone mimikatz kept throwing errors; I was numb. Win10, my garbage box.
I read the masters' writeups, reproduced them, and am leaving a record here...
Volatility download:
https://github.com/volatilityfoundation/volatility
6.1
Problem description
The virtual machine's password is _____________. (The password is in the form flag{xxxx} and contains spaces; do not strip them when submitting.)
Reproduction
py -2 vol.py -f Target.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (D:\CTF\tools\volatility-2.6.1\Target.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000403c0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff8000403dd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-08-29 09:08:07 UTC+0000
Image local date and time : 2021-08-29 17:08:07 +0800
Method A
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 lsadump
Volatility Foundation Volatility Framework 2.6.1
DefaultPassword
0x00000000 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H...............
0x00000010 66 00 6c 00 61 00 67 00 7b 00 57 00 33 00 31 00 f.l.a.g.{.W.3.1.
0x00000020 43 00 30 00 4d 00 33 00 20 00 54 00 30 00 20 00 C.0.M.3...T.0...
0x00000030 54 00 48 00 69 00 53 00 20 00 33 00 34 00 53 00 T.H.i.S...3.4.S.
0x00000040 59 00 20 00 46 00 30 00 52 00 33 00 4e 00 53 00 Y...F.0.R.3.N.S.
0x00000050 69 00 43 00 58 00 7d 00 00 00 00 00 00 00 00 00 i.C.X.}.........
DPAPI_SYSTEM
0x00000000 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0x00000010 01 00 00 00 49 06 16 35 a7 90 b6 2a 53 69 03 27 ....I..5...*Si.'
0x00000020 b9 9a 60 9e 9a 15 90 37 7c cf 1d 3c f1 3f 60 05 ..`....7|..<.?`.
0x00000030 56 c1 59 68 53 9a dc e0 18 b3 55 ef 00 00 00 00 V.YhS.....U.....
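The lsadump output above is a raw hexdump of each decrypted LSA secret; DefaultPassword is the clear-text autologon password that Winlogon stores in LSA, which is why this method works at all. The following is an added example (not from the writeup or from Volatility) that parses that hexdump format: for each secret it reads the 4-byte little-endian length that leads the blob (the `48 00 00 00` and `2c 00 00 00` words above), skips the 16-byte header, and decodes DefaultPassword as UTF-16LE. DPAPI_SYSTEM is split into its version word and the two 20-byte keys; that layout is the standard Windows structure, not something the writeup states. The sample input is the writeup's own lsadump output embedded inline. The last helper produces the underscore form of the flag body that problem 6.2 below passes to kobackupdec.

```python
import re
from typing import Dict

# Sample input: the lsadump output from the writeup above, embedded so the parser runs offline.
LSADUMP_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
DefaultPassword
0x00000000 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H...............
0x00000010 66 00 6c 00 61 00 67 00 7b 00 57 00 33 00 31 00 f.l.a.g.{.W.3.1.
0x00000020 43 00 30 00 4d 00 33 00 20 00 54 00 30 00 20 00 C.0.M.3...T.0...
0x00000030 54 00 48 00 69 00 53 00 20 00 33 00 34 00 53 00 T.H.i.S...3.4.S.
0x00000040 59 00 20 00 46 00 30 00 52 00 33 00 4e 00 53 00 Y...F.0.R.3.N.S.
0x00000050 69 00 43 00 58 00 7d 00 00 00 00 00 00 00 00 00 i.C.X.}.........
DPAPI_SYSTEM
0x00000000 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0x00000010 01 00 00 00 49 06 16 35 a7 90 b6 2a 53 69 03 27 ....I..5...*Si.'
0x00000020 b9 9a 60 9e 9a 15 90 37 7c cf 1d 3c f1 3f 60 05 ..`....7|..<.?`.
0x00000030 56 c1 59 68 53 9a dc e0 18 b3 55 ef 00 00 00 00 V.YhS.....U.....
"""

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_lsadump(text: str) -> Dict[str, bytes]:
    """Return {secret name: raw decrypted blob} from Volatility 2 lsadump output."""
    secrets: Dict[str, bytes] = {}
    name = None
    buf = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Volatility Foundation"):
            continue
        if line.startswith("0x"):
            if name is None:
                continue  # hex line before any secret name: nothing to attach it to
            # columns: offset, up to 16 hex bytes, then an ASCII rendering we do not need
            for tok in line.split()[1:17]:
                if not HEX_BYTE.fullmatch(tok):
                    break  # reached the ASCII column on a short last line
                buf.append(int(tok, 16))
        else:
            if name is not None:
                secrets[name] = bytes(buf)
            name, buf = line, bytearray()
    if name is not None:
        secrets[name] = bytes(buf)
    return secrets


def secret_payload(blob: bytes) -> bytes:
    """Strip the 16-byte header: a little-endian length DWORD followed by 12 bytes of padding."""
    length = int.from_bytes(blob[:4], "little")
    payload = blob[16:16 + length]
    if len(payload) != length:
        raise ValueError(f"blob declares {length} bytes but only {len(payload)} follow the header")
    return payload


def decode_default_password(blob: bytes) -> str:
    # DefaultPassword is a UTF-16LE string with no terminator inside the declared length
    return secret_payload(blob).decode("utf-16-le")


def decode_dpapi_system(blob: bytes) -> Dict[str, object]:
    # DPAPI_SYSTEM = DWORD version + 20-byte machine key + 20-byte user key (44 bytes)
    payload = secret_payload(blob)
    if len(payload) != 44:
        raise ValueError(f"unexpected DPAPI_SYSTEM length {len(payload)}")
    return {
        "version": int.from_bytes(payload[:4], "little"),
        "machine_key": payload[4:24].hex(),
        "user_key": payload[24:44].hex(),
    }


def flag_body_as_backup_password(flag: str) -> str:
    """The kobackupdec password used in 6.2 is the flag{} body with spaces replaced by underscores."""
    m = re.fullmatch(r"flag\{(.*)\}", flag)
    if not m:
        raise ValueError("not a flag{...} string")
    return m.group(1).replace(" ", "_")


if __name__ == "__main__":
    secrets = parse_lsadump(LSADUMP_OUTPUT)
    pw = decode_default_password(secrets["DefaultPassword"])
    print("DefaultPassword:", pw)
    print("DPAPI_SYSTEM:", decode_dpapi_system(secrets["DPAPI_SYSTEM"]))
    print("kobackupdec password:", flag_body_as_backup_password(pw))
```

The declared length, not the hexdump width, decides where a secret ends; that is what keeps the trailing zero padding out of the decoded string.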
Method B
Download the mimikatz plugin for Volatility and put it in the ./volatility/plugins folder:
https://github.com/ruokeqx/tool-for-CTF
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6.1
Module User Domain Password
-------- ---------------- ---------------- ----------------------------------------
wdigest CTF WIN-QUN5RVOOF27 flag{W31C0M3 T0 THiS 34SY F0R3NSiCX}
wdigest WIN-QUN5RVOOF27$ WORKGROUP
Method C (failed)
Obtaining the password hash, part A
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80018bc9e0 System 4 0 88 488 ------ 0 2021-08-29 08:56:56 UTC+0000
0xfffffa800dbb49f0 smss.exe 268 4 2 29 ------ 0 2021-08-29 08:56:56 UTC+0000
0xfffffa80034a12c0 csrss.exe 352 344 8 402 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80034b12c0 wininit.exe 404 344 3 76 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80034ae060 csrss.exe 416 396 9 186 1 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e2920 winlogon.exe 464 396 3 113 1 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e5b30 services.exe 508 404 6 193 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003720b30 lsass.exe 516 404 6 546 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003725b30 lsm.exe 524 404 9 141 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80037ac7d0 svchost.exe 628 508 10 351 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80037e66c0 svchost.exe 696 508 8 262 0 0 2021-08-29 08:56:58 UTC+0000
0xfffffa8002d18060 svchost.exe 748 508 18 442 0 0 2021-08-29 08:56:58 UTC+0000
0xfffffa800380eb30 svchost.exe 852 508 18 427 0 0 2021-08-29 08:56:58 UTC+0000
0xfffffa8003893060 svchost.exe 912 508 35 938 0 0 2021-08-29 08:56:58 UTC+0000
0xfffffa80038c9b30 svchost.exe 360 508 10 521 0 0 2021-08-29 08:56:58 UTC+0000
0xfffffa80038fd250 svchost.exe 724 508 15 359 0 0 2021-08-29 08:56:58 UTC+0000
0xfffffa800394db30 spoolsv.exe 1088 508 12 263 0 0 2021-08-29 08:56:59 UTC+0000
0xfffffa80039b4390 svchost.exe 1148 508 17 313 0 0 2021-08-29 08:56:59 UTC+0000
0xfffffa80039e8b30 taskhost.exe 1256 508 9 165 1 0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003a752c0 dwm.exe 1352 852 3 70 1 0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003a79890 explorer.exe 1372 1324 32 769 1 0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003adf2f0 vm3dservice.ex 1500 1372 2 39 1 0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003a88790 vmtoolsd.exe 1508 1372 9 179 1 0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003b235d0 VGAuthService. 1600 508 3 86 0 0 2021-08-29 08:57:00 UTC+0000
0xfffffa8003b31b30 vmtoolsd.exe 1636 508 11 274 0 0 2021-08-29 08:57:00 UTC+0000
0xfffffa8003c3fb30 WmiPrvSE.exe 1984 628 10 201 0 0 2021-08-29 08:57:01 UTC+0000
0xfffffa8003ddc740 dllhost.exe 1044 508 14 191 0 0 2021-08-29 08:57:01 UTC+0000
0xfffffa8003a66060 msdtc.exe 848 508 13 150 0 0 2021-08-29 08:57:02 UTC+0000
0xfffffa8003ddfb30 SearchIndexer. 2212 508 11 612 0 0 2021-08-29 08:57:05 UTC+0000
0xfffffa8003eda630 WmiPrvSE.exe 2440 628 9 218 0 0 2021-08-29 08:57:21 UTC+0000
0xfffffa80028c11b0 svchost.exe 2416 508 10 137 0 0 2021-08-29 08:59:00 UTC+0000
0xfffffa8001a53970 sppsvc.exe 1620 508 4 146 0 0 2021-08-29 08:59:01 UTC+0000
0xfffffa80019e6b30 svchost.exe 2640 508 13 320 0 0 2021-08-29 08:59:01 UTC+0000
0xfffffa8001a20060 SearchProtocol 1048 2212 8 321 0 0 2021-08-29 09:07:20 UTC+0000
0xfffffa800f1e6060 SearchFilterHo 1528 2212 5 97 0 0 2021-08-29 09:07:20 UTC+0000
Find lsass.exe, whose PID is 516, and dump its memory:
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 memdump -p 516 -D ./
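Picking the PID out of the pslist table by eye works for one image, but the same parse is also where an analyst checks that the lsass.exe being dumped is the legitimate one: there should be exactly one, and its parent should be wininit.exe (PID 404 in the listing above). The following is an added example, not from the writeup, that parses Volatility 2 pslist rows, runs that check, and builds the memdump command line used above. The sample input is an excerpt of the pslist output above; note that pslist shows the kernel's ImageFileName, which is truncated to 14 characters (vm3dservice.ex in the listing), so name matches must use the truncated form.

```python
from typing import Dict, List

# Sample input: an excerpt of the pslist output above (banner, header and a few rows),
# embedded so the parser runs offline.
PSLIST_EXCERPT = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80018bc9e0 System 4 0 88 488 ------ 0 2021-08-29 08:56:56 UTC+0000
0xfffffa800dbb49f0 smss.exe 268 4 2 29 ------ 0 2021-08-29 08:56:56 UTC+0000
0xfffffa80034b12c0 wininit.exe 404 344 3 76 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e5b30 services.exe 508 404 6 193 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003720b30 lsass.exe 516 404 6 546 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003725b30 lsm.exe 524 404 9 141 0 0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003a79890 explorer.exe 1372 1324 32 769 1 0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003adf2f0 vm3dservice.ex 1500 1372 2 39 1 0 2021-08-29 08:56:59 UTC+0000
"""


def parse_pslist(text: str) -> List[Dict[str, object]]:
    """Parse pslist rows into dicts; banner, header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 11 or not t[0].startswith("0x"):
            continue
        procs.append({
            "offset": t[0],
            "name": t[1],                      # ImageFileName, truncated to 14 characters
            "pid": int(t[2]),
            "ppid": int(t[3]),
            "threads": int(t[4]),
            "handles": int(t[5]),
            "session": None if t[6].startswith("-") else int(t[6]),
            "wow64": t[7] == "1",
            "start": " ".join(t[8:11]),        # date, time and timezone columns
            "exit": " ".join(t[11:]) or None,  # present only for exited processes
        })
    return procs


def find_by_name(procs: List[Dict[str, object]], name: str) -> List[Dict[str, object]]:
    return [p for p in procs if p["name"] == name]


def audit_lsass(procs: List[Dict[str, object]]) -> Dict[str, object]:
    """lsass.exe should appear exactly once and be a child of wininit.exe."""
    lsass = find_by_name(procs, "lsass.exe")
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    if len(lsass) != 1:
        findings.append(f"expected one lsass.exe, found {len(lsass)}")
    for p in lsass:
        parent = by_pid.get(p["ppid"])
        pname = parent["name"] if parent else None
        if pname != "wininit.exe":
            findings.append(
                f"lsass.exe PID {p['pid']} has parent {pname!r} (PID {p['ppid']}), not wininit.exe")
    return {"pids": [p["pid"] for p in lsass], "findings": findings}


def memdump_command(vmem: str, profile: str, pid: int, outdir: str = "./") -> str:
    # the same memdump invocation the writeup uses, with the PID filled in from the parse
    return f"py -2 vol.py -f {vmem} --profile={profile} memdump -p {pid} -D {outdir}"


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_EXCERPT)
    result = audit_lsass(procs)
    print(result)
    for pid in result["pids"]:
        print(memdump_command("Target.vmem", "Win7SP1x64", pid))
```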
Obtaining the password hash, part B
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:be5593366cb1019400210101581e5d0d:::
Attempting to recover the password
Switching to mimikatz, it kept throwing "memory opening" errors; speechless...
https://github.com/gentilkiwi/mimikatz
mimikatz# privilege::debug
mimikatz# sekurlsa::minidump lsass.dmp
mimikatz# sekurlsa::logonPasswords full
6.2
Problem description
The virtual machine contains a backup file from a certain phone brand; the string in the image inside that file is _____________. (Solving this requires processing with the content inside flag{} from the previous answer. This answer is also in the form flag{xxx} and contains spaces; do not strip them when submitting.)
Reproduction
List the files
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 filescan|findstr CTF >./111.txt
# 111.txt
0x000000007d8c7d10 4 0 R--r-d \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe
Extract
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d8c7d10 -D ./1111/
Volatility Foundation Volatility Framework 2.6.1
ImageSectionObject 0x7d8c7d10 None \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe
DataSectionObject 0x7d8c7d10 None \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe
This yields an img and a dat file. Since what was extracted is HUAWEI P40_2021-aa-bb xx.yy.zz.exe, change the extracted dat file's extension to exe and run it; it is a self-extracting archive. Unpacking it yields a folder and images0.tar.enc.
# 111.txt
0x000000007fe72430 2 0 -W-r-- \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz\picture\storage\MediaTar\images\images0.tar.enc
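The filescan rows above have a fixed shape (offset, pointer count, handle count, a 6-character access mask, then the path), and the path here contains spaces, so a naive whitespace split would cut "HUAWEI P40_..." in half. The following is an added example, not from the writeup, that parses filescan rows with the path taken as everything after the access column, selects rows by a path regex (the `findstr CTF` step above, but with a proper pattern), and builds the dumpfiles -Q command lines for the selected FILE_OBJECT offsets. The sample input is the two rows saved to 111.txt above.

```python
import re
from typing import Dict, List

# Sample input: the two filescan rows the writeup saved to 111.txt, embedded so the code runs offline.
FILESCAN_LINES = r"""0x000000007d8c7d10 4 0 R--r-d \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe
0x000000007fe72430 2 0 -W-r-- \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz\picture\storage\MediaTar\images\images0.tar.enc
"""

# offset, #ptr, #hnd, 6-character access column, then the rest of the line is the path
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.*)$")


def parse_filescan(text: str) -> List[Dict[str, object]]:
    """Parse filescan rows; non-matching lines (banner, header) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "offset": int(m.group(1), 16),  # physical offset of the FILE_OBJECT
            "ptr": int(m.group(2)),
            "hnd": int(m.group(3)),
            "access": m.group(4),
            "path": m.group(5),             # may contain spaces
        })
    return rows


def select(rows: List[Dict[str, object]], pattern: str) -> List[Dict[str, object]]:
    """Keep rows whose path matches a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(r["path"])]


def dumpfiles_commands(rows: List[Dict[str, object]], vmem: str = "Target.vmem",
                       profile: str = "Win7SP1x64", outdir: str = "./1111/") -> List[str]:
    """One dumpfiles invocation per row, -Q formatted like the filescan offset column."""
    return [f"py -2 vol.py -f {vmem} --profile={profile} dumpfiles -Q 0x{r['offset']:016x} -D {outdir}"
            for r in rows]


if __name__ == "__main__":
    rows = parse_filescan(FILESCAN_LINES)
    for cmd in dumpfiles_commands(select(rows, r"\\Users\\CTF\\Desktop\\")):
        print(cmd)
```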
Download the Huawei backup decryption tool:
https://github.com/RealityNet/kobackupdec
From the previous problem the password is known to be W31C0M3_T0_THiS_34SY_F0R3NSiCX; rename the backup folder obtained from unpacking to HUAWEI_P40.
py -3 kobackupdec.py -vvv W31C0M3_T0_THiS_34SY_F0R3NSiCX HUAWEI_P40 ./1111
This yields the decrypted image, which is the flag.
Reference links
A brief guide to using the various external plugins for volatility2 - CSDN - Blus.King
2021 陇剑杯 (Longjian Cup) partial writeups - CSDN - YYK[17|6]
✿First 陇剑杯 (Longjian Cup)✿ memory forensics 1 writeup and partial approach to 2 - CSDN - Tokeii
Plus
Basically just bowing to the big shots.