Defcon DFIR CTF 2019 Write-up
- Introduction
- Change log (2019/08/19)
- Solved problems
- Memory Forensics
- get your volatility on [5pts]
- pr0file [10pts]
- hey, write this down [12pts]
- wscript can haz children [14pts]
- tcpip settings [18pts]
- intel [18pts]
- i <3 windows dependencies [20pts]
- mal-ware-are-you [20pts]
- lm-get bobs hash [24pts]
- vad the impaler [25pts]
- more vads?! [25pts]
- vacation bible school [25pts]
- 8675309 [35pts]
- whats-a-metasploit? [50pts]
- Summary
Introduction
I took part in the Defcon DFIR CTF 2019 on my own.
There were five categories, but I did not solve much outside "Memory Forensics", so this post covers the Memory Forensics challenges. I will add the other categories as I solve them, so please bear with me.
Change log (2019/08/19)
None
Solved problems
Memory Forensics
get your volatility on [5pts]
Compute the SHA1 of the distributed memory image (the file name contains spaces, so it has to be quoted).
$ sha1sum "Adam Ferrante - Triage-Memory.mem"
flag<c95e8cc8c946f95a109ea8e47a6800de10a27abd>
pr0file [10pts]
Identify the operating system of the distributed memory image.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" imageinfo
flag<Win7SP1x64>
hey, write this down [12pts]
Identify the process ID of notepad.exe.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 pslist | grep notepad.exe
Volatility Foundation Volatility Framework 2.5
0xfffffa80054f9060 notepad.exe 3032 1432 1 60 1 0 2019-03-22 05:32:22 UTC+0000
flag<1432>
wscript can haz children [14pts]
Identify the name of the child process of wscript.exe.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 pstree | grep -3 wscript.exe
Volatility Foundation Volatility Framework 2.5
. 0xfffffa8004798320:calc.exe 3548 1432 3 77 2019-03-22 05:34:43 UTC+0000
. 0xfffffa80053d3060:POWERPNT.EXE 4048 1432 23 765 2019-03-22 05:35:09 UTC+0000
. 0xfffffa8004905620:hfs.exe 3952 1432 6 214 2019-03-22 05:34:51 UTC+0000
.. 0xfffffa8005a80060:wscript.exe 5116 3952 8 312 2019-03-22 05:35:32 UTC+0000
... 0xfffffa8005a1d9e0:UWkpjFjDzM.exe 3496 5116 5 109 2019-03-22 05:35:33 UTC+0000
.... 0xfffffa8005bb0060:cmd.exe 4660 3496 1 33 2019-03-22 05:35:36 UTC+0000
. 0xfffffa80054f9060:notepad.exe 3032 1432 1 60 2019-03-22 05:32:22 UTC+0000
flag<UWkpjFjDzM.exe>
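Added example (not part of the original write-up): a small parser for the pstree rows above that reads the PID and PPID columns of each row (in that order), resolves children of a named process and walks a process's parent chain, which is the reasoning behind both the notepad.exe and the wscript.exe questions. The sample output is the page's own pstree listing; function names are mine.

```python
import re

# Constructed sample: the pstree rows quoted in the write-up, with the banner left in
# so the parser has a non-matching line to skip.
PSTREE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
. 0xfffffa8004798320:calc.exe 3548 1432 3 77 2019-03-22 05:34:43 UTC+0000
. 0xfffffa80053d3060:POWERPNT.EXE 4048 1432 23 765 2019-03-22 05:35:09 UTC+0000
. 0xfffffa8004905620:hfs.exe 3952 1432 6 214 2019-03-22 05:34:51 UTC+0000
.. 0xfffffa8005a80060:wscript.exe 5116 3952 8 312 2019-03-22 05:35:32 UTC+0000
... 0xfffffa8005a1d9e0:UWkpjFjDzM.exe 3496 5116 5 109 2019-03-22 05:35:33 UTC+0000
.... 0xfffffa8005bb0060:cmd.exe 4660 3496 1 33 2019-03-22 05:35:36 UTC+0000
. 0xfffffa80054f9060:notepad.exe 3032 1432 1 60 2019-03-22 05:32:22 UTC+0000
"""
# One pstree row: depth dots, EPROCESS offset, name, PID, PPID, threads, handles, start time.
ROW = re.compile(r"^(?P<depth>\.*)\s*0x(?P<offset>[0-9a-f]+):(?P<name>\S+)\s+(?P<pid>\d+)\s+"
                 r"(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<start>.+)$")


def parse_pstree(text):
    """{pid: {name, ppid, start}} built from the PID/PPID columns; non-process lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]), "start": m["start"]}
    return procs


def children_of(procs, name):
    """Names of processes whose PPID is the PID of any process called `name` (case-insensitive)."""
    parents = {pid for pid, p in procs.items() if p["name"].lower() == name.lower()}
    return sorted(p["name"] for p in procs.values() if p["ppid"] in parents)


def lineage(procs, pid):
    """Follow PPID links upward from `pid` until the parent is no longer present in the dump."""
    chain = []
    while pid in procs:
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return chain
```

The lineage of cmd.exe (4660) comes out as cmd.exe <- UWkpjFjDzM.exe <- wscript.exe <- hfs.exe, the chain the write-up's grep output shows with dots.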
tcpip settings [18pts]
Answer the IP address that was assigned to the machine at the time the RAM was dumped.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.5
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13e057300 UDPv4 10.0.0.101:55736 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
(snip)
0x13fc857e0 TCPv4 -:49167 72.51.60.132:443 CLOSED 1272 EXCEL.EXE
flag<10.0.0.101>
intel [18pts]
Identify the attacker's IP address.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.5
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13e057300 UDPv4 10.0.0.101:55736 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
0x13e05b4f0 UDPv6 ::1:55735 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
0x13e05b790 UDPv6 fe80::7475:ef30:be18:7807:55734 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
(snip)
0x13e397190 TCPv4 10.0.0.101:49217 10.0.0.106:4444 ESTABLISHED 3496 UWkpjFjDzM.exe
(snip)
0x13fa969f0 TCPv4 -:0 56.219.119.5:0 CLOSED 1272 EXCEL.EXE
0x13fbd07e0 TCPv4 -:49372 212.227.15.9:25 CLOSED 504
0x13fc857e0 TCPv4 -:49167 72.51.60.132:443 CLOSED 1272 EXCEL.EXE
flag<10.0.0.106>
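Added example (not part of the original write-up) covering both netscan questions: a parser for the rows above that recovers the local IPv4 addresses the host had bound (tcpip settings) and the TCP connections still ESTABLISHED when RAM was captured (intel). It handles the two irregularities visible in the output, UDP rows carrying no State column and a TCP row with no Owner; the sample is the page's own listing and the function names are mine.

```python
import re

# Constructed sample: the netscan rows quoted in the write-up (UDP rows have no State
# column, one TCP row has no Owner), plus the banner and header a parser must skip.
NETSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13e057300 UDPv4 10.0.0.101:55736 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
0x13e05b4f0 UDPv6 ::1:55735 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
0x13e05b790 UDPv6 fe80::7475:ef30:be18:7807:55734 *:* 2888 svchost.exe 2019-03-22 05:32:20 UTC+0000
0x13e397190 TCPv4 10.0.0.101:49217 10.0.0.106:4444 ESTABLISHED 3496 UWkpjFjDzM.exe
0x13fa969f0 TCPv4 -:0 56.219.119.5:0 CLOSED 1272 EXCEL.EXE
0x13fbd07e0 TCPv4 -:49372 212.227.15.9:25 CLOSED 504
0x13fc857e0 TCPv4 -:49167 72.51.60.132:443 CLOSED 1272 EXCEL.EXE
"""
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # a Created column starts with a date


def parse_netscan(text):
    """One dict per socket row: proto, local, foreign, state, pid, owner (None when absent)."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or not t[0].startswith("0x"):
            continue  # banner, column header or blank line
        tcp = t[1].startswith("TCP")  # only TCP rows carry a State column
        i = 5 if tcp else 4  # index of the Pid column
        owner = t[i + 1] if len(t) > i + 1 and not DATE.match(t[i + 1]) else None
        rows.append({"proto": t[1], "local": t[2], "foreign": t[3],
                     "state": t[4] if tcp else None, "pid": int(t[i]), "owner": owner})
    return rows


def host_ipv4_addresses(rows):
    """IPv4 addresses local sockets are bound to, i.e. the addresses assigned to the imaged host."""
    addrs = set()
    for r in rows:
        host = r["local"].rpartition(":")[0]  # rpartition keeps IPv6 colons intact
        if r["proto"].endswith("v4") and host not in ("-", "*", "0.0.0.0", "127.0.0.1"):
            addrs.add(host)
    return addrs


def established_connections(rows):
    """(pid, owner, local, foreign) for every TCP socket still ESTABLISHED when RAM was captured."""
    return [(r["pid"], r["owner"], r["local"], r["foreign"])
            for r in rows if r["state"] == "ESTABLISHED"]
```

The only established connection belongs to PID 3496 (UWkpjFjDzM.exe, the wscript.exe descendant from the previous question), which is what ties the remote endpoint to the attacker.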
i <3 windows dependencies [20pts]
Answer the name of the process that VCRUNTIME140.dll is associated with.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 dlldump --dump-dir ./ | grep VCRUNTIME140.dll
Volatility Foundation Volatility Framework 2.5
0xfffffa80058ed390 OfficeClickToR 0x000007fefa5c0000 VCRUNTIME140.dll OK: module.1136.13e4ed390.7fefa5c0000.dll
flag<OfficeClickToR>
Note: the full process name is "OfficeClickToRun.exe", but the flag is only accepted if you enter "OfficeClickToR", the truncated name as displayed by Volatility.
mal-ware-are-you [20pts]
Dump the process with PID 3496 (UWkpjFjDzM.exe) and compute the MD5 hash of the dumped executable.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 procdump -D ./ -p 3496
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa8005a1d9e0 0x0000000000400000 UWkpjFjDzM.exe OK: executable.3496.exe
$ md5sum executable.3496.exe
690ea20bc3bdfb328e23005d9a80c290
flag<690ea20bc3bdfb328e23005d9a80c290>
lm-get bobs hash [24pts]
Answer the LM hash of the account Bob.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
flag<aad3b435b51404eeaad3b435b51404ee>
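Added example (not part of the original write-up): a parser for the pwdump-style hashdump lines above that looks up an account's LM field and reports what the dump actually says about each account. The LM value in the flag, aad3b435b51404eeaad3b435b51404ee, is the well-known constant Windows emits when no LM hash is stored at all, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password; both constants are embedded in the code, and the function names are mine.

```python
# Well-known constants: the LM field Windows reports when no LM hash is stored
# (LM storage is disabled by default since Vista) and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the hashdump lines quoted in the write-up plus the banner line.
HASHDUMP_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text):
    """{username: (rid, lm_hash, nt_hash)} from pwdump-style 'user:rid:lm:nt:::' lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # banner or malformed line
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) == 32 and len(nt) == 32:  # both fields are 16-byte hashes in hex
            accounts[parts[0]] = (int(parts[1]), lm, nt)
    return accounts


def lm_hash_of(accounts, user):
    """Case-insensitive lookup of the LM field for `user`; None if the account is absent."""
    for name, (_, lm, _) in accounts.items():
        if name.lower() == user.lower():
            return lm
    return None


def audit(accounts):
    """Per account: is a real LM hash stored, and does the NT hash correspond to a blank password?"""
    return {user: {"rid": rid, "lm_stored": lm != EMPTY_LM, "blank_password": nt == EMPTY_NT}
            for user, (rid, lm, nt) in accounts.items()}
```

On this dump the audit reports no stored LM hash and a blank-password NT hash for all three accounts, which is worth knowing before treating the flag value as a crackable hash.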
vad the impaler [25pts]
Answer the page protection state of the specified VAD node.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 vadinfo | grep -10 0xfffffa800577ba10
Volatility Foundation Volatility Framework 2.5
(snip)
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone
ControlArea @fffffa8005687a50 Segment fffff8a000c4f870
NumberOfSectionReferences: 1 NumberOfPfnReferences: 0
NumberOfMappedViews: 29 NumberOfUserReferences: 30
Control Flags: Commit: 1
First prototype PTE: fffff8a000c4f8b8 Last contiguous PTE: fffff8a000c4f8d0
Flags2: Inherit: 1, SecNoChange: 1
flag<PAGE_READONLY>
more vads?! [25pts]
Likewise, answer the page protection state of the specified VAD node.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 vadinfo | grep -5 0x00000000033c0000
Volatility Foundation Volatility Framework 2.5
VAD node @ 0xfffffa8005819640 Start 0x0000000002f60000 End 0x0000000002fdffff Tag VadS
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
(snip)
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
Protection: PAGE_NOACCESS
Vad Type: VadNone
(snip)
VAD node @ 0xfffffa8005441480 Start 0x00000000033c0000 End 0x00000000033cffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @fffffa80053012c0 Segment fffff8a0037d2100
NumberOfSectionReferences: 1 NumberOfPfnReferences: 0
flag<PAGE_NOACCESS>
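Added example (not part of the original write-up) for both VAD questions: it decodes the numeric Protection value in the Flags line into the name vadinfo prints on the next line (1 = PAGE_READONLY, 4 = PAGE_READWRITE, 24 = PAGE_NOACCESS above), following Volatility's protection table, and parses the quoted nodes so a node can be looked up by the address it covers. Because vadinfo without -p walks every process, the same virtual range can appear more than once, as the two 0x33c0000 nodes above show; the sample is the page's own output and the function names are mine.

```python
import re

# Constructed sample: the four vadinfo nodes quoted in the write-up (Vad Type lines dropped).
VADINFO_OUTPUT = """\
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
VAD node @ 0xfffffa8005819640 Start 0x0000000002f60000 End 0x0000000002fdffff Tag VadS
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
Protection: PAGE_NOACCESS
VAD node @ 0xfffffa8005441480 Start 0x00000000033c0000 End 0x00000000033cffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
"""
ACCESS = ["PAGE_NOACCESS", "PAGE_READONLY", "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
          "PAGE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"]
MODIFIER = ["", "PAGE_NOCACHE | ", "PAGE_GUARD | ", "PAGE_WRITECOMBINE | "]
NODE = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\w+)")


def decode_protection(value):
    """5-bit protection index: bits 0-2 pick the access right, bits 3-4 a cache modifier."""
    access, modifier = value & 7, (value >> 3) & 3
    if access == 0:  # no-access memory ignores the modifier: 8, 16 and 24 all mean PAGE_NOACCESS
        return "PAGE_NOACCESS"
    return MODIFIER[modifier] + ACCESS[access]


def parse_vadinfo(text):
    """{node_address: {start, end, tag, private, protection}} built from vadinfo output."""
    nodes, cur = {}, None
    for line in text.splitlines():
        m = NODE.match(line)
        if m:
            cur = {"start": int(m[2], 16), "end": int(m[3], 16), "tag": m[4], "private": False}
            nodes[m[1]] = cur
        elif cur and line.startswith("Flags:"):
            cur["private"] = "PrivateMemory: 1" in line
            cur["protection"] = decode_protection(int(re.search(r"Protection: (\d+)", line)[1]))
    return nodes


def nodes_containing(nodes, address):
    """Node addresses whose range covers `address`; several hits mean several processes map it."""
    return sorted(a for a, n in nodes.items() if n["start"] <= address <= n["end"])


def executable_private_regions(nodes):
    """Private (non-image-backed) regions with execute rights: the usual footprint of injected code."""
    return sorted(a for a, n in nodes.items() if n["private"] and "EXECUTE" in n["protection"])
```

None of the four quoted nodes is both private and executable, so the last check comes back empty here; on a full vadinfo run it is the quick way to shortlist regions worth dumping.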
vacation bible school [25pts]
Identify the name of the VBS file that was executed on the machine.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" --profile=Win7SP1x64 dlllist | grep '\.vbs'
Volatility Foundation Volatility Framework 2.5
Command line : "C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs
flag<vhjReUDEuumrX.vbs>
8675309 [35pts]
Identify the name of the file whose MFT record number is 59045.
$ volatility -f "Adam Ferrante - Triage-Memory.mem" mftparser
(snip)
***************************************************************************
***************************************************************************
MFT entry found at offset 0x2193d400
Attribute: In Use & File
Record Number: 59045
Link count: 2
$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:42 UTC+0000 Archive
$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:43 UTC+0000 2019-03-17 07:04:42 UTC+0000 Users\Bob\DOCUME~1\EMPLOY~1\EMPLOY~1.XLS
(snip)
flag<EMPLOY~1.XLS>
whats-a-metasploit? [50pts]
Answer the PID of the process that is Meterpreter.
flag<3496>
Summary
A great CTF for learning how to use Volatility.
My impression is that it is aimed at people new to memory forensics.
It was fun.