2021 Longjian Cup (陇剑杯): Memory Forensics

2021-09-17  ylylhl

Who would have thought: a lazy old-timer three years out of the game suddenly bolting upright on the sickbed (
During the competition, standalone mimikatz kept throwing errors and I was numb. Win10, my junk machine.
I read the senior players' writeups, reproduced the solution, and am leaving a record here...

Volatility download:
https://github.com/volatilityfoundation/volatility

6.1

Problem description

The virtual machine's password is _____________. (The password has the form flag{xxxx} and contains spaces; do not remove them when submitting.)

Reproduction

py -2 vol.py -f Target.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\CTF\tools\volatility-2.6.1\Target.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf8000403c0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff8000403dd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-08-29 09:08:07 UTC+0000
     Image local date and time : 2021-08-29 17:08:07 +0800

Method A

py -2 vol.py -f Target.vmem --profile=Win7SP1x64 lsadump
Volatility Foundation Volatility Framework 2.6.1
DefaultPassword
0x00000000  48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   H...............
0x00000010  66 00 6c 00 61 00 67 00 7b 00 57 00 33 00 31 00   f.l.a.g.{.W.3.1.
0x00000020  43 00 30 00 4d 00 33 00 20 00 54 00 30 00 20 00   C.0.M.3...T.0...
0x00000030  54 00 48 00 69 00 53 00 20 00 33 00 34 00 53 00   T.H.i.S...3.4.S.
0x00000040  59 00 20 00 46 00 30 00 52 00 33 00 4e 00 53 00   Y...F.0.R.3.N.S.
0x00000050  69 00 43 00 58 00 7d 00 00 00 00 00 00 00 00 00   i.C.X.}.........

DPAPI_SYSTEM
0x00000000  2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ,...............
0x00000010  01 00 00 00 49 06 16 35 a7 90 b6 2a 53 69 03 27   ....I..5...*Si.'
0x00000020  b9 9a 60 9e 9a 15 90 37 7c cf 1d 3c f1 3f 60 05   ..`....7|..<.?`.
0x00000030  56 c1 59 68 53 9a dc e0 18 b3 55 ef 00 00 00 00   V.YhS.....U.....

Method B

Download the mimikatz plugin for Volatility and place it in the ./volatility/plugins folder:
https://github.com/ruokeqx/tool-for-CTF

py -2 vol.py -f Target.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6.1
Module   User             Domain           Password                             
-------- ---------------- ---------------- ----------------------------------------
wdigest  CTF              WIN-QUN5RVOOF27  flag{W31C0M3 T0 THiS 34SY F0R3NSiCX} 
wdigest  WIN-QUN5RVOOF27$ WORKGROUP      

Method C (failed)

Obtaining the password hash: approach A
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80018bc9e0 System                    4      0     88      488 ------      0 2021-08-29 08:56:56 UTC+0000
0xfffffa800dbb49f0 smss.exe                268      4      2       29 ------      0 2021-08-29 08:56:56 UTC+0000
0xfffffa80034a12c0 csrss.exe               352    344      8      402      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80034b12c0 wininit.exe             404    344      3       76      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80034ae060 csrss.exe               416    396      9      186      1      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e2920 winlogon.exe            464    396      3      113      1      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e5b30 services.exe            508    404      6      193      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003720b30 lsass.exe               516    404      6      546      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003725b30 lsm.exe                 524    404      9      141      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80037ac7d0 svchost.exe             628    508     10      351      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80037e66c0 svchost.exe             696    508      8      262      0      0 2021-08-29 08:56:58 UTC+0000
0xfffffa8002d18060 svchost.exe             748    508     18      442      0      0 2021-08-29 08:56:58 UTC+0000
0xfffffa800380eb30 svchost.exe             852    508     18      427      0      0 2021-08-29 08:56:58 UTC+0000
0xfffffa8003893060 svchost.exe             912    508     35      938      0      0 2021-08-29 08:56:58 UTC+0000
0xfffffa80038c9b30 svchost.exe             360    508     10      521      0      0 2021-08-29 08:56:58 UTC+0000
0xfffffa80038fd250 svchost.exe             724    508     15      359      0      0 2021-08-29 08:56:58 UTC+0000
0xfffffa800394db30 spoolsv.exe            1088    508     12      263      0      0 2021-08-29 08:56:59 UTC+0000
0xfffffa80039b4390 svchost.exe            1148    508     17      313      0      0 2021-08-29 08:56:59 UTC+0000
0xfffffa80039e8b30 taskhost.exe           1256    508      9      165      1      0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003a752c0 dwm.exe                1352    852      3       70      1      0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003a79890 explorer.exe           1372   1324     32      769      1      0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003adf2f0 vm3dservice.ex         1500   1372      2       39      1      0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003a88790 vmtoolsd.exe           1508   1372      9      179      1      0 2021-08-29 08:56:59 UTC+0000
0xfffffa8003b235d0 VGAuthService.         1600    508      3       86      0      0 2021-08-29 08:57:00 UTC+0000
0xfffffa8003b31b30 vmtoolsd.exe           1636    508     11      274      0      0 2021-08-29 08:57:00 UTC+0000
0xfffffa8003c3fb30 WmiPrvSE.exe           1984    628     10      201      0      0 2021-08-29 08:57:01 UTC+0000
0xfffffa8003ddc740 dllhost.exe            1044    508     14      191      0      0 2021-08-29 08:57:01 UTC+0000
0xfffffa8003a66060 msdtc.exe               848    508     13      150      0      0 2021-08-29 08:57:02 UTC+0000
0xfffffa8003ddfb30 SearchIndexer.         2212    508     11      612      0      0 2021-08-29 08:57:05 UTC+0000
0xfffffa8003eda630 WmiPrvSE.exe           2440    628      9      218      0      0 2021-08-29 08:57:21 UTC+0000
0xfffffa80028c11b0 svchost.exe            2416    508     10      137      0      0 2021-08-29 08:59:00 UTC+0000
0xfffffa8001a53970 sppsvc.exe             1620    508      4      146      0      0 2021-08-29 08:59:01 UTC+0000
0xfffffa80019e6b30 svchost.exe            2640    508     13      320      0      0 2021-08-29 08:59:01 UTC+0000
0xfffffa8001a20060 SearchProtocol         1048   2212      8      321      0      0 2021-08-29 09:07:20 UTC+0000
0xfffffa800f1e6060 SearchFilterHo         1528   2212      5       97      0      0 2021-08-29 09:07:20 UTC+0000

lsass.exe has PID 516; dump its memory:

py -2 vol.py -f Target.vmem --profile=Win7SP1x64 memdump -p 516 -D ./
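The pslist output above is also worth a sanity check before dumping lsass.exe, since a second lsass.exe, or one whose parent is not wininit.exe, would be a red flag rather than the process to dump. The following Python (an added example, not part of the original writeup) parses the Volatility 2 pslist table and audits the parents of lsass.exe, services.exe and lsm.exe; the expected-parent table is my assumption for Windows 7.

```python
# pslist lines copied from the Volatility 2 output on this page (a subset).
PSLIST_OUTPUT = """
0xfffffa80018bc9e0 System                    4      0     88      488 ------      0 2021-08-29 08:56:56 UTC+0000
0xfffffa800dbb49f0 smss.exe                268      4      2       29 ------      0 2021-08-29 08:56:56 UTC+0000
0xfffffa80034a12c0 csrss.exe               352    344      8      402      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80034b12c0 wininit.exe             404    344      3       76      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e2920 winlogon.exe            464    396      3      113      1      0 2021-08-29 08:56:57 UTC+0000
0xfffffa80036e5b30 services.exe            508    404      6      193      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003720b30 lsass.exe               516    404      6      546      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003725b30 lsm.exe                 524    404      9      141      0      0 2021-08-29 08:56:57 UTC+0000
0xfffffa8003a79890 explorer.exe           1372   1324     32      769      1      0 2021-08-29 08:56:59 UTC+0000
"""

def parse_pslist(text):
    # Columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit].
    # Name never contains spaces (pslist truncates it to 14 characters,
    # e.g. "SearchProtocol"), so whitespace splitting is safe.
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].startswith("0x"):
            continue  # header, separator or blank line
        procs[int(tok[2])] = {"name": tok[1], "ppid": int(tok[3]), "offset": tok[0]}
    return procs

def find_pids(procs, name):
    return sorted(pid for pid, p in procs.items() if p["name"].lower() == name.lower())

# Assumed Windows 7 process tree: wininit.exe spawns these three services.
EXPECTED_PARENT = {"lsass.exe": "wininit.exe", "services.exe": "wininit.exe",
                   "lsm.exe": "wininit.exe"}

def audit_process_tree(procs, expected=EXPECTED_PARENT):
    # Flags each well-known process whose parent is not the expected one,
    # and any duplicate lsass.exe (a second copy is a classic impersonation sign).
    findings = []
    for name, parent_name in expected.items():
        pids = find_pids(procs, name)
        if name == "lsass.exe" and len(pids) != 1:
            findings.append("expected exactly one lsass.exe, found %d" % len(pids))
        for pid in pids:
            parent = procs.get(procs[pid]["ppid"])
            pname = parent["name"] if parent else "<not in list>"
            if pname.lower() != parent_name:
                findings.append("%s PID %d parent is %s, expected %s"
                                % (name, pid, pname, parent_name))
    return findings
```

With the page's own output, audit_process_tree returns no findings and find_pids gives 516, the PID used in the memdump command.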
Obtaining the password hash: approach B
py -2 vol.py -f Target.vmem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:be5593366cb1019400210101581e5d0d:::
Attempting to recover the password

Switching to standalone mimikatz just produced endless "memory opening" errors; speechless...
https://github.com/gentilkiwi/mimikatz

mimikatz# privilege::debug
mimikatz# sekurlsa::minidump lsass.dmp
mimikatz# sekurlsa::logonPasswords full

6.2

Problem description

The virtual machine contains a backup file from a certain brand of phone; the string in the picture inside that file is _____________. (Solving this requires processing the content inside flag{} from the previous answer. This answer also has the form flag{xxx} and contains spaces; do not remove them when submitting.)

Reproduction

List files

py -2 vol.py -f Target.vmem --profile=Win7SP1x64 filescan|findstr CTF >./111.txt
# 111.txt
0x000000007d8c7d10      4      0 R--r-d \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe

Extract

py -2 vol.py -f Target.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d8c7d10 -D ./1111/
Volatility Foundation Volatility Framework 2.6.1
ImageSectionObject 0x7d8c7d10   None   \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe
DataSectionObject 0x7d8c7d10   None   \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe

This yields an .img and a .dat file. Since the extracted file is HUAWEI P40_2021-aa-bb xx.yy.zz.exe, change the .dat file's extension to .exe and run it; it is a self-extracting archive. Extracting it gives a folder and images0.tar.enc.

# 111.txt
0x000000007fe72430      2      0 -W-r-- \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz\picture\storage\MediaTar\images\images0.tar.enc

Download the Huawei backup decryption tool:
https://github.com/RealityNet/kobackupdec
From the previous problem the password is W31C0M3_T0_THiS_34SY_F0R3NSiCX (the flag{} contents with spaces replaced by underscores); rename the extracted backup folder to HUAWEI_P40.

py -3 kobackupdec.py -vvv W31C0M3_T0_THiS_34SY_F0R3NSiCX HUAWEI_P40 ./1111

This produces the decrypted picture, which contains the flag.

References

An introduction to using various external plugins for volatility2 - CSDN - Blus.King
2021 Longjian Cup partial writeups - CSDN - YYK[17|6]
✿First Longjian Cup✿ Memory Forensics 1 writeup and partial approach for 2 - CSDN - Tokeii

Plus

This is basically just paying tribute to the masters.
