OtterCTF Writeup Memory Forensics 2 - General Info 75

Memory Forensics

2 - General Info 75

Let's start easy - what's the PC's name and IP address?

format: CTF{flag}

FLAG:CTF{PC IP}

FLAG:CTF{PC name}

Continuing on from 3 - Play Time, we keep digging through the memory dump.

First, check the computer name. A quick search says the computer name is stored under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

(reference: www.technlg.net)

Start by listing the registry hives in memory with hivelist.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" hivelist
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Virtual Physical Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat

I wasn't sure whether CurrentControlSet could be used as-is, so I looked up CurrentControlSet among the subkeys that printkey returned.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" printkey
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

(snip)

Values:
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} (S)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:
(S) ControlSet001
(S) ControlSet002
(S) MountedDevices
(S) RNG
(S) Select
(S) Setup
(S) Software
(S) WPA
(V) CurrentControlSet


> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" printkey -K "CurrentControlSet"
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CurrentControlSet (V)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:

Values:
REG_LINK SymbolicLinkValue : (V) \Registry\Machine\System\ControlSet001


Next, dump the SYSTEM hive (the one at 0xfffff8a000024010 in the hivelist output).

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" hivedump -o 0xfffff8a000024010
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Last Written Key
2018-08-04 19:25:54 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}
2018-06-02 19:23:00 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001
2018-08-04 19:26:03 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control
2009-07-14 04:49:01 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control\ACPI
2009-07-14 04:54:07 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control\AGP
2009-07-14 04:54:39 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control\AppID

(snip)

2018-08-04 19:26:11 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control\ComputerName
2018-06-02 19:23:00 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control\ComputerName\ComputerName
2018-08-04 19:26:11 UTC+0000 \CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}\ControlSet001\Control\ComputerName\ActiveComputerName

Checking ControlSet001\Control\ComputerName should reveal the computer name.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" printkey -K "ControlSet001\Control\ComputerName"
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-08-04 19:26:11 UTC+0000

Subkeys:
(S) ComputerName
(V) ActiveComputerName

Values:

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" printkey -K "ControlSet001\Control\ComputerName\ComputerName"
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:

Values:
REG_SZ : (S) mnmsrvc

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" printkey -K "ControlSet001\Control\ComputerName\ActiveComputerName"
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ActiveComputerName (V)
Last updated: 2018-08-04 19:26:11 UTC+0000

Subkeys:

Values:
REG_SZ ComputerName : (V) WIN-LO6FAF3DTFE


FLAG:CTF{WIN-LO6FAF3DTFE}
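What the outputs above show is a two-step lookup: CurrentControlSet is a volatile REG_LINK whose SymbolicLinkValue points at \Registry\Machine\System\ControlSet001, so the real data lives under ControlSet001\Control\ComputerName, and that key has two children with different values: ComputerName\ComputerName (mnmsrvc, the name that applies after the next reboot) and ActiveComputerName (WIN-LO6FAF3DTFE, the name the system was running under when the image was taken). The script below is an added example, not part of the original writeup or of Volatility: it parses printkey-style text, resolves the link, rewrites a CurrentControlSet path onto the active control set so it can be passed to printkey -K, and extracts the REG_SZ values. The samples embedded in it are trimmed copies of the outputs above; the function names and regexes are my own.

```python
import re

# Constructed samples: trimmed copies of the printkey outputs shown in the writeup above.
PRINTKEY_CURRENTCONTROLSET = r"""Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CurrentControlSet (V)
Last updated: 2018-08-04 19:25:54 UTC+0000

Subkeys:

Values:
REG_LINK SymbolicLinkValue : (V) \Registry\Machine\System\ControlSet001
"""

PRINTKEY_COMPUTERNAME = r"""Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-02 19:23:00 UTC+0000

Subkeys:

Values:
REG_SZ : (S) mnmsrvc
"""

PRINTKEY_ACTIVECOMPUTERNAME = r"""Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ActiveComputerName (V)
Last updated: 2018-08-04 19:26:11 UTC+0000

Subkeys:

Values:
REG_SZ ComputerName : (V) WIN-LO6FAF3DTFE
"""

KEY_RE = re.compile(r"^Key name:\s+(.*?)\s+\((S|V)\)\s*$")
# value type, value name (empty for the key's default value), stability flag, data
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.*?)\s*:\s+\((S|V)\)\s+(.*)$")
# \Registry\Machine\System\ControlSet001 -> ControlSet001 (case-insensitive)
LINK_RE = re.compile(r"(?i)^\\registry\\machine\\system\\(.+)$")


def parse_printkey(text):
    """Return (key_name, values); values is a list of (type, name, flag, data) tuples."""
    key_name, values, in_values = None, [], False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key_name = m.group(1)
        elif line.startswith("Values:"):
            in_values = True
        elif in_values:
            m = VALUE_RE.match(line)
            if m:
                values.append(m.groups())
    return key_name, values


def resolve_control_set(values):
    """Turn the REG_LINK SymbolicLinkValue into a hive-relative path such as 'ControlSet001'."""
    for vtype, name, _flag, data in values:
        if vtype == "REG_LINK" and name == "SymbolicLinkValue":
            m = LINK_RE.match(data)
            return m.group(1) if m else data
    return None


def rewrite_path(path, control_set):
    """Replace a leading CurrentControlSet component with the resolved control set,
    giving a path that printkey -K can open directly."""
    parts = path.split("\\")
    if parts and parts[0].lower() == "currentcontrolset":
        parts[0] = control_set
    return "\\".join(parts)


def string_values(values):
    """Map value name -> data for REG_SZ values; '' is the key's default value."""
    return {name: data for vtype, name, _flag, data in values if vtype == "REG_SZ"}


if __name__ == "__main__":
    _, link_values = parse_printkey(PRINTKEY_CURRENTCONTROLSET)
    cs = resolve_control_set(link_values)
    print("CurrentControlSet ->", cs)
    print(rewrite_path("CurrentControlSet\\Control\\ComputerName\\ActiveComputerName", cs))
    for dump in (PRINTKEY_COMPUTERNAME, PRINTKEY_ACTIVECOMPUTERNAME):
        key, vals = parse_printkey(dump)
        print(key, string_values(vals))
```

When both values differ, as here, report which one you are quoting: ActiveComputerName is what the machine called itself at capture time, while ComputerName\ComputerName is a pending rename and is itself an artifact worth noting in a timeline.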

Next, check the IP address.

For the IP address I used netscan: among the addresses seen communicating, the local IP is the one the host itself is using.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" netscan
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920 UDPv4 192.168.202.131:62306 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0 UDPv4 0.0.0.0:50762 *:* 4076 chrome.exe 2018-08-04 19:33:37 UTC+0000
0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000
0x7d6e3230 UDPv4 127.0.0.1:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d74a390 UDPv4 127.0.0.1:52847 *:* 2624 bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d7602c0 UDPv4 127.0.0.1:52846 *:* 2308 bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d787010 UDPv4 0.0.0.0:65452 *:* 4076 chrome.exe 2018-08-04 19:33:42 UTC+0000
0x7d789b50 UDPv4 0.0.0.0:50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d789b50 UDPv6 :::50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d92a230 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d92a230 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d9e8b50 UDPv4 0.0.0.0:20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f4560 UDPv4 0.0.0.0:0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000
0x7d9f8cb0 UDPv4 0.0.0.0:20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d9f8cb0 UDPv6 :::20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000
0x7d8bb390 TCPv4 0.0.0.0:9008 0.0.0.0:0 LISTENING 4 System
0x7d8bb390 TCPv6 :::9008 :::0 LISTENING 4 System
0x7d9a9240 TCPv4 0.0.0.0:8733 0.0.0.0:0 LISTENING 4 System
0x7d9a9240 TCPv6 :::8733 :::0 LISTENING 4 System
0x7d9e19e0 TCPv4 0.0.0.0:20830 0.0.0.0:0 LISTENING 2836 BitTorrent.exe
0x7d9e19e0 TCPv6 :::20830 :::0 LISTENING 2836 BitTorrent.exe
0x7d9e1c90 TCPv4 0.0.0.0:20830 0.0.0.0:0 LISTENING 2836 BitTorrent.exe
0x7d42ba90 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe
0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe
0x7d62d690 TCPv4 192.168.202.131:49229 169.1.143.215:8999 CLOSED 2836 BitTorrent.exe

FLAG:CTF{192.168.202.131}
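The reasoning in the step above (the host's own address is whichever Local Address is neither a wildcard such as 0.0.0.0 or :: nor loopback) can be applied mechanically to the whole table instead of by eye. The script below is an added example, not part of the original writeup or of Volatility: it parses the netscan text format, ranks candidate host addresses by how often they appear, and lists the concrete remote peers with their owning process, which is the natural next triage question once the host address is known. The embedded sample is a constructed subset of the rows above; the function names are my own.

```python
import ipaddress
from collections import Counter

# Constructed sample: a subset of the netscan rows shown in the writeup above.
NETSCAN_SAMPLE = """\
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000
0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d8bb390 TCPv4 0.0.0.0:9008 0.0.0.0:0 LISTENING 4 System
0x7d42ba90 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe
0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe
0x7d62d690 TCPv4 192.168.202.131:49229 169.1.143.215:8999 CLOSED 2836 BitTorrent.exe
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the LAST colon. netscan prints IPv6 endpoints without
    brackets (':::0', '::1:1900'), so a plain split(':') would break them."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_netscan(text):
    """Parse netscan rows into dicts. UDP rows have no State column, so the
    position of Pid/Owner depends on the protocol."""
    rows = []
    for line in text.splitlines()[1:]:      # skip the header line
        f = line.split()
        if len(f) < 2:
            continue
        proto = f[1]
        is_tcp = proto.startswith("TCP")
        if len(f) < (7 if is_tcp else 6):
            continue
        offset, local, foreign = f[0], f[2], f[3]
        if is_tcp:
            state, pid, owner = f[4], f[5], f[6]
        else:
            state, pid, owner = None, f[4], f[5]
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"offset": offset, "proto": proto, "local_addr": laddr,
                     "local_port": lport, "foreign_addr": faddr,
                     "foreign_port": fport, "state": state,
                     "pid": int(pid), "owner": owner})
    return rows


def is_placeholder(addr):
    """True for wildcard ('0.0.0.0', '::', '*', '-') and loopback addresses,
    i.e. anything that cannot be the host's own interface address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # '*', '-' and anything else that is not an IP
        return True
    return ip.is_unspecified or ip.is_loopback


def infer_host_addresses(rows):
    """Rank candidate host addresses: every concrete Local Address, most frequent first."""
    counts = Counter(r["local_addr"] for r in rows if not is_placeholder(r["local_addr"]))
    return counts.most_common()


def foreign_peers(rows):
    """Concrete remote endpoints with the owning process: the first triage list
    for 'who was this host talking to?'."""
    return sorted({(r["foreign_addr"], r["foreign_port"], r["owner"])
                   for r in rows if not is_placeholder(r["foreign_addr"])})


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN_SAMPLE)
    print("host address candidates:", infer_host_addresses(rows))
    for peer in foreign_peers(rows):
        print("peer:", peer)
```

On a multi-homed host infer_host_addresses returns more than one candidate, which is why it ranks rather than picks; cross-check any candidate against the network adapter keys in the SOFTWARE/SYSTEM hives before reporting it as the host's address.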