OtterCTF Writeup Memory Forensics 3 - Play Time 50

Memory Forensics

3 - Play Time 50

Rick just loves to play some good old videogames. Can you tell which game he is playing? What's the IP address of the server?

format: CTF{flag}

Extracting OtterCTF.7z gives you OtterCTF.vmem.

First, list the processes with Volatility.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" psscan
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d403610 mscorsvw.exe 412 492 0x0000000040d28000 2018-08-04 19:28:42 UTC+0000
0x000000007d686b30 Rick And Morty 3820 2728 0x000000000b59a000 2018-08-04 19:32:55 UTC+0000
0x000000007d6a7b30 bittorrentie.e 2308 2836 0x0000000076ada000 2018-08-04 19:27:19 UTC+0000
0x000000007d6c9b30 bittorrentie.e 2624 2836 0x00000000761f5000 2018-08-04 19:27:21 UTC+0000
0x000000007d7cb740 LunarMS.exe 708 2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000
0x000000007d832060 sppsvc.exe 2500 492 0x000000000ae7b000 2018-08-04 19:26:58 UTC+0000
0x000000007d87e060 explorer.exe 2728 2696 0x000000000873f000 2018-08-04 19:27:04 UTC+0000
0x000000007d890b30 BitTorrent.exe 2836 2728 0x0000000006c2e000 2018-08-04 19:27:07 UTC+0000
0x000000007d8f02e0 WebCompanion.e 2844 2728 0x0000000006619000 2018-08-04 19:27:07 UTC+0000 2018-08-04 19:33:33 UTC+0000
0x000000007d9aab30 SearchIndexer. 3064 492 0x0000000079a02000 2018-08-04 19:27:14 UTC+0000
0x000000007da8f060 sc.exe 3208 3880 0x000000006fe9a000 2018-08-04 19:33:47 UTC+0000 2018-08-04 19:33:48 UTC+0000
0x000000007db12060 WmiPrvSE.exe 2136 604 0x0000000073b40000 2018-08-04 19:26:51 UTC+0000
0x000000007db8f060 WebCompanionIn 3880 1484 0x0000000043242000 2018-08-04 19:33:07 UTC+0000
0x000000007dbcdb30 vmtoolsd.exe 2804 2728 0x00000000074c6000 2018-08-04 19:27:06 UTC+0000
0x000000007dbe9b30 taskhost.exe 2344 492 0x000000000b824000 2018-08-04 19:26:57 UTC+0000
0x000000007dbfab30 dwm.exe 2704 844 0x0000000008a6d000 2018-08-04 19:27:04 UTC+0000
0x000000007dbfd960 notepad.exe 3304 3132 0x000000007207d000 2018-08-04 19:34:10 UTC+0000
0x000000007dc0f630 VGAuthService. 1356 492 0x0000000018f8b000 2018-08-04 19:26:25 UTC+0000
0x000000007dc7f630 dllhost.exe 1324 492 0x000000001030d000 2018-08-04 19:26:42 UTC+0000
0x000000007dc92920 vmtoolsd.exe 1428 492 0x0000000017f54000 2018-08-04 19:26:27 UTC+0000
0x000000007dcb6890 sc.exe 452 3880 0x000000005f76a000 2018-08-04 19:33:48 UTC+0000 2018-08-04 19:33:48 UTC+0000
0x000000007dce7b30 SearchFilterHo 2740 3064 0x000000002fa16000 2018-08-04 19:33:11 UTC+0000 2018-08-04 19:34:22 UTC+0000
0x000000007dde7800 svchost.exe 1948 492 0x0000000076d80000 2018-08-04 19:26:42 UTC+0000
0x000000007ddf3b30 msdtc.exe 1436 492 0x000000000fcd5000 2018-08-04 19:26:43 UTC+0000
0x000000007de01060 sc.exe 2028 3880 0x0000000077e22000 2018-08-04 19:33:49 UTC+0000 2018-08-04 19:34:03 UTC+0000
0x000000007de2e9e0 svchost.exe 808 492 0x000000001fe6a000 2018-08-04 19:26:18 UTC+0000
0x000000007de31b30 svchost.exe 844 492 0x000000001ff36000 2018-08-04 19:26:18 UTC+0000
0x000000007de4db30 svchost.exe 868 492 0x000000002027f000 2018-08-04 19:26:18 UTC+0000
0x000000007de753a0 audiodg.exe 960 808 0x000000001f6df000 2018-08-04 19:26:19 UTC+0000
0x000000007de97060 svchost.exe 1012 492 0x000000001f58e000 2018-08-04 19:26:20 UTC+0000
0x000000007ded37e0 svchost.exe 620 492 0x000000001e7a0000 2018-08-04 19:26:21 UTC+0000
0x000000007df5ab30 spoolsv.exe 1120 492 0x000000001b0e7000 2018-08-04 19:26:22 UTC+0000
0x000000007df718a0 svchost.exe 1164 492 0x000000001ac36000 2018-08-04 19:26:23 UTC+0000
0x000000007e000a90 chrome.exe 3924 4076 0x00000000006ba000 2018-08-04 19:29:51 UTC+0000
0x000000007e072b30 sc.exe 3504 3880 0x0000000040331000 2018-08-04 19:33:48 UTC+0000 2018-08-04 19:33:48 UTC+0000
0x000000007e0d1060 Lavasoft.WCAss 3496 492 0x0000000078089000 2018-08-04 19:33:49 UTC+0000
0x000000007e0f4060 winlogon.exe 432 380 0x00000000237dc000 2018-08-04 19:26:11 UTC+0000
0x000000007e1377c0 services.exe 492 396 0x000000002257a000 2018-08-04 19:26:12 UTC+0000
0x000000007e13f060 lsass.exe 500 396 0x000000002219a000 2018-08-04 19:26:12 UTC+0000
0x000000007e1461a0 lsm.exe 508 396 0x00000000221a2000 2018-08-04 19:26:12 UTC+0000
0x000000007e1bdb30 vmacthlp.exe 668 492 0x000000002120e000 2018-08-04 19:26:16 UTC+0000
0x000000007e1ebb30 svchost.exe 712 492 0x0000000020d1c000 2018-08-04 19:26:17 UTC+0000
0x000000007e4268b0 WebCompanion.e 3856 3880 0x000000003c956000 2018-08-04 19:34:05 UTC+0000
0x000000007e435240 chrome.exe 3648 4076 0x0000000067df6000 2018-08-04 19:33:38 UTC+0000
0x000000007e4643d0 conhost.exe 2420 348 0x0000000075907000 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000
0x000000007e4af9f0 svchost.exe 164 492 0x000000003ffbd000 2018-08-04 19:28:42 UTC+0000
0x000000007e4c2700 mscorsvw.exe 3124 492 0x000000003fa08000 2018-08-04 19:28:43 UTC+0000
0x000000007e4e4b30 svchost.exe 3196 492 0x000000003e5d5000 2018-08-04 19:28:44 UTC+0000
0x000000007e5bfb30 ipconfig.exe 3788 3916 0x0000000039194000 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000
0x000000007e5f98f0 chrome.exe 2748 4076 0x0000000074a76000 2018-08-04 19:31:15 UTC+0000
0x000000007e6c5b30 vmware-tray.ex 3720 3820 0x000000007653c000 2018-08-04 19:33:02 UTC+0000
0x000000007e6e3870 chrome.exe 4076 2728 0x0000000033cdc000 2018-08-04 19:29:30 UTC+0000
0x000000007e6eab30 chrome.exe 4084 4076 0x000000003338b000 2018-08-04 19:29:30 UTC+0000
0x000000007e6f7b30 chrome.exe 1808 4076 0x000000003ae8a000 2018-08-04 19:29:32 UTC+0000
0x000000007e702b30 chrome.exe 576 4076 0x0000000003f38000 2018-08-04 19:29:31 UTC+0000
0x000000007e772b30 cmd.exe 3916 1428 0x00000000199c1000 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000
0x000000007e7ef1f0 chrome.exe 1796 4076 0x000000002b91a000 2018-08-04 19:33:41 UTC+0000
0x000000007e7fe210 SearchProtocol 3428 3064 0x0000000010edf000 2018-08-04 19:33:11 UTC+0000 2018-08-04 19:34:22 UTC+0000
0x000000007e8ed060 wininit.exe 396 336 0x00000000244f5000 2018-08-04 19:26:11 UTC+0000
0x000000007eac8380 csrss.exe 348 336 0x00000000245af000 2018-08-04 19:26:10 UTC+0000
0x000000007f28c2d0 PresentationFo 724 492 0x000000006541b000 2018-08-04 19:27:52 UTC+0000
0x000000007f2d3b30 csrss.exe 388 380 0x0000000074a96000 2018-08-04 19:26:11 UTC+0000
0x000000007f67e4d0 smss.exe 260 4 0x000000002abc9000 2018-08-04 19:26:03 UTC+0000
0x000000007fb24b30 WmiPrvSE.exe 1800 604 0x00000000134a3000 2018-08-04 19:26:39 UTC+0000
0x000000007fc3c890 svchost.exe 604 492 0x0000000021336000 2018-08-04 19:26:16 UTC+0000
0x000000007fe83740 System 4 0 0x0000000000187000 2018-08-04 19:26:03 UTC+0000


He's playing MapleStory, of all things...

0x000000007d7cb740 LunarMS.exe 708 2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000

LunarMS

FLAG: CTF{LunarMS}

Next, look at what LunarMS.exe is communicating with.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" netscan
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920 UDPv4 192.168.202.131:62306 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0 UDPv4 0.0.0.0:50762 *:* 4076 chrome.exe 2018-08-04 19:33:37 UTC+0000
0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000
0x7d6e3230 UDPv4 127.0.0.1:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000

 (snip)


0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe

FLAG: CTF{77.102.199.102}
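As an added example (not part of the original writeup), here is a small Python helper that does the two steps above programmatically: it parses Volatility 2 psscan and netscan output, joins the two on PID, and returns the remote endpoints of a named process. The sample rows are copied from the listings above; the regexes assume the Volatility 2.6 column layout shown there.

```python
import re

# Constructed sample input: rows copied from the Volatility 2 psscan and
# netscan listings above (the full output is omitted here).
PSSCAN_SAMPLE = """\
0x000000007d686b30 Rick And Morty 3820 2728 0x000000000b59a000 2018-08-04 19:32:55 UTC+0000
0x000000007d7cb740 LunarMS.exe 708 2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000
0x000000007d890b30 BitTorrent.exe 2836 2728 0x0000000006c2e000 2018-08-04 19:27:07 UTC+0000
0x000000007e6e3870 chrome.exe 4076 2728 0x0000000033cdc000 2018-08-04 19:29:30 UTC+0000
"""
NETSCAN_SAMPLE = """\
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6424c0 UDPv4 0.0.0.0:50762 *:* 4076 chrome.exe 2018-08-04 19:33:37 UTC+0000
0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe
"""

# psscan row: offset, name (may contain spaces, e.g. "Rick And Morty"), PID, PPID, PDB ...
PS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+\s")
# netscan row: offset, proto, local, foreign, optional TCP state (UDP has none), PID, owner ...
NET_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)")


def parse_psscan(text):
    """Map PID -> process name; header and other non-row lines are ignored."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(3))] = m.group(2)
    return procs


def parse_netscan(text):
    """One dict per netscan row; UDP rows carry no state, so state is None."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            rows.append({"proto": m.group(2), "local": m.group(3), "foreign": m.group(4),
                         "state": m.group(5), "pid": int(m.group(6)), "owner": m.group(7)})
    return rows


def foreign_endpoints(name, psscan_text, netscan_text):
    """Remote peers of every PID whose psscan name equals `name`.
    Joining on PID (not on netscan's Owner column) still works when the owner
    field is blank or misleading; wildcard (*:*) rows are listeners and are dropped."""
    pids = {pid for pid, n in parse_psscan(psscan_text).items() if n == name}
    return sorted((r["proto"], r["foreign"], r["state"])
                  for r in parse_netscan(netscan_text)
                  if r["pid"] in pids and r["foreign"] != "*:*")
```

Running `foreign_endpoints("LunarMS.exe", PSSCAN_SAMPLE, NETSCAN_SAMPLE)` yields the single CLOSED TCP connection to 77.102.199.102:7575 found above.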