OtterCTF Writeup Memory Forensics 4 - Name Game 100

Memory Forensics

4 - Name Game 100

We know that the account was logged in to a channel called Lunar-3. What is the account name?

format: CTF{flag}

Continuing with the same memory dump.

First find the game client process (LunarMS.exe) and dump its memory.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" psscan
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d403610 mscorsvw.exe        412    492 0x0000000040d28000 2018-08-04 19:28:42 UTC+0000
0x000000007d686b30 Rick And Morty     3820   2728 0x000000000b59a000 2018-08-04 19:32:55 UTC+0000
0x000000007d6a7b30 bittorrentie.e     2308   2836 0x0000000076ada000 2018-08-04 19:27:19 UTC+0000
0x000000007d6c9b30 bittorrentie.e     2624   2836 0x00000000761f5000 2018-08-04 19:27:21 UTC+0000
0x000000007d7cb740 LunarMS.exe         708   2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000
0x000000007d832060 sppsvc.exe         2500    492 0x000000000ae7b000 2018-08-04 19:26:58 UTC+0000
0x000000007d87e060 explorer.exe       2728   2696 0x000000000873f000 2018-08-04 19:27:04 UTC+0000
0x000000007d890b30 BitTorrent.exe     2836   2728 0x0000000006c2e000 2018-08-04 19:27:07 UTC+0000

(snip)

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" memdump -p 708 -D ./

LunarMS.exe is PID 708, so memdump writes its address space to 708.dmp. Open that file in a hex editor and search for the channel name Lunar-3; the account name is stored right next to it.


FLAG:CTF{0tt3r8r33z3} 
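The hex-editor search above can be scripted, which helps when a string appears many times or is stored as a Windows wide string. The following is an added example, not code from the original writeup: it finds every ASCII and UTF-16LE occurrence of the channel name in a dump and lists the printable strings within a window around each hit, which is where the account name turns up. The bytes in SAMPLE_DUMP are constructed for the demo (the names in it are made up and its layout is not that of OtterCTF.vmem); against the real dump you would read 708.dmp from memdump instead.

```python
import re

# Constructed sample "dump": a few ASCII and UTF-16LE strings with binary junk
# between them. Made-up data for the demo, not bytes from OtterCTF.vmem.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MapleStory\x00\x00"
    + "Lunar-3".encode("utf-16-le") + b"\x00\x00"   # wide-string occurrence
    + b"\x90\x90\xcc\xcc"
    + b"examplename\x00"                            # made-up neighbouring string
    + b"\xff" * 32
    + b"channel=Lunar-3&user=exampleuser\x00"        # ASCII occurrence
    + b"\x00" * 16
)


def ascii_strings(data, min_len=4):
    """Yield (offset, text) for runs of printable ASCII, like the `strings` tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def utf16le_strings(data, min_len=4):
    """Yield (offset, text) for runs of printable UTF-16LE (Windows wide strings)."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")


def find_needle(data, needle):
    """Return sorted (offset, encoding) pairs for every ASCII and UTF-16LE hit."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        nb = needle.encode(enc)
        start = 0
        while (i := data.find(nb, start)) != -1:
            hits.append((i, enc))
            start = i + 1
    return sorted(hits)


def strings_near(data, needle, window=64, min_len=4):
    """Map each hit to the printable strings found within +/- window bytes of it."""
    out = {}
    for off, enc in find_needle(data, needle):
        lo = max(0, off - window)
        hi = min(len(data), off + len(needle.encode(enc)) + window)
        region = data[lo:hi]
        found = set()
        for base, s in list(ascii_strings(region, min_len)) + list(utf16le_strings(region, min_len)):
            found.add((lo + base, s))      # translate back to absolute offsets
        out[(off, enc)] = sorted(found)
    return out


if __name__ == "__main__":
    # For the real case: data = open("708.dmp", "rb").read()
    data = SAMPLE_DUMP
    for (off, enc), strs in strings_near(data, "Lunar-3").items():
        print(f"hit at 0x{off:x} ({enc}):")
        for soff, s in strs:
            print(f"  0x{soff:x}: {s}")
```

Searching both encodings matters on Windows targets: a client can keep the same value as a narrow C string in one buffer and as a wide string in another, and a hex editor's plain text search only finds the first.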

Carving the dump with bulk_extractor also gave it away: the same name shows up as the username in a "register" entry.
