はまやんはまやんはまやん

hamayanhamayan's blog

notes [UMassCTF 2021]

Volatility

Let's analyze it.

$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a3b0a0L
          Number of Processors : 6
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a3cd00L
                KPCR for CPU 1 : 0xfffff880009f1000L
                KPCR for CPU 2 : 0xfffff88002ea9000L
                KPCR for CPU 3 : 0xfffff88002f1f000L
                KPCR for CPU 4 : 0xfffff88002f95000L
                KPCR for CPU 5 : 0xfffff88002fcb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-03-20 18:16:12 UTC+0000
     Image local date and time : 2021-03-20 13:16:12 -0500

For now, let's try the first suggested profile.

$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem  --profile=Win7SP1x64  pslist -P
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x000000003ff5f040 System                    4      0    173      526 ------      0 2021-03-20 18:57:47 UTC+0000
0x000000003e832b30 smss.exe                572      4      3       34 ------      0 2021-03-20 18:57:47 UTC+0000
0x000000003e4287f0 csrss.exe               656    640     10      394      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ec6e7c0 wininit.exe             688    640      3       82      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ff6d240 csrss.exe               708    696     10      249      1      0 2021-03-20 18:57:49 UTC+0000
0x000000003edf4b30 services.exe            744    688      8      205      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003eaecb30 lsass.exe               760    688      9      564      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ec497c0 lsm.exe                 768    688     10      149      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003eb95b30 svchost.exe             868    744     10      371      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003e8ce680 VBoxService.ex          928    744     13      146      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ed974e0 svchost.exe             988    744      8      268      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003ec9d060 svchost.exe             604    744     20      476      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e9e62d0 svchost.exe             736    744     17      458      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e9eab30 svchost.exe             980    744     27      791      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e655b30 svchost.exe            1164    744     16      486      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e405890 svchost.exe            1264    744     16      426      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e423b30 spoolsv.exe            1356    744     12      311      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003ed55890 svchost.exe            1384    744     17      317      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e53d060 svchost.exe            1480    744     16      310      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e54eb30 WLIDSVC.EXE            1572    744      8      257      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e17a910 SearchIndexer.         1888    744     14      673      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e1eb2e0 winlogon.exe           2004    696      3      116      1      0 2021-03-20 17:57:53 UTC+0000
0x000000003dec7b30 WLIDSVCM.EXE            696   1572      3       58      0      0 2021-03-20 17:57:53 UTC+0000
0x000000003dfa5060 taskhost.exe           2156    744      8      152      1      0 2021-03-20 17:57:53 UTC+0000
0x000000003e1beb30 dwm.exe                2236    736      3       94      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003e218060 explorer.exe           2288   2216     27      898      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003dc1db30 VBoxTray.exe           2432   2288     15      156      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003dfe2b30 wmpnetwk.exe           2736    744      9      219      0      0 2021-03-20 17:58:00 UTC+0000
0x000000003facc460 FTK Imager.exe         1552   2708     17      429      1      0 2021-03-20 17:59:24 UTC+0000
0x000000003fe0f060 notepad.exe            2696   2288      4      309      1      0 2021-03-20 17:59:34 UTC+0000
0x000000003fe26b30 mscorsvw.exe           2104    744      7       92      0      1 2021-03-20 17:59:53 UTC+0000
0x000000003dd82590 mscorsvw.exe           1724    744      7       87      0      0 2021-03-20 17:59:53 UTC+0000
0x000000003e573090 SearchProtocol         3292   1888      8      284      0      0 2021-03-20 18:15:53 UTC+0000
0x000000003eb3e4e0 SearchFilterHo         1740   1888      5      103      0      0 2021-03-20 18:15:53 UTC+0000

OK. Wondering what notepad.exe has open, let's list the files.

$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem  --profile=Win7SP1x64 filescan

0x000000003fdccf20     16      0 RW-rw- \Device\HarddiskVolume2\Users\user\Desktop\passwords.txt

A lot of entries come out, but the line of interest is this one. Let's dump it.

$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem  --profile=Win7SP1x64 dumpfiles -D . -Q 0x000000003fdccf20 --name
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fdccf20   None   \Device\HarddiskVolume2\Users\user\Desktop\passwords.txt

The contents are VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg==, and decoding it in CyberChef gives the flag: UMASS{$3CUR3_$70Rag3}
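As an added example (not part of the original writeup), a small Python helper that parses Volatility 2 pslist rows like the ones above into a PID map, flags processes whose parent is missing from the listing, lists the children of explorer.exe, and decodes the base64 text that dumpfiles recovered from passwords.txt. The sample rows are copied from the pslist output above; the function names are my own.

```python
import base64
import re

# Regex for one Volatility 2 pslist row; the name column may contain spaces
# ("FTK Imager.exe"), so the row is anchored on the start-time column instead.
PSLIST_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)"
)

# Constructed sample: a subset of the pslist rows shown above, same column layout.
PSLIST_OUTPUT = """\
Offset(P)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x000000003ff5f040 System                    4      0    173      526 ------      0 2021-03-20 18:57:47 UTC+0000
0x000000003e832b30 smss.exe                572      4      3       34 ------      0 2021-03-20 18:57:47 UTC+0000
0x000000003e218060 explorer.exe           2288   2216     27      898      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003dc1db30 VBoxTray.exe           2432   2288     15      156      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003facc460 FTK Imager.exe         1552   2708     17      429      1      0 2021-03-20 17:59:24 UTC+0000
0x000000003fe0f060 notepad.exe            2696   2288      4      309      1      0 2021-03-20 17:59:34 UTC+0000
"""

def parse_pslist(text):
    """Return {pid: row} for every data row; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("pid", "ppid", "thds", "hnds"):
                row[key] = int(row[key])
            procs[row["pid"]] = row
    return procs

def orphans(procs):
    """PIDs whose parent is absent from the listing (parent exited, or its PID was
    reused). Normal for explorer.exe and console-launched tools, so a triage cue only."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] != 0 and p["ppid"] not in procs)

def children_of(procs, parent_name):
    """Names of processes whose parent (by PPID) carries the given image name."""
    return sorted(p["name"] for p in procs.values()
                  if procs.get(p["ppid"], {}).get("name") == parent_name)

def decode_dumped_file(raw):
    """Decode the base64 text recovered with dumpfiles (the content of passwords.txt)."""
    return base64.b64decode(raw).decode("utf-8").strip()
```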