Notice
Recent Posts
Recent Comments
«   2024/03   »
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31
Tags
more
Archives
Today
Total
관리 메뉴

CHIqueen

Securinets Time matters 본문

포렌식/CTF

Securinets Time matters

CHIqueen 2020. 3. 24. 15:50

솔직히 많이 못만든 문제

문제 설명도 구대기고 정확히 뭘 원하는지 모르는 문제

 

$ vol.py -f for1.raw kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2785b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86_23418
Version64                     : 0x2785b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x8279ad70
PsLoadedModuleList            : 0x827a2730
KernelBase                    : 0x8264e000

**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2785b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86
Version64                     : 0x2785b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x8279ad70
PsLoadedModuleList            : 0x827a2730
KernelBase                    : 0x8264e000

**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2785b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x86
Version64                     : 0x2785b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x8279ad70
PsLoadedModuleList            : 0x827a2730
KernelBase                    : 0x8264e000

Win7SP1x86

 

프로세스를 한번 보자

$ vol.py -f for1.raw --profile=Win7SP1x86_23418 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x839af9d0 System                    4      0     85      529 ------      0 2020-03-20 12:38:06 UTC+0000                                 
0x8485c880 smss.exe                280      4      2       29 ------      0 2020-03-20 12:38:06 UTC+0000                                 
0x848bc540 csrss.exe               356    348      8      467      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x84929030 wininit.exe             392    348      3       76      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x849296d8 csrss.exe               400    384      8      316      1      0 2020-03-20 12:38:07 UTC+0000                                 
0x84b2dd20 winlogon.exe            440    384      5      118      1      0 2020-03-20 12:38:07 UTC+0000                                 
0x850ef458 services.exe            484    392      8      195      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x85100698 lsass.exe               492    392      9      738      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x850f8620 lsm.exe                 500    392     10      148      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x85148030 svchost.exe             608    484     13      365      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x85155030 VBoxService.ex          668    484     13      125      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x85165b40 svchost.exe             724    484      7      285      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x85183578 svchost.exe             776    484     24      520      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851ae4e8 svchost.exe             896    484     31      552      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851c5030 svchost.exe             940    484     33      505      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851ce030 svchost.exe             984    484     38      827      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851d3310 audiodg.exe            1036    776      5      125      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x8bee6030 svchost.exe            1072    484      5      118      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x85211af8 svchost.exe            1260    484     18      384      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x8523c790 spoolsv.exe            1360    484     17      298      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x85255d20 svchost.exe            1396    484     19      306      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x852e3688 svchost.exe            1496    484     28      293      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x842f41a8 taskhost.exe            296    484     12      228      1      0 2020-03-20 12:38:25 UTC+0000                                 
0x8540f730 taskeng.exe             384    984      8       93      0      0 2020-03-20 12:38:25 UTC+0000                                 
0x84986b30 dwm.exe                 476    896      5       77      1      0 2020-03-20 12:38:25 UTC+0000                                 
0x8505f030 explorer.exe            328    404     38      883      1      0 2020-03-20 12:38:25 UTC+0000                                 
0x85456760 VBoxTray.exe           1888    328     13      138      1      0 2020-03-20 12:38:26 UTC+0000                                 
0x8546e7b8 GoogleUpdate.e         1240    384      6      114      0      0 2020-03-20 12:38:26 UTC+0000                                 
0x85421510 SearchIndexer.         1236    484     13      612      0      0 2020-03-20 12:38:33 UTC+0000                                 
0x8547ad20 wmpnetwk.exe           2056    484     16      439      0      0 2020-03-20 12:38:33 UTC+0000                                 
0x854acc28 SearchProtocol         2136   1236      8      262      1      0 2020-03-20 12:38:34 UTC+0000                                 
0x847fba38 SearchFilterHo         2176   1236      6       84      0      0 2020-03-20 12:38:34 UTC+0000                                 
0x854dad20 chrome.exe             2288    328     29      666      1      0 2020-03-20 12:38:34 UTC+0000                                 
0x854e7848 svchost.exe            2336    484     11      355      0      0 2020-03-20 12:38:34 UTC+0000                                 
0x854e92a0 chrome.exe             2356   2288      8       64      1      0 2020-03-20 12:38:34 UTC+0000                                 
0x85575810 WmiPrvSE.exe           2524    608     15      317      0      0 2020-03-20 12:38:36 UTC+0000                                 
0x85597030 chrome.exe             2588   2288      2       55      1      0 2020-03-20 12:38:36 UTC+0000                                 
0x842fed20 chrome.exe             2692   2288     14      301      1      0 2020-03-20 12:38:37 UTC+0000                                 
0x842fdbb0 chrome.exe             2888   2288     10      170      1      0 2020-03-20 12:38:39 UTC+0000                                 
0x854beb98 WmiPrvSE.exe           3040    608      7      129      0      0 2020-03-20 12:38:40 UTC+0000                                 
0x8431ed20 chrome.exe             3260   2288     13      224      1      0 2020-03-20 12:38:43 UTC+0000                                 
0x847f8d20 software_repor         3344   2288     11      197      1      0 2020-03-20 12:38:45 UTC+0000                                 
0x856a7328 software_repor         3356   3344      7       82      1      0 2020-03-20 12:38:46 UTC+0000                                 
0x84804c28 WmiApSrv.exe           3468    484      7      116      0      0 2020-03-20 12:38:47 UTC+0000                                 
0x84816410 software_repor         3500   3344      3      106      1      0 2020-03-20 12:38:48 UTC+0000                                 
0x84884c28 software_repor         3792   3344      2       96      1      0 2020-03-20 12:39:00 UTC+0000

딱히 크롬말곤 없다

 

$ vol.py -f for1.raw --profile=Win7SP1x86 cmdscan
$ vol.py -f for1.raw --profile=Win7SP1x86 consoles
$ vol.py -f for1.raw --profile=Win7SP1x86 screenshot -D ./
$ vol.py -f for1.raw --profile=Win7SP1x86_23418 clipboard

뭐 없다

그나마 스크린샷 했을때 

FolderView외엔 뭐 없는것 크롬은 안쓴거 같다.

 

$ vol.py -f for1.raw --profile=Win7SP1x86 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  studio           studio-PC        Messi2020                               
wdigest  STUDIO-PC$       WORKGROUP

mimikatz결과다. 원래 설정을 잘 안하는 편인데 비번이 있는걸보니 일단 킵 해두자

$ vol.py -f for1.raw --profile=Win7SP1x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8ee14888 0x1af1a888 \Device\HarddiskVolume1\Boot\BCD
0x8ee414c8 0x1aba04c8 \SystemRoot\System32\Config\SOFTWARE
0x9025f008 0x158fd008 \SystemRoot\System32\Config\DEFAULT
0x903ce9c8 0x149ff9c8 \SystemRoot\System32\Config\SAM
0x903ef9c8 0x18ff19c8 \SystemRoot\System32\Config\SECURITY
0x98d229c8 0x075a19c8 \??\C:\Users\studio\AppData\Local\Microsoft\Windows\UsrClass.dat
0x8740a6a8 0x1ba366a8 [no name]
0x87418218 0x1b8bc218 \REGISTRY\MACHINE\SYSTEM
0x87438590 0x1bc5c590 \REGISTRY\MACHINE\HARDWARE
0x880f82c0 0x18b3e2c0 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x881b02e0 0x04e052e0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x89165008 0x08e35008 \??\C:\Users\studio\ntuser.dat

hivelist를 통해 레지스트리에서 최근 실행 UserAssist를 뽑을것이다.

0x89165008

UserAssist는 중간에 GUID때문에 두번 진행해 줘야한다.

$ vol.py -f for1.raw --profile=Win7SP1x86 printkey -o 0x89165008 -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\studio\ntuser.dat
Key name: UserAssist (S)
Last updated: 2020-03-20 12:15:20 UTC+0000

Subkeys:
  (S) {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
  (S) {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}

Values:
$ vol.py -f for1.raw --profile=Win7SP1x86 printkey -o 0x89165008 -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" | grep REG_BINARY
Volatility Foundation Volatility Framework 2.6
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax : (S) 
REG_BINARY    HRZR_PGYFRFFVBA : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax : (S) 
REG_BINARY    {N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax : (S) 
REG_BINARY    ::{RQ228SQS-9RN8-4870-83O1-96O02PSR0Q52}\{00Q8862O-6453-4957-N821-3Q98Q74P76OR} : (S) 
REG_BINARY    HRZR_PGYPHNPbhag:pgbe : (S) 
REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Vagrearg Rkcybere.yax : (S) 
REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Jvaqbjf Rkcybere.yax : (S) 
REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Tbbtyr Puebzr.yax : (S) 

어처구니 없다

RT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Welcome Center.lnk : (F) 
ERT_OVANEL    UEME_CTLSESSION : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Media Center.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Calculator.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Sticky Notes.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Snipping Tool.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Paint.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Remote Desktop Connection.lnk : (F) 
ERT_OVANEL    {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Accessibility\Magnify.lnk : (F) 
ERT_OVANEL    ::{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\{00D8862B-6453-4957-A821-3D98D74C76BE} : (F) 
ERT_OVANEL    UEME_CTLCUACount:ctor : (F) 
ERT_OVANEL    {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Internet Explorer.lnk : (F) 
ERT_OVANEL    {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Windows Explorer.lnk : (F) 
ERT_OVANEL    {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Google Chrome.lnk : (F)

윈도우 설치하고 그냥 파일 복붙하고 사람들 속일라고 크롬킨거 같다.

 

그럼 남은건 filescan밖에 없다.

$ vol.py -f for1.raw --profile=Win7SP1x86 filescan | grep "Desktop"
Volatility Foundation Volatility Framework 2.6
0x000000001e200038      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop
0x000000001e203d58      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000001e203e10      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000001e246af0      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop
0x000000001e24a0e8      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\steghide
0x000000001e24bcd0      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\steghide
0x000000001e45e730      8      0 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\DS0394.jpg
0x000000001e5cbe40      8      0 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop\desktop.ini
0x000000001ed2fa30      8      0 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\desktop.ini
0x000000001ee76f80      8      0 R--rwd \Device\HarddiskVolume2\Users\studio\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini

steghide랑 사진이 있다.

어이x

$ vol.py -f for1.raw --profile=Win7SP1x86 mftparser | grep Desktop
Volatility Foundation Volatility Framework 2.6
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Scenes\Desktop.ini
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 12:19:20 UTC+0000 2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   Users\Public\Desktop\GOOGLE~1.LNK
2020-03-20 12:19:20 UTC+0000 2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   Users\Public\Desktop\Google Chrome.lnk
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide
2020-03-20 21:05:22 UTC+0000 2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   DesktopWindowsMgmt.dll
2020-03-20 21:05:22 UTC+0000 2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   DesktopWindowsMgmt.dll
2020-03-20 12:33:35 UTC+0000 2020-03-20 12:33:35 UTC+0000   2020-03-20 12:33:35 UTC+0000   2020-03-20 12:33:35 UTC+0000   Users\studio\Desktop\DS0394.jpg
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\todo.txt
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\SendTo\Desktop.ini
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\SendTo\Desktop (create shortcut).DeskLink
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\MAINTE~1\Desktop.ini
2020-03-20 21:05:08 UTC+0000 2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   Microsoft-Windows-RemoteDesktopClient-BlueIP-Package~31bf3856ad364e35~x86~en-US~7.2.7601.16415.cat
2020-03-20 21:05:08 UTC+0000 2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   Microsoft-Windows-RemoteDesktopClient-BlueIP-Package~31bf3856ad364e35~x86~en-US~7.2.7601.16415.cat
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\MANUAL~1.PDF
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\manual_es.pdf
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Users\Public\Desktop\desktop.ini
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\cygwin1.dll
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\bugs.txt
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\copying.txt
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\Accessibility\Desktop.ini
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\Desktop.ini
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\Shows Desktop.lnk
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\System Tools\Desktop.ini
2020-03-20 12:15:20 UTC+0000 2020-03-20 12:15:20 UTC+0000   2020-03-20 12:15:20 UTC+0000   2020-03-20 12:15:20 UTC+0000   Users\studio\Links\Desktop.lnk
00000000b0: 75 64 69 6f 5c 44 65 73 6b 74 6f 70 00 0a 00 2e   udio\Desktop....
2020-03-20 21:05:03 UTC+0000 2020-03-20 21:05:03 UTC+0000   2020-03-20 21:05:03 UTC+0000   2020-03-20 21:05:03 UTC+0000   Users\Public\Desktop
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\Desktop
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 21:07:40 UTC+0000 2020-03-20 21:07:40 UTC+0000   2020-03-20 21:07:40 UTC+0000   2020-03-20 21:07:40 UTC+0000   ProgramData\Desktop
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini

 출제자의 Time zone은 모르지만 아까 screenshot을 했을때 시간은 11:39분 DS0394.jpg 파일의 생성시간은 2020-03-20 12:33:35 UTC+0000 더 웃긴건 steghide 생성시간이다. 2020-03-20 12:35:00 UTC+0000

 

$ vol.py -f for1.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001e45e730 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e45e730   None   \Device\HarddiskVolume2\Users\studio\Desktop\DS0394.jpg

추출한 이미지다

하지만 steghide로 풀어줘야한다.

 

비번은 아까 mimikatz로 봤던 Messi2020같지만 아니다

저 사진은 보면 2019년에 찍혀있다. 그래서 Messi2019로 했더니 성공

PS C:\Users\CHIqueen\Downloads\steghide> .\steghide.exe extract -sf .\DS0394.jpg
Enter passphrase: 
wrote extracted data to "image.png".

Securinets{c7e2723752111ed983249627a3d752d6}

'포렌식 > CTF' 카테고리의 다른 글

UMDCTF Sensitive  (0) 2020.04.22
Securinets Time Problems  (0) 2020.03.24
Pragyan CTF 2019 Late PR  (0) 2019.03.17
Pragyan CTF 2019 Slow Realization  (0) 2019.03.17
Pragyan CTF 2019 Save Earth  (0) 2019.03.17
Comments