Notice
Recent Posts
Recent Comments
«   2024/12   »
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31
Tags
more
Archives
Today
Total
관리 메뉴

CHIqueen

Securinets Time Problems 본문

포렌식/CTF

Securinets Time Problems

CHIqueen 2020. 3. 24. 16:29

시작해보자

$ vol.py -f for2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/sansforensics/Desktop/for2.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8273fb78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x80b96000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2020-03-20 11:58:05 UTC+0000
     Image local date and time : 2020-03-20 12:58:05 +0100

Win7SP1

이번에도 프로세스를보자

$ vol.py -f for2.raw --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x839af9d0 System                    4      0     82      507 ------      0 2020-03-20 11:55:28 UTC+0000                                 
0x848f6438 smss.exe                276      4      2       29 ------      0 2020-03-20 11:55:28 UTC+0000                                 
0x84abc030 csrss.exe               352    344      8      397      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x83a1ab10 wininit.exe             388    344      3       76      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x83a1a308 csrss.exe               396    380      8      307      1      0 2020-03-20 11:55:31 UTC+0000                                 
0x84a37d20 winlogon.exe            436    380      4      113      1      0 2020-03-20 11:55:31 UTC+0000                                 
0x853f5638 services.exe            480    388      9      196      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x854fa030 lsass.exe               488    388      7      501      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x85501550 lsm.exe                 496    388     10      151      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x8555f8b8 svchost.exe             600    480     11      357      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x8557f030 VBoxService.ex          664    480     14      127      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x8558e250 svchost.exe             720    480      7      259      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x855a2c68 svchost.exe             772    480     21      454      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x855d73e8 svchost.exe             876    480     21      443      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x855f7030 svchost.exe             932    480     16      302      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x855ff030 svchost.exe             976    480     39      947      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x856062e0 audiodg.exe            1028    772      5      115      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x8560d778 svchost.exe            1064    480      5      115      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x85634a48 svchost.exe            1184    480     19      385      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x84c43d20 spoolsv.exe            1304    480     17      301      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x84d58b00 svchost.exe            1352    480     21      314      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x847c2b70 taskhost.exe           1456    480     10      186      1      0 2020-03-20 11:55:34 UTC+0000                                 
0x847d28c8 dwm.exe                1528    876      4       75      1      0 2020-03-20 11:55:34 UTC+0000                                 
0x847e09f8 explorer.exe           1568   1520     22      670      1      0 2020-03-20 11:55:34 UTC+0000                                 
0x8481e030 svchost.exe            1620    480     15      229      0      0 2020-03-20 11:55:34 UTC+0000                                 
0x8488c4c8 taskeng.exe            1776    976      6       83      0      0 2020-03-20 11:55:34 UTC+0000                                 
0x8490b030 VBoxTray.exe           2036   1568     14      138      1      0 2020-03-20 11:55:35 UTC+0000                                 
0x849b9498 SearchIndexer.          856    480     14      591      0      0 2020-03-20 11:55:41 UTC+0000                                 
0x8493bd20 chrome.exe             2320   1568     34      894      1      0 2020-03-20 11:56:56 UTC+0000                                 
0x849865c8 chrome.exe             2352   2320      9       76      1      0 2020-03-20 11:56:56 UTC+0000                                 
0x84852590 chrome.exe             2384   2320      3       55      1      0 2020-03-20 11:56:57 UTC+0000                                 
0x84853488 chrome.exe             2496   2320     17      324      1      0 2020-03-20 11:56:57 UTC+0000                                 
0x83b6dd20 chrome.exe             2716   2320     11      200      1      0 2020-03-20 11:56:59 UTC+0000                                 
0x83b50030 WmiPrvSE.exe           2724    600      9      148      0      0 2020-03-20 11:56:59 UTC+0000                                 
0x84874100 WmiPrvSE.exe           3160    600     15      323      0      0 2020-03-20 11:57:08 UTC+0000                                 
0x8554fc70 chrome.exe             3196   2320     14      309      1      0 2020-03-20 11:57:09 UTC+0000                                 
0x8553d030 chrome.exe             3300   2320     16      245      1      0 2020-03-20 11:57:11 UTC+0000                                 
0x83bf3a40 WmiApSrv.exe           3308    480      7      116      0      0 2020-03-20 11:57:11 UTC+0000                                 
0x85424d20 chrome.exe             3344   2320     12      176      1      0 2020-03-20 11:57:12 UTC+0000                                 
0x8bdfe960 chrome.exe             3364   2320     15      296      1      0 2020-03-20 11:57:13 UTC+0000                                 
0x83af9d20 mscorsvw.exe           3680    480      6       78      0      0 2020-03-20 11:57:42 UTC+0000                                 
0x83bf7d20 sppsvc.exe             3808    480      6      151      0      0 2020-03-20 11:57:43 UTC+0000         

크롬을 읽어보자

 

그리고 왜인지 모르겠는데 chrome관련 플러그인이 안먹힌다.

크롬 History를 직접 추출했다.

$ vol.py -f for2.raw --profile=Win7SP1x86 filescan | grep History
Volatility Foundation Volatility Framework 2.6
0x000000001e3d5f80      5      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
0x000000001ec096a8     17      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History-journal
$ vol.py -f for2.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001e3d5f80 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History

안열린다 파일이 깨진건가

직접 읽자

 http를 검색해서 읽어 내려가보자

 

https://www.youtube.com/watch?v=wQoVjMMYWJ4
https://twitter.com/neymarjr/status/1217902956475047937
https://www.youtube.com/watch?v=BPi3ePVFRik
https://www.youtube.com/results?search_query=neymar+santos
http://52.205.164.112/
https://www.youtube.com/watch?v=c2JVTzQXryo
https://en.as.com/en/2020/03/18/football/1584532775_474206.html
https://www.google.com/search?ei=5qx0XvCVA4Xga5W3tJgF&q=corona+neymar&oq=corona+neymar&gs_l=psy-ab.3..0i22i30l2.3169.3969..4124...1.0..0.164.934.1j7......0....1..gws-wiz.......0i7i30j0i67j0._2KGdyv2UOI&ved=0ahUKEwjwoOWZ_ajoAhUF8BoKHZUbDVMQ4dUDCAs&uact=5
https://www.google.com/search?ei=36x0XoaaKYqmaLjViZgP&q=corona+italy&oq=corona+italy&gs_l=psy-ab.3..0l7.3997.4646..4809...1.0..0.171.779.4j3......0....1..gws-wiz.......0i324j0i7i30j0i7i10i30j0i8i30j38j0i10.WhwobcUikfw&ved=0ahUKEwjGheCW_ajoAhUKExoKHbhqAvMQ4dUDCAs&uact=5
https://www.google.com/search?ei=t6x0XreFKaGYlwSunraQCQ&q=corona+tunisie&oq=corona+tunisie&gs_l=psy-ab.3...37855.38694..38860...3.0..0.130.888.6j3......0....1..gws-wiz.......0i67j0j0i10.CYJAtwdExKQ&ved=0ahUKEwj3vNaD_ajoAhUhzIUKHS6PDZIQ4dUDCAs&uact=5
https://www.youtube.com/watch?v=X_EKflm9Eso
https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/world-map.html
https://www.nytimes.com/interactive/2020/world/coronavirus-maps.html
https://www.google.com/search?q=corona+map&oq=corona+map&aqs=chrome..69i57j0l7.7296j0j7&sourceid=chrome&ie=UTF-8
https://www.instagram.com/p/B87Wkf6gM2u/
https://www.instagram.com/p/B9FAtOtgKd9/
https://www.instagram.com/p/B9CU5rtgzdt/
https://www.youtube.com/watch?v=E-7qra5xs6E
https://activedreamers.com/
http://www.activedreamers.com/
https://l.instagram.com/?u=http%3A%2F%2Fwww.activedreamers.com%2F&e=ATOsHBx0JL2HM556yq-zdsWbPMufWGXrkbsw_TlMFBW5pig9pp7g_TRQxiX_yc3CULlwA9RL&s=1
https://www.youtube.com/results?search_query=neymar+best+skills
https://www.instagram.com/neymarjr/?hl=en
https://www.youtube.com/
https://youtube.com/
http://youtube.com/
https://www.google.com/search?ei=Nqx0Xuf_LqielwTxhpn4DA&q=neymar+instagram&oq=neymar+instagram&gs_l=psy-ab.3..0i67i70i251j0i67j0l8.6683.8241..8499...0.0..0.143.298.2j1......0....1..gws-wiz.......0i7i30.0Rj8Kayt_Kk&ved=0ahUKEwjn8prG_KjoAhUoz4UKHXFDBs8Q4dUDCAs&uact=5
https://twitter.com/neymarjr?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor(Uhttps://en.wikipedia.org/wiki/Neymar
https://www.google.com/search?q=neymar&oq=neymar&aqs=chrome..69i57j46j0l6.1797j0j7&sourceid=chrome&ie=UTF-8

축구팬인가 네이마르 검색이 많다 그리고 52.205.164.112가 눈에 띈다

 

하지만 들어가보면 flag가 마감이라 한다.

그 말은 그 전에는 flag를 제공했다는 것이니  우린 http://timetravel.mementoweb.org/

 

Time Travel

 

timetravel.mementoweb.org

이것을 이용하면 된다.

 

그럼 18일에 제공했었던걸 알 수 있다.

 

Securinets{█████_1s_my_f4vorit3_Pl4yer}

 

이렇게 나와있는데

저 빈칸은 네이마르 일것이다.

Securinets{neymar_1s_my_f4vorit3_Pl4yer}

'포렌식 > CTF' 카테고리의 다른 글

UMDCTF A Nation State Musical  (0) 2020.04.22
UMDCTF Sensitive  (0) 2020.04.22
Securinets Time matters  (0) 2020.03.24
Pragyan CTF 2019 Late PR  (0) 2019.03.17
Pragyan CTF 2019 Slow Realization  (0) 2019.03.17
Comments