CHIqueen
Securinets Time Problems
Let's get started.
$ vol.py -f for2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/sansforensics/Desktop/for2.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x8273fb78L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x80b96000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-03-20 11:58:05 UTC+0000
Image local date and time : 2020-03-20 12:58:05 +0100
Win7SP1
As before, let's look at the processes first.
$ vol.py -f for2.raw --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x839af9d0 System 4 0 82 507 ------ 0 2020-03-20 11:55:28 UTC+0000
0x848f6438 smss.exe 276 4 2 29 ------ 0 2020-03-20 11:55:28 UTC+0000
0x84abc030 csrss.exe 352 344 8 397 0 0 2020-03-20 11:55:31 UTC+0000
0x83a1ab10 wininit.exe 388 344 3 76 0 0 2020-03-20 11:55:31 UTC+0000
0x83a1a308 csrss.exe 396 380 8 307 1 0 2020-03-20 11:55:31 UTC+0000
0x84a37d20 winlogon.exe 436 380 4 113 1 0 2020-03-20 11:55:31 UTC+0000
0x853f5638 services.exe 480 388 9 196 0 0 2020-03-20 11:55:31 UTC+0000
0x854fa030 lsass.exe 488 388 7 501 0 0 2020-03-20 11:55:31 UTC+0000
0x85501550 lsm.exe 496 388 10 151 0 0 2020-03-20 11:55:31 UTC+0000
0x8555f8b8 svchost.exe 600 480 11 357 0 0 2020-03-20 11:55:32 UTC+0000
0x8557f030 VBoxService.ex 664 480 14 127 0 0 2020-03-20 11:55:32 UTC+0000
0x8558e250 svchost.exe 720 480 7 259 0 0 2020-03-20 11:55:32 UTC+0000
0x855a2c68 svchost.exe 772 480 21 454 0 0 2020-03-20 11:55:32 UTC+0000
0x855d73e8 svchost.exe 876 480 21 443 0 0 2020-03-20 11:55:32 UTC+0000
0x855f7030 svchost.exe 932 480 16 302 0 0 2020-03-20 11:55:33 UTC+0000
0x855ff030 svchost.exe 976 480 39 947 0 0 2020-03-20 11:55:33 UTC+0000
0x856062e0 audiodg.exe 1028 772 5 115 0 0 2020-03-20 11:55:33 UTC+0000
0x8560d778 svchost.exe 1064 480 5 115 0 0 2020-03-20 11:55:33 UTC+0000
0x85634a48 svchost.exe 1184 480 19 385 0 0 2020-03-20 11:55:33 UTC+0000
0x84c43d20 spoolsv.exe 1304 480 17 301 0 0 2020-03-20 11:55:33 UTC+0000
0x84d58b00 svchost.exe 1352 480 21 314 0 0 2020-03-20 11:55:33 UTC+0000
0x847c2b70 taskhost.exe 1456 480 10 186 1 0 2020-03-20 11:55:34 UTC+0000
0x847d28c8 dwm.exe 1528 876 4 75 1 0 2020-03-20 11:55:34 UTC+0000
0x847e09f8 explorer.exe 1568 1520 22 670 1 0 2020-03-20 11:55:34 UTC+0000
0x8481e030 svchost.exe 1620 480 15 229 0 0 2020-03-20 11:55:34 UTC+0000
0x8488c4c8 taskeng.exe 1776 976 6 83 0 0 2020-03-20 11:55:34 UTC+0000
0x8490b030 VBoxTray.exe 2036 1568 14 138 1 0 2020-03-20 11:55:35 UTC+0000
0x849b9498 SearchIndexer. 856 480 14 591 0 0 2020-03-20 11:55:41 UTC+0000
0x8493bd20 chrome.exe 2320 1568 34 894 1 0 2020-03-20 11:56:56 UTC+0000
0x849865c8 chrome.exe 2352 2320 9 76 1 0 2020-03-20 11:56:56 UTC+0000
0x84852590 chrome.exe 2384 2320 3 55 1 0 2020-03-20 11:56:57 UTC+0000
0x84853488 chrome.exe 2496 2320 17 324 1 0 2020-03-20 11:56:57 UTC+0000
0x83b6dd20 chrome.exe 2716 2320 11 200 1 0 2020-03-20 11:56:59 UTC+0000
0x83b50030 WmiPrvSE.exe 2724 600 9 148 0 0 2020-03-20 11:56:59 UTC+0000
0x84874100 WmiPrvSE.exe 3160 600 15 323 0 0 2020-03-20 11:57:08 UTC+0000
0x8554fc70 chrome.exe 3196 2320 14 309 1 0 2020-03-20 11:57:09 UTC+0000
0x8553d030 chrome.exe 3300 2320 16 245 1 0 2020-03-20 11:57:11 UTC+0000
0x83bf3a40 WmiApSrv.exe 3308 480 7 116 0 0 2020-03-20 11:57:11 UTC+0000
0x85424d20 chrome.exe 3344 2320 12 176 1 0 2020-03-20 11:57:12 UTC+0000
0x8bdfe960 chrome.exe 3364 2320 15 296 1 0 2020-03-20 11:57:13 UTC+0000
0x83af9d20 mscorsvw.exe 3680 480 6 78 0 0 2020-03-20 11:57:42 UTC+0000
0x83bf7d20 sppsvc.exe 3808 480 6 151 0 0 2020-03-20 11:57:43 UTC+0000
Let's look at Chrome.
For some reason I can't figure out, the Chrome-related plugins don't work.
So I extracted the Chrome History file directly.
$ vol.py -f for2.raw --profile=Win7SP1x86 filescan | grep History
Volatility Foundation Volatility Framework 2.6
0x000000001e3d5f80 5 1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
0x000000001ec096a8 17 1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History-journal
$ vol.py -f for2.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001e3d5f80 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e3d5f80 None \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x1e3d5f80 None \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
It won't open. Is the file corrupted?
Let's read it directly.
Search the dump for "http" and read down through the hits.
https://www.youtube.com/watch?v=wQoVjMMYWJ4
https://twitter.com/neymarjr/status/1217902956475047937
https://www.youtube.com/watch?v=BPi3ePVFRik
https://www.youtube.com/results?search_query=neymar+santos
http://52.205.164.112/
https://www.youtube.com/watch?v=c2JVTzQXryo
https://en.as.com/en/2020/03/18/football/1584532775_474206.html
https://www.google.com/search?ei=5qx0XvCVA4Xga5W3tJgF&q=corona+neymar&oq=corona+neymar&gs_l=psy-ab.3..0i22i30l2.3169.3969..4124...1.0..0.164.934.1j7......0....1..gws-wiz.......0i7i30j0i67j0._2KGdyv2UOI&ved=0ahUKEwjwoOWZ_ajoAhUF8BoKHZUbDVMQ4dUDCAs&uact=5
https://www.google.com/search?ei=36x0XoaaKYqmaLjViZgP&q=corona+italy&oq=corona+italy&gs_l=psy-ab.3..0l7.3997.4646..4809...1.0..0.171.779.4j3......0....1..gws-wiz.......0i324j0i7i30j0i7i10i30j0i8i30j38j0i10.WhwobcUikfw&ved=0ahUKEwjGheCW_ajoAhUKExoKHbhqAvMQ4dUDCAs&uact=5
https://www.google.com/search?ei=t6x0XreFKaGYlwSunraQCQ&q=corona+tunisie&oq=corona+tunisie&gs_l=psy-ab.3...37855.38694..38860...3.0..0.130.888.6j3......0....1..gws-wiz.......0i67j0j0i10.CYJAtwdExKQ&ved=0ahUKEwj3vNaD_ajoAhUhzIUKHS6PDZIQ4dUDCAs&uact=5
https://www.youtube.com/watch?v=X_EKflm9Eso
https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/world-map.html
https://www.nytimes.com/interactive/2020/world/coronavirus-maps.html
https://www.google.com/search?q=corona+map&oq=corona+map&aqs=chrome..69i57j0l7.7296j0j7&sourceid=chrome&ie=UTF-8
https://www.instagram.com/p/B87Wkf6gM2u/
https://www.instagram.com/p/B9FAtOtgKd9/
https://www.instagram.com/p/B9CU5rtgzdt/
https://www.youtube.com/watch?v=E-7qra5xs6E
https://activedreamers.com/
http://www.activedreamers.com/
https://l.instagram.com/?u=http%3A%2F%2Fwww.activedreamers.com%2F&e=ATOsHBx0JL2HM556yq-zdsWbPMufWGXrkbsw_TlMFBW5pig9pp7g_TRQxiX_yc3CULlwA9RL&s=1
https://www.youtube.com/results?search_query=neymar+best+skills
https://www.instagram.com/neymarjr/?hl=en
https://www.youtube.com/
https://youtube.com/
http://youtube.com/
https://www.google.com/search?ei=Nqx0Xuf_LqielwTxhpn4DA&q=neymar+instagram&oq=neymar+instagram&gs_l=psy-ab.3..0i67i70i251j0i67j0l8.6683.8241..8499...0.0..0.143.298.2j1......0....1..gws-wiz.......0i7i30.0Rj8Kayt_Kk&ved=0ahUKEwjn8prG_KjoAhUoz4UKHXFDBs8Q4dUDCAs&uact=5
https://twitter.com/neymarjr?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor(Uhttps://en.wikipedia.org/wiki/Neymar
https://www.google.com/search?q=neymar&oq=neymar&aqs=chrome..69i57j46j0l6.1797j0j7&sourceid=chrome&ie=UTF-8
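The step above (dump the History file, find it won't open as SQLite, fall back to grepping for "http") can be scripted. The following is an added example, my own code and not from the original post or from the Volatility project: it first tries to read the dumped History as a SQLite database and, if that fails, carves http(s) strings out of the raw bytes, which is what reading a damaged dump by hand amounts to. It also converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to UTC, since the challenge turns on when things happened. The sample files, the cut-down urls table, the URL regex and all function names are constructed for this example; real Chrome History files have more columns.

```python
import re
import sqlite3
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Liberal URL pattern for carving from a raw byte dump (constructed for this example).
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#@!$&'()*+,;=%]+")

# Chrome stores last_visit_time as WebKit time: microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1)


def webkit_to_utc(us):
    """WebKit microsecond timestamp -> naive UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt):
    """Naive UTC datetime -> WebKit microsecond timestamp."""
    d = dt - WEBKIT_EPOCH
    return d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds


def urls_from_sqlite(path):
    """Normal route: the dump is an intact SQLite file, so read the urls table.
    Returns None when SQLite rejects the file (junk, truncated, or missing table)."""
    try:
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time DESC"
            ).fetchall()
        finally:
            con.close()
    except sqlite3.DatabaseError:  # covers OperationalError too
        return None
    return [(url, webkit_to_utc(ts)) for url, ts in rows]


def carve_urls(data):
    """Fallback: scan raw bytes for http(s) strings, deduplicated, first-seen order."""
    seen, out = set(), []
    for m in URL_RE.finditer(data):
        u = m.group().decode("ascii", "replace").rstrip(".,;'\"")
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def history_urls(path):
    """Prefer the parsed table; fall back to carving when the file is damaged."""
    rows = urls_from_sqlite(path)
    if rows is not None:
        return [u for u, _ in rows]
    return carve_urls(Path(path).read_bytes())


def build_sample_db():
    """Constructed sample: a minimal History-like SQLite file with a cut-down urls table."""
    path = Path(tempfile.mkdtemp()) / "History"
    con = sqlite3.connect(str(path))
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                "title TEXT, last_visit_time INTEGER)")
    con.executemany(
        "INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)",
        [("https://www.google.com/search?q=neymar", "neymar - Google Search",
          utc_to_webkit(datetime(2020, 3, 20, 11, 50, 0))),
         ("http://52.205.164.112/", "",
          utc_to_webkit(datetime(2020, 3, 20, 11, 57, 0)))])
    con.commit()
    con.close()
    return str(path)


def build_corrupt_dump():
    """Constructed sample: a dump whose SQLite structure is gone but whose strings survive."""
    path = Path(tempfile.mkdtemp()) / "History-broken"
    data = (b"\xff" * 200
            + b"\x00\x01http://52.205.164.112/\x00garbage"
            + b"https://www.youtube.com/results?search_query=neymar+santos\x00"
            + b"\x00" * 8 + b"http://52.205.164.112/\x00")
    path.write_bytes(data)
    return str(path)


if __name__ == "__main__":
    for p in (build_sample_db(), build_corrupt_dump()):
        print(p, history_urls(p))
```

Against a real dumpfiles output you would call history_urls() on the dumped file; when the SQLite route works you also get last_visit_time per URL, which is what the carving fallback cannot recover.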
A football fan, maybe? There are a lot of Neymar searches, and 52.205.164.112 stands out.
But if you visit it, it says the flag has closed.
That means the flag was served before, so we can use http://timetravel.mementoweb.org/ for this.
Then we can see it was being served on the 18th.
Securinets{█████_1s_my_f4vorit3_Pl4yer}
That's how it appears,
and the blank is presumably neymar.
Securinets{neymar_1s_my_f4vorit3_Pl4yer}