Securinets Time Problems

CHIqueen 2020. 3. 24. 16:29

Let's get started.

$ vol.py -f for2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/sansforensics/Desktop/for2.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8273fb78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x80b96000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2020-03-20 11:58:05 UTC+0000
     Image local date and time : 2020-03-20 12:58:05 +0100

Windows 7 SP1 (imageinfo reports Service Pack 1), so Win7SP1x86 is the profile that matches this image.

This time too, let's look at the processes first. Note that the pslist below was run with Win7SP0x86; the process list came out fine anyway, but the later commands use Win7SP1x86, which is the correct profile for this image.

$ vol.py -f for2.raw --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x839af9d0 System                    4      0     82      507 ------      0 2020-03-20 11:55:28 UTC+0000                                 
0x848f6438 smss.exe                276      4      2       29 ------      0 2020-03-20 11:55:28 UTC+0000                                 
0x84abc030 csrss.exe               352    344      8      397      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x83a1ab10 wininit.exe             388    344      3       76      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x83a1a308 csrss.exe               396    380      8      307      1      0 2020-03-20 11:55:31 UTC+0000                                 
0x84a37d20 winlogon.exe            436    380      4      113      1      0 2020-03-20 11:55:31 UTC+0000                                 
0x853f5638 services.exe            480    388      9      196      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x854fa030 lsass.exe               488    388      7      501      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x85501550 lsm.exe                 496    388     10      151      0      0 2020-03-20 11:55:31 UTC+0000                                 
0x8555f8b8 svchost.exe             600    480     11      357      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x8557f030 VBoxService.ex          664    480     14      127      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x8558e250 svchost.exe             720    480      7      259      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x855a2c68 svchost.exe             772    480     21      454      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x855d73e8 svchost.exe             876    480     21      443      0      0 2020-03-20 11:55:32 UTC+0000                                 
0x855f7030 svchost.exe             932    480     16      302      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x855ff030 svchost.exe             976    480     39      947      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x856062e0 audiodg.exe            1028    772      5      115      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x8560d778 svchost.exe            1064    480      5      115      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x85634a48 svchost.exe            1184    480     19      385      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x84c43d20 spoolsv.exe            1304    480     17      301      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x84d58b00 svchost.exe            1352    480     21      314      0      0 2020-03-20 11:55:33 UTC+0000                                 
0x847c2b70 taskhost.exe           1456    480     10      186      1      0 2020-03-20 11:55:34 UTC+0000                                 
0x847d28c8 dwm.exe                1528    876      4       75      1      0 2020-03-20 11:55:34 UTC+0000                                 
0x847e09f8 explorer.exe           1568   1520     22      670      1      0 2020-03-20 11:55:34 UTC+0000                                 
0x8481e030 svchost.exe            1620    480     15      229      0      0 2020-03-20 11:55:34 UTC+0000                                 
0x8488c4c8 taskeng.exe            1776    976      6       83      0      0 2020-03-20 11:55:34 UTC+0000                                 
0x8490b030 VBoxTray.exe           2036   1568     14      138      1      0 2020-03-20 11:55:35 UTC+0000                                 
0x849b9498 SearchIndexer.          856    480     14      591      0      0 2020-03-20 11:55:41 UTC+0000                                 
0x8493bd20 chrome.exe             2320   1568     34      894      1      0 2020-03-20 11:56:56 UTC+0000                                 
0x849865c8 chrome.exe             2352   2320      9       76      1      0 2020-03-20 11:56:56 UTC+0000                                 
0x84852590 chrome.exe             2384   2320      3       55      1      0 2020-03-20 11:56:57 UTC+0000                                 
0x84853488 chrome.exe             2496   2320     17      324      1      0 2020-03-20 11:56:57 UTC+0000                                 
0x83b6dd20 chrome.exe             2716   2320     11      200      1      0 2020-03-20 11:56:59 UTC+0000                                 
0x83b50030 WmiPrvSE.exe           2724    600      9      148      0      0 2020-03-20 11:56:59 UTC+0000                                 
0x84874100 WmiPrvSE.exe           3160    600     15      323      0      0 2020-03-20 11:57:08 UTC+0000                                 
0x8554fc70 chrome.exe             3196   2320     14      309      1      0 2020-03-20 11:57:09 UTC+0000                                 
0x8553d030 chrome.exe             3300   2320     16      245      1      0 2020-03-20 11:57:11 UTC+0000                                 
0x83bf3a40 WmiApSrv.exe           3308    480      7      116      0      0 2020-03-20 11:57:11 UTC+0000                                 
0x85424d20 chrome.exe             3344   2320     12      176      1      0 2020-03-20 11:57:12 UTC+0000                                 
0x8bdfe960 chrome.exe             3364   2320     15      296      1      0 2020-03-20 11:57:13 UTC+0000                                 
0x83af9d20 mscorsvw.exe           3680    480      6       78      0      0 2020-03-20 11:57:42 UTC+0000                                 
0x83bf7d20 sppsvc.exe             3808    480      6      151      0      0 2020-03-20 11:57:43 UTC+0000         

Let's look at Chrome.

And for some reason the Chrome-related plugins don't work.

So I extracted the Chrome History directly. filescan finds the file by name, and dumpfiles -Q extracts it by the physical offset that filescan printed.

$ vol.py -f for2.raw --profile=Win7SP1x86 filescan | grep History
Volatility Foundation Volatility Framework 2.6
0x000000001e3d5f80      5      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
0x000000001ec096a8     17      1 RW-rw- \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History-journal
$ vol.py -f for2.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001e3d5f80 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap 0x1e3d5f80   None   \Device\HarddiskVolume2\Users\home\AppData\Local\Google\Chrome\User Data\Default\History

It won't open; maybe the file is corrupt.

That is expected rather than unusual. dumpfiles rebuilds the file from whatever pages were still in the cache, writing one output per section object (here a .dat for the DataSectionObject and a .vacb for the SharedCacheMap), and pages that were not resident come out zero-filled, so sqlite3 rejects the database even though most of the text in it is intact.

So let's read it directly: search the dumped file for http and go down the strings.

https://www.youtube.com/watch?v=wQoVjMMYWJ4
https://twitter.com/neymarjr/status/1217902956475047937
https://www.youtube.com/watch?v=BPi3ePVFRik
https://www.youtube.com/results?search_query=neymar+santos
http://52.205.164.112/
https://www.youtube.com/watch?v=c2JVTzQXryo
https://en.as.com/en/2020/03/18/football/1584532775_474206.html
https://www.google.com/search?ei=5qx0XvCVA4Xga5W3tJgF&q=corona+neymar&oq=corona+neymar&gs_l=psy-ab.3..0i22i30l2.3169.3969..4124...1.0..0.164.934.1j7......0....1..gws-wiz.......0i7i30j0i67j0._2KGdyv2UOI&ved=0ahUKEwjwoOWZ_ajoAhUF8BoKHZUbDVMQ4dUDCAs&uact=5
https://www.google.com/search?ei=36x0XoaaKYqmaLjViZgP&q=corona+italy&oq=corona+italy&gs_l=psy-ab.3..0l7.3997.4646..4809...1.0..0.171.779.4j3......0....1..gws-wiz.......0i324j0i7i30j0i7i10i30j0i8i30j38j0i10.WhwobcUikfw&ved=0ahUKEwjGheCW_ajoAhUKExoKHbhqAvMQ4dUDCAs&uact=5
https://www.google.com/search?ei=t6x0XreFKaGYlwSunraQCQ&q=corona+tunisie&oq=corona+tunisie&gs_l=psy-ab.3...37855.38694..38860...3.0..0.130.888.6j3......0....1..gws-wiz.......0i67j0j0i10.CYJAtwdExKQ&ved=0ahUKEwj3vNaD_ajoAhUhzIUKHS6PDZIQ4dUDCAs&uact=5
https://www.youtube.com/watch?v=X_EKflm9Eso
https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/world-map.html
https://www.nytimes.com/interactive/2020/world/coronavirus-maps.html
https://www.google.com/search?q=corona+map&oq=corona+map&aqs=chrome..69i57j0l7.7296j0j7&sourceid=chrome&ie=UTF-8
https://www.instagram.com/p/B87Wkf6gM2u/
https://www.instagram.com/p/B9FAtOtgKd9/
https://www.instagram.com/p/B9CU5rtgzdt/
https://www.youtube.com/watch?v=E-7qra5xs6E
https://activedreamers.com/
http://www.activedreamers.com/
https://l.instagram.com/?u=http%3A%2F%2Fwww.activedreamers.com%2F&e=ATOsHBx0JL2HM556yq-zdsWbPMufWGXrkbsw_TlMFBW5pig9pp7g_TRQxiX_yc3CULlwA9RL&s=1
https://www.youtube.com/results?search_query=neymar+best+skills
https://www.instagram.com/neymarjr/?hl=en
https://www.youtube.com/
https://youtube.com/
http://youtube.com/
https://www.google.com/search?ei=Nqx0Xuf_LqielwTxhpn4DA&q=neymar+instagram&oq=neymar+instagram&gs_l=psy-ab.3..0i67i70i251j0i67j0l8.6683.8241..8499...0.0..0.143.298.2j1......0....1..gws-wiz.......0i7i30.0Rj8Kayt_Kk&ved=0ahUKEwjn8prG_KjoAhUoz4UKHXFDBs8Q4dUDCAs&uact=5
https://twitter.com/neymarjr?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor(Uhttps://en.wikipedia.org/wiki/Neymar
https://www.google.com/search?q=neymar&oq=neymar&aqs=chrome..69i57j46j0l6.1797j0j7&sourceid=chrome&ie=UTF-8

A football fan, apparently: there are a lot of Neymar searches. And http://52.205.164.112/ stands out, the only entry whose host is a bare IP address rather than a domain name. (The twitter.com line that runs straight into a wikipedia.org URL is an artefact of reading the raw file as strings instead of parsing the SQLite records: the two strings sit next to each other in the file with no printable separator between them.)
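A small carver for this step, as an added example (Python, not code from the post): it checks that the dumped file at least has a SQLite header, pulls http(s) strings out of the bytes the way the grep above does, splits the run-together pairs that packed records produce, collapses repeat visits, and flags URLs whose host is a bare IP address. The input is a constructed byte string shaped like a damaged History file, not data from the image.

```python
import ipaddress
import re
from urllib.parse import urlsplit

SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed sample input (not data from the post): a fragment shaped like a
# Chrome History file recovered with dumpfiles. The 100-byte header is intact
# (page size 4096), a page the cache did not hold is zero-filled, and record
# payloads are packed with no separator between a URL and the next field.
SAMPLE = (
    SQLITE_MAGIC + b"\x10\x00" + b"\x00" * 82
    + b"\x00" * 512
    + b"\x05\x17\x01urls\x00"
    + b"https://www.youtube.com/results?search_query=neymar+santos\x00"
    + b"neymar santos - YouTube\x00"
    + b"http://52.205.164.112/\x00\x00"
    # a URL immediately followed by another one: the run-together artefact a
    # plain strings/grep pass shows
    + b"https://twitter.com/neymarjr?ref_src=twsrc%5Egoogle"
    + b"https://en.wikipedia.org/wiki/Neymar\x00"
    + b"https://www.google.com/search?q=neymar&oq=neymar\x00"
    + b"http://52.205.164.112/\x00"          # repeat visit: must be collapsed
)

# scheme followed by printable ASCII; stops at NUL, space or any control byte
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# zero-width split point in front of an embedded scheme
SCHEME_SPLIT = re.compile(r"(?=https?://)")


def has_sqlite_header(data: bytes) -> bool:
    """True if the carved file at least starts like a SQLite database.

    A file that fails this is not worth handing to sqlite3 at all; one that
    passes can still be rejected because of zero-filled pages.
    """
    return data[:16] == SQLITE_MAGIC


def carve_urls(data: bytes, split_packed: bool = True) -> list[str]:
    """Return the unique http(s) URLs in data, in first-seen order.

    With split_packed=True a match that contains a second scheme (two fields
    packed back to back) is split in front of it. That is a heuristic: a URL
    can legitimately carry an un-encoded URL in a query parameter, which this
    would cut in two, so keep the raw match when that matters.
    """
    seen: dict[str, None] = {}
    for match in URL_RE.finditer(data):
        text = match.group().decode("ascii")
        parts = SCHEME_SPLIT.split(text) if split_packed else [text]
        for part in parts:
            if part:
                seen.setdefault(part, None)
    return list(seen)


def bare_ip_urls(urls: list[str]) -> list[str]:
    """URLs whose host is a literal IP address.

    A bare IP in browsing history almost never comes from normal use of a
    site, so these are the entries to look at first.
    """
    flagged = []
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        flagged.append(url)
    return flagged


if __name__ == "__main__":
    print("sqlite header:", has_sqlite_header(SAMPLE))
    found = carve_urls(SAMPLE)
    for url in found:
        print(url)
    print("bare-IP hosts:", bare_ip_urls(found))
```

Run it against the real dump by replacing SAMPLE with the bytes of the .dat file dumpfiles wrote. The percent-encoded instagram redirect in the list above (`u=http%3A%2F%2F...`) survives the split untouched because its embedded URL is encoded; an un-encoded one would not.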

 

But if you visit it, the page says the flag has been closed.

That means the flag was being served earlier, so we use Memento Time Travel (http://timetravel.mementoweb.org/), which looks up archived copies of a URL across web archives and lets you pick one by date.
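How a practitioner would pick the snapshot programmatically, as an added example that is not part of the post: the Memento aggregator serves a TimeMap for a URL at http://timetravel.mementoweb.org/timemap/link/<URL> in the RFC 7089 link format, and the snapshot to read is the most recent one taken at or before the image's acquisition time from imageinfo (2020-03-20 11:58:05 UTC). The TimeMap below is constructed for the example: the archive host archive.example and the snapshot times are made up, only the format is real, so the code runs offline.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# "Image date and time" as imageinfo prints it, taken from the post
IMAGE_TIME = "2020-03-20 11:58:05 UTC+0000"

# Constructed sample TimeMap in the RFC 7089 link format, as the aggregator
# returns it for /timemap/link/<URI>. The archive host and the snapshot dates
# are made up for this example; only the layout is real.
TIMEMAP = """\
<http://52.205.164.112/>;rel="original",
<http://timetravel.mementoweb.org/timemap/link/http://52.205.164.112/>;rel="self";type="application/link-format",
<http://timetravel.mementoweb.org/timegate/http://52.205.164.112/>;rel="timegate",
<http://archive.example/web/20200317093000/http://52.205.164.112/>;rel="first memento";datetime="Tue, 17 Mar 2020 09:30:00 GMT",
<http://archive.example/web/20200318141200/http://52.205.164.112/>;rel="memento";datetime="Wed, 18 Mar 2020 14:12:00 GMT",
<http://archive.example/web/20200321080000/http://52.205.164.112/>;rel="last memento";datetime="Sat, 21 Mar 2020 08:00:00 GMT"
"""

# one link: <uri> followed by ;name="value" parameters. The datetime value
# itself contains a comma, so the list cannot simply be split on commas.
LINK_RE = re.compile(r'<([^>]+)>((?:\s*;\s*[\w-]+="[^"]*")*)')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_imageinfo_time(text: str) -> datetime:
    """Turn the imageinfo timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC%z")


def parse_timemap(text: str) -> list[tuple[datetime, str]]:
    """Return (snapshot time, memento URI) pairs, oldest first."""
    mementos = []
    for uri, params in LINK_RE.findall(text):
        attrs = dict(PARAM_RE.findall(params))
        # original/self/timegate links carry no snapshot; rel may be
        # "memento", "first memento" or "last memento"
        if "memento" not in attrs.get("rel", "").split():
            continue
        when = parsedate_to_datetime(attrs["datetime"])
        mementos.append((when, uri))
    mementos.sort()
    return mementos


def latest_memento_not_after(mementos, target: datetime):
    """Most recent snapshot taken at or before target, or None.

    For a memory image the natural target is the acquisition time: that
    snapshot shows the page as the user could have seen it before the dump.
    """
    candidates = [m for m in mementos if m[0] <= target]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    snapshots = parse_timemap(TIMEMAP)
    print(latest_memento_not_after(snapshots, parse_imageinfo_time(IMAGE_TIME)))
```

Against the live aggregator the same parser applies to the body of a GET of the timemap URL; the archive.example host and the dates would then be whatever the archives actually hold.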

 

Then we can see what was served on the 18th:

Securinets{█████_1s_my_f4vorit3_Pl4yer}

That is what it shows; the redacted part is presumably neymar.

Securinets{neymar_1s_my_f4vorit3_Pl4yer}
