«   2020/12   »
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    
Tags
more
Archives
Today
8
Total
8,895
관리 메뉴

CHIqueen

UMDCTF Jarred-3 본문

포렌식/CTF

UMDCTF Jarred-3

사용자 CHIqueen 2020. 4. 22. 19:09

윈도우 메모리문제 kdbgscan으로 Win7SP1x64 찾아주고

python vol.py -f jarred3.vmem kdbgscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: /home/sansforensics/Desktop/volatility/jarred3.vmem WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2a080a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0x2a3eb90
PsLoadedModuleList            : 0x2a5ce90
KernelBase                    : 0xfffff80002817000

 

프로세스를 먼저보자

# python vol.py -f jarred3.vmem --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6.1
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa800418b060:firefox.exe                      2228   3204     49    749 2020-04-09 19:23:42 UTC+0000
. 0xfffffa80040f47e0:firefox.exe                     3456   2228     10    196 2020-04-09 19:23:44 UTC+0000
. 0xfffffa800417b060:firefox.exe                     3656   2228     21    320 2020-04-09 19:23:45 UTC+0000
. 0xfffffa8003860060:tor.exe                         3668   2228      5     71 2020-04-09 19:23:44 UTC+0000
. 0xfffffa8002f9f240:firefox.exe                     3992   2228     22    301 2020-04-09 19:25:02 UTC+0000
. 0xfffffa8004128630:firefox.exe                     2328   2228     26    349 2020-04-09 19:23:45 UTC+0000
 0xfffffa8003475b30:wininit.exe                       412    332      3     76 2020-04-09 19:10:16 UTC+0000
. 0xfffffa8002919530:services.exe                     520    412      6    204 2020-04-09 19:10:16 UTC+0000
.. 0xfffffa8003a98b30:VGAuthService.                 1580    520      3     87 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa80040bf310:svchost.exe                    2704    520     15    161 2020-04-09 19:12:19 UTC+0000
.. 0xfffffa8003799910:svchost.exe                     644    520     12    372 2020-04-09 19:10:17 UTC+0000
... 0xfffffa80063e1b30:WmiPrvSE.exe                  1740    644     10    216 2020-04-09 19:10:19 UTC+0000
.. 0xfffffa8003eac890:dllhost.exe                    2068    520     13    207 2020-04-09 19:10:20 UTC+0000
.. 0xfffffa8003f51300:svchost.exe                    1648    520     13    324 2020-04-09 19:12:19 UTC+0000
.. 0xfffffa800393ba30:spoolsv.exe                    1060    520     12    271 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80039a6b30:taskhost.exe                   1192    520      8    155 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80037f5b30:svchost.exe                     812    520     21    476 2020-04-09 19:10:17 UTC+0000
... 0xfffffa800386b060:audiodg.exe                    964    812      6    132 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa8004232060:sppsvc.exe                     1732    520      4    149 2020-04-09 19:12:19 UTC+0000
.. 0xfffffa800396fa30:svchost.exe                    1088    520     19    330 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80037c9b30:svchost.exe                     724    520      8    295 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80038de060:svchost.exe                     600    520     18    489 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa8003cb0b30:vmtoolsd.exe                   1684    520     12    276 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003996b30:SearchIndexer.                 2536    520     14    719 2020-04-09 19:10:24 UTC+0000
... 0xfffffa80016226c0:SearchFilterHo                2560   2536      5    100 2020-04-09 19:25:35 UTC+0000
... 0xfffffa8003f5ab30:SearchProtocol                2680   2536      8    449 2020-04-09 19:10:24 UTC+0000
.. 0xfffffa8003eb4b30:msdtc.exe                      2156    520     12    148 2020-04-09 19:10:20 UTC+0000
.. 0xfffffa8003840b30:svchost.exe                     884    520     42   1023 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa8003810b30:svchost.exe                     852    520     13    318 2020-04-09 19:10:17 UTC+0000
... 0xfffffa80039d84c0:dwm.exe                       1260    852      3     74 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003851b30:svchost.exe                    1020    520      9    537 2020-04-09 19:10:17 UTC+0000
. 0xfffffa8005a933e0:lsass.exe                        536    412      7    637 2020-04-09 19:10:16 UTC+0000
. 0xfffffa8002f977c0:lsm.exe                          544    412     10    148 2020-04-09 19:10:16 UTC+0000
 0xfffffa80072ae270:csrss.exe                         368    332     10    433 2020-04-09 19:10:16 UTC+0000
 0xfffffa8001423890:System                              4      0     90    522 2020-04-09 19:10:10 UTC+0000
. 0xfffffa80032bcb30:smss.exe                         276      4      2     30 2020-04-09 19:10:10 UTC+0000
 0xfffffa80039fc870:explorer.exe                     1284   1232     30    742 2020-04-09 19:10:18 UTC+0000
. 0xfffffa8003c903e0:vm3dservice.ex                  1560   1284      2     46 2020-04-09 19:10:18 UTC+0000
. 0xfffffa8003c9cb30:iexplore.exe                    1596   1284     18    709 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003866920:iexplore.exe                   1592   1596     17    581 2020-04-09 19:10:19 UTC+0000
.. 0xfffffa80017a9060:iexplore.exe                   3276   1596     12    377 2020-04-09 19:15:16 UTC+0000
.. 0xfffffa8004007540:iexplore.exe                   1760   1596     21    677 2020-04-09 19:12:25 UTC+0000
. 0xfffffa8003c9e910:vmtoolsd.exe                    1572   1284      8    154 2020-04-09 19:10:18 UTC+0000
 0xfffffa8006278590:csrss.exe                         432    420     11    456 2020-04-09 19:10:16 UTC+0000
 0xfffffa80079ad5b0:winlogon.exe                      484    420      3    112 2020-04-09 19:10:16 UTC+0000
 0xfffffa8001753680:thunderbird.ex                    424   1380     64    944 2020-04-09 19:14:33 UTC+0000
. 0xfffffa800163a660:helper.exe                      2940    424      0 ------ 2020-04-09 19:26:43 UTC+0000

그나마 눈에 들어오는게 tor, ie, thunderbird, helper

우선 thunderbird를 먼저 보자

썬더버드는 메일 클라이언트로 무엇을 하고 있었는지 수상해보이는 helper랑 같이 memdump를 떠보자

# python vol.py -f jarred3.vmem --profile=Win7SP1x64 memdump -p 424 -D ./
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing thunderbird.ex [   424] to 424.dmp
# python vol.py -f jarred3.vmem --profile=Win7SP1x64 memdump -p 2940 -D ./
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing helper.exe [  2940] to 2940.dmp

메모리에서 메일을 찾아봅니다.

첨부파일까지 긁은다음 뽑아서 eml파일로 저장해줍니다.

 

압축 풀어보면 docx문서가 있는데 아무래도 vba같아 보이죠?

oletools를 사용합니다. https://www.decalage.info/python/oletools

 

oletools - python tools to analyze OLE and MS Office files | Decalage

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis

www.decalage.info

olevba를 돌려보면

# olevba LovinInvoice.zip 
olevba 0.55.1 on Python 2.7.12 - http://decalage.info/python/oletools
===============================================================================
FILE: LovinInvoice.zip
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Const qeletzpyif = 2
Const jlouvjnmew = 1
Const hgsajszpkq = 0
Private Function jhihworeroqddxunrzx(eatnjvyp As String, snhnkbvor As Long) As String
Dim Tbl, vencfvgarczvufa As String, strTemp, lxpauxezygfacat As String, pwipsogiznsqxl As Long, hykiqmgwmibgmow As Byte
Const cvemyhmtgqsvwbnyzzha As String = "ABCDEFGHIJKLMNOPQRSTUVW" & "XYZ"
Const gqbrepcojoj As Byte = 26
Const wbuccvajxcjjha As Byte = 65 - 1
Const eazcwbvbjqofiqfia As Byte = 97 - 1
strTemp = eatnjvyp
If snhnkbvor < gqbrepcojoj And lngNumber > gqbrepcojoj * -1 Then
vencfvgarczvufa = cvemyhmtgqsvwbnyzzha & cvemyhmtgqsvwbnyzzha & cvemyhmtgqsvwbnyzzha & cvemyhmtgqsvwbnyzzha
Tbl = vencfvgarczvufa
For pwipsogiznsqxl = 1 To Len(strTemp)
If Mid(strTemp, pwipsogiznsqxl, jlouvjnmew) Like xitrlsvziikd("5b612d7a412d") & xitrlsvziikd("5a5d") Then
hykiqmgwmibgmow = Asc(Mid(strTemp, pwipsogiznsqxl, jlouvjnmew))
If Mid(strTemp, pwipsogiznsqxl, jlouvjnmew) = Mid(Tbl, hykiqmgwmibgmow - wbuccvajxcjjha, jlouvjnmew) Then
lxpauxezygfacat = lxpauxezygfacat & Mid(Tbl, hykiqmgwmibgmow - wbuccvajxcjjha + snhnkbvor, jlouvjnmew)
Else
lxpauxezygfacat = lxpauxezygfacat & LCase(Mid(Tbl, hykiqmgwmibgmow - eazcwbvbjqofiqfia + snhnkbvor, jlouvjnmew))
End If
Else
lxpauxezygfacat = lxpauxezygfacat & Mid(strTemp, pwipsogiznsqxl, jlouvjnmew)
End If
Next pwipsogiznsqxl
End If
jhihworeroqddxunrzx = lxpauxezygfacat
End Function
Private Sub bhzktzyjlmcapyvxl()
Dim dcdpcwemxccxonyfp As String
Dim mchyjruygvs As String
Dim ledflensmpxsfkn As String
Dim xynalbyflz As Integer
dcdpcwemxccxonyfp = xitrlsvziikd("206f68") & xitrlsvziikd("6365206b2f20646d63")
mchyjruygvs = xitrlsvziikd("7d2121216c6a336870335f3575316b66334a30785f714a306533655f345f4a6d7b2d") & xitrlsvziikd("584c5556454d")
mchyjruygvs = jhihworeroqddxunrzx(mchyjruygvs, 5)
xynalbyflz = Len(dcdpcwemxccxonyfp)
ledflensmpxsfkn = ""
For pos = xynalbyflz To 1 Step -1
Next_Char = Mid(dcdpcwemxccxonyfp, pos, jlouvjnmew)
ledflensmpxsfkn = ledflensmpxsfkn & Next_Char
Next pos
ledflensmpxsfkn = ledflensmpxsfkn & mchyjruygvs
retVal = Shell(ledflensmpxsfkn, hgsajszpkq)
End Sub
Sub Workbook_Open()
bhzktzyjlmcapyvxl
End Sub
Sub AutoOpen()
bhzktzyjlmcapyvxl
End Sub
Private Function xitrlsvziikd(ByVal ppxscssdlsvg As String) As String
Dim pwfoigdypupp As Long
For pwfoigdypupp = 1 To Len(ppxscssdlsvg) Step 2
xitrlsvziikd = xitrlsvziikd & Chr$(Val("&H" & Mid$(ppxscssdlsvg, pwfoigdypupp, 2)))
Next pwfoigdypupp
End Function

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|AutoExec  |Workbook_Open       |Runs when the Excel Workbook is opened       |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Hex String|[a-zA-              |5b612d7a412d                                 |
|Hex String|ce k/ dmc           |6365206b2f20646d63                           |
|Hex String|}!!!lj3hp3_5u1kf3J0x|7d2121216c6a336870335f3575316b66334a30785f714|
|          |_qJ0e3e_4_Jm{-      |a306533655f345f4a6d7b2d                      |
|Hex String|XLUVEM              |584c5556454d                                 |
+----------+--------------------+---------------------------------------------+

 보기 이쁘게 정리해보면

Private Function jhihworeroqddxunrzx(eatnjvyp As String, snhnkbvor As Long) As String
    Dim Tbl, vencfvgarczvufa As String, strTemp, result As String, i As Long, hykiqmgwmibgmow As Byte
    Const alpha As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    strTemp = eatnjvyp
    If snhnkbvor < 26 And lngNumber > 26 * -1 Then
        Tbl = alpha & alpha & alpha & alpha
        For i = 1 To Len(strTemp)
            If Mid(strTemp, i, 1) Like xitrlsvziikd("5b612d7a412d") & xitrlsvziikd("5a5d") Then
                hykiqmgwmibgmow = Asc(Mid(strTemp, i, 1))
                If Mid(strTemp, i, 1) = Mid(Tbl, hykiqmgwmibgmow - 64, 1) Then
                    result = result & Mid(Tbl, hykiqmgwmibgmow - 64 + snhnkbvor, 1)
                Else
                    result = result & LCase(Mid(Tbl, hykiqmgwmibgmow - 96 + snhnkbvor, 1))
                End If
            Else
                result = result & Mid(strTemp, i, 1)
            End If
        Next i
    End If
    jhihworeroqddxunrzx = result
End Function

Private Sub bhzktzyjlmcapyvxl()
    Dim dcdpcwemxccxonyfp As String
    Dim mchyjruygvs As String
    Dim ledflensmpxsfkn As String
    Dim xynalbyflz  As Integer
    dcdpcwemxccxonyfp = xitrlsvziikd("206f68") & xitrlsvziikd("6365206b2f20646d63")
    mchyjruygvs = xitrlsvziikd("7d2121216c6a336870335f3575316b66334a30785f714a306533655f345f4a6d7b2d") & xitrlsvziikd("584c5556454d")
    mchyjruygvs = jhihworeroqddxunrzx(mchyjruygvs, 5)
    xynalbyflz = Len(dcdpcwemxccxonyfp)
    ledflensmpxsfkn = ""
    For pos = xynalbyflz To 1 Step -1
        Next_Char = Mid(dcdpcwemxccxonyfp, pos, 1)
        ledflensmpxsfkn = ledflensmpxsfkn & Next_Char
    Next pos
    ledflensmpxsfkn = ledflensmpxsfkn & mchyjruygvs
    retVal = Shell(ledflensmpxsfkn, 0)
End Sub

Sub Workbook_Open()
    bhzktzyjlmcapyvxl
End Sub

Sub AutoOpen()
    bhzktzyjlmcapyvxl
End Sub

Private Function xitrlsvziikd(ByVal ppxscssdlsvg As String) As String
    Dim pwfoigdypupp As Long
    For pwfoigdypupp = 1 To Len(ppxscssdlsvg) Step 2
        xitrlsvziikd = xitrlsvziikd & Chr$(Val("&H" & Mid$(ppxscssdlsvg, pwfoigdypupp, 2)))
    Next pwfoigdypupp
End Function

첫번째 함수는 아마 flag만드는 함수

두번째는 AutoOpen후 Shell을 하기 위한 함수

마지막 xi~는 문자열 처리함수 같은데

 

이상한게 있다.

첫번째 함수를 보면 lngNumber가 어디에도 없다.

 

그런데 

}!!!lj3hp3_5u1kf3J0x_qJ0e3e_4_Jm{ 이건 아무래도 첫번째 함수를 통해 나온 flag같이 생겼다.

함수내에 26이랑 A-Z가 신경쓰여서 이리 저리 해봤더니

Caesar 알고리즘 이었다.

 

문자열을 뒤집고 알고리즘을 적용했더니

{uR_4_m3m0Ry_f0R3ns1c5_3xp3rt!!!}

 

UMDCTF-{uR_4_m3m0Ry_f0R3ns1c5_3xp3rt!!!}

'포렌식 > CTF' 카테고리의 다른 글

UMDCTF CoolCoin  (0) 2020.04.23
UMDCTF Zero Cool  (0) 2020.04.23
UMDCTF Jarred-3  (0) 2020.04.22
UMDCTF Jarred-1  (0) 2020.04.22
UMDCTF SomeZips  (0) 2020.04.22
UMDCTF A Nation State Musical  (0) 2020.04.22
0 Comments
댓글쓰기 폼