
Forensics/CTF

Houseplant Imagery

CHIqueen 2020. 4. 30. 07:19


$ python vol.py -f imagery.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_17763, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/sansforensics/Desktop/volatility/imagery.raw)
                      PAE type : No PAE
                           DTB : 0x1aa002L
                          KDBG : 0xf8037f6af5e0L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8037e54e000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-04-24 09:50:12 UTC+0000
     Image local date and time : 2020-04-24 02:50:12 -0700

I picked Win10x64_17134 as the profile and started from there.

$ python vol.py -f imagery.raw --profile=Win10x64_17134 pstree
Volatility Foundation Volatility Framework 2.6.1
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xffff84024507d140:winlogon.exe                      512    436      4      0 2020-04-24 17:42:55 UTC+0000
. 0xffff8402452640c0:dwm.exe                          840    512     14      0 2020-04-24 17:42:56 UTC+0000
. 0xffff840247cb2440:userinit.exe                    2188    512      0 ------ 2020-04-24 09:43:20 UTC+0000
.. 0xffff840247cf2440:explorer.exe                   2416   2188     41      0 2020-04-24 09:43:21 UTC+0000
... 0xffff840245631540:VBoxTray.exe                  3264   2416     11      0 2020-04-24 09:44:05 UTC+0000
... 0xffff8402481b9480:SecurityHealth                2908   2416      2      0 2020-04-24 09:44:04 UTC+0000
... 0xffff840245632080:notepad.exe                   6076   2416      2      0 2020-04-24 09:44:40 UTC+0000
... 0xffff840245633080:OneDrive.exe                  3532   2416     19      0 2020-04-24 09:44:08 UTC+0000
. 0xffff840245122200:fontdrvhost.ex                   636    512      5      0 2020-04-24 17:42:56 UTC+0000
 0xffff840245004140:csrss.exe                         452    436     11      0 2020-04-24 17:42:55 UTC+0000
 0xffff840245084080:wininit.exe                       444    368      1      0 2020-04-24 17:42:55 UTC+0000
. 0xffff84024512e200:fontdrvhost.ex                   644    444      5      0 2020-04-24 17:42:56 UTC+0000
. 0xffff8402450b9140:services.exe                     536    444      5      0 2020-04-24 17:42:55 UTC+0000
.. 0xffff840245968080:spoolsv.exe                    1600    536      7      0 2020-04-24 09:43:01 UTC+0000
.. 0xffff8402416ea080:svchost.exe                    1432    536      2      0 2020-04-24 09:43:00 UTC+0000
.. 0xffff840245941080:svchost.exe                    1676    536     14      0 2020-04-24 09:43:01 UTC+0000
.. 0xffff840247cfb300:svchost.exe                    2724    536      0 ------ 2020-04-24 09:43:22 UTC+0000
.. 0xffff8402416a6080:svchost.exe                     916    536     24      0 2020-04-24 17:42:57 UTC+0000
.. 0xffff840245134300:svchost.exe                     664    536     20      0 2020-04-24 17:42:56 UTC+0000
... 0xffff840247f60080:MicrosoftEdge.                3956    664     23      0 2020-04-24 09:43:39 UTC+0000
... 0xffff8402480b1440:smartscreen.ex                1516    664      6      0 2020-04-24 09:44:03 UTC+0000
... 0xffff840248005080:SearchUI.exe                  3672    664     34      0 2020-04-24 09:43:35 UTC+0000
... 0xffff8402480b8540:RuntimeBroker.                5124    664      2      0 2020-04-24 09:44:42 UTC+0000
... 0xffff84024813f400:RuntimeBroker.                3784    664     10      0 2020-04-24 09:43:36 UTC+0000
... 0xffff84024861b080:MicrosoftEdgeC                4532    664     13      0 2020-04-24 09:43:52 UTC+0000
... 0xffff8402481c0080:browser_broker                3144    664      3      0 2020-04-24 09:43:40 UTC+0000
... 0xffff84024494c4c0:dllhost.exe                   5656    664      6      0 2020-04-24 09:44:19 UTC+0000
... 0xffff840248615400:RuntimeBroker.                4320    664      2      0 2020-04-24 09:43:43 UTC+0000
.... 0xffff840248627080:MicrosoftEdgeS               4596   4320      8      0 2020-04-24 09:43:52 UTC+0000
... 0xffff84024817f400:ApplicationFra                3928    664      4      0 2020-04-24 09:43:39 UTC+0000
... 0xffff840244dec540:WmiPrvSE.exe                  5352    664      5      0 2020-04-24 09:47:02 UTC+0000
... 0xffff840247fc70c0:ShellExperienc                3564    664     21      0 2020-04-24 09:43:33 UTC+0000
.. 0xffff840247ca6300:svchost.exe                    1308    536     27      0 2020-04-24 09:43:19 UTC+0000
.. 0xffff8402416d8080:svchost.exe                    1448    536      4      0 2020-04-24 09:43:00 UTC+0000
.. 0xffff8402452a2300:svchost.exe                     940    536     60      0 2020-04-24 17:42:56 UTC+0000
... 0xffff840247b79400:taskhostw.exe                 2848    940      9      0 2020-04-24 09:43:16 UTC+0000
... 0xffff840247b74380:sihost.exe                    2768    940     12      0 2020-04-24 09:43:15 UTC+0000
.. 0xffff840247747080:MsMpEng.exe                    1988    536     22      0 2020-04-24 09:43:02 UTC+0000
.. 0xffff84024596c080:svchost.exe                    1456    536      4      0 2020-04-24 09:43:00 UTC+0000
.. 0xffff8402416ef080:VBoxService.ex                 1208    536     11      0 2020-04-24 17:42:57 UTC+0000
.. 0xffff8402457ee300:svchost.exe                    1908    536     11      0 2020-04-24 09:43:02 UTC+0000
.. 0xffff840247bdb080:svchost.exe                    2964    536      6      0 2020-04-24 09:43:16 UTC+0000
.. 0xffff8402452d2380:svchost.exe                     960    536     13      0 2020-04-24 17:42:56 UTC+0000
.. 0xffff8402452d4380:svchost.exe                     968    536     14      0 2020-04-24 17:42:56 UTC+0000
.. 0xffff840247a74440:NisSrv.exe                     2572    536      6      0 2020-04-24 09:43:10 UTC+0000
.. 0xffff840247e3f080:svchost.exe                    3276    536      3      0 2020-04-24 09:43:29 UTC+0000
.. 0xffff840244197540:svchost.exe                     336    536     15      0 2020-04-24 17:42:57 UTC+0000
... 0xffff840247be9380:ctfmon.exe                    3012    336      8      0 2020-04-24 09:43:16 UTC+0000
... 0xffff8402479e6340:dasHost.exe                   2324    336      3      0 2020-04-24 09:43:06 UTC+0000
.. 0xffff84024886a340:SecurityHealth                 4664    536      7      0 2020-04-24 09:44:04 UTC+0000
.. 0xffff84024774b2c0:wlms.exe                       2004    536      2      0 2020-04-24 09:43:02 UTC+0000
.. 0xffff840245937080:svchost.exe                    2776    536      8      0 2020-04-24 09:43:15 UTC+0000
.. 0xffff8402416ee080:svchost.exe                    1060    536     20      0 2020-04-24 17:42:57 UTC+0000
.. 0xffff8402416e2080:svchost.exe                    1372    536      5      0 2020-04-24 09:43:00 UTC+0000
.. 0xffff84024562e080:SgrmBroker.exe                 2036    536      4      0 2020-04-24 09:45:08 UTC+0000
.. 0xffff840245966080:svchost.exe                    1632    536      9      0 2020-04-24 09:43:01 UTC+0000
.. 0xffff8402482ed2c0:svchost.exe                    5152    536     12      0 2020-04-24 09:45:07 UTC+0000
.. 0xffff840247720400:ruby.exe                       1980    536      9      0 2020-04-24 09:43:02 UTC+0000
.. 0xffff840248139300:SearchIndexer.                 4776    536     14      0 2020-04-24 09:43:54 UTC+0000
.. 0xffff840245204380:svchost.exe                     756    536      9      0 2020-04-24 17:42:56 UTC+0000
.. 0xffff840247dce500:svchost.exe                     992    536      6      0 2020-04-24 09:45:14 UTC+0000
. 0xffff8402450bb140:lsass.exe                        548    444      7      0 2020-04-24 17:42:55 UTC+0000
 0xffff8402453d9540:csrss.exe                         376    368      9      0 2020-04-24 17:42:55 UTC+0000
 0xffff84024165d300:System                              4      0    103      0 2020-04-24 17:42:46 UTC+0000
. 0xffff840241ca4040:smss.exe                         288      4      2      0 2020-04-24 17:42:46 UTC+0000
. 0xffff8402416dd040:MemCompression                  1332      4     26      0 2020-04-24 09:43:00 UTC+0000
. 0xffff840241792040:Registry                          68      4      4      0 2020-04-24 17:42:37 UTC+0000

Apart from notepad.exe and ruby.exe, nothing stood out.

$ python vol.py -f imagery.raw --profile=Win10x64_17134 memdump -p 6076 -D ./

After dumping Notepad's process memory on its own:

PS D:\ctf\Houseplant\Imagery> .\strings64.exe .\6076.dmp | findstr rtcp
rtcp{camera_goes_click_brrrrrr^and^gives^photo}
rtcp{camera_goes_click_brrrrrr^and^gives^pholto
rtcp{camera_goes_click_brrrrrr^and^gives^photo}
rtcp{camera_goes_click_brrrrrr^and^gives^photo
rtcp{camera_goes_click_brrrrrr^and^gives^pholt
rtcp{camera_goes_click_brrrrrr^and^gives^phot
rtcp
rtcp{camera_goes_click_brrrr
rtcp{camera_goes_click_brrrrrrj
rtcp{camera_goes_click_brrrrrr^and^g
rtcp{camera_goes_click_brrrrrr^an
rtcp{camera_goes_click_brrrrrr^and^
rtcp{camera_goes_click_brrrrrr^
rtcp{camera_goes_click_brrrrrr^and
rtcp{camera_goes_click_brrrrrr^a
Assets\Text\rtcpal_registry.reg
Assets\Text\rtcpal_registry.reg
FINDSTR?: la ligne 2984961 est trop longue.
FINDSTR?: la ligne 2984961 est trop longue.
FINDSTR?: la ligne 2984961 est trop longue.

I simply searched for the flag format and it came up.
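Added example (not part of the original writeup): a small Python scanner that does the same job as the strings64/findstr step on the memdump output, but only returns complete flags, drops the truncated copies that strings also lists, and checks the UTF-16LE form that Notepad keeps in its edit buffer. The flag-shape regex, the chunk/overlap streaming and the SAMPLE buffer are my assumptions and constructed data; scan_dump, find_flags and demo are hypothetical helper names.

```python
import os
import re
import tempfile

# The prefix is the one from this writeup; the full-flag shape (prefix, '{', printable
# characters other than '}', then '}') is an assumption that filters out truncated copies.
PREFIX = b"rtcp"
ASCII_RE = re.compile(PREFIX + rb"\{[\x20-\x7c\x7e]{1,200}\}")
# Notepad keeps its edit buffer as UTF-16LE, so every character is followed by a NUL byte.
UTF16_RE = re.compile(
    b"".join(bytes([c, 0]) for c in PREFIX) + rb"\{\x00(?:[\x20-\x7c\x7e]\x00){1,200}\}\x00"
)


def find_flags(data: bytes) -> list[str]:
    """Return unique complete flags found in ASCII or UTF-16LE form, in order of appearance."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return list(dict.fromkeys(s for _, s in sorted(hits)))


def scan_dump(path: str, chunk_size: int = 4 * 1024 * 1024, overlap: int = 1024) -> list[str]:
    """Stream a memdump file in chunks. The overlap must be at least as long as the
    longest match expected (UTF-16LE doubles it) so a flag straddling a chunk edge survives."""
    flags: list[str] = []
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            buf = tail + chunk
            flags += [s for s in find_flags(buf) if s not in flags]
            tail = buf[-overlap:]
    return flags


# Constructed stand-in for a slice of the notepad.exe dump: one ASCII copy, one truncated
# copy (no closing brace) like those in the strings output, and the UTF-16LE edit buffer.
SAMPLE = (
    b"\x00" * 16
    + b"rtcp{camera_goes_click_brrrrrr^and^gives^photo}" + b"\x00" * 8
    + b"rtcp{camera_goes_click_brrrr" + b"\x00" * 8
    + "rtcp{camera_goes_click_brrrrrr^and^gives^photo}".encode("utf-16-le") + b"\x00" * 16
)


def demo() -> list[str]:
    """Write SAMPLE to a temp file and scan it with a tiny chunk size to exercise the overlap."""
    with tempfile.NamedTemporaryFile(suffix=".dmp", delete=False) as tmp:
        tmp.write(SAMPLE)
    try:
        return scan_dump(tmp.name, chunk_size=64, overlap=128)
    finally:
        os.remove(tmp.name)
```

On a real 6076.dmp, call scan_dump("6076.dmp") with the default chunk size; unlike findstr it never chokes on an over-long line.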
