CyberDefenders practice 2

Preface

Continuing with forensics; forensics is really interesting :).

Hacked (Linux disk forensics)

question1

What is the system timezone?

Analyzed with 取证大师 (Forensics Master); the timezone is read from the /etc/timezone file.

answer:Europe/Brussels

question2

Who was the last user to log in to the system?

Login records are in /var/log/wtmp; export it and run last -f wtmp on Linux to view them.

answer:mail

question3

What was the source port the user 'mail' connected from?

The file is /var/log/auth.log; the last port in it is the answer.

answer:57708

question4

How long was the last session for user 'mail'? (Minutes only)

Same auth.log file: at the end you can see the session opened and session closed timestamps, which are 1 minute apart.

answer:1

question5

Which server service did the last user use to log in to the system?

Once again the same auth.log file; it shows the login went through sshd.

answer:sshd

question6

What type of authentication attack was performed against the target machine?

You can actually guess it's brute force from the answer format; to verify, look at auth.log again.

answer:bruteforce
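An added example, not from the original writeup, that parses auth.log-style sshd lines for Q3 through Q6 in one pass: the source port and service of the last accepted login, the length of the last session, and failed-password counts per source as the brute-force signal. The log lines, host name and addresses are constructed, not the challenge's log.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample in auth.log format; the challenge's real log is not reproduced here.
AUTH_LOG = """\
Apr  5 14:30:01 vulnos sshd[1201]: Failed password for invalid user admin from 192.0.2.50 port 57601 ssh2
Apr  5 14:30:02 vulnos sshd[1203]: Failed password for mail from 192.0.2.50 port 57602 ssh2
Apr  5 14:30:02 vulnos sshd[1205]: Failed password for mail from 192.0.2.50 port 57603 ssh2
Apr  5 14:30:03 vulnos sshd[1207]: Failed password for mail from 192.0.2.50 port 57604 ssh2
Apr  5 14:30:04 vulnos sshd[1211]: Accepted password for mail from 192.0.2.50 port 57708 ssh2
Apr  5 14:30:04 vulnos sshd[1211]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Apr  5 14:31:20 vulnos sshd[1211]: pam_unix(sshd:session): session closed for user mail
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")
ACCEPT_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port (\d+)")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
SESSION_RE = re.compile(r"session (opened|closed) for user (\S+)")

def parse(log_text):
    """Yield (timestamp, service, message) per well-formed line; syslog has no year, so one is fixed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2000)
            yield ts, m.group(2), m.group(3)

def last_login(log_text):
    """(user, service, source port) of the last accepted login: Q3 and Q5 together."""
    hit = None
    for _, service, msg in parse(log_text):
        m = ACCEPT_RE.search(msg)
        if m:
            hit = (m.group(1), service, int(m.group(3)))
    return hit

def last_session_minutes(log_text, user):
    """Whole minutes between the last 'session opened' and its 'session closed' for user (Q4)."""
    opened = closed = None
    for ts, _, msg in parse(log_text):
        m = SESSION_RE.search(msg)
        if m and m.group(2) == user:
            opened, closed = (ts, None) if m.group(1) == "opened" else (opened, ts)
    return None if opened is None or closed is None else int((closed - opened).total_seconds() // 60)

def bruteforce_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed passwords: the brute-force signal of Q6."""
    hits = [FAIL_RE.search(msg) for _, _, msg in parse(log_text)]
    counts = Counter(m.group(1) for m in hits if m)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```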

question7

How many IP addresses are listed in the '/var/log/lastlog' file?

The file is provided; just run strings on it and you find 2 IPs.

answer:2

question8

How many users have a login shell?

Check /etc/passwd for accounts whose shell is /bin/bash; the users found are root, mail, php, vulnosadmin and postgres.

answer:5

question9

What is the password of the mail user?

The crowd-pleasing password part: /etc/shadow stores SHA-512 crypt hashes, so brute-force them with a script and a wordlist.
Script:

# coding=utf-8
import crypt  # the crypt module is deprecated since Python 3.11 and removed in 3.13

shadow_file = "shadow"      # path to the exported system shadow file
password_file = "pass.txt"  # our own wordlist, one plaintext password per line


def get_pass(shadow_file):
    used = {}  # key is the user name, value is the corresponding hash
    with open(shadow_file, "r") as f:  # read the system shadow file
        userline = f.readlines()  # turn the file into a list of lines
    for item in userline:  # walk every line
        fields = item.split(":")  # split on ":"; the second field is the full hash
        # a hash longer than 3 characters means the account has a password
        # ("*", "!" and "!!" mark locked or passwordless accounts); keep those
        if len(fields) > 1 and len(fields[1]) > 3:
            used[fields[0]] = fields[1]  # used[user name] = that user's hash
    return used


# pull the plaintext passwords out of our wordlist
def look_d(password_file):
    with open(password_file, "r") as f:
        mwlist = f.readlines()  # turn the file into a list
    for i, item in enumerate(mwlist):
        mwlist[i] = item.strip("\n")  # drop the newline from every line
    return mwlist  # return the list


# find the matching user and password by comparing hashes
def main(user_passfile, zidian):
    used = get_pass(user_passfile)  # users and their hashes
    mingwen = look_d(zidian)  # all candidate plaintext passwords
    for user in used:
        passwd = used[user]  # this user's hash
        # the salt is everything before the final "$" ("$6$salt" for SHA-512;
        # this also keeps an optional "rounds=" field intact)
        salt = passwd.rsplit("$", 1)[0]
        for passwdmw in mingwen:  # try every candidate against the hash
            if passwd == crypt.crypt(passwdmw.rstrip(), salt):  # a match reveals the password
                print("userName:%s passWord:%s" % (user, passwdmw.rstrip()))


if __name__ == "__main__":
    main(shadow_file, password_file)

answer:forensics

question10

Which user account was created by the attacker?

Because not many accounts have 3-character names, the cracked password for the php account is the same as mail's, and php also has a login shell, it's inferred to be this account.

answer:php

question11

How many user groups exist on the machine?

Groups are in /etc/group; it has 58 lines, one per group, so 58 groups.

answer:58

question12

How many users have sudo access?

Just check how many users are in the sudo group; clearly it's php and mail, two users.

answer:2

question13

What is the home directory of the PHP user?

The php user's home directory; this one is a giveaway.

answer:/usr/php
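An added example, not code from the writeup, that answers Q8, Q11, Q12 and Q13 from /etc/passwd and /etc/group contents. The passwd and group entries below are constructed samples carrying the writeup's five shell users and two sudo members, not the challenge files.

```python
# Constructed /etc/passwd sample (7 fields: name:pw:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
postgres:x:106:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
php:x:1001:1001::/usr/php:/bin/bash
"""
# Constructed /etc/group sample (4 fields: name:pw:gid:member,member).
GROUP = """\
root:x:0:
sudo:x:27:mail,php
mail:x:8:
postgres:x:113:
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", ""}

def parse_colon_file(text):
    """Split each non-empty, non-comment line on ':' (works for passwd and group)."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]

def login_shell_users(passwd_text):
    """Users whose 7th field is an interactive shell (Q8 counts these)."""
    return [f[0] for f in parse_colon_file(passwd_text) if len(f) >= 7 and f[6] not in NON_LOGIN_SHELLS]

def group_count(group_text):
    """One group per line in /etc/group (Q11)."""
    return len(parse_colon_file(group_text))

def group_members(group_text, passwd_text, name):
    """Listed supplementary members plus users whose primary GID is this group's (Q12)."""
    groups = {f[0]: f for f in parse_colon_file(group_text)}
    if name not in groups:
        return []
    gid, listed = groups[name][2], [m for m in groups[name][3].split(",") if m]
    primary = [f[0] for f in parse_colon_file(passwd_text) if len(f) >= 4 and f[3] == gid]
    return sorted(set(listed) | set(primary))

def home_dir(passwd_text, user):
    """Home directory (6th field) of a user (Q13)."""
    return next((f[5] for f in parse_colon_file(passwd_text) if f[0] == user), None)
```

Note that it treats any shell outside NON_LOGIN_SHELLS as a login shell, a slightly broader check than grepping for /bin/bash; on this sample both give the same five users.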

question14

What command did the attacker use to gain root privilege? (Answer contains two spaces).

So look at the command history: in /var/mail/.bash_history we found the command sudo su -, and verification confirmed that this is the one used.

answer:sudo su -

question15

Which file did the user 'root' delete?

Then look at root's command history, /root/.bash_history, where the command rm 37292.c appears.

answer:37292.c

question16

Recover the deleted file, open it and extract the exploit author name.

Just recover the file with a recovery tool.

answer:rebel

question17

What is the content management system (CMS) installed on the machine?

A CMS is usually installed under /usr; after looking around it was found at /usr/share/drupal7.

answer:drupal

question18

What is the version of the CMS installed on the machine?

Looked up how to get the Drupal version: it's in drupal/modules/system/system.info.

answer:7.26

question19

Which port was listening to receive the attacker's reverse shell?

Look at the web server log /var/log/access.log; near the end there is a base64 string, and decoding it gives the port.

answer:4444

DeepDive (Windows memory)

question1

What profile should you use for this memory sample?

Memory forensics is done with Volatility (vol.py). For the profile of the memory image, just run python2 vol.py -f ../banking-malware.vmem imageinfo.

answer:Win7SP1x64_24000

question2

What is the KDBG virtual address of the memory sample?

Also available from the imageinfo output.

answer:0xf80002bef120

question3

There is a malicious process running, but it's hidden. What's its name?

We need to find a hidden process. I first tried psscan and didn't find it; after searching I found another command, psxview, which finds it.

answer:vds_ps.exe

question4

What is the physical offset of the malicious process?

The offset is also shown by the previous command.

answer:0x000000007d336950

question5

What is the full path (including executable name) of the hidden executable?

Just run python2 vol.py -f ../banking-malware.vmem --profile Win7SP1x64 filescan | grep vds_ps.exe to find the path.

answer:C:\Users\john\AppData\Local\api-ms-win-service-management-l2-1-0\vds_ps.exe

question6

Which malware is this?

First dump the executable with python2 vol.py -f ../banking-malware.vmem --profile Win7SP1x64 procdump --offset=0x000000007d336950 --dump-dir=../ and then submit it to 微步 (ThreatBook) for analysis, which gives the malware family.

answer:Emotet

question7

The malicious process had two PEs injected into its memory. What's the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC

First use malfind to show the injected regions: python2 vol.py -f ../banking-malware.vmem --profile Win7SP1x64 malfind -p 2448. With the address found, run python2 vol.py -f ../banking-malware.vmem --profile Win7SP1x64 vadinfo -a 0x2a80000 --offset=0x000000007d336950 to see the sizes of the VADs for this process and pick the largest.

answer:0x36fff

question8

This process was unlinked from the ActiveProcessLinks list. Follow its forward link. Which process does it lead to? Answer with its name and extension

In psxview, look at the process right after PID 2448: that's SearchIndexer.exe with PID 2616.

answer:SearchIndexer.exe

question9

What is the pooltag of the malicious process in ascii? (HINT: use volshell)

I had never used volshell before, and this one also requires computing an offset; I really couldn't do it, so I went and read a writeup, and after reading it I could only say it's way too hard. First use dt('_EPROCESS',0x000000007d336950,space=addrspace().base) to look at the malicious process's structure; it doesn't contain what we're looking for. The offset has to be computed here:

WinXP - Win7 cbDataOffsetPoolHdr = 0x5c
need to move backwards an additional 0x4 for the POOLTAG to line up correctly
0x000000007d336950 - 0x60

So run dt("_POOL_HEADER",0x000000007D3368F0, space=addrspace().base); because the value is stored little-endian, remember to reverse the bytes after converting it to hex.

answer:R0oT

question10

What is the physical address of the hidden executable's pooltag? (HINT: use volshell)

The physical address is just the value computed above plus 4.

answer:0x7D3368F4
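The offset arithmetic behind Q9 and Q10 and the little-endian tag decoding, as an added example that is not part of the writeup or Volatility. The _EPROCESS offset and the 0x5c + 0x4 distance are taken from the text above; the mini memory image and the PoolTag integer passed to decode_pool_tag are constructed.

```python
import io

# From the writeup: physical offset of the hidden _EPROCESS, and the distance back to its
# _POOL_HEADER on WinXP..Win7 (0x5c, plus 0x4 so the tag lines up).
EPROCESS_PHYS = 0x000000007D336950
EPROCESS_TO_POOL_HEADER = 0x5C + 0x4
POOL_TAG_OFFSET = 0x4  # PoolTag is the second 4-byte field of _POOL_HEADER

def pool_header_address(eprocess_phys=EPROCESS_PHYS):
    """Physical address of the _POOL_HEADER in front of an _EPROCESS (Q9)."""
    return eprocess_phys - EPROCESS_TO_POOL_HEADER

def pool_tag_address(eprocess_phys=EPROCESS_PHYS):
    """Physical address of the PoolTag field itself (Q10)."""
    return pool_header_address(eprocess_phys) + POOL_TAG_OFFSET

def decode_pool_tag(tag_value):
    """Turn the integer that volshell's dt() prints for PoolTag into ASCII.
    The four bytes are stored little-endian, which is why the hex digits read reversed."""
    return tag_value.to_bytes(4, "little").decode("ascii", errors="replace")

def read_pool_tag(image, eprocess_phys):
    """Read the tag straight from a raw physical image (any seekable binary stream)."""
    image.seek(pool_tag_address(eprocess_phys))
    return image.read(4).decode("ascii", errors="replace")

def constructed_image(eprocess_phys=0x1000, tag=b"R0oT"):
    """Constructed mini 'memory image': zeros with a pool tag planted before eprocess_phys."""
    buf = bytearray(eprocess_phys + 0x10)
    hdr = pool_header_address(eprocess_phys)
    buf[hdr + POOL_TAG_OFFSET:hdr + POOL_TAG_OFFSET + 4] = tag
    return io.BytesIO(bytes(buf))
```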