Preface
The 火眼 kit has arrived; once the new computer gets here and the environment is set up, I should be able to start working on phones.
DumpMe (Windows memory forensics)
question1
What is the SHA1 hash of Triage-Memory.mem (memory dump)?
Just run certutil -hashfile C:\Users\lym\Desktop\Triage-Memory.mem SHA1 and read the SHA1 value.
answer:C95E8CC8C946F95A109EA8E47A6800DE10A27ABD
question2
What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
Just run imageinfo.
answer:Win7SP1x64
question3
What was the process ID of notepad.exe?
Just run pslist.
answer:3032
question4
Name the child process of wscript.exe.
Just run pstree.
answer:UWkpjFjDzM.exe
question5
What was the IP address of the machine at the time the RAM dump was created?
Just run netscan; the owner is System.
answer:10.0.0.101
question6
Based on the answer regarding the infected PID, can you determine the IP of the attacker?
Look at the processes in the netscan output: one entry has UWkpjFjDzM.exe as its owner, and the corresponding IP is the answer.
answer:10.0.0.106
question7
How many processes are associated with VCRUNTIME140.dll?
Run dlllist and count how many VCRUNTIME140.dll entries there are; filtering through a pipe makes it easier to see.
answer:5
question8
After dumping the infected process, what is its md5 hash?
Use procdump to dump the exe, then check its md5 with the md5sum command.
answer:690ea20bc3bdfb328e23005d9a80c290
question9
What is the LM hash of Bob's account?
Just run hashdump.
answer:aad3b435b51404eeaad3b435b51404ee
question10
What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
Just run vadinfo; grep -A 10 to see a few more lines.
answer:PAGE_READONLY
question11
What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
Same approach as the previous question.
answer:PAGE_NOACCESS
question12
There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
Since it was a running process, I first ran pslist and found a wscript.exe; checking cmdline confirmed it was the one, and the answer is in its command line.
answer:vhjReUDEuumrX
question13
An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
Use the timeliner command, vol.py -f Triage-Memory.mem --profile=Win7SP1x64 timeliner | grep "2019-03-07 23:06:58" -B 5 -A 5, and look through the matching lines.
answer:Skype.exe
question14
What was written in notepad.exe at the time when the memory dump was captured?
Dump notepad's VADs with the vaddump command, then extract strings with strings -e l vads/* > str.txt and search for the flag directly.
answer:flag
question15
What is the short name of the file at file record 59045?
This one needs mftparser: python2 vol.py -f ../Triage-Memory.mem --profile=Win7SP1x64 mftparser | grep 59045 -A 10
answer:EMPLOY~1.XLS
question16
This box was exploited and is running meterpreter. What was the infected PID?
It is the PID of that malicious process.
answer:3496
Insider
question1
What distribution of Linux is being used on this machine?
Free points; nothing to write about.
answer:kali
question2
What is the MD5 hash of the apache access.log?
access.log is empty, so there is nothing more to say.
answer:d41d8cd98f00b204e9800998ecf8427e
question3
It is believed that a credential dumping tool was downloaded? What is the file name of the download?
Just go to /root/Downloads.
answer:mimikatz_trunk.zip
question4
There was a super-secret file created. What is the absolute path?
Just browse /root/.bash_history and you will find it.
answer:/root/Desktop/SuperSecretFile.txt
question5
What program used didyouthinkwedmakeiteasy.jpg during execution?
Likewise, just check the bash history.
answer:binwalk
question6
What is the third goal from the checklist Karen created?
The file is right on the desktop; just open it.
answer:profit
question7
How many times was apache run?
access.log is completely empty; do you really think it ever ran?
answer:0
question8
It is believed this machine was used to attack another. What file proves this?
The image irZLAohL.jpeg is the smoking gun.
answer:irZLAohL.jpeg
question9
Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
Look at /root/Documents/firstscript_fixed. This one takes a bit of a leap: the last line of the file is echo "Heck yeah! I can write bash too Young", so the answer is Young.
answer:Young
question10
A user su'd to root at 11:26 multiple times. Who was it?
Go to /var/log/auth.log and search by time.
answer:postgres
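As an added example (not part of the original writeup), here is a small Python script that automates the question 10 approach instead of eyeballing auth.log: it parses the pam_unix "session opened" lines that su writes on Debian/Kali and reports which user successfully su'd to root repeatedly within a given minute. The log lines, hostname, PIDs and uids below are constructed sample data, not taken from the challenge image.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the challenge); the pam_unix
# session line is what su logs on Debian/Kali when the switch succeeds.
SAMPLE_AUTH_LOG = """\
Mar  5 11:24:10 kali sshd[901]: Accepted password for karen from 10.0.0.5 port 51200 ssh2
Mar  5 11:26:03 kali su[1501]: Successful su for root by postgres
Mar  5 11:26:03 kali su[1501]: pam_unix(su:session): session opened for user root by postgres(uid=117)
Mar  5 11:26:20 kali su[1510]: FAILED SU (to root) karen on /dev/pts/0
Mar  5 11:26:41 kali su[1522]: Successful su for root by postgres
Mar  5 11:26:41 kali su[1522]: pam_unix(su:session): session opened for user root by postgres(uid=117)
Mar  5 11:26:58 kali su[1530]: pam_unix(su:session): session opened for user root by postgres(uid=117)
Mar  5 11:27:12 kali su[1544]: pam_unix(su:session): session opened for user root by karen(uid=1000)
"""

# Matches one successful su session: syslog timestamp (HH:MM kept, seconds
# dropped), the target user and the calling user. Failed attempts and the
# "Successful su for" line do not match, so each session is counted once.
SU_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hm>\d{2}:\d{2}):\d{2}\s+\S+\s+su\[\d+\]:\s+"
    r"pam_unix\(su:session\): session opened for user (?P<target>\w+) by (?P<caller>\w+)"
)


def su_to_root_by_minute(log_text):
    """Return {(HH:MM, caller): count} for successful su sessions to root."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m and m.group("target") == "root":
            counts[(m.group("hm"), m.group("caller"))] += 1
    return counts


def who_su_to_root_at(log_text, hhmm, min_times=2):
    """Users who su'd to root at least `min_times` times during minute hhmm."""
    counts = su_to_root_by_minute(log_text)
    return sorted(user for (hm, user), n in counts.items()
                  if hm == hhmm and n >= min_times)


if __name__ == "__main__":
    # On the sample data only postgres switched to root more than once at 11:26.
    print(who_su_to_root_at(SAMPLE_AUTH_LOG, "11:26"))  # ['postgres']
```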
question11
Based on the bash history, what is the current working directory?
Just check the bash history.
answer:/root/Documents/myfirsthack/