Forensics

pcap analysis1

Topic: traffic analysis

Packet capture download

First question. My English is poor, so here is a translation: roughly, a machine was compromised, and we need to analyze what this person looked up on a search engine.

image-20220408210409793

Filter for HTTP traffic and open any packet; the search engine in use is Baidu. Try searching for any name yourself and you can see that the value of the wd parameter is the search query.

image-20220408211238126

image-20220408211344064

image-20220408211438318

The simple method: the export dialog under the File menu (Export Objects) lists all the URLs; just copy the one we need.

image-20220408212025332

OFPPT-CTF{charles_geschickter}

pcap analysis2

Extracting the FTP transfers with Wireshark

There is a lot of FTP traffic here. Filter on ftp, scroll down, pick any request packet and right-click > Follow TCP Stream to see it.

image-20220408212631031

The challenge asks for two files with the same name but different extensions, so these are the two files. Next, extract them.

image-20220408212848843

Search for lytton-crypt.bin; the ftp-data packets right below it carry the file contents. Follow that stream.

image-20220408213524053

Switch "Show data as" to Raw and save.

image-20220408213738041

lytton-crypt.bin

MD5: 4da8e81ee5b08777871e347a6b296953
SHA1: 5f88cfb5e469154782aa84a6b649007423c8b196
SHA256: 22190203d1789b181eb7230ceeafffe440b33883e185470b7cf64ab22fb3ba9f
CRC32: 2859590343

lytton-crypt.exe is done the same way.

image-20220408213950236

MD5: 9cb9b11484369b95ce35904c691a5b28
SHA1: 4463adb39c4381b87c76180543c401c2bfa89962
SHA256: b7da7228ac44bd90aedf34660a04d15bf1ddf84c1a4823234c3abf506a254b8b
CRC32: 3745826804

OFPPT-CTF{9cb9b11484369b95ce35904c691a5b28|4da8e81ee5b08777871e347a6b296953}

pcap analysis3

The attacker cracked a password belonging to the victim. Submit the flag as: OFPPT-CTF{password}.

This one is simpler. It says the password was cracked, and we already saw login traces on the FTP server, so go look for the password: searching for tcp and 200 works (utf8 also works). Follow the stream and the successful login is visible.

image-20220408215301907

image-20220408215400191

USER cgeschickter

331 Password required

PASS darkangel

230 User logged in.

OFPPT-CTF{darkangel}
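The login sequence above, reconstructed as an added Python example (not from the writeup): it walks a constructed FTP control-channel stream, pairs each PASS with the server's reply code, and reports the failed attempts (the brute force seen later against .103) alongside the credentials that finally succeeded.

```python
import re

# Constructed sample of an FTP control channel (client lines prefixed "C:",
# server lines "S:"); it is not the challenge capture, only shaped like it.
FTP_STREAM = """\
C: USER cgeschickter
S: 331 Password required
C: PASS letmein
S: 530 Login incorrect.
C: USER cgeschickter
S: 331 Password required
C: PASS password1
S: 530 Login incorrect.
C: USER cgeschickter
S: 331 Password required
C: PASS darkangel
S: 230 User logged in.
"""

def analyze_ftp_logins(stream):
    """Pair every PASS with the server's verdict on it.

    Returns (attempts, failures, successes): attempts is the number of PASS
    commands, failures the number answered with 530, successes the list of
    (user, password) pairs answered with 230. Many failures from one client
    followed by a success is the brute-force pattern to alert on.
    """
    user = None
    pending = None          # (user, password) waiting for the server's reply
    attempts = failures = 0
    successes = []
    for line in stream.splitlines():
        m = re.match(r"^(C|S): (.*)$", line)
        if not m:
            continue
        side, text = m.groups()
        if side == "C":
            cmd, _, arg = text.partition(" ")
            if cmd.upper() == "USER":
                user = arg
            elif cmd.upper() == "PASS":
                pending = (user, arg)
                attempts += 1
        elif pending is not None and text[:3].isdigit():
            code = int(text[:3])   # FTP reply codes: 230 logged in, 530 refused
            if code == 230:
                successes.append(pending)
            elif code == 530:
                failures += 1
            pending = None
    return attempts, failures, successes
```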

pcap analysis4

Question 4 says a file was executed:
The attacker made a fatal mistake, and in doing so, gave control of his computer to… someone. He shouldn't have run that malicious program.

While searching the HTTP traffic we found secret_decoder.bin; searching for that keyword shows

image-20220408215914265

image-20220408220108310

The .106 machine executed commands on .105

wget -O was used to download the file and save it under a different name

We can see a file fetched with wget and renamed, then its permissions changed, then a scheduled task added; this shows the program that was run is this secret_decoder.bin.

image-20220408220220107

Since the file was requested over HTTP at the end, we can export it directly, the same way as the FTP export.

image-20220408220615646

After exporting, take the file's MD5.

MD5: 42e419a6391ca79dc44d7dcef1efc83b
SHA1: e96c5e687d827f5a250fc643d1e9ff46e2c531bc
SHA256: 358489fcab70c3f10c4628e09c1ccbd001915f6adfa7fa97a1be0fb5fbab8198
CRC32: 2929409365

image-20220408205826205
image-20220408205858332

OFPPT-CTF{42e419a6391ca79dc44d7dcef1efc83b}

pcap analysis5

The attacker started by performing a port scan of the victim computer.
Identify the open TCP ports discovered on the victim’s machine? Enter the flag as the open ports, separated by commas, no spaces, in numerical order. Disregard port numbers > 10000. Example: OFPPT-CTF{80,110,111,143,443,2049} Use the PCAP file from ‘pcap analysis’ challenge.

First a deduction: in the capture, the .106 IP brute-forced the FTP password of the .103 IP, so .106 is the attacker and .103 is the victim, presumably running an FTP service.
Filter on the destination IP: ip.dst == 192.168.100.103

image-20220409211513430

image-20220409212805266

We can see the port scan; scrolling down shows the ports that responded successfully, five in total. I don't recommend my method; the one below is from a master's writeup, link: https://hhyleung.github.io/writeups/ofppt-ctf-2022/#pcap-analysis-6

image-20220409213029038

> A port scan is usually done with the TCP handshake, which ends with SYN, ACK if the port is opened. The filter tcp.flags.ack == 1 and tcp.flags.syn == 1 was used to filter out the completed handshakes and it was found that ports 21, 135, 139, 445, and 3389 were opened.

Adding the IP makes it even clearer: tcp.flags.ack == 1 and tcp.flags.syn == 1 and ip.addr == 192.168.100.103
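The SYN/ACK logic behind that filter, as an added Python example over constructed packet summaries (not the challenge capture and not the writeup's code): a SYN/ACK sent from the victim identifies an open port, ports above 10000 are dropped as the task requires, and the ratio of SYN probes to RST replies is the detection signal for a scan.

```python
# Constructed packet summaries shaped like Wireshark's columns:
# (frame, src, dst, sport, dport, tcp_flags). Not the real capture.
ATTACKER, VICTIM = "192.168.100.106", "192.168.100.103"
PACKETS = [
    (1, ATTACKER, VICTIM, 51001, 21, "SYN"),
    (2, VICTIM, ATTACKER, 21, 51001, "SYN,ACK"),        # open
    (3, ATTACKER, VICTIM, 51002, 22, "SYN"),
    (4, VICTIM, ATTACKER, 22, 51002, "RST,ACK"),        # closed
    (5, ATTACKER, VICTIM, 51003, 3389, "SYN"),
    (6, VICTIM, ATTACKER, 3389, 51003, "SYN,ACK"),
    (7, ATTACKER, VICTIM, 51004, 445, "SYN"),
    (8, VICTIM, ATTACKER, 445, 51004, "SYN,ACK"),
    (9, ATTACKER, VICTIM, 51005, 49152, "SYN"),
    (10, VICTIM, ATTACKER, 49152, 51005, "SYN,ACK"),    # open but > 10000
    (11, ATTACKER, VICTIM, 51006, 135, "SYN"),
    (12, VICTIM, ATTACKER, 135, 51006, "SYN,ACK"),
    (13, ATTACKER, VICTIM, 51007, 139, "SYN"),
    (14, VICTIM, ATTACKER, 139, 51007, "SYN,ACK"),
]

def has_flags(flags, wanted):
    return wanted <= set(flags.split(","))

def open_ports(packets, victim, max_port=10000):
    """Equivalent of tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.addr == victim,
    but only counting SYN/ACKs whose *source* is the victim: the source port of
    such a reply is a listening port. Restricting to the victim as sender keeps
    the victim's own outbound connections (where it receives SYN/ACK) out."""
    found = set()
    for _, src, _, sport, _, flags in packets:
        if src == victim and has_flags(flags, {"SYN", "ACK"}) and sport <= max_port:
            found.add(sport)
    return sorted(found)

def scan_summary(packets, attacker, victim):
    """Probe count vs. reset count: a scan is many bare SYNs from one source,
    with closed ports answering RST/ACK instead of completing the handshake."""
    syns = sum(1 for _, s, d, _, _, f in packets if s == attacker and d == victim and f == "SYN")
    resets = sum(1 for _, s, d, _, _, f in packets if s == victim and d == attacker and "RST" in f)
    return syns, resets

def flag(packets, victim):
    return "OFPPT-CTF{" + ",".join(str(p) for p in open_ports(packets, victim)) + "}"
```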

image-20220409214123092

OFPPT-CTF{21,135,139,445,3389}

pcap analysis6

The attacker might have just bit off more than he can chew! He encountered a competitor that is counter-attacking his system!
The competitor executed a command to attain persistence on the attacker's computer. This command will allow the adversary to regain a connection to the computer even after reboot. What is the packet number where this command was executed? For example: OFPPT-CTF{93721}. Use the PCAP file from 'pcap analysis' challenge.

We already know a scheduled task was added, so just search for sudo. That packet's number is 160468.

image-20220409214555530

OFPPT-CTF{160468}

Windows memory dump

A Windows computer has been infected. The attacker managed to exploit a portion of a database backup that contains sensitive employee and customer private information. All memory dump challenges use the same file.
Inspect the memory dump and tell us the Windows Major Operating System Version, bit version, and the image date/time (UTC, no spaces or special characters). Submit the flag as OFPPT-CTF{OS_BIT_YYYYMMDDhhmmss}. Example: OFPPT-CTF{WindowsXP_32_20220120095959} File: 1.5 GB Decompressed: 5 GB

A forensics challenge; this is the first time I've met a Win10 image, so I'm noting it down.

First look at the image info with python2 vol.py -f ../ctf/ofppt/physmemraw imageinfo (full output below).
Because the file is big (5 GB), the scan took a long time, roughly five minutes; for a while I thought I had done something wrong, but it turned out to be simply the file size.

┌──(root💀bohemian)-[/tools/volatility]
└─# python2 vol.py -f ../ctf/ofppt/physmemraw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win10x64_19041
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tools/ctf/ofppt/physmemraw)
PAE type : No PAE
DTB : 0x1aa000L
KDBG : 0xf8005e600b20L
Number of Processors : 4
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff8005ba60000L
KPCR for CPU 1 : 0xffff82804f9c0000L
KPCR for CPU 2 : 0xffff82804f5e8000L
KPCR for CPU 3 : 0xffff82804f7ca000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-09-07 14:57:44 UTC+0000
Image local date and time : 2021-09-07 07:57:44 -0700

We can see it is 64-bit Windows 10, so the flag is

OFPPT-CTF{Windows10_64_20210907145744}

Windows memory dump2

envars shows each process's environment variables
┌──(root💀bohemian)-[/tools/volatility]
└─# python2 vol.py -f ../ctf/ofppt/physmemraw --profile=Win10x64_19041 envars | grep COMPUTE
Volatility Foundation Volatility Framework 2.6.1
568 wininit.exe 0x000002760e625ed0 COMPUTERNAME DESKTOP-IT8QNRI
644 winlogon.exe 0x000002a6290b71e0 COMPUTERNAME DESKTOP-IT8QNRI
668 services.exe 0x0000018faf8027f0 COMPUTERNAME DESKTOP-IT8QNRI
708 lsass.exe 0x00000234422027f0 COMPUTERNAME DESKTOP-IT8QNRI
832 svchost.exe 0x000001e39d6027f0 COMPUTERNAME DESKTOP-IT8QNRI
952 svchost.exe 0x000001c6c2e027f0 COMPUTERNAME DESKTOP-IT8QNRI
996 svchost.exe 0x000002da882027f0 COMPUTERNAME DESKTOP-IT8QNRI
428 dwm.exe 0x0000019f91800fe0 COMPUTERNAME DESKTOP-IT8QNRI

OFPPT-CTF{DESKTOP-IT8QNRI}

Windows memory dump3

Using the memory dump file from Window memory dump challenge, find out the name of the malicious process.
Submit the flag as OFPPT-CTF{process-name_pid} (include the file extension). Example: OFPPT-CTF{svchost.exe_1234}

┌──(root💀bohemian)-[/tools/volatility]
└─# python2 vol.py -f ../ctf/ofppt/physmemraw --profile=Win10x64_19041 pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xffff9a077fead080:wininit.exe 568 456 1 0 2021-09-07 14:24:53 UTC+0000
. 0xffff9a077ff1d080:lsass.exe 708 568 13 0 2021-09-07 14:24:55 UTC+0000
. 0xffff9a077ff54140:fontdrvhost.ex 864 568 5 0 2021-09-07 14:24:55 UTC+0000

...

0xffff9a07843ab080:userinit.exe 8180 2252 3 0 2021-09-07 14:55:55 UTC+0000



┌──(root💀bohemian)-[/tools/volatility]
└─# python2 vol.py -f ../ctf/ofppt/physmemraw --profile=Win10x64_19041 cmdline | grep 8180
Volatility Foundation Volatility Framework 2.6.1
userinit.exe pid: 8180

OFPPT-CTF{userinit.exe_8180}

Windows memory dump4


┌──(root💀bohemian)-[/tools/volatility]
└─# python2 vol.py -f ../ctf/ofppt/physmemraw --profile=Win10x64_19041 dumpfiles --pid 8180 --dump-dir=../ctf/ofppt/
Volatility Foundation Volatility Framework 2.6.1
ImageSectionObject 0xffff9a077f6d01a0 8180 \Device\HarddiskVolume2\Windows\SysWOW64\sechost.dll
DataSectionObject 0xffff9a077f61f0d0 8180 \Device\HarddiskVolume2\Windows\System32\locale.nls
ImageSectionObject 0xffff9a07857d4280 8180 \Device\HarddiskVolume2\Windows\Temp\userinit.exe
ImageSectionObject 0xffff9a0784c4e590 8180 \Device\HarddiskVolume2\Windows\SysWOW64\cryptsp.dll
ImageSectionObject 0xffff9a0784c6fa60 8180 \Device\HarddiskVolume2\Windows\System32\icuin.dll
ImageSectionObject 0xffff9a0784c6f740 8180 \Device\HarddiskVolume2\Windows\System32\icuuc.dll
DataSectionObject 0xffff9a0785d549b0 8180 \Device\HarddiskVolume2\Windows\System32\en-US\WWAHost.exe.mui
DataSectionObject 0xffff9a0785d5ba30 8180 \Device\HarddiskVolume2\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2106.12410.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1114333211-2247716564-2192578087-1001-MergedResources-0.pri
DataSectionObject 0xffff9a077fefc730 8180 \Device\HarddiskVolume2\Windows\Globalization\Sorting\SortDefault.nls
DataSectionObject 0xffff9a078480c5f0 8180 \Device\HarddiskVolume2\Windows\System32\en-US\edgehtml.dll.mui
DataSectionObject 0xffff9a0780c1ced0 8180 \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat
DataSectionObject 0xffff9a0780d38620 8180 \Device\HarddiskVolume2\Windows\System32\en-US\KernelBase.dll.mui
DataSectionObject 0xffff9a07809f4a30 8180 \Device\HarddiskVolume2\Windows\System32\en-US\dnsapi.dll.mui
DataSectionObject 0xffff9a078482feb0 8180 \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-1114333211-2247716564-2192578087-1001.dat

ImageSectionObject 0xffff9a07857d4280 8180 \Device\HarddiskVolume2\Windows\Temp\userinit.exe
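Why that dumpfiles line stands out, as an added Python example (not from the writeup): the genuine userinit.exe lives in \Windows\System32 and is started by winlogon.exe, so a copy running from \Windows\Temp under another parent fails both checks. The records are constructed in the shape of the pstree and dumpfiles output; the parent name for PID 2252 is a placeholder, since the page shows only the PPID.

```python
import ntpath

# Where the genuine copies of some well-known Windows binaries live and which
# parent normally spawns them (general Windows facts, not taken from the dump).
EXPECTED = {
    "userinit.exe": {"dirs": {r"\windows\system32"}, "parent": "winlogon.exe"},
    "lsass.exe":    {"dirs": {r"\windows\system32"}, "parent": "wininit.exe"},
    "svchost.exe":  {"dirs": {r"\windows\system32", r"\windows\syswow64"}, "parent": "services.exe"},
}

# Constructed records: (pid, name, ppid, parent_name, image_path). Only the
# userinit.exe row echoes values from the page; "explorer.exe" as the parent of
# PID 2252 is a placeholder and the other rows are illustrative.
PROCS = [
    (708, "lsass.exe", 568, "wininit.exe", r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"),
    (832, "svchost.exe", 668, "services.exe", r"\Device\HarddiskVolume2\Windows\System32\svchost.exe"),
    (8180, "userinit.exe", 2252, "explorer.exe", r"\Device\HarddiskVolume2\Windows\Temp\userinit.exe"),
]

def strip_device(path):
    """\\Device\\HarddiskVolumeN\\Windows\\... -> \\Windows\\... (drive letter unknown in a dump)."""
    parts = path.split("\\")
    if len(parts) > 3 and parts[1].lower() == "device":
        return "\\" + "\\".join(parts[3:])
    return path

def check_process(pid, name, ppid, parent, image_path):
    """Return the reasons this process looks suspicious (empty list = nothing found)."""
    rules = EXPECTED.get(name.lower())
    if rules is None:
        return []
    reasons = []
    directory = ntpath.dirname(strip_device(image_path)).lower()
    if directory not in rules["dirs"]:
        reasons.append(f"{name} ({pid}) runs from {directory}, expected {sorted(rules['dirs'])}")
    if parent.lower() != rules["parent"]:
        reasons.append(f"{name} ({pid}) spawned by {parent} ({ppid}), expected {rules['parent']}")
    return reasons

def suspicious(procs):
    """Map pid -> reasons for every process that fails at least one check."""
    hits = {}
    for rec in procs:
        reasons = check_process(*rec)
        if reasons:
            hits[rec[0]] = reasons
    return hits
```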

I couldn't get this one; borrowing the master's writeup
└─$ vol -f physmemraw windows.dumpfiles --pid 8180

Volatility 3 Framework 2.0.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result

ImageSectionObject 0x9a077f6d01a0 sechost.dll file.0x9a077f6d01a0.0x9a077f0ddb20.ImageSectionObject.sechost.dll.img
ImageSectionObject 0x9a07857d4280 userinit.exe file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img
ImageSectionObject 0x9a0784c4e590 cryptsp.dll file.0x9a0784c4e590.0x9a0784bbca20.ImageSectionObject.cryptsp.dll.img
...

└─$ sha1sum file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img
962d96f30c8f126cbcdee6eecc5e50c3a408402b file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img

Flag: OFPPT-CTF{962d96f30c8f126cbcdee6eecc5e50c3a408402b}

web

php

<?php

if (isset($_GET['hash'])) {
    if ($_GET['hash'] === "10932435112") {
        die('Not so easy mate.');
    }

    $hash = sha1($_GET['hash']);
    $target = sha1(10932435112);
    if ($hash == $target) {
        include('flag.php');
        print $flag;
    } else {
        print "csictf{loser}";
    }
} else {
    show_source(__FILE__);
}

?>

?hash=aaroZmOk
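Why ?hash=aaroZmOk passes, as an added Python example that emulates PHP's == on numeric strings (it is not the challenge's code): both sha1 digests have the form 0e followed only by digits, so PHP reads each as the number 0 and == returns true, while the hardened check compares the digests byte for byte (hash_equals in PHP).

```python
import hashlib
import hmac
import re

# PHP compares two strings with == numerically when both are numeric strings;
# "0e<digits>" is a valid float literal equal to zero. This regex mirrors that rule.
NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")

def php_loose_eq(a, b):
    """Emulate PHP's == for two strings."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def php_strict_eq(a, b):
    """PHP's ===: same type and same bytes."""
    return a == b

def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()

def is_magic_hash(h):
    """A hex digest shaped 0e<digits only> is parsed by PHP as the number 0."""
    return re.fullmatch(r"0e\d+", h) is not None

TARGET = sha1_hex("10932435112")   # the challenge's sha1(10932435112)
CANDIDATE = sha1_hex("aaroZmOk")   # digest of the input the writeup submits

def vulnerable_check(user_input):
    """The challenge's logic: reject the literal secret, then compare digests with ==."""
    if user_input == "10932435112":
        return False
    return php_loose_eq(sha1_hex(user_input), TARGET)

def hardened_check(user_input):
    """Fix: constant-time byte comparison of the digests (PHP: hash_equals), never ==."""
    return hmac.compare_digest(sha1_hex(user_input), TARGET)
```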

Reference: https://hhyleung.github.io/writeups/ofppt-ctf-2022/

Always on the road