OtterCTF - Memory Forensics (1-13)

1. OtterCTF memory forensics

CTF address:

OtterCTF

Getting started: just register and log in (note: the e-mail address is not verified, so any address will do):

1 - What the password? 

First question:

Challenge:

Download the OtterCTF.7z archive:

It contains the OtterCTF.vmem image file.

Volatility Introduction

Volatility is a very powerful memory forensics tool, developed by hundreds of well-known security experts from around the world. It can be used for memory forensics on Windows, Linux, macOS and Android. Volatility is an open-source memory forensics framework: it analyzes an exported memory image, recovers the kernel data structures, and uses plug-ins to obtain details of the memory contents and the running state of the system.

Basic usage of the volatility tool
Command format

volatility -f [image] --profile=[profile] [plugin]

Before analysing, determine the image information first, i.e. which operating system it was taken from:

volatility -f xxx.vmem imageinfo

If the operating system is wrong, the memory information cannot be read correctly. Once the image's profile is known, pass the matching operating system with --profile=.

Commonly used plug-ins

The following commands use a Windows memory file as the example.

View user names and password hashes

volatility -f 1.vmem --profile=Win7SP1x64 hashdump

View processes

volatility -f 1.vmem --profile=Win7SP1x64 pslist

View services

volatility -f 1.vmem --profile=Win7SP1x64 svcscan

View browser history

volatility -f 1.vmem --profile=Win7SP1x64 iehistory

View network connections

volatility -f 1.vmem --profile=Win7SP1x64 netscan

View command-line history

volatility -f 1.vmem --profile=Win7SP1x64 cmdscan

View files

volatility -f 1.vmem --profile=Win7SP1x64 filescan

View file contents

volatility -f 1.vmem --profile=Win7SP1x64 dumpfiles -Q 0xxxxxxxx -D ./

View the contents currently displayed in Notepad

volatility -f 1.vmem --profile=Win7SP1x64 notepad

Dump a process

volatility -f 1.vmem --profile=Win7SP1x64 memdump -p xxx --dump-dir=./

Screenshot

volatility -f 1.vmem --profile=Win7SP1x64 screenshot --dump-dir=./

View registry hives

volatility -f 1.vmem --profile=Win7SP1x64 hivelist

View registry key names

volatility -f 1.vmem --profile=Win7SP1x64 hivedump -o 0xfffff8a001032410

View registry key values

volatility -f 1.vmem --profile=Win7SP1x64 printkey -K "xxxxxxx"

View records related to program execution, such as the last run time and the number of times a program was run

volatility -f 1.vmem --profile=Win7SP1x64 userassist

Extract as much information as possible (timeline)

volatility -f 1.vmem --profile=Win7SP1x64 timeliner

Windows:

1. Check the operating system

volatility_2.6.exe -f OtterCTF.vmem imageinfo

2. View the password

First the hashes:

volatility_2.6.exe -f OtterCTF.vmem --profile=Win7SP1x64 hashdump

518172d012f97d3a8fcc089615283940: this hash is probably not crackable, it is too complex...

Another way: the lsadump module extracts the passwords:

volatility_2.6.exe -f OtterCTF.vmem --profile=Win7SP1x64 lsadump

flag: CTF{MortyIsReallyAnOtter}

Kali: same approach.

System information:

vol.py -f OtterCTF.vmem imageinfo

Hashes:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 hashdump

lsadump password:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 lsadump

Mimikatz can also show the plaintext, but I didn't succeed. I don't know why; it may be a Python 2 problem...

Submit the flag:

2. General Info

Challenge:

The PC's IP and name:

Check network connections:

volatility_2.6.exe -f OtterCTF.vmem --profile=Win7SP1x64 netscan

 kali:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 netscan

Although there are quite a lot of IPs, the IP should be 192.168.202.131 (it is the one that looks right).

CTF{192.168.202.131}

Check the hostname:

Check the registry:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 hivelist

Look at SYSTEM:

The hostname is stored in the SYSTEM hive.

View the registry key names:

Use -o followed by the hive address with printkey to view the specified hive:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey

Then follow the key path down step by step:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"

vol.py -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control"

vol.py -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName"

vol.py -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"

If you are lucky, you can try the full path directly on the first attempt:

CTF{WIN-LO6FAF3DTFE}

3. Play Time

Challenge:

The game's name and the server IP:

View the processes:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 pslist

There are a lot of them; guess blindly...

LunarMS.exe: a search shows that it is a game...

Use netscan to find the IP address:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 netscan

Result:

CTF{LunarMS}

CTF{77.102.199.102}

4. Name Game

Challenge:

This account is known to log into a channel called Lunar-3; find the account name.

Load OtterCTF.vmem into WinHex for analysis:

First search for Lunar-3:

It is followed by a string:

Use the strings command with grep; -C 5 shows 5 lines of context before and after each hit, which is also a way to spot suspicious strings:

strings OtterCTF.vmem | grep -C 5 Lunar-3

CTF{0tt3r8r33z3}

5. Name Game 2

It still revolves around the LunarMS process:

Dump the process first (-D sets the output directory, here the current directory):

vol.py -f OtterCTF.vmem --profile Win7SP1x64 memdump -p 708 -D ./

The PID can be seen in the earlier pslist output:

First analyze the hex pattern given in the challenge:

0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
Analysis: 0x marks a hexadecimal value; {6-8}, {18} and {2} give the number of bytes in each gap
64, then 6-8 unknown bytes, then 40 06, then 18 unknown bytes, then 5a 0c and two 00 bytes
It is easier to search only for 5a 0c 00

WinHex tool:

Open 708.dmp and search for 5a 0c 00 first.

Going through the hits one by one... M0rtyL0L turns up.

M0rtyL0L can also be found here, but the hex bytes next to it do not match the challenge's pattern...

It can also be done on Kali:

hexdump command; grep's -A and -B give the number of lines of context after and before each hit:

hexdump -C 708.dmp | grep "5a 0c 00" -A 3 -B 3

Found:

And this:

 CTF{M0rtyL0L} 
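An added Python example, not from the writeup, that turns the challenge's byte signature into a regular-expression search over the dump instead of searching only for 5a 0c 00, so the false positives the writeup ran into are filtered out automatically. It assumes, as the writeup's result suggests, that the account name directly follows the signature; the sample dump is constructed.

```python
import mmap
import re

# The challenge's signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}.
# Assumption taken from the writeup: the account name directly follows the
# signature as a printable, NUL-terminated run.
SIGNATURE = re.compile(
    rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00([\x20-\x7e]{3,32})\x00",
    re.DOTALL,
)


def find_names(dump):
    """Return (offset, name) for every full-signature hit in a process dump."""
    return [(m.start(), m.group(1).decode("ascii"))
            for m in SIGNATURE.finditer(dump)]


def count_partial(dump):
    """Number of hits a search for just '5a 0c 00' gives, as in WinHex/hexdump."""
    return dump.count(b"\x5a\x0c\x00")


def scan_file(path):
    """Run the full-signature search over a real dump (e.g. 708.dmp) via mmap."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_names(mm)


# Constructed sample dump: a decoy carrying only the short '5a 0c 00' tail (the
# false positive the writeup ran into) followed by one genuine signature hit.
SAMPLE_DUMP = (
    b"\x00" * 24
    + b"\x5a\x0c\x00\x00" + b"Decoy123\x00" + b"\x00" * 8
    + b"\x64" + b"\x11" * 7 + b"\x40\x06" + b"\x22" * 18
    + b"\x5a\x0c\x00\x00" + b"M0rtyL0L\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    print("partial hits for 5a 0c 00:", count_partial(SAMPLE_DUMP))
    for offset, name in find_names(SAMPLE_DUMP):
        print(f"0x{offset:08x} {name}")
```

On the real dump, `scan_file("708.dmp")` returns the offset and name of every location that matches the whole signature.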

6. Silly Rick

Find Rick's email password:

The challenge says he always copies and pastes the password.

So we look at the clipboard:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 clipboard

CTF{M@il_Pr0vid0rs}

7. Hide And Seek

Find the malware's process name (including the extension).

PID and PPID:

A PID (process identifier) is assigned automatically by the operating system when it runs a process. It is a unique, non-zero integer, and a PID identifies exactly one process.

The PPID is the PID of the parent process. When a process is created, the process that created it is called its parent, and the child process refers to its parent via the PPID.

View the processes:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 pslist

Looking through the list, a process named Rick And Morty matches the challenge's theme.

Moreover, for the vmware-tray.ex process, the PPID appears to be larger than the PID.

View the command lines of the processes:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 cmdline

Checking the command-line arguments shows that Rick And Morty downloaded vmware-tray.exe (the default download path is the RarSFX directory) and executed it:

dlllist shows the DLLs loaded by the process:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 dlllist -p 3720

 CTF{vmware-tray.exe}
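An added Python example (not part of the writeup) that parses pslist-style output into a parent/child tree and prints the lineage of a PID, which makes the Rick And Morty to vmware-tray.ex relationship visible at a glance instead of matching PIDs and PPIDs by eye. The sample rows are constructed; only PID 3720 for vmware-tray.ex comes from the writeup.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Volatility 2 "pslist" output. Only PID 3720
# for vmware-tray.ex comes from the writeup; the other values are made up.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa80018cb040 System                    4      0     78      527 ------      0 2018-08-04 19:25:17 UTC+0000
0xfffffa8001bf4060 explorer.exe           2728   2700     36      933      1      0 2018-08-04 19:26:35 UTC+0000
0xfffffa801b3c7b30 Rick And Morty         3820   2728      4      185      1      1 2018-08-04 19:32:55 UTC+0000
0xfffffa801a2e7060 vmware-tray.ex         3720   3820      8      147      1      1 2018-08-04 19:33:02 UTC+0000
"""
# The name is matched lazily so "Rick And Morty" still separates from PID/PPID
# (a name that ends in a digit would need fixed-width column parsing instead).
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+")

def parse_pslist(text):
    """Return {pid: (name, ppid)} for every process row of pslist output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid))
    return procs

def lineage(procs, pid):
    """Names from pid up to the root; stops at an unknown parent or a loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain

def tree_lines(procs):
    """Indented parent->child tree; a process whose parent is absent is a root."""
    children = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        children[ppid].append(pid)
    out = []
    def walk(pid, depth):
        out.append("  " * depth + f"{procs[pid][0]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)
    for pid, (_, ppid) in sorted(procs.items()):
        if ppid not in procs:
            walk(pid, 0)
    return out
```

Because Windows recycles PIDs, a parent PID higher than the child's (as with vmware-tray.ex here) is a lead to follow up with cmdline and dlllist, not proof on its own.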

8. Path To Glory

This question is a bit unclear...

How did the malware get onto Rick's PC? It should be a file he downloaded.

Use filescan to find the file:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 filescan|grep 'Rick And Morty'

There are three exe and three torrent files in total. To trace the source we need to look at the torrent files, which may contain address information:

First dump the files and view them with the strings command:

Unfortunately, neither the first nor the second has flag information:

The second one, at 0x000000007dae9350, has the information:

# dump
vol.py -f OtterCTF.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D ./
# view
strings file.None.0xfffffa801b42c9e0.dat

CTF{M3an_T0rren7_4_R!ck} 

9. Path To Glory 2

Let's continue...

I have no idea; let's read the expert's article.

The torrent file was downloaded through a web browser, so first dump all the chrome processes:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 memdump -n chrome.exe -D ./chrome

strings ./chrome/* | grep 'Rick And Morty season 1 download.exe' -C 10

Result:

Along the way, a flag.txt was found, which may be needed in a later level.

CTF{Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in}

10. Bit 4 Bit

Find the attacker's address.

Two methods:

vmware-tray.exe has PID 3720.

Dump the malware:

Background: there are generally two ways to dump a process from memory:

memdump: saves the process memory in .dmp format
procdump: extracts the executable directly

vol.py -f OtterCTF.vmem --profile Win7SP1x64 procdump -p 3720 -D ./kiss

Use IDA Pro for analysis: open executable.3720.exe

Method two:

By string matching:

strings -e l OtterCTF.vmem | grep -i -A 5 "ransomware"

CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}

11. Graphic's For The Weak

Carve out embedded files:

foremost kiss/executable.3720.exe -v

foremost kiss/executable.3720.exe -o odic
-o: carve into the odic directory

Check the output:

CTF{S0_Just_M0v3_Socy}

12. Recovery

Find the random password used to encrypt the files:

In IDA, look at the function that handles the password:

It is found to be computerName + "-" + userName + " ", which is WIN-LO6FAF3DTFE-Rick.

strings command options:

-a --all: scan the whole file rather than only the initialized and loaded sections of an object file
-f --print-file-name: print the file name before each string
-n --bytes=[number]: find and print all NUL-terminated sequences of at least [number] characters
-<number>: sets the minimum number of characters displayed; the default is 4
-t --radix={o,d,x}: print each string's offset in octal, decimal or hexadecimal
-o: same as --radix=o
-T --target=: specify the binary file format
-e --encoding={s,S,b,l,B,L}: select character size and byte order: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
@<file>: read options from a file

Also pass the -e option: the string has to be searched for as 16-bit characters, i.e. -el or -eb, otherwise it cannot be found.

strings -eb OtterCTF.vmem | grep WIN-LO6FAF3DTFE-Rick 
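An added Python example, not from the writeup, of what `strings -el` / `strings -eb` actually scan for: it shows why the default 8-bit scan misses a string that Windows keeps as UTF-16, and that a run in one byte order is also reported under the other, shifted by one byte and missing its first character. The sample bytes are constructed; only the WIN-LO6FAF3DTFE-Rick value comes from the writeup.

```python
import mmap
import re

PRINTABLE = rb"[\x20-\x7e]"
WIDE = {
    # what `strings -el` / `strings -eb` scan for: printable ASCII stored as
    # 16-bit little-endian or big-endian code units, at least 4 characters long
    "utf-16le": re.compile(rb"(?:%s\x00){4,}" % PRINTABLE),
    "utf-16be": re.compile(rb"(?:\x00%s){4,}" % PRINTABLE),
}
ASCII = re.compile(rb"%s{4,}" % PRINTABLE)  # plain 8-bit runs, the default scan


def ascii_strings(data):
    """(offset, text) for 8-bit runs; this is why plain `strings` misses the key."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII.finditer(data)]


def wide_strings(data):
    """(offset, encoding, text) for UTF-16 runs in either byte order. A run in
    one order also matches the other, shifted by one byte and minus its first
    character, so both are reported and the grep decides."""
    for enc, pat in WIDE.items():
        for m in pat.finditer(data):
            yield m.start(), enc, m.group().decode(enc)


def grep_wide(data, needle):
    """Equivalent of `strings -el/-eb image | grep needle`, with offsets."""
    return [hit for hit in wide_strings(data) if needle in hit[2]]


def grep_wide_file(path, needle):
    """Same search over a whole memory image via mmap instead of read()."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return grep_wide(mm, needle)


# Constructed sample: one ordinary 8-bit string, a 0xff separator, then the
# computerName-userName value stored as UTF-16LE, as Windows and .NET programs
# commonly keep their strings in memory.
SAMPLE = (b"\x00" * 8 + b"notepad.exe\x00" + b"\xff"
          + "WIN-LO6FAF3DTFE-Rick".encode("utf-16le") + b"\x00\x00")
```

`grep_wide_file("OtterCTF.vmem", "WIN-LO6FAF3DTFE-Rick")` performs the same search as the strings command above over the full image.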

 CTF{aDOBofVYUNVnmp7}

13. Closure

The last question is about decrypting Rick's files:

A flag.txt was found earlier.

Let's look for it:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 filescan|grep -i 'flag'

It should be the second one; dump it to the kiss directory:

vol.py -f OtterCTF.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007e410890 -D ./kiss

Viewing it with cat shows it is encrypted.

On the command line, strip the null bytes and save the result as flag2.png.locked:

Checking with hexdump still does not show the flag:

tr < file.None.0xfffffa801b0532e0.dat -d '\000' > flag2.png.locked

hexdump -C flag2.png.locked

At this point a tool is needed:

This ransomware is HiddenTear, and the decryptor HiddenTearDecrypter can be found directly online.

WinHex operation:

Shift+Delete to delete:

Deleted successfully.

Rename it to flag.png.locked.

HiddenTearDecrypter:

The key is the flag from question 12, aDOBofVYUNVnmp7.

Of course, it can also be cracked:

It's just a bit slower...

Or enter the key directly:

Success:

flag.png.locked becomes flag.png

Opening it shows a corrupted image:

Rename it to flag.txt and view it:

WinHex view:

CTF{Im_Th@_B3S7_RicK_0f_Th3m_4ll}

Summary:

All 13 levels are now complete. The main tools used were Volatility and hex viewers such as WinHex, along with IDA decompilation for reverse engineering, and finally the HiddenTear ransomware, whose key, as everyone should know by now, can be cracked. There are also some basic Kali commands and tool options to master.

Recommended Blogs:

Memory forensics - the use of volatility tools (more complete tutorials in history, more complete commands) - Lubaby's Blog - CSDN Blog


Source: blog.csdn.net/m0_65712192/article/details/130547657