[2021 First "Longjian Cup" Cybersecurity Competition Final] Memory Forensics Writeup
No internet access in the final... I only had vol 2.6 on hand, so this challenge was completely dead for me.
Table of Contents
- [2021 First "Longjian Cup" Cybersecurity Competition Final] Memory Forensics Writeup
- Product Key
- Anonymous Mailbox
- Remote-Control Backdoor
- Data Wipe Time
[2021 First "Longjian Cup" Cybersecurity Competition Final] Memory Forensics Writeup
Attachment: mem_sec.vmem
1. One day, an operations engineer performed a memory analysis of a compromised host. Analyze the memory image and answer the questions below. Use the mem_sec.zip file on the USB drive for the analysis. The forensic analyst first verified the host information: the product key of this host is __K3KHX-TCQKF-WGFXC-7T3BJ-9TPJC__. (Answer format: all characters uppercase)
2. Intrusion analysis found that the user of this host once visited an anonymous mailbox site at __________. (The answer includes http:// or https:// and has no trailing /)
1 https://mail.td??? 2 john@uuf.me
3. Intrusion analysis found that a remote-control backdoor had been planted on this host; the file path the backdoor was planted from is ________. (Give the absolute path)
C:\Users\Ado\Downloads\steam.exe C:\users\ado\downloads\steam.exe
4. Intrusion analysis found that a tool had been used on this host to wipe traces; the time of the last data wipe was _______. (Timezone UTC+8, format yyyy-mm-dd hh:mm:ss)
A .vmem file is a virtual machine's memory file. Since this challenge is a Windows 10 VM, only vol3 can parse it (https://blog.csdn.net/weixin_46081055/article/details/120524660).
Product Key
The product key can be read from the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
in the BackupProductKeyDefault value on the right-hand side.
$ python3 vol.py -f mem_sec.vmem windows.registry.hivelist
Volatility 3 Framework 1.2.1
Progress: 100.00 PDB scanning finished
Offset FileFullPath File output
0x8084a980e000 Disabled
0x8084a9849000 \REGISTRY\MACHINE\SYSTEM Disabled
0x8084a9881000 \REGISTRY\MACHINE\HARDWARE Disabled
0x8084ac204000 \SystemRoot\System32\Config\SECURITY Disabled
0x8084ac232000 \SystemRoot\System32\Config\DEFAULT Disabled
0x8084ac230000 \SystemRoot\System32\Config\SAM Disabled
0x8084ac206000 \SystemRoot\System32\Config\SOFTWARE Disabled
0x8084ad13e000 \Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD Disabled
0x8084ad392000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Disabled
0x8084ad522000 \SystemRoot\System32\Config\BBI Disabled
0x8084ad4e3000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Disabled
0x8084aea0c000 \??\C:\Windows\AppCompat\Programs\Amcache.hve Disabled
0x8084aea26000 \??\C:\Users\Ado\ntuser.dat Disabled
0x8084ae973000 \??\C:\Users\Ado\AppData\Local\Microsoft\Windows\UsrClass.dat Disabled
0x8084af0b1000 \REGISTRY\A\{FE82E83E-F53E-4F85-85C5-C721392AB949} Disabled
0x8084af152000 \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat Disabled
0x8084af1d2000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat Disabled
0x8084af1de000 \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat Disabled
0x8084aea5a000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.18362.449.0_neutral__8wekyb3d8bbwe\ActivationStore.dat Disabled
0x8084af3dd000 \REGISTRY\A\{6cc7ad55-7bbf-baae-93d4-e961bbc241ec} Disabled
0x8084af997000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\InputApp_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat Disabled
0x8084af90e000 \??\C:\Users\Ado\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat Disabled
0x8084b270f000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.18362.449_neutral__cw5n1h2txyewy\ActivationStore.dat Disabled
0x8084b2bf0000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat Disabled
0x8084b2c1a000 \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat Disabled
0x8084b39e9000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\ActivationStore.dat Disabled
0x8084b3a03000 \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat Disabled
0x8084b3a77000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_5.1902.361.0_x64__8wekyb3d8bbwe\ActivationStore.dat Disabled
0x8084b3a96000 \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\Settings\settings.dat Disabled
0x8084b3d4a000 \??\C:\Windows\System32\config\COMPONENTS Disabled
0x8084b3d7b000 \SystemRoot\System32\config\DRIVERS Disabled
Dump the registry hives and generate a report (the SAM and NT hives could not be retrieved):
$ python3 vol.py -f mem_sec.vmem windows.registry.hivelist --dump --filter "\REGISTRY\MACHINE\SYSTEM"
Volatility 3 Framework 1.2.1
Progress: 100.00 PDB scanning finished
Offset FileFullPath File output
0x8084a9849000 \REGISTRY\MACHINE\SYSTEM registry.SYSTEM.0x8084a9849000.hive
$ python3 vol.py -f mem_sec.vmem windows.registry.hivelist --dump --filter "\SystemRoot\System32\Config\SOFTWARE"
Product key: K3KHX-TCQKF-WGFXC-7T3BJ-9TPJC
Anonymous Mailbox
Use filescan to locate the Google Chrome history file, then dump it with dumpfiles:
0xcf0e4c04ab20 \Users\Ado\AppData\Local\Google\Chrome\User Data\Default\History 216
The history shows that the suspect visited these temporary mailbox sites.
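As an added example (not part of the original writeup), the script below reads visited URLs out of a dumped Chrome `History` file and renders the visit times in UTC+8, which is what the challenge's answer format expects. The file is a SQLite database; `visits.visit_time` holds microseconds since 1601-01-01 UTC (the WebKit epoch, same epoch as FILETIME), so a plain Unix conversion would be off by 369 years. The database, hostnames and timestamps used here are constructed for the demo, not taken from the challenge image, and the evidence file is opened read-only so the script never modifies it.

```python
"""Read visited URLs from a Chrome 'History' SQLite file dumped from memory."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC8 = timezone(timedelta(hours=8))  # timezone the challenge answers are given in


def webkit_to_utc8(us: int) -> str:
    """Convert a WebKit microsecond timestamp to 'yyyy-mm-dd hh:mm:ss' in UTC+8."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S")


def utc8_to_webkit(dt: datetime) -> int:
    """Inverse conversion, done in integer arithmetic so no float rounding creeps in."""
    d = dt - WEBKIT_EPOCH  # both datetimes are timezone-aware, so this is exact
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def visits_matching(history_path: str, like_pattern: str):
    """Return [(time_utc8, url, title)] for visits whose URL matches a SQL LIKE pattern, newest first."""
    # mode=ro via a URI: the dumped evidence file is never written to (no journal, no WAL).
    conn = sqlite3.connect(f"file:{history_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url "
            "WHERE u.url LIKE ? ORDER BY v.visit_time DESC",
            (like_pattern,),
        ).fetchall()
    finally:
        conn.close()
    return [(webkit_to_utc8(t), url, title) for t, url, title in rows]


def build_sample_history(path: str) -> None:
    """Constructed stand-in for a real History file: only the tables/columns queried above."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
    )
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://mail.example.test/inbox", "Temp Mail (constructed)"),
        (2, "https://www.example.test/", "Example (constructed)"),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, utc8_to_webkit(datetime(2021, 9, 25, 10, 0, 0, tzinfo=UTC8))),
        (2, 2, utc8_to_webkit(datetime(2021, 9, 25, 9, 30, 0, tzinfo=UTC8))),
        (3, 1, utc8_to_webkit(datetime(2021, 9, 24, 22, 15, 0, tzinfo=UTC8))),
    ])
    conn.commit()
    conn.close()


def demo():
    """Build the constructed History file in a temp dir and list the mail-related visits."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    build_sample_history(path)
    return visits_matching(path, "%mail%")


if __name__ == "__main__":
    for when, url, title in demo():
        print(when, url, title)
```

Against a real dump, point `visits_matching` at the file written by `windows.dumpfiles` and widen the LIKE pattern as needed; the `ORDER BY` gives the most recent visit first, which is usually the one a question like this is after.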
Remote-Control Backdoor
There are two steam.exe processes: one is the normal installation (under C:\Program Files (x86)\), the other lives under Downloads.
The legitimate Steam spawns many child processes (steamwebhelper and the like); the malicious program does not.
python3 vol.py -f mem_sec.vmem windows.cmdline
Result:
6864 steam.exe Required memory at 0xbf1b88 is inaccessible (swapped)
6932 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=zh_CN" "-cachedir=C:\Users\Ado\AppData\Local\Steam\htmlcache" "-steampid=6864" "-buildid=1631237534" "-steamid=0" "-cachedir=C:\Users\Ado\AppData\Local\Steam\htmlcache" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu
6960 steamwebhelper Required memory at 0x23777471d18 is inaccessible (swapped)
6996 steamservice.e Required memory at 0x101a020 is inaccessible (swapped)
7072 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=zh-CN --buildid=1631237534 --steamid=0 --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --service-request-channel-token=8367268148546171292 --mojo-platform-channel-handle=1512 --ignored=" --type=renderer " /prefetch:2
6356 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=zh-CN --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=zh-CN --buildid=1631237534 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --service-request-channel-token=3596301750699654214 --mojo-platform-channel-handle=1524 /prefetch:8
…………
5004 steam.exe "C:\Users\Ado\Downloads\steam.exe"
…………
7140 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=zh-CN --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1631237534 --steamid=0 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7050656953433046572 --renderer-client-id=7 --mojo-platform-channel-handle=3260 /prefetch:1
1124 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=zh-CN --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1631237534 --steamid=0 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11198636302058458110 --renderer-client-id=8 --mojo-platform-channel-handle=3524 /prefetch:1
8208 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=zh-CN --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1631237534 --steamid=0 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=15708242794114963385 --renderer-client-id=9 --mojo-platform-channel-handle=3680 /prefetch:1
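Added example, not from the original post: a script that applies the reasoning above mechanically to `windows.cmdline` output. It extracts the image path from each row, groups image names by the directory they run from, and flags any name that runs from two different places, reporting the directories that fall outside the usual install roots. The sample rows are constructed in the shape of the output above (the 6864 steam.exe row is given a path here, whereas in the real output it was swapped out), and the list of "standard" roots is an assumption to adjust per environment.

```python
"""Flag image names that run from more than one directory in vol3 windows.cmdline output."""
import re
from collections import defaultdict

# Constructed rows in the shape "PID  Process  Args"; paths and PIDs are illustrative.
SAMPLE_CMDLINE = r"""
6864 steam.exe "C:\Program Files (x86)\Steam\steam.exe"
6932 steamwebhelper "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=zh_CN" "-steampid=6864"
6996 steamservice.e Required memory at 0x101a020 is inaccessible (swapped)
5004 steam.exe "C:\Users\Ado\Downloads\steam.exe"
1448 explorer.exe C:\Windows\Explorer.EXE
"""

# Leading image path, optionally quoted, up to the first ".exe".
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)
# Assumed "expected" roots; anything else running a duplicate image name gets reported.
STANDARD_ROOTS = ("c:\\program files", "c:\\windows")


def parse_cmdline(text: str):
    """Return [(pid, name, image_path_or_None)] for each data row; banner/header lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        args = parts[2] if len(parts) == 3 else ""
        m = IMAGE_RE.match(args)  # rows whose memory was swapped out have no path
        rows.append((int(parts[0]), parts[1], m.group(1) if m else None))
    return rows


def image_dirs_by_name(rows):
    """Map lowercase image basename -> set of lowercase directories it was launched from."""
    by_name = defaultdict(set)
    for _, _, path in rows:
        if path:
            directory, _, base = path.rpartition("\\")
            by_name[base.lower()].add(directory.lower())
    return by_name


def find_lookalikes(rows):
    """Image names seen in more than one directory, with the directories outside STANDARD_ROOTS."""
    suspicious = {}
    for base, dirs in image_dirs_by_name(rows).items():
        if len(dirs) > 1:
            suspicious[base] = {d for d in dirs if not d.startswith(STANDARD_ROOTS)}
    return suspicious


if __name__ == "__main__":
    for name, dirs in find_lookalikes(parse_cmdline(SAMPLE_CMDLINE)).items():
        print(name, "also runs from:", sorted(dirs))
```

On a real dump, feed it the saved output of `windows.cmdline`; a name that appears under both the install directory and a user-writable location such as Downloads is exactly the pattern the writeup spots by eye, and `windows.pstree` then confirms which of the two has the expected children.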
Data Wipe Time
From the browsing history in question 2 we know the suspect downloaded 无影无踪.
Scan for files:
python3 vol.py -f mem_sec.vmem windows.filescan > 1/f1ile.txt
Dump the NTFS metafiles:
0xcf0e46c3b1e0 \$Extend\$UsnJrnl:$J:$DATA 216
0xcf0e46c3b4c0 \$LogFile 216
0xcf0e4934d0a0 \$Mft 216
python3 vol.py -f mem_sec.vmem windows.dumpfiles --virtaddr 0xcf0e46c3b1e0
Generate a report.
But there was no conclusive evidence in it…
Check the execution history with userassist:
python3 vol.py -f "/home/p3/qztool/volatility3/mem_sec.vmem" windows.registry.userassist > user.txt
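Added example, not part of the original writeup: since this question comes down to reading a last-execution timestamp out of UserAssist, the script below decodes a single Windows 7+ UserAssist value the way the vol3 plugin does: un-ROT13 the value name, take the run count from offset 4 and the last-run FILETIME from offset 60 of the 72-byte data blob, and render that FILETIME in UTC+8 in the yyyy-mm-dd hh:mm:ss format the question asks for. The program path and timestamp are constructed for the demo, not read from the image.

```python
"""Decode one Windows 7+ UserAssist registry value into program, run count and last-run time (UTC+8)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC8 = timezone(timedelta(hours=8))  # timezone required by the challenge


def filetime_to_utc8(ft: int) -> str:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; format as yyyy-mm-dd hh:mm:ss in UTC+8."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S")


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Win7+ layout (72 bytes): +4 run count, +8 focus count, +12 focus time (ms), +60 last-run FILETIME."""
    if len(data) < 68:
        # Windows XP used a 16-byte layout with the FILETIME at +8; refuse rather than misread it.
        raise ValueError(f"expected a 72-byte Win7+ UserAssist value, got {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot13"),  # value names are ROT13-obfuscated
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_utc8(last_run) if last_run else None,  # 0 = never recorded
    }


def encode_sample(program: str, run_count: int, last_run_utc8: datetime):
    """Build a constructed (value_name, data) pair in the same layout, for testing the decoder offline."""
    d = last_run_utc8 - FILETIME_EPOCH  # aware datetimes, so the UTC+8 offset is applied correctly
    ft = ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10  # integer math, no rounding
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ft)
    return codecs.encode(program, "rot13"), bytes(data)


def demo() -> dict:
    """Round-trip a constructed entry (hypothetical program path, hypothetical time)."""
    name, data = encode_sample(r"C:\Users\Ado\Downloads\example_tool.exe", 3,
                               datetime(2021, 9, 25, 10, 0, 0, tzinfo=UTC8))
    return decode_userassist(name, data)


if __name__ == "__main__":
    print(demo())
```

The vol3 `windows.registry.userassist` plugin prints its "Last Updated" column in UTC, so the UTC+8 conversion still has to be applied by hand before filling in the answer; doing it with timezone-aware datetimes, as above, avoids the off-by-eight-hours mistake that a naive `fromtimestamp` call invites.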