The final had no internet access... all I had on hand was vol 2.6, so this challenge was completely dead for me.

Table of contents

  • [2021 First "陇剑杯" Cybersecurity Competition, Final] Memory forensics writeup
    • Product key
    • Anonymous mailbox
    • Remote-control backdoor
    • Data wipe time

[2021 First "陇剑杯" Cybersecurity Competition, Final] Memory forensics writeup

Attachment: mem_sec.vmem

1. One day an operations engineer performed a memory analysis of a compromised host. Analyze the memory image and answer the questions below, using the mem_sec.zip file on the USB drive. The investigator first verified the host information: the product key of this host is __K3KHX-TCQKF-WGFXC-7T3BJ-9TPJC__. (Answer format: all characters uppercase)

2. Intrusion analysis found that a user of this host once visited an anonymous mailbox site; its URL is __________. (The answer includes http:// or https:// and has no trailing /)

1. https://mail.td???
2. john@uuf.me

3. Intrusion analysis found that a remote-control backdoor had been planted on this host; the file path it was planted at is ________. (Give the absolute path)
C:\Users\Ado\Downloads\steam.exe C:\users\ado\downloads\steam.exe

4. Intrusion analysis found that a tool had been used on this host to clear traces; the time of the last data wipe is _______. (Time zone UTC+8, format yyyy-mm-dd hh:mm:ss)

A .vmem file is a virtual machine's memory file. Since this challenge is a Windows 10 VM, only Volatility 3 can parse it (https://blog.csdn.net/weixin_46081055/article/details/120524660).

Product key

The product key can be read from the registry: it is the BackupProductKeyDefault value under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform.

$ python3 vol.py -f mem_sec.vmem windows.registry.hivelist
Volatility 3 Framework 1.2.1
Progress:  100.00               PDB scanning finished
Offset  FileFullPath    File output
0x8084a980e000          Disabled
0x8084a9849000  \REGISTRY\MACHINE\SYSTEM        Disabled
0x8084a9881000  \REGISTRY\MACHINE\HARDWARE      Disabled
0x8084ac204000  \SystemRoot\System32\Config\SECURITY    Disabled
0x8084ac232000  \SystemRoot\System32\Config\DEFAULT     Disabled
0x8084ac230000  \SystemRoot\System32\Config\SAM Disabled
0x8084ac206000  \SystemRoot\System32\Config\SOFTWARE    Disabled
0x8084ad13e000  \Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD  Disabled
0x8084ad392000  \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT        Disabled
0x8084ad522000  \SystemRoot\System32\Config\BBI Disabled
0x8084ad4e3000  \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT  Disabled
0x8084aea0c000  \??\C:\Windows\AppCompat\Programs\Amcache.hve   Disabled
0x8084aea26000  \??\C:\Users\Ado\ntuser.dat     Disabled
0x8084ae973000  \??\C:\Users\Ado\AppData\Local\Microsoft\Windows\UsrClass.dat   Disabled
0x8084af0b1000  \REGISTRY\A\{FE82E83E-F53E-4F85-85C5-C721392AB949}      Disabled
0x8084af152000  \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat   Disabled
0x8084af1d2000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat Disabled
0x8084af1de000  \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat   Disabled
0x8084aea5a000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.18362.449.0_neutral__8wekyb3d8bbwe\ActivationStore.dat        Disabled
0x8084af3dd000  \REGISTRY\A\{6cc7ad55-7bbf-baae-93d4-e961bbc241ec}      Disabled
0x8084af997000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\InputApp_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat      Disabled
0x8084af90e000  \??\C:\Users\Ado\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat    Disabled
0x8084b270f000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.18362.449_neutral__cw5n1h2txyewy\ActivationStore.dat  Disabled
0x8084b2bf0000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat   Disabled
0x8084b2c1a000  \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat       Disabled
0x8084b39e9000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\ActivationStore.dat    Disabled
0x8084b3a03000  \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat      Disabled
0x8084b3a77000  \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_5.1902.361.0_x64__8wekyb3d8bbwe\ActivationStore.datDisabled
0x8084b3a96000  \??\C:\Users\Ado\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\Settings\settings.dat        Disabled
0x8084b3d4a000  \??\C:\Windows\System32\config\COMPONENTS       Disabled
0x8084b3d7b000  \SystemRoot\System32\config\DRIVERS     Disabled

Dump the registry hives and generate a report (the SAM and NT hives could not be retrieved):

$ python3 vol.py -f mem_sec.vmem  windows.registry.hivelist --dump --filter "\REGISTRY\MACHINE\SYSTEM"
Volatility 3 Framework 1.2.1
Progress:  100.00               PDB scanning finished
Offset  FileFullPath    File output
0x8084a9849000  \REGISTRY\MACHINE\SYSTEM        registry.SYSTEM.0x8084a9849000.hive

$ python3 vol.py -f mem_sec.vmem  windows.registry.hivelist --dump --filter "\SystemRoot\System32\Config\SOFTWARE"



Product key: K3KHX-TCQKF-WGFXC-7T3BJ-9TPJC

Anonymous mailbox

Use filescan to locate the Google Chrome history file, then dump it with dumpfiles:

0xcf0e4c04ab20   \Users\Ado\AppData\Local\Google\Chrome\User Data\Default\History    216


The dumped History database shows that the suspect visited several temporary-mailbox sites.
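As an added example (not the author's code), the Python below parses the dumped Chrome History database, which is SQLite, and lists each visited URL with its last-visit time converted from Chrome's WebKit epoch to UTC+8 in the answer format the questions require. The temp-mail domain, the sample rows and the temporary file are constructed, not data from the image.

```python
"""Parse a Chrome History database (as dumped with windows.dumpfiles) and list visited URLs in UTC+8."""
import os, sqlite3, tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC8 = timezone(timedelta(hours=8))  # the time zone the questions ask for


def webkit_to_utc8(us):
    """WebKit microsecond timestamp -> 'yyyy-mm-dd hh:mm:ss' in UTC+8."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S")


def answer_format(url):
    """Question 2 wants the scheme kept and no trailing '/'."""
    return url[:-1] if url.endswith("/") else url


def visited_urls(db_path):
    """Return (url, title, visit_count, utc8_time) newest first. The file is
    opened read-only through a URI so the evidence file is never modified."""
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        rows = con.execute("SELECT url, title, visit_count, last_visit_time "
                           "FROM urls ORDER BY last_visit_time DESC").fetchall()
    finally:
        con.close()
    return [(answer_format(u), t, c, webkit_to_utc8(ts)) for u, t, c, ts in rows]


def demo():
    """Build a constructed History file (real Chrome 'urls' columns, made-up rows)
    and parse it; nothing in it is data from mem_sec.vmem."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
                "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    con.executemany("INSERT INTO urls(url, title, visit_count, last_visit_time) VALUES (?,?,?,?)", [
        ("https://www.bing.com/", "Bing", 1, 13277170800000000),                              # 07:00:00 UTC+8
        ("https://mail.example-temp.test/", "Temp Mail (constructed)", 3, 13277174400000000),  # 08:00:00 UTC+8
    ])
    con.commit()
    con.close()
    try:
        return visited_urls(path)
    finally:
        os.remove(path)
```

On a real dump, call visited_urls("History") on the file written by dumpfiles; the `visits` table can be joined the same way when the per-visit sequence is needed.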

Remote-control backdoor

There are two steam.exe processes: one from the normal installation (under C:\Program Files (x86)\) and another under Downloads.
The legitimate Steam launches many child processes (steamwebhelper and the like); the malicious program does not.

python3 vol.py -f mem_sec.vmem windows.cmdline

Result:

6864 steam.exe   Required memory at 0xbf1b88 is inaccessible (swapped)
6932    steamwebhelper  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=zh_CN" "-cachedir=C:\Users\Ado\AppData\Local\Steam\htmlcache" "-steampid=6864" "-buildid=1631237534" "-steamid=0" "-cachedir=C:\Users\Ado\AppData\Local\Steam\htmlcache" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu
6960    steamwebhelper  Required memory at 0x23777471d18 is inaccessible (swapped)
6996    steamservice.e  Required memory at 0x101a020 is inaccessible (swapped)
7072    steamwebhelper  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=zh-CN --buildid=1631237534 --steamid=0 --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --service-request-channel-token=8367268148546171292 --mojo-platform-channel-handle=1512 --ignored=" --type=renderer " /prefetch:2
6356    steamwebhelper  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=zh-CN --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=zh-CN --buildid=1631237534 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --service-request-channel-token=3596301750699654214 --mojo-platform-channel-handle=1524 /prefetch:8
…………
5004    steam.exe   "C:\Users\Ado\Downloads\steam.exe"
…………
7140    steamwebhelper  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=zh-CN --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1631237534 --steamid=0 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7050656953433046572 --renderer-client-id=7 --mojo-platform-channel-handle=3260 /prefetch:1
1124    steamwebhelper  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=zh-CN --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1631237534 --steamid=0 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11198636302058458110 --renderer-client-id=8 --mojo-platform-channel-handle=3524 /prefetch:1
8208    steamwebhelper  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1504,1780523561363773034,14588998028209356534,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=zh-CN --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1631237534 --steamid=0 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=15708242794114963385 --renderer-client-id=9 --mojo-platform-channel-handle=3680 /prefetch:1
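The heuristic above, as an added example written for this writeup rather than taken from it: given a process list in (pid, ppid, image, command line) form, flag same-named processes that have no children while a sibling does, or that run from a user-writable folder. PIDs 6864, 6932, 6996 and 5004 and the two steam.exe paths come from the output above; the parent PID 4200 and the steamservice path are assumptions.

```python
"""Flag a look-alike process: the real Steam client spawns steamwebhelper/steamservice
children, while the copy in Downloads runs alone. Rows are (pid, ppid, image, command line)."""
from collections import Counter

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def exe_path(cmdline):
    """First token of the command line, quotes stripped, lower-cased."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)].lower()
    return s.split(" ", 1)[0].lower()


def find_lookalikes(procs):
    """Return [(pid, path, reason)] for processes that share an image name with
    another process but have no children while a sibling does, or run from a
    user-writable folder. Single-instance processes are left alone."""
    children = Counter(ppid for _pid, ppid, _img, _cmd in procs)
    by_name = {}
    for pid, _ppid, img, cmd in procs:
        by_name.setdefault(img.lower(), []).append((pid, exe_path(cmd), children[pid]))
    flagged = []
    for inst in by_name.values():
        if len(inst) < 2:
            continue
        busiest = max(n for _p, _path, n in inst)
        for pid, path, n in inst:
            reasons = []
            if n == 0 and busiest > 0:
                reasons.append("no child processes (sibling has %d)" % busiest)
            if any(d in path for d in USER_WRITABLE):
                reasons.append("runs from user-writable path")
            if reasons:
                flagged.append((pid, path, "; ".join(reasons)))
    return flagged


# Constructed process list: PIDs and the two steam.exe paths are from the writeup,
# the parent PID 4200 and the steamservice path are made up.
SAMPLE = [
    (6864, 4200, "steam.exe", r'"C:\Program Files (x86)\Steam\steam.exe"'),
    (6932, 6864, "steamwebhelper.exe", r'"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" -steampid=6864'),
    (6996, 6864, "steamservice.exe", r'"C:\Program Files (x86)\Steam\bin\steamservice.exe"'),
    (5004, 4200, "steam.exe", r'"C:\Users\Ado\Downloads\steam.exe"'),
]
```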

Data wipe time

From the browsing history in question 2 we know the suspect downloaded the trace-wiping tool 无影无踪.

Scan the files:

python3 vol.py -f mem_sec.vmem windows.filescan > 1/f1ile.txt

Export the NTFS metafiles:

0xcf0e46c3b1e0  \$Extend\$UsnJrnl:$J:$DATA  216
0xcf0e46c3b4c0  \$LogFile   216
0xcf0e4934d0a0  \$Mft   216

python3 vol.py -f mem_sec.vmem windows.dumpfiles --virtaddr 0xcf0e46c3b1e0

Generate a report

But there was no conclusive evidence in it...
Check UserAssist for the execution history:

python3 vol.py -f "/home/p3/qztool/volatility3/mem_sec.vmem" windows.registry.userassist > user.txt
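Dumping $UsnJrnl:$J yields a raw stream of USN_RECORD_V2 structures. The added Python below (not part of the original writeup) walks that stream, decodes the reason flags and converts each FILETIME to UTC+8, so the newest FILE_DELETE can be read off directly in the answer format of question 4. The sample records are constructed with a helper and are not data from mem_sec.vmem.

```python
"""Walk a dumped $UsnJrnl:$J stream and list NTFS change events in UTC+8."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC8 = timezone(timedelta(hours=8))
# USN_RECORD_V2 fixed part (60 bytes), followed by the UTF-16LE file name.
HDR = struct.Struct("<IHHQQqQIIIIHH")
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}


def filetime_to_utc8(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'yyyy-mm-dd hh:mm:ss' in UTC+8."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S")


def reason_names(mask):
    return "|".join(n for bit, n in sorted(REASONS.items()) if mask & bit)


def parse_usn(data):
    """Yield (utc8_time, file_name, reasons) per V2 record. The journal is a sparse
    file, so zero padding is skipped; a record cut off by the dump ends the walk."""
    off = 0
    while off + HDR.size <= len(data):
        if data[off:off + 4] == b"\0\0\0\0":   # padding; records are 8-byte aligned
            off += 8
            continue
        rlen, major, _, _, _, _, ts, reason, _, _, _, nlen, noff = HDR.unpack_from(data, off)
        if major != 2 or rlen < HDR.size or off + rlen > len(data):
            break
        name = data[off + noff:off + noff + nlen].decode("utf-16-le", "replace")
        yield filetime_to_utc8(ts), name, reason_names(reason)
        off += rlen


def latest_delete(data):
    """UTC+8 time of the newest FILE_DELETE record, or None if there is none."""
    times = [t for t, _n, r in parse_usn(data) if "FILE_DELETE" in r.split("|")]
    return max(times) if times else None


def build_record(ft, reason, name):
    """Constructed USN_RECORD_V2 for exercising the parser; not data from the image."""
    enc = name.encode("utf-16-le")
    rlen = (HDR.size + len(enc) + 7) & ~7
    hdr = HDR.pack(rlen, 2, 0, 0x5, 0x5, 0, ft, reason, 0, 0, 0x20, len(enc), HDR.size)
    return hdr + enc + b"\0" * (rlen - len(hdr) - len(enc))


# Constructed sample: 16 bytes of sparse padding, then a create and a later delete of steam.exe.
SAMPLE = (b"\0" * 16
          + build_record(132771744000000000, 0x100 | 0x80000000, "steam.exe")   # 2021-09-27 08:00:00 UTC+8
          + build_record(132771780000000000, 0x200 | 0x80000000, "steam.exe"))  # 2021-09-27 09:00:00 UTC+8
```

On the real artifact, pass the bytes of the file written by dumpfiles to parse_usn; the $LogFile and $MFT dumps need their own parsers and are not covered here.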
