CTFtime.org / HCTF 2018 / eazy dump / Writeup

> forensics
>
> tools:https://github.com/volatilityfoundation/volatility
### 1.First, we just need to look what is in the file.
```
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# python vol.py -f mem.data imagenfo
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
ERROR : volatility.debug : You must specify something to do (try -h)
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# ls
1.out AUTHORS.txt contrib dump LICENSE.txt MANIFEST.in PKG-INFO pyinstaller.spec resources tools user.out vol.py
2.out CHANGELOG.txt CREDITS.txt LEGAL.txt Makefile mem.data pyinstaller README.txt setup.py uer.out volatility
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# python vol.py -f mem.data imageinfo
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/aaa/20181110/volatility/mem.data)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80004035070L
Number of Processors : 4
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff80004036d00L
KPCR for CPU 1 : 0xfffff880009ee000L
KPCR for CPU 2 : 0xfffff88004568000L
KPCR for CPU 3 : 0xfffff880045dd000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-11-07 08:26:52 UTC+0000
Image local date and time : 2018-11-07 16:26:52 +0800
```
### 2. Dump all the running processes to see if there was any interesting software running.
`python vol.py -f mem.data --profile=Win7SP0x64 psscan`

```
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000000000505340 spoolsv.exe 1096 472 0x000000000b1f9000 2018-11-07 08:12:37 UTC+0000
0x0000000000b0ab30 svchost.exe 648 472 0x000000000c79f000 2018-11-07 08:12:35 UTC+0000
0x000000000116e560 mspaint.exe 2768 1696 0x0000000003b05000 2018-11-07 08:16:05 UTC+0000 <- this one
0x0000000001210b30 taskhost.exe 1452 472 0x0000000006092000 2018-11-07 08:12:37 UTC+0000
0x0000000002757390 wordpad.exe 1804 1696 0x000000000a876000 2018-11-07 08:15:35 UTC+0000 <- this one
0x0000000003399b30 SearchIndexer. 2476 472 0x0000000001362000 2018-11-07 08:12:46 UTC+0000
0x00000000033f4b30 explorer.exe 1696 1548 0x000000000bfb0000 2018-11-07 08:12:38 UTC+0000
0x00000000038fd800 WmiPrvSE.exe 3052 648 0x000000000d18a000 2018-11-07 08:12:59 UTC+0000
0x0000000003d1e060 csrss.exe 424 408 0x0000000003d0f000 2018-11-07 08:12:33 UTC+0000
0x00000000042ab630 dllhost.exe 1716 472 0x000000000093d000 2018-11-07 08:12:40 UTC+0000
0x000000000449f060 wininit.exe 416 344 0x0000000004510000 2018-11-07 08:12:33 UTC+0000
0x00000000046bb570 WmiPrvSE.exe 1392 648 0x0000000002bd3000 2018-11-07 08:12:40 UTC+0000
0x0000000005733b30 vmtoolsd.exe 2028 1696 0x000000000babd000 2018-11-07 08:12:39 UTC+0000
0x000000000636f880 lsm.exe 524 416 0x000000000e447000 2018-11-07 08:12:33 UTC+0000
0x000000000670cb30 WmiApSrv.exe 1228 472 0x00000000042be000 2018-11-07 08:13:05 UTC+0000
0x00000000077b7b30 services.exe 472 416 0x000000000e217000 2018-11-07 08:12:33 UTC+0000
0x000000000836f060 conhost.exe 2932 364 0x000000000727e000 2018-11-07 08:26:51 UTC+0000 2018-11-07 08:26:52 UTC+0000
0x00000000089da060 sppsvc.exe 1040 472 0x000000000c494000 2018-11-07 08:14:39 UTC+0000
0x00000000089da630 wmpnetwk.exe 2724 472 0x000000000dbd0000 2018-11-07 08:12:47 UTC+0000
0x00000000092ef060 vmtoolsd.exe 1356 472 0x00000000083d2000 2018-11-07 08:12:37 UTC+0000
0x000000000960db30 dwm.exe 1628 884 0x000000000c5dc000 2018-11-07 08:12:38 UTC+0000
0x00000000097ddb30 lsass.exe 516 416 0x000000000a43f000 2018-11-07 08:12:33 UTC+0000
0x000000000980db30 svchost.exe 844 472 0x00000000048aa000 2018-11-07 08:12:35 UTC+0000
0x0000000009937b30 vmacthlp.exe 704 472 0x0000000009d4c000 2018-11-07 08:12:35 UTC+0000
0x000000000999f060 csrss.exe 364 344 0x000000000841f000 2018-11-07 08:12:33 UTC+0000
0x000000000a65e060 svchost.exe 1376 472 0x000000000095f000 2018-11-07 08:14:39 UTC+0000
0x000000000b3a39e0 svchost.exe 288 472 0x0000000009767000 2018-11-07 08:12:36 UTC+0000
0x000000000b996b30 svchost.exe 2568 472 0x0000000002e83000 2018-11-07 08:12:46 UTC+0000
0x000000000c42b060 VGAuthService. 1300 472 0x00000000070e6000 2018-11-07 08:12:37 UTC+0000
0x000000000d0ebb30 svchost.exe 884 472 0x000000000b3b0000 2018-11-07 08:12:36 UTC+0000
0x000000000d8b0670 winlogon.exe 504 408 0x000000000d895000 2018-11-07 08:12:33 UTC+0000
0x000000000d9cbb30 svchost.exe 520 472 0x00000000025ad000 2018-11-07 08:12:37 UTC+0000
0x000000000dd83b30 msdtc.exe 2236 472 0x000000000dd76000 2018-11-07 08:12:42 UTC+0000
0x000000000dd8fb30 audiodg.exe 1000 844 0x000000000dab6000 2018-11-07 08:12:36 UTC+0000
0x000000000e2d7b30 svchost.exe 912 472 0x000000000c056000 2018-11-07 08:12:36 UTC+0000
0x000000000e36d060 svchost.exe 1124 472 0x000000000b408000 2018-11-07 08:12:37 UTC+0000
0x000000000eab2b30 svchost.exe 748 472 0x000000000a1d8000 2018-11-07 08:12:35 UTC+0000
0x000000000f0729d0 smss.exe 276 4 0x00000000088ec000 2018-11-07 08:12:31 UTC+0000
0x000000000f207470 svchost.exe 2472 472 0x000000000108d000 2018-11-07 08:16:06 UTC+0000
0x000000000f4feb30 cmd.exe 2824 1356 0x00000000092a9000 2018-11-07 08:26:51 UTC+0000 2018-11-07 08:26:52 UTC+0000
0x000000000f59ab30 MineSweeper.ex 312 1696 0x0000000003854000 2018-11-07 08:15:39 UTC+0000
0x000000000ff22040 System 4 0 0x0000000000187000 2018-11-07 08:12:31 UTC+0000
```

### 3.dump them to our local directory

`mkdir dump`

` python vol.py -f mem.data --profile=Win7SP0x64 memdump -p 2768 -D dump/`

```
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# cd dump
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility/dump# ls
2768.dmp
```
### 4.now let's use another tool.
`https://www.gimp.org/`
It's icon is a lovely dog!
rename our file to 2768.data

### 5.open it with our ~~dog~~ GIMP

click your mouse randomly![](https://xzfile.aliyuncs.com/media/upload/picture/20181113075334-2a5e9d28-e6d6-1.png)

### 6. I prefer use word2016 to rotate the picture
then I have the flag.

Thanks.

By: godspeedcurry from AAA

Original writeup (https://hctf.io/).

eazy dump

Comments

Sign in with