Seccon 2016 100_memoryanalysis Writeup

LeeDoHyun · March 27, 2020

question.txt

Memory forensics
Where is the website that fake svchost is accessing?

Hint: http://www.volatilityfoundation.org/

This is a memory forensics challenge. Since the hint points to Volatility, it looks like we will need to use Volatility.

pslist

C:\Users\leedohyun\Downloads\volatility>volatility_2.6_win64_standalone.exe pslist -f forensic_100.raw
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit         
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8660 System                    4      0     58      259 ------      0                                             
0x81a18020 smss.exe                540      4      3       19 ------      0 2016-12-06 05:27:04 UTC+0000                
0x81ef6da0 csrss.exe               604    540     11      480      0      0 2016-12-06 05:27:07 UTC+0000                
0x82173da0 winlogon.exe            628    540     24      541      0      0 2016-12-06 05:27:07 UTC+0000                
0x8216e670 services.exe            672    628     15      286      0      0 2016-12-06 05:27:07 UTC+0000                
0x81f8c9a0 lsass.exe               684    628     26      374      0      0 2016-12-06 05:27:07 UTC+0000                
0x82154880 vmacthlp.exe            836    672      1       25      0      0 2016-12-06 05:27:08 UTC+0000                
0x81e18da0 svchost.exe             848    672     20      216      0      0 2016-12-06 05:27:08 UTC+0000                
0x82151ca8 svchost.exe             936    672     10      272      0      0 2016-12-06 05:27:08 UTC+0000                
0x82312450 svchost.exe            1036    672     87     1514      0      0 2016-12-06 05:27:08 UTC+0000                
0x81f92778 svchost.exe            1088    672      7       83      0      0 2016-12-06 05:27:08 UTC+0000                
0x81e41928 svchost.exe            1320    672     12      183      0      0 2016-12-06 05:27:10 UTC+0000                
0x8231f698 explorer.exe           1556   1520     15      466      0      0 2016-12-06 05:27:10 UTC+0000                
0x81f0dbe0 spoolsv.exe            1644    672     15      133      0      0 2016-12-06 05:27:10 UTC+0000                
0x81e4f560 svchost.exe            1704    672      5      107      0      0 2016-12-06 05:27:10 UTC+0000                
0x81f65da0 svchost.exe            1776    672      2       23      0      0 2016-12-06 05:27:10 UTC+0000                
0x821f8438 vmtoolsd.exe           1856   1556      3      129      0      0 2016-12-06 05:27:11 UTC+0000                
0x82170da0 ctfmon.exe             1872   1556      1       87      0      0 2016-12-06 05:27:11 UTC+0000                
0x81f00558 VGAuthService.e         196    672      2       60      0      0 2016-12-06 05:27:13 UTC+0000                
0x81e4b4b0 vmtoolsd.exe            312    672      9      265      0      0 2016-12-06 05:27:13 UTC+0000                
0x81e886f0 GoogleUpdate.ex         372   1984      7      138      0      0 2016-12-06 05:27:13 UTC+0000                
0x82062b20 wuauclt.exe             488   1036      7      132      0      0 2016-12-06 05:27:13 UTC+0000                
0x81e89200 wmiprvse.exe            596    848     12      255      0      0 2016-12-06 05:27:13 UTC+0000                
0x82267900 rundll32.exe           1712   1556      2      144      0      0 2016-12-06 05:27:16 UTC+0000                
0x81f46238 alg.exe                2028    672      7      104      0      0 2016-12-06 05:27:16 UTC+0000                
0x81e56228 wscntfy.exe             720   1036      1       37      0      0 2016-12-06 05:27:18 UTC+0000                
0x8225bda0 IEXPLORE.EXE            380   1776     22      385      0      0 2016-12-06 05:27:19 UTC+0000                
0x8229f7e8 IEXPLORE.EXE           1080    380     19      397      0      0 2016-12-06 05:27:21 UTC+0000                
0x81f2cb20 wuauclt.exe            3164   1036      5      107      0      0 2016-12-06 05:28:15 UTC+0000                
0x819b4380 tcpview.exe            3308   1556      2       84      0      0 2016-12-06 05:28:42 UTC+0000                
0x8216a5e8 DumpIt.exe             3740   1556      1       25      0      0 2016-12-06 05:28:46 UTC+0000 

The process list shows traces of Internet use (IEXPLORE.EXE is running). We should look at the connection log next.

C:\Users\leedohyun\Downloads\volatility>volatility_2.6_win64_standalone.exe connections -f forensic_100.raw
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8213bbe8 192.168.88.131:1034       153.127.200.178:80        1080

We can see a connection being made to 153.127.200.178:80.
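As an added example (not part of the original writeup), the script below parses the pslist and connections output shown above, joins them by PID and walks the parent chain of the process that owns the connection. The listing itself already contains the tell the challenge is about: the IEXPLORE.EXE pair (PIDs 1080 and 380) descends from svchost.exe PID 1776, which has only 2 threads and 23 handles, and a genuine service host does not launch a browser. The sample rows are copied from the output above; the allowlist of children that svchost.exe may legitimately spawn is an assumption taken from this dump (wuauclt.exe and wscntfy.exe under PID 1036) and would be tuned against a known-good baseline in practice.

```python
"""Added example (not the writeup's own code): join Volatility 2 pslist
and connections output by PID, walk the parent chain of the connecting
process, and flag svchost.exe instances that break the expected
parent/child pattern. Sample rows are copied from the writeup's output."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid threads handles")
Conn = namedtuple("Conn", "local remote pid")

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8660 System                    4      0     58      259 ------      0
0x81a18020 smss.exe                540      4      3       19 ------      0 2016-12-06 05:27:04 UTC+0000
0x82173da0 winlogon.exe            628    540     24      541      0      0 2016-12-06 05:27:07 UTC+0000
0x8216e670 services.exe            672    628     15      286      0      0 2016-12-06 05:27:07 UTC+0000
0x81e18da0 svchost.exe             848    672     20      216      0      0 2016-12-06 05:27:08 UTC+0000
0x82312450 svchost.exe            1036    672     87     1514      0      0 2016-12-06 05:27:08 UTC+0000
0x8231f698 explorer.exe           1556   1520     15      466      0      0 2016-12-06 05:27:10 UTC+0000
0x81f65da0 svchost.exe            1776    672      2       23      0      0 2016-12-06 05:27:10 UTC+0000
0x82062b20 wuauclt.exe             488   1036      7      132      0      0 2016-12-06 05:27:13 UTC+0000
0x8225bda0 IEXPLORE.EXE            380   1776     22      385      0      0 2016-12-06 05:27:19 UTC+0000
0x8229f7e8 IEXPLORE.EXE           1080    380     19      397      0      0 2016-12-06 05:27:21 UTC+0000
"""
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8213bbe8 192.168.88.131:1034       153.127.200.178:80        1080
"""

PS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Children that svchost.exe legitimately spawns in this dump (wuauclt.exe and
# wscntfy.exe under PID 1036). Assumption: tune against a known-good baseline.
EXPECTED_SVCHOST_CHILDREN = {"wuauclt.exe", "wscntfy.exe"}


def parse_pslist(text):
    """Return {pid: Proc} for every data row; header/separator rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            off, name, pid, ppid, thds, hnds = m.groups()
            procs[int(pid)] = Proc(off, name, int(pid), int(ppid), int(thds), int(hnds))
    return procs


def parse_connections(text):
    """Return a list of Conn rows from the connections plugin output."""
    return [Conn(l, r, int(p)) for l, r, p in
            (m.groups() for m in map(CONN_RE.match, text.splitlines()) if m)]


def ancestry(procs, pid):
    """Follow PPID links upward, e.g. IEXPLORE.EXE(1080) -> ... -> System(4)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid].name}({pid})")
        pid = procs[pid].ppid
    return chain


def suspicious_svchosts(procs):
    """svchost.exe must be a child of services.exe and should only spawn
    known service helpers; a browser under svchost is the tell here."""
    flagged = {}
    for p in procs.values():
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = procs.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append("parent is not services.exe")
        odd = [c.name for c in procs.values()
               if c.ppid == p.pid and c.name.lower() not in EXPECTED_SVCHOST_CHILDREN]
        if odd:
            reasons.append("spawned " + ", ".join(odd))
        if reasons:
            flagged[p.pid] = reasons
    return flagged


def connection_report(procs, conns):
    """One line per connection: remote endpoint and the owning process's ancestry."""
    return [f"{c.remote} <- {' <- '.join(ancestry(procs, c.pid))}" for c in conns]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    for line in connection_report(procs, parse_connections(CONNECTIONS)):
        print(line)
    for pid, why in suspicious_svchosts(procs).items():
        print(f"svchost.exe PID {pid}: " + "; ".join(why))
```

Running it prints the chain `153.127.200.178:80 <- IEXPLORE.EXE(1080) <- IEXPLORE.EXE(380) <- svchost.exe(1776) <- services.exe(672) <- ...` and flags PID 1776 for spawning IEXPLORE.EXE; the same join is what you would do against the full plugin output rather than the trimmed sample.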

[email protected]  ~/Downloads  strings forensic_100.raw|grep 153.127.200.178
153.127.200.178    crattack.tistory.com attack.tistory.com
153.127.200.178    crattack.tistory.com
153.127.200.178:80

From the strings output we can see that, when the site crattack.tistory.com is accessed, the destination is switched to the IP 153.127.200.178. Let's look at crattack.tistory.com with strings again.

[email protected]  ~/Downloads  strings forensic_100.raw|grep crattack.tistory.com
Host: crattack.tistory.com
Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Host: crattack.tistory.com
Access-Control-Allow-Origin: http://crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
Host: crattack.tistory.com
http://crattack.tistory.com/trackback/90W
153.127.200.178    crattack.tistory.com attack.tistory.com
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/rss
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
\http://crattack.tistory.com/plugin/CallBack_bootstrapperSrc?nil_profile=tistory&nil_type=copied_post
g;http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
153.127.200.178    crattack.tistory.com
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
"C:\Program Files\Internet Explorer\iexplore.exe" http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http:crattack.tistory.com
http:crattack.tistory.com
http:crattack.tistory.com
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
crattack.tistory.com
crattack.tistory.com
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http:crattack.tistory.com
http:crattack.tistory.com
http:crattack.tistory.com
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
:2016120620161207: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
:2016120620161207: [email protected]:Host: crattack.tistory.com
:2016120620161207: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
://crattack.tistory.com/favicon.ico
tp://crattack.tistory.com/favicon.ico
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
w:2016120620161207: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
://crattack.tistory.com/favicon.ico
w:2016120620161207: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http:crattack.tistory.com
http:crattack.tistory.com
http:crattack.tistory.com
http:crattack.tistory.com
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
tp://crattack.tistory.com/favicon.ico
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
crattack.tistory.com
>Visited: [email protected]://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
crattack.tistory.com:http
crattack.tistory.com

The browser navigates to http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd, but because connecting to the crattack.tistory.com domain leads to 153.127.200.178, the request is effectively sent to http://153.127.200.178/entry/Data-Science-import-pandas-as-pd. The flag cannot be retrieved there any more, but at the time it could reportedly be found at that address.
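The reasoning in the two strings passages above (the hosts-file style `IP hostname alias` line, the `Visited:` IE history entries and the `Host:` header on a socket to 153.127.200.178) can be made mechanical. The script below is an added example, not the writeup's own code: it parses hosts-style overrides out of a strings dump, collects the visited URLs, rewrites each URL to the address the browser actually connects to while keeping the original Host header, and checks that result against the connections plugin's remote endpoint. The sample text is constructed from the strings shown above; `user` stands in for the Windows account name that precedes `@` in IE history entries, which the page does not show.

```python
"""Added example (not the writeup's own code): reconstruct the effective
HTTP request from three artefacts recovered from the dump: hosts-file
style lines, IE history "Visited:" strings and the connections plugin's
remote endpoint."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the strings output in the writeup. "user"
# is a placeholder for the account name in "Visited: <user>@<url>" entries.
STRINGS_SAMPLE = """\
153.127.200.178    crattack.tistory.com attack.tistory.com
Host: crattack.tistory.com
Referer: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Visited: user@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
http://crattack.tistory.com/favicon.ico
Visited: user@http://crattack.tistory.com/rss
# 127.0.0.1 localhost   (a commented-out hosts line, must be ignored)
"""
CONNECTION_REMOTE = "153.127.200.178:80"   # from the connections plugin row

HOSTS_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([^#]+)")
VISITED_RE = re.compile(r"Visited:\s*[^@\s]+@(https?://\S+)")


def parse_hosts_entries(text):
    """Map every hostname on a hosts-style line to its IP; comments are dropped
    and several aliases on one line all map to the same address."""
    mapping = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, names = m.groups()
            for name in names.split():
                mapping[name.lower()] = ip
    return mapping


def visited_urls(text):
    """Unique URLs from IE history 'Visited: <user>@<url>' strings, in order."""
    seen = []
    for m in VISITED_RE.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def effective_request(url, hosts):
    """Return (connect_url, host_header) for fetching `url`.

    With a hosts-file override the TCP connection goes to the mapped IP while
    the Host header still carries the original name, which is exactly what the
    dump shows: 'Host: crattack.tistory.com' on a socket to 153.127.200.178."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    ip = hosts.get(host)
    if ip is None:
        return url, host
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), host


def matches_connection(connect_url, remote):
    """True if the reconstructed destination equals a connections-plugin remote."""
    parts = urlsplit(connect_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}" == remote


if __name__ == "__main__":
    hosts = parse_hosts_entries(STRINGS_SAMPLE)
    for url in visited_urls(STRINGS_SAMPLE):
        dest, host_hdr = effective_request(url, hosts)
        print(f"{url}\n  -> connects to {dest} with Host: {host_hdr}; "
              f"matches connections row: {matches_connection(dest, CONNECTION_REMOTE)}")
```

For the entry URL this yields `http://153.127.200.178/entry/Data-Science-import-pandas-as-pd` with `Host: crattack.tistory.com`, and the reconstructed endpoint matches the `153.127.200.178:80` row, which is the cross-check that ties the hosts override, the browser history and the live socket together.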

flag SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
