This CTF ran from 2023/7/8 14:00 (JST) to 2023/7/10 2:00 (JST).
I played as part of a team again this time. We finished 77th of 382 teams with 1829 points.
Below are writeups for the challenges I solved myself.
Sanity (Misc)
After joining the Discord, the flag was written in the topic of the #announcement channel.
crew{1n54n1ty_0r_s4n1ty}
Encrypt10n (Forensics)
We are given a memory dump; from it, recover the password used by the encryption software.
$ volatility -f dump.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/dump.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82b3db78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x839a5000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2023-02-16 12:03:16 UTC+0000
     Image local date and time : 2023-02-16 14:03:16 +0200

$ volatility -f dump.raw --profile=Win7SP1x86_23418 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x844ea030:wininit.exe 392 324 3 77 2023-02-16 12:00:54 UTC+0000
. 0x85764030:lsm.exe 516 392 10 149 2023-02-16 12:00:55 UTC+0000
. 0x85749868:services.exe 496 392 8 228 2023-02-16 12:00:54 UTC+0000
.. 0x85a26030:svchost.exe 384 496 8 93 2023-02-16 12:01:05 UTC+0000
... 0x8573dd20:winlogon.exe 456 384 6 114 2023-02-16 12:00:54 UTC+0000
... 0x84ef5030:csrss.exe 400 384 9 223 2023-02-16 12:00:54 UTC+0000
.... 0x844ba6e0:conhost.exe 4080 400 2 51 2023-02-16 12:03:14 UTC+0000
.. 0x8586da80:svchost.exe 832 496 15 265 2023-02-16 12:00:57 UTC+0000
... 0x857d1030:dwm.exe 1296 832 6 114 2023-02-16 12:00:59 UTC+0000
.. 0x857d6030:spoolsv.exe 1288 496 15 270 2023-02-16 12:00:59 UTC+0000
.. 0x85856030:vm3dservice.ex 1836 496 5 60 2023-02-16 12:01:03 UTC+0000
... 0x841e5678:vm3dservice.ex 1880 1836 3 44 2023-02-16 12:01:03 UTC+0000
.. 0x85837898:svchost.exe 1560 496 11 146 2023-02-16 12:01:00 UTC+0000
.. 0x857bd510:svchost.exe 624 496 11 362 2023-02-16 12:00:56 UTC+0000
... 0x85bba030:WmiPrvSE.exe 2860 624 15 319 2023-02-16 12:01:25 UTC+0000
... 0x85ac8b00:WmiPrvSE.exe 232 624 10 193 2023-02-16 12:01:06 UTC+0000
.. 0x857c7030:svchost.exe 1324 496 21 310 2023-02-16 12:00:59 UTC+0000
.. 0x85b97d20:svchost.exe 2480 496 15 232 2023-02-16 12:01:15 UTC+0000
.. 0x841d1030:VGAuthService. 1720 496 4 85 2023-02-16 12:01:01 UTC+0000
.. 0x85c53030:WmiApSrv.exe 3004 496 6 112 2023-02-16 12:01:30 UTC+0000
.. 0x85809510:svchost.exe 704 496 7 298 2023-02-16 12:00:56 UTC+0000
.. 0x85875460:svchost.exe 880 496 47 1013 2023-02-16 12:00:57 UTC+0000
.. 0x85857d20:vmtoolsd.exe 1856 496 14 291 2023-02-16 12:01:03 UTC+0000
.. 0x858c2420:svchost.exe 1092 496 18 389 2023-02-16 12:00:58 UTC+0000
.. 0x84d54d20:sppsvc.exe 3736 496 6 154 2023-02-16 12:03:05 UTC+0000
.. 0x85941c28:dllhost.exe 1744 496 18 200 2023-02-16 12:01:05 UTC+0000
.. 0x85872bb0:svchost.exe 856 496 22 731 2023-02-16 12:00:57 UTC+0000
.. 0x85b2a030:VSSVC.exe 2276 496 7 118 2023-02-16 12:01:11 UTC+0000
.. 0x841f4470:SearchIndexer. 2148 496 14 604 2023-02-16 12:01:08 UTC+0000
... 0x85b855f8:SearchFilterHo 2392 2148 6 104 2023-02-16 12:01:13 UTC+0000
... 0x85b80cb8:SearchProtocol 2372 2148 9 284 2023-02-16 12:01:13 UTC+0000
.. 0x85a6e5d0:dllhost.exe 876 496 21 191 2023-02-16 12:01:05 UTC+0000
.. 0x85ab6260:msdtc.exe 1128 496 15 154 2023-02-16 12:01:06 UTC+0000
.. 0x84d567f0:svchost.exe 3776 496 15 353 2023-02-16 12:03:05 UTC+0000
.. 0x857c4d20:taskhost.exe 1400 496 10 197 2023-02-16 12:00:59 UTC+0000
.. 0x85bc5398:wmpnetwk.exe 2632 496 11 212 2023-02-16 12:01:16 UTC+0000
.. 0x85859920:svchost.exe 784 496 23 510 2023-02-16 12:00:56 UTC+0000
... 0x8588f370:audiodg.exe 960 784 6 132 2023-02-16 12:00:57 UTC+0000
. 0x85763030:lsass.exe 508 392 7 578 2023-02-16 12:00:55 UTC+0000
 0x84cae358:csrss.exe 340 324 8 550 2023-02-16 12:00:53 UTC+0000
 0x8413a938:System 4 0 88 520 2023-02-16 12:00:48 UTC+0000
. 0x84e481c8:smss.exe 252 4 2 29 2023-02-16 12:00:49 UTC+0000
 0x857a5d20:explorer.exe 1384 1276 33 923 2023-02-16 12:00:59 UTC+0000
. 0x844fcd20:DumpIt.exe 4072 1384 2 38 2023-02-16 12:03:14 UTC+0000
. 0x85c596c0:TrueCrypt.exe 3196 1384 2 67 2023-02-16 12:02:07 UTC+0000
. 0x841d7118:vmtoolsd.exe 1736 1384 10 181 2023-02-16 12:01:02 UTC+0000
The encryption software is TrueCrypt, so the truecryptsummary plugin can pull the cached password out of the dump.
$ volatility -f dump.raw --profile=Win7SP1x86_23418 truecryptsummary
Volatility Foundation Volatility Framework 2.6
Registry Version     TrueCrypt Version 7.0a
Password             Strooooong_Passwword at offset 0x8d23de44
Process              TrueCrypt.exe at 0x85c596c0 pid 3196
Service              truecrypt state SERVICE_RUNNING
Kernel Module        truecrypt.sys at 0x8d20a000 - 0x8d241000
Symbolic Link        Volume{a2e4e949-a9a8-11ed-859c-50eb71124999} -> \Device\TrueCryptVolumeZ mounted 2023-02-16 12:02:56 UTC+0000
Driver               \Driver\truecrypt at 0x3f02fc98 range 0x8d20a000 - 0x8d240980
Device               TrueCrypt at 0x84e2a9d8 type FILE_DEVICE_UNKNOWN
The password turned out to be the following.
Strooooong_Passwword
crew{Strooooong_Passwword}
Encrypt10n (part2) (Forensics)
We are given an encrypted volume file named flag; use the password found in part 1 to get at the flag.
Mount flag with TrueCrypt. Viewed in Explorer, the volume contains flaaaaaaaaaaaaaaaaaaaaaaaag.txt.
Its contents are as follows.
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
Base64-decoding it repeatedly yields the flag.
#!/usr/bin/env python3
import base64
import binascii

# Contents of flaaaaaaaaaaaaaaaaaaaaaaaag.txt: base64 nested many layers deep
enc = 'Vm0wd2QyUXlVWGxWV0d4V1YwZDRXRmxVU205V01WbDNXa2M1VjFac2JETlhhMk0xVjBaS2MySkVUbGhoTWsweFZtcEJlRll5U2tWVWJHaG9UV3N3ZUZadGNFdFRNVWw1VTJ0V1ZXSkhhRzlVVmxaM1ZsWmFkR05GWkZwV01VcEpWbTEwYTFkSFNrZGpSVGxhVmpOU1IxcFZXbUZrUjA1R1UyMTRVMkpIZHpGV1ZFb3dWakZhV0ZOcmJGSmlSMmhZV1d4b2IwMHhXbGRYYlhSWFRWZDBObGxWV2xOVWJGcFlaSHBDVjAxdVVuWlZha1pYWkVaT2MxZHNhR2xTTW1oWlYxWmtNRmxXVWtkV1dHaFlZbGhTV0ZSV2FFTlNiRnBZWlVoa1YwMUVSbGRaTUZaM1ZqSktWVkpZWkZkaGExcFlXa1ZhVDJNeFpITmhSMnhUVFcxb1dsWXhaRFJWTVZsNFUydGthbEp0VWxsWmJGWmhZMVpzY2xkdFJteFdia0pIVmpKNFQxWlhTa2RqUm14aFUwaENSRlpxU2tabFZsSlpZVVprVTFKWVFrbFhXSEJIVkRKU1YxZHVUbFJpVjJoeldXeG9iMWRXV1hoYVJGSnBUV3RzTkZkclZtdFdiVXB5WTBac1dtSkhhRlJXTVZwWFkxWktjbVJHVWxkaWEwcElWbXBLZWs1V1dsaFRhMXBxVWxkb1dGUlhOVU5oUmxweFVtMUdUMkpGV2xwWlZWcGhZVWRGZUdOSE9WaGhNVnBvVmtSS1QyTXlUa1phUjJoVFRXMW9lbGRYZUc5aU1XUnpWMWhvWVZKR1NuQlVWM1J6VFRGU1ZtRkhPVmhTTUhCNVZHeGFjMWR0U2toaFJsSlhUVVp3VkZacVJuZFNWa1p5VDFkc1UwMHlhRmxXYlhCTFRrWlJlRmRzYUZSaVJuQnhWV3hrVTFsV1VsWlhiVVpPVFZad2VGVXlkREJXTVZweVkwWndXR0V4Y0hKWlZXUkdaVWRPU0U5V1pHaGhNSEJ2Vm10U1MxUnRWa2RqUld4VllsZG9WRlJYTlc5V1ZtUlhWV3M1VWsxWFVucFdNV2h2V1ZaS1IxTnNaRlZXYkZwNlZGUkdVMk15UmtaUFYyaHBVbGhDTmxkVVFtRmpNV1IwVTJ0a1dHSlhhRmhaVkVaM1ZrWmFjVkp0ZEd0U2EzQXdXbFZhYTJGV1NuTmhNMmhYWVRGd2FGWlVSbFpsUm1SMVUyczFXRkpZUW5oV1Z6QjRZakZaZUZWc2FFOVdlbXh6V1d0YWQyVkdWWGxrUkVKWFRWWndlVll5ZUhkWGJGcFhZMGhLVjJGcldreFdha3BQVWpKS1IxcEdaRTVOUlhCS1ZqRmFVMU14VlhoWFdHaFlZbXhhVjFsc2FHOVdSbXhaWTBaa1dGWnNjRmxaTUZVMVlWVXhXRlZ1Y0ZkTlYyaDJWMVphUzFJeFRuTmFSbFpYWWtadmVsWkdWbUZaVjFKR1RsWmFVRll5YUhCVmJHaENaREZrVjFadE9WVk5WbkF3VlcwMVMxWkhTbGhoUm1oYVZrVmFNMVpyV21GalZrcDFXa1pPVGxacmIzZFhiRlpyWXpGVmVWTnVTbFJoTTFKWVZGYzFiMWRHYkZWU2EzQnNVbTFTZWxsVldsTmhSVEZaVVc1b1YxWXphSEpXVkVaclVqRldjMkZGT1ZkaGVsWjVWMWQwWVdReVZrZFdibEpyVWtWS2IxbFljRWRsVmxKelZtNU9XR0pHY0ZoWk1GSlBWMnhhV0ZWclpHRldNMmhJV1RJeFIxSXlSa2hoUlRWWFYwVktSbFpxU2pSV01XeFhWVmhvWVZKWFVsWlpiWFIzWWpGV2NWTnRPVmRTYlhoNVZtMDFhMVl4V25OalNHaFdWak5vY2xaclZYaFhSbFp6WVVaa1RtRnNXazFXYWtKclV6Rk9SM1p1VWxCV2JGcFlXV3RvUTJJeFdrZFdiVVphVm14c05WVnRkRzlWUmxsNVlVWm9XbGRJUWxoVk1GcGhZMVpPY1ZWc1drNVdNVWwzVmxSS05GWXhWWGxUYTJSVVlsVmFWbFp0ZUhkTk1WcHlWMjFHYWxacmNEQlZiVEV3VmpKS2NsTnJiRmROYmxKeVdYcEdWbVF3TVVsaVIwWnNZVEZ3V1ZkWGVHOVJNVkpIVld4YVlWSldjSE5WYlRGVFYyeHNjbGRzVG1oU1ZFWjZWVEkxYjFZeFdYcGhSMmhoVWtWYVlWcFZXbXRrVmxaMFpVWk9XRkpyY0ZwV2ExcGhXVlpzVjFSclpGZGlhelZYV1cxek1WWXhXblJsUjBaWFlrWktWMVpYTlV0VlZsWlZUVVJyUFE9PQ=='

# Peel off one base64 layer at a time until the result is no longer valid
# base64; the last successful decode is the plaintext flag.
while True:
    try:
        enc = base64.b64decode(enc)
    except (binascii.Error, ValueError):
        break

flag = enc.decode()
print(flag)
crew{Tru33333_Crypt_w1th_V014t1l1ty!}
Attaaaaack1 (Forensics)
A question asking for the memory dump's Volatility profile.
$ volatility -f memdump.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/memdump.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82b7ab78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x80b96000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2023-02-20 19:10:54 UTC+0000
     Image local date and time : 2023-02-20 21:10:54 +0200
Win7SP1x86_23418
Attaaaaack2 (Forensics)
A question asking for the number of running processes.
$ volatility -f memdump.raw --profile=Win7SP1x86_23418 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x860a8c78:csrss.exe 352 344 9 462 2023-02-20 19:01:20 UTC+0000
 0x855dfd20:wininit.exe 404 344 3 76 2023-02-20 19:01:20 UTC+0000
. 0x85ea2368:services.exe 480 404 8 220 2023-02-20 19:01:20 UTC+0000
.. 0x86071818:svchost.exe 1280 480 19 312 2023-02-20 19:01:22 UTC+0000
.. 0x8629e188:SearchIndexer. 2276 480 12 581 2023-02-20 19:01:31 UTC+0000
.. 0x8630b228:wmpnetwk.exe 2404 480 9 212 2023-02-20 19:01:32 UTC+0000
.. 0x85fae030:svchost.exe 908 480 18 715 2023-02-20 19:01:21 UTC+0000
.. 0x86251bf0:dllhost.exe 400 480 15 196 2023-02-20 19:01:26 UTC+0000
.. 0x860ba030:taskhost.exe 1428 480 9 205 2023-02-20 19:01:22 UTC+0000
.. 0x860b73c8:svchost.exe 1420 480 10 146 2023-02-20 19:01:22 UTC+0000
.. 0x919e2958:svchost.exe 752 480 22 507 2023-02-20 19:01:21 UTC+0000
... 0x84df2458:audiodg.exe 1556 752 6 129 2023-02-20 19:10:50 UTC+0000
.. 0x85f89640:svchost.exe 2476 480 13 369 2023-02-20 19:03:25 UTC+0000
.. 0x843068f8:sppsvc.exe 2248 480 4 146 2023-02-20 19:03:25 UTC+0000
.. 0x85fb7670:svchost.exe 952 480 34 995 2023-02-20 19:01:22 UTC+0000
.. 0x85ef0a90:svchost.exe 700 480 8 280 2023-02-20 19:01:21 UTC+0000
.. 0x8629e518:msdtc.exe 2168 480 14 158 2023-02-20 19:01:31 UTC+0000
.. 0x861fc700:svchost.exe 580 480 6 91 2023-02-20 19:01:25 UTC+0000
.. 0x85ff1380:svchost.exe 1104 480 18 391 2023-02-20 19:01:22 UTC+0000
.. 0x8619dd20:vm3dservice.ex 1848 480 4 60 2023-02-20 19:01:24 UTC+0000
... 0x861b5360:vm3dservice.ex 1908 1848 2 44 2023-02-20 19:01:24 UTC+0000
.. 0x8603a030:spoolsv.exe 1236 480 13 270 2023-02-20 19:01:22 UTC+0000
.. 0x841d7500:VGAuthService. 1636 480 3 84 2023-02-20 19:01:23 UTC+0000
.. 0x861a9030:vmtoolsd.exe 1884 480 13 290 2023-02-20 19:01:24 UTC+0000
.. 0x862cca38:svchost.exe 2576 480 15 232 2023-02-20 19:01:33 UTC+0000
.. 0x85f9c3a8:svchost.exe 868 480 13 309 2023-02-20 19:01:21 UTC+0000
... 0x861321c8:dwm.exe 1576 868 5 114 2023-02-20 19:01:23 UTC+0000
.. 0x85f4d030:svchost.exe 632 480 10 357 2023-02-20 19:01:21 UTC+0000
... 0x85351030:WmiPrvSE.exe 3020 632 11 242 2023-02-20 19:01:45 UTC+0000
... 0x86261030:WmiPrvSE.exe 1748 632 10 204 2023-02-20 19:01:25 UTC+0000
. 0x85ea8610:lsass.exe 488 404 6 568 2023-02-20 19:01:20 UTC+0000
. 0x85eab718:lsm.exe 496 404 10 151 2023-02-20 19:01:20 UTC+0000
 0x843658d0:cmd.exe 2112 2876 1 20 2023-02-20 19:03:40 UTC+0000
 0x84368798:cmd.exe 2928 2876 1 20 2023-02-20 19:03:40 UTC+0000
 0x84398998:runddl32.exe 300 2876 10 2314 2023-02-20 19:03:40 UTC+0000
. 0x84390030:notepad.exe 2556 300 2 58 2023-02-20 19:03:41 UTC+0000
 0x8550b030:csrss.exe 416 396 9 268 2023-02-20 19:01:20 UTC+0000
. 0x84365c90:conhost.exe 1952 416 2 49 2023-02-20 19:03:40 UTC+0000
. 0x84f3d878:conhost.exe 3664 416 2 51 2023-02-20 19:10:52 UTC+0000
. 0x84384d20:conhost.exe 2924 416 2 49 2023-02-20 19:03:40 UTC+0000
 0x85eacb80:winlogon.exe 508 396 5 115 2023-02-20 19:01:20 UTC+0000
 0x8419c020:System 4 0 89 536 2023-02-20 19:01:19 UTC+0000
. 0x962f2020:smss.exe 268 4 2 29 2023-02-20 19:01:19 UTC+0000
 0x8613c030:explorer.exe 1596 1540 29 842 2023-02-20 19:01:23 UTC+0000
. 0x84f1caf8:DumpIt.exe 2724 1596 2 38 2023-02-20 19:10:52 UTC+0000
. 0x853faac8:ProcessHacker. 3236 1596 9 416 2023-02-20 19:02:37 UTC+0000
. 0x86189d20:vmtoolsd.exe 1736 1596 8 179 2023-02-20 19:01:23 UTC+0000
Counting the rows of the tree gives 47 processes.
47
Attaaaaack4 (Forensics)
A question asking for the name and PID of the suspicious process.
$ volatility -f memdump.raw --profile=Win7SP1x86_23418 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 268
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 352
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid: 404
Command line : wininit.exe
************************************************************************
csrss.exe pid: 416
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
services.exe pid: 480
Command line : C:\Windows\system32\services.exe
************************************************************************
lsass.exe pid: 488
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid: 496
Command line : C:\Windows\system32\lsm.exe
************************************************************************
winlogon.exe pid: 508
Command line : winlogon.exe
************************************************************************
svchost.exe pid: 632
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid: 700
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid: 752
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid: 868
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid: 908
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid: 952
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1104
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
spoolsv.exe pid: 1236
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid: 1280
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
svchost.exe pid: 1420
Command line : C:\Windows\System32\svchost.exe -k utcsvc
************************************************************************
taskhost.exe pid: 1428
Command line : "taskhost.exe"
************************************************************************
dwm.exe pid: 1576
Command line : "C:\Windows\system32\Dwm.exe"
************************************************************************
explorer.exe pid: 1596
Command line : C:\Windows\Explorer.EXE
************************************************************************
VGAuthService. pid: 1636
Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
************************************************************************
vmtoolsd.exe pid: 1736
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
************************************************************************
vm3dservice.ex pid: 1848
Command line : C:\Windows\system32\vm3dservice.exe
************************************************************************
vmtoolsd.exe pid: 1884
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
vm3dservice.ex pid: 1908
Command line : vm3dservice.exe -n
************************************************************************
svchost.exe pid: 580
Command line : C:\Windows\system32\svchost.exe -k bthsvcs
************************************************************************
WmiPrvSE.exe pid: 1748
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
dllhost.exe pid: 400
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
************************************************************************
msdtc.exe pid: 2168
Command line : C:\Windows\System32\msdtc.exe
************************************************************************
SearchIndexer. pid: 2276
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
wmpnetwk.exe pid: 2404
Command line : "C:\Program Files\Windows Media Player\wmpnetwk.exe"
************************************************************************
svchost.exe pid: 2576
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
WmiPrvSE.exe pid: 3020
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
ProcessHacker. pid: 3236
Command line : "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
************************************************************************
sppsvc.exe pid: 2248
Command line : C:\Windows\system32\sppsvc.exe
************************************************************************
svchost.exe pid: 2476
Command line : C:\Windows\System32\svchost.exe -k secsvcs
************************************************************************
cmd.exe pid: 2112
Command line : "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\0xSh3rl0ck\Desktop\System.bin" +s +h
************************************************************************
cmd.exe pid: 2928
Command line : "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\0xSh3rl0ck\Desktop" +s +h
************************************************************************
conhost.exe pid: 1952
Command line : \??\C:\Windows\system32\conhost.exe "-3175449452038949163999334680-2564649551435719529150929393310393384351404520859
************************************************************************
conhost.exe pid: 2924
Command line : \??\C:\Windows\system32\conhost.exe "128637717-10272659771319264208-13939888493888983522030632973-384382940-360122030
************************************************************************
runddl32.exe pid: 300
Command line : "C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe"
************************************************************************
notepad.exe pid: 2556
Command line : notepad
************************************************************************
audiodg.exe pid: 1556
Command line : C:\Windows\system32\AUDIODG.EXE 0x710
************************************************************************
DumpIt.exe pid: 2724
Command line : "C:\Users\0xSh3rl0ck\Downloads\DumpIt.exe"
************************************************************************
conhost.exe pid: 3664
Command line : \??\C:\Windows\system32\conhost.exe "-2993250832850365241757651776-84288431850826965717147700111776318472-1338572108
The suspicious one is the process whose image runs from AppData\Local\Temp inside the user profile.
runddl32.exe_300
Attaaaaack5 (Forensics)
A question asking for a suspicious process other than the one from Attaaaaack4.
In the process tree, the process sitting under runddl32.exe is the other one.
notepad.exe
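As an added example (my own code, not the author's), here is a small parser for the pstree and cmdline output used in Attaaaaack2, 4 and 5: it counts the processes, flags any image launched from AppData\Local\Temp, and reports the children of a flagged process. The sample lines are copied from the dump above; the regexes and function names are my assumptions about the Volatility 2 output format.

```python
import re

# Constructed samples copied from this writeup's Volatility output (pstree, then cmdline).
PSTREE_SAMPLE = """\
0x8613c030:explorer.exe 1596 1540 29 842 2023-02-20 19:01:23 UTC+0000
0x84398998:runddl32.exe 300 2876 10 2314 2023-02-20 19:03:40 UTC+0000
. 0x84390030:notepad.exe 2556 300 2 58 2023-02-20 19:03:41 UTC+0000
"""
CMDLINE_SAMPLE = r"""
************************************************************************
explorer.exe pid:   1596
Command line : C:\Windows\Explorer.EXE
************************************************************************
runddl32.exe pid:    300
Command line : "C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe"
************************************************************************
notepad.exe pid:   2556
Command line : notepad
"""

# pstree rows: optional depth dots, "0xADDR:name", then the pid and ppid columns.
PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
PID_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)")
CMD_RE = re.compile(r"^Command line : (?P<cmd>.*)$")
# Attaaaaack4's indicator: an image launched from the user's Temp directory.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_pstree(text):
    """Return one (name, pid, ppid) tuple per pstree row; len() gives the process count."""
    rows = (PSTREE_RE.match(line) for line in text.splitlines())
    return [(m["name"], int(m["pid"]), int(m["ppid"])) for m in rows if m]


def parse_cmdline(text):
    """Map pid -> command line from the cmdline plugin's one-record-per-process output."""
    cmdlines, pid = {}, None
    for line in text.splitlines():
        if (m := PID_RE.match(line)):
            pid = int(m["pid"])
        elif (m := CMD_RE.match(line)) and pid is not None:
            cmdlines[pid] = m["cmd"].strip()
    return cmdlines


def find_suspicious(procs, cmdlines):
    """Flag Temp-directory images (Attaaaaack4) and, as in Attaaaaack5, their children."""
    flagged, bad_pids = [], set()
    for name, pid, _ in procs:
        if TEMP_DIR_RE.search(cmdlines.get(pid, "")):
            flagged.append((name, pid, "image runs from AppData\\Local\\Temp"))
            bad_pids.add(pid)
    for name, pid, ppid in procs:
        if ppid in bad_pids:
            flagged.append((name, pid, f"child of suspicious pid {ppid}"))
    return flagged


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    print(f"{len(procs)} processes")
    for name, pid, why in find_suspicious(procs, parse_cmdline(CMDLINE_SAMPLE)):
        print(f"{name}_{pid}: {why}")
```

Run against the full pstree and cmdline output above, the same functions give the 47-process count and the runddl32.exe_300 / notepad.exe pair.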
Feedback Form (Misc)
After filling in the feedback survey, the flag was displayed.
crew{CSN3RD_say5_d0n7_f0rg3t_to_vo7e_on_ctftime_d9c6f7762f5911f}