Wargame/CTF(Capture The Flag)

seccon2016 - Memory Analysis_100

๐“›๐“พ๐“ฌ๐“ฎ๐“ฝ๐“ฎ_๐“ข๐“ฝ๐“ฎ๐“ต๐“ต๐“ช 2016. 12. 13. 22:24
728x90
๋ฐ˜์‘ํ˜•

Memory Analysis

100 points

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!

memoryanalysis.zip
The challenge files are huge, please download it first. 

Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

password: fjliejflsjiejlsiejee33cnc 


์ด๊ฒƒ์ด ๋ฌธ์ œ์ธ๋ฐ ... ํŒŒ์ผ์„ ๋ฐ›์œผ๋ฉด 



์ด๋ฏธ์ง€ ํŒŒ์ผ ํ•˜๋‚˜๋ฅผ ๋ฐ›์„ ์ˆ˜ ์žˆ๋‹ค.

ํžŒํŠธ 1๋ฒˆ์„ ๋ณด๋ฉด ๋ณผ๋ผํ‹ธ๋ฆฌํ‹ฐ๋ฅผ ์ด์šฉํ•˜์—ฌ ํ‘ธ๋Š” ๊ฒƒ๊ฐ™๋‹ค.


๋จผ์ € ์ด๋ฏธ์ง€ ์ •๋ณด๋ฅผ ๋ณด๊ธฐ์œ„ํ•ด imageinfo๋ผ๋Š” ๋ช…๋ น์–ด๋ฅผ ์ด์šฉํ•˜์—ฌ ์ •๋ณด๋ฅผ ๋ณธ๋‹ค.

๊ทธ๋Ÿผ WinXPSP3x86์ด๋ผ๋Š” ๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค.


๋‹ค์Œ์€  ์‹คํ–‰๋˜๊ณ  ์žˆ๋Š” ํ”„๋กœ์„ธ์Šค๋ฅผ ๋ณด๊ธฐ์œ„ํ•ด pstree๋ผ๋Š” ๋ช…๋ น์–ด๋ฅผ ์ด์šฉํ•˜์—ฌ ํ”„๋กœ์„ธ์Šค ์ •๋ณด๋ฅผ ๋ณธ๋‹ค.



๋ณด๋˜์ค‘  svchost, IEXPLORE๋ผ๋Š” ํ”„๋กœ์„ธ์Šค๋ฅผ ํ™•์ธํ•˜๊ณ  ์—ฐ๊ฒฐ์ƒํƒœ๋ฅผ ํ™•์ธํ•˜๊ธฐ ์œ„ํ•ด connscan ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ํ™•์ธํ•˜๋‹ˆ Pid 1080 ์ด ์ˆ˜์ƒํ•˜๊ฒŒ ์—ฌ๊ฒจ์กŒ๋‹ค.


๊ทธ ํ›„ ํžŒํŠธ 2๋ฒˆ์„ ๋ณด๋ฉด ํ˜ธ์ŠคํŠธ ํŒŒ์ผ์„ ์ฒดํฌํ•˜๋ผ๋Š” ๊ฒƒ์„ ๋ณด๊ณ  filescan์„ ์ด์šฉํ•˜์—ฌ ํ˜ธ์ŠคํŠธ ํŒŒ์ผ์„ ์ฐพ์•„


ํŒŒ์ผ์„ ๋คํ”„ ํ•ด ๋ณด์•˜๋‹ค.



ํŒŒ์ผ์„ ์„œ๋ธŒ๋ผ์ž„ ํ…์ŠคํŠธ๋กœ ์—ด์–ด ํ™•์ธ์„ ํ•˜๋‹ˆ


153.127.200.178 ์•„์ดํ”ผ crattack.tistory.com์„ ํ™•์ธํ•˜์—ฌ 


yarascan ์„ ์ด์šฉํ•˜์—ฌ ์•„๊นŒ ์ˆ˜์ƒํ•˜๊ฒŒ ๋ณธ Pid 1080์„ ์Šค์บ”์„ ํ•ด๋ณด์•˜๋‹ค.


๊ทธ๋Ÿฌ๋˜ ์ค‘ crattack.tistory.com/entry/Data-Science-import-pandas-as-pd ๋ฅผ ์ฐพ๊ฒŒ ๋˜์–ด curl์„ ์ด์šฉํ•˜์—ฌ ์ •๋ณด๋ฅผ ํ™•์ธ ํ–ˆ์ง€๋งŒ 

ํ”Œ๋ž˜๊ทธ๊ฐ€ ์—†์—ˆ๋‹ค...


๊ทธ๋Ÿฌ๋˜ ์ค‘ ์ƒ๊ฐ๋‚œ 153์œผ๋กœ ์‹œ์ž‘ํ•˜๋Š” ์•„์ดํ”ผ๋ฅผ ์ฃผ๊ณ  ๋‹ค์‹œ ์‹œ๋„ ํ•˜๋‹ˆ 



๋šœ๋‘ฅ!!! :) 


728x90
๋ฐ˜์‘ํ˜•
์ €์ž‘์žํ‘œ์‹œ