The solution was worked through on Windows 11.
Download the challenge file, extract it with Bandizip, and then use the Volatility3 tool.
IMAGEINFO
vol.py -f "/path/to/file" windows.info
The version is Windows 10.
Is64Bit True
IsPAE False
primary 0 WindowsIntel32e
memory_layer 1 Elf64Layer
base_layer 2 FileLayer
KdVersionBlock 0xf80185d1de80
Major/Minor 15.10240
MachineType 34404
KeNumberProcessors 1
SystemTime 2016-04-04 16:17:53
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Sat Jul 18 04:07:48 2015
PSLIST
vol.py -f "/path/to/file" windows.pslist
The results are as follows.
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xe00032553780 126 - N/A False 2016-04-04 16:12:33.000000 N/A Disabled
268 4 smss.exe 0xe0003389c040 2 - N/A False 2016-04-04 16:12:33.000000 N/A Disabled
344 336 csrss.exe 0xe0003381b080 8 - 0 False 2016-04-04 16:12:33.000000 N/A Disabled
404 336 wininit.exe 0xe000325ba080 1 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
412 396 csrss.exe 0xe000325c7080 9 - 1 False 2016-04-04 16:12:34.000000 N/A Disabled
460 396 winlogon.exe 0xe00033ec6080 2 - 1 False 2016-04-04 16:12:34.000000 N/A Disabled
484 404 services.exe 0xe00033efb440 3 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
492 404 lsass.exe 0xe00033f08080 6 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
580 484 svchost.exe 0xe00033ec5780 16 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
612 484 svchost.exe 0xe00034202280 9 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
712 460 dwm.exe 0xe000341cb640 8 - 1 False 2016-04-04 16:12:34.000000 N/A Disabled
796 484 svchost.exe 0xe00034222780 45 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
828 484 VBoxService.ex 0xe000342a7780 10 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
844 484 svchost.exe 0xe000342ad780 8 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
852 484 svchost.exe 0xe000342c0080 6 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
892 484 svchost.exe 0xe000342dd780 18 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
980 484 svchost.exe 0xe000342bc780 17 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
608 484 svchost.exe 0xe00034377780 17 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
1072 484 spoolsv.exe 0xe000343e7780 8 - 0 False 2016-04-04 16:12:34.000000 N/A Disabled
1092 484 svchost.exe 0xe000343e9780 23 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1148 796 rundll32.exe 0xe0003442a780 1 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1224 1148 CompatTelRunne 0xe00034494780 9 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1276 484 svchost.exe 0xe00034495780 10 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1564 484 svchost.exe 0xe0003461d780 5 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1616 484 wlms.exe 0xe000345da780 2 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1628 484 MsMpEng.exe 0xe00034623780 24 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1832 484 cygrunsrv.exe 0xe000343b2340 4 - 0 False 2016-04-04 16:12:35.000000 N/A Disabled
1976 1832 cygrunsrv.exe 0xe0003479b780 0 - 0 False 2016-04-04 16:12:36.000000 2016-04-04 16:12:36.000000 Disabled
2004 1976 conhost.exe 0xe000347aa780 2 - 0 False 2016-04-04 16:12:36.000000 N/A Disabled
2028 1976 sshd.exe 0xe000347c1080 3 - 0 False 2016-04-04 16:12:36.000000 N/A Disabled
1772 484 svchost.exe 0xe00033e00780 3 - 0 False 2016-04-04 16:12:37.000000 N/A Disabled
92 796 sihost.exe 0xe00033f1f780 10 - 1 False 2016-04-04 16:12:37.000000 N/A Disabled
1532 796 taskhostw.exe 0xe0003259b3c0 9 - 1 False 2016-04-04 16:12:37.000000 N/A Disabled
2272 484 NisSrv.exe 0xe000339d4340 6 - 0 False 2016-04-04 16:12:38.000000 N/A Disabled
2312 460 userinit.exe 0xe000336e8780 0 - 1 False 2016-04-04 16:12:38.000000 2016-04-04 16:13:04.000000 Disabled
2336 2312 explorer.exe 0xe000336e3780 31 - 1 False 2016-04-04 16:12:38.000000 N/A Disabled
2456 580 RuntimeBroker. 0xe0003374f780 6 - 1 False 2016-04-04 16:12:38.000000 N/A Disabled
2664 484 SearchIndexer. 0xe00033a39080 13 - 0 False 2016-04-04 16:12:39.000000 N/A Disabled
2952 580 ShellExperienc 0xe00033a79780 41 - 1 False 2016-04-04 16:12:39.000000 N/A Disabled
3144 580 SearchUI.exe 0xe00033b57780 38 - 1 False 2016-04-04 16:12:40.000000 N/A Disabled
3636 1224 DismHost.exe 0xe00033e1d780 2 - 0 False 2016-04-04 16:12:47.000000 N/A Disabled
3992 484 svchost.exe 0xe000348e9780 6 - 0 False 2016-04-04 16:12:52.000000 N/A Disabled
3324 2336 VBoxTray.exe 0xe000348c6780 10 - 1 False 2016-04-04 16:12:55.000000 N/A Disabled
1692 2336 OneDrive.exe 0xe00034b08780 10 - 1 True 2016-04-04 16:12:55.000000 N/A Disabled
4092 2336 mspaint.exe 0xe00034b0f780 3 - 1 False 2016-04-04 16:13:21.000000 N/A Disabled
628 484 svchost.exe 0xe00034ade080 1 - 1 False 2016-04-04 16:14:43.000000 N/A Disabled
2012 2336 notepad.exe 0xe0003472b080 1 - 1 False 2016-04-04 16:14:49.000000 N/A Disabled
3032 580 WmiPrvSE.exe 0xe000349e4780 6 - 0 False 2016-04-04 16:16:37.000000 N/A Disabled
332 796 taskhostw.exe 0xe000349285c0 10 - 1 False 2016-04-04 16:17:40.000000 N/A Disabled
Of these, we dump mspaint, the Paint process (PID 4092).
MEMDUMP
vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
Rename the resulting .dmp file to a .data file, then open it in GIMP.
Adjust the offset, image size and width as shown below, and
the flag is obtained!
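The GIMP step above is a raw-data import: the dump is treated as a pixel buffer starting at some offset, and the width is adjusted until the rows line up and the picture becomes readable. The script below is an added example, not part of the original write-up or of Volatility3, that does the same thing in Python so that a region of a .dmp file can be written out as a PPM image and candidate widths can be scored instead of guessed. The channel order "BGRA", the file names and the sample dumps it builds are assumptions made for the example; the scoring uses the fact that neighbouring rows of a real image are similar, so the correct width gives the lowest row-to-row difference.

```python
# Added example, not part of the original write-up: render a slice of a raw
# process memory dump (e.g. the .dmp from `windows.memmap --dump --pid <PID>`)
# as an image, the way GIMP's raw import does, and score candidate widths.
# File names and the BGRA channel order are assumptions for this example.
from pathlib import Path

PPM_MAGIC = b"P6"


def render_raw_region(dump: bytes, offset: int, width: int, height: int,
                      bpp: int = 4, order: str = "BGRA") -> bytes:
    """Interpret dump[offset:] as a width x height pixel buffer with `bpp`
    bytes per pixel in channel order `order` ("BGRA" is the usual layout of
    a 32-bit Windows DIB section) and return it as a binary PPM (P6) image,
    which GIMP and most viewers open directly. A bottom-up DIB comes out
    vertically flipped; flip it in the viewer if so."""
    if bpp not in (3, 4) or len(order) != bpp:
        raise ValueError("bpp must be 3 or 4 and match the channel order")
    stride = width * bpp
    if offset < 0 or offset + stride * height > len(dump):
        raise ValueError("region extends past the end of the dump")
    r, g, b = (order.index(c) for c in "RGB")
    pixels = bytearray()
    for y in range(height):
        row = dump[offset + y * stride: offset + (y + 1) * stride]
        for x in range(0, stride, bpp):
            pixels += bytes((row[x + r], row[x + g], row[x + b]))
    header = PPM_MAGIC + f"\n{width} {height}\n255\n".encode()
    return header + bytes(pixels)


def row_coherence(dump: bytes, offset: int, width: int,
                  bpp: int = 4, rows: int = 16) -> float:
    """Mean absolute byte difference between consecutive rows when the buffer
    is read `width` pixels wide. Real images have similar neighbouring rows,
    so the true width scores low; a wrong width shears the picture and
    scores high. This is the heuristic behind tuning the width by hand."""
    stride = width * bpp
    if offset + stride * rows > len(dump):
        raise ValueError("not enough data to compare that many rows")
    total = 0
    for y in range(1, rows):
        prev = dump[offset + (y - 1) * stride: offset + y * stride]
        cur = dump[offset + y * stride: offset + (y + 1) * stride]
        total += sum(abs(p - q) for p, q in zip(prev, cur))
    return total / ((rows - 1) * stride)


def best_width(dump: bytes, offset: int, candidates,
               bpp: int = 4, rows: int = 16) -> int:
    """Return the candidate width whose rows line up best (lowest score)."""
    return min(candidates, key=lambda w: row_coherence(dump, offset, w, bpp, rows))


def dump_to_ppm(dump_path: str, out_path: str, offset: int, width: int,
                height: int, bpp: int = 4, order: str = "BGRA") -> int:
    """Read a raw dump file, write the chosen region as PPM, return bytes written."""
    ppm = render_raw_region(Path(dump_path).read_bytes(), offset, width, height, bpp, order)
    Path(out_path).write_bytes(ppm)
    return len(ppm)


def make_sample_dump() -> bytes:
    """Constructed test data: 256 bytes of zero padding, then a 4x2 BGRA image
    (row 0: red, green, blue, white; row 1: black, grey, red, blue)."""
    red, green, blue = bytes.fromhex("0000ffff"), bytes.fromhex("00ff00ff"), bytes.fromhex("ff0000ff")
    white, black, grey = bytes.fromhex("ffffffff"), bytes.fromhex("000000ff"), bytes.fromhex("808080ff")
    return bytes(256) + red + green + blue + white + black + grey + red + blue


def make_gradient_dump(width: int = 64, rows: int = 32) -> bytes:
    """Constructed test data: 256 bytes of padding, then `rows` identical rows
    of a horizontal grey gradient, `width` BGRA pixels wide."""
    row = b"".join(bytes((x * 4, x * 4, x * 4, 255)) for x in range(width))
    return bytes(256) + row * rows


if __name__ == "__main__":
    # Stand-alone demo on the constructed data; for a real dump use
    # dump_to_ppm("pid.4092.dmp", "region.ppm", offset, width, height).
    sample = make_sample_dump()
    Path("sample_region.ppm").write_bytes(render_raw_region(sample, 256, 4, 2))
    print("best width guess:", best_width(make_gradient_dump(), 256, [48, 64, 80]))
```

In practice the offset is found by scanning for a region that scores low for some width, then the height is grown until the picture ends; the PPM output is just a convenient lossless container that GIMP opens without any import dialog.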
References
https://blog.onfvp.com/post/volatility-cheatsheet/