[OtterCTF 2018]

What the password?

问题描述：

you got a sample of rick’s PC’s memory. can you get his user password?

先使用imageinfo查看系统版本：

python2 vol.py -f OtterCTF.vmem imageinfo

hashdump获取密码的LM和NTLM:

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 hashdump

mimikatz获取明文密码：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 mimikatz

CTF{MortyIsReallyAnOtter}

General Info

描述：

Let’s start easy - whats the PC’s name and IP address?（让我们从简单的开始–电脑的名称和IP地址是什么？）

查看IP地址：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 netscan

即IP为192.168.202.131

查看注册表：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 hivelist

发现有SYSTEM

进行查看：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey

跟着一直解析，知道最后看到主机名

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001"

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"

即主机名为WIN-LO6FAF3DTFE

• WIN-LO6FAF3DTFE-192.168.202.131

Play Time

Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?（瑞克只是喜欢玩一些好的老式电子游戏，你能告诉他在玩哪个游戏吗？ 服务器的IP地址是什么？）

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 netscan

• LunarMS-77.102.199.102

Name Game

描述

We know that the account was logged in to a channel called Lunar-3. what is the account name?（我们知道该账户登录了一个名为Lunar-3的频道。什么是账户名称？）

0tt3r8r33z3

Name Game 2

From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What’s rick’s character’s name?（通过一点研究，我们发现，登录的字符的用户名总是在这个签名之后。0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} 瑞克的角色叫什么名字？）

先获得LunarMS.exe的pid:

然后将LunarMS.exe转储出来：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 memdump -p 708 -D ./

使用Hexdump搜索：

hexdump -C 708.dmp | grep "5a 0c 00" -A 3 -B 3

M0rtyL0L

Silly Rick

题目描述：

Silly rick always forgets his email’s password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick’s email password?（愚蠢的瑞克总是忘记他的电子邮件的密码，所以他使用在线存储密码服务来存储他的密码。他总是复制和粘贴密码，这样他就不会弄错。里克的电子邮件密码是什么？）

提到了粘贴，联想到粘贴板：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 clipboard

M@il_Pr0vid0rs

Hide And Seek

The reason that we took rick’s PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)（我们提取瑞克的电脑内存转储的原因是有一个恶意软件感染。请找到恶意软件的进程名称（包括扩展名））

进程：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 pstree

发现有个程序的ppid比pid还大，说明可能是异常进程

查看这个进程的DLL：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 dlllist -p 3720

发现是在Temp目录下运行的，说明是异常程序

vmware-tray.exe

Path To Glory

How did the malware got to rick’s PC? It must be one of rick old illigal habits…（恶意软件是如何进入里克的电脑的？这一定是瑞克的一个老习惯…）

查看与Rick相关联的文件

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 filescan|grep Rick

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007dae9350  -D ./

M3an_T0rren7_4_R!cke

需要将e去掉，即M3an_T0rren7_4_R!ck

strings的效果比cat好

Path To Glory 2

Continue the search after the the way that malware got in.（在恶意软件进入后继续搜索。）

把所有的chrome进程转储下来：

vol.py --plugin=/root/misc_tools/volatility/volatility/plugins -f OtterCTF.vmem --profile Win7SP1x64 memdump -n chrome -D ./chromeps

搜索download.exe.torren:

strings ./chromeps/* |grep "download.exe.torren" -A 10 -B 10

Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@inYear