2018 Otter CTF Writeup
1 - What the password? - 100pt
you got a sample of rick’s PC’s memory. can you get his user password?
format: CTF{…}
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 hashdump -s 0xfffff8a0016d4010
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
I ran hashdump against the hive offset that hivescan gave me, and these three accounts came out.
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 lsadump
Volatility Foundation Volatility Framework 2.6
DefaultPassword
0x00000000 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (...............
0x00000010 4d 00 6f 00 72 00 74 00 79 00 49 00 73 00 52 00 M.o.r.t.y.I.s.R.
0x00000020 65 00 61 00 6c 00 6c 00 79 00 41 00 6e 00 4f 00 e.a.l.l.y.A.n.O.
0x00000030 74 00 74 00 65 00 72 00 00 00 00 00 00 00 00 00 t.t.e.r.........
DPAPI_SYSTEM
0x00000000 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0x00000010 01 00 00 00 36 9b ba a9 55 e1 92 82 09 e0 63 4c ....6...U.....cL
0x00000020 20 74 63 14 9e d8 a0 4b 45 87 5a e4 bc f2 77 a5 .tc....KE.Z...w.
0x00000030 25 3f 47 12 0b e5 4d a5 c8 35 cf dc 00 00 00 00 %?G...M..5......
I pulled this out with lsadump.
Example: https://www.aldeid.com/wiki/Volatility/Retrieve-password
lsadump plugin : https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/registry/lsadump.py
FLAG : CTF{MortyIsReallyAnOtter}
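Two checks worth doing on the output above, as an added example (my code, not part of the original writeup): the lsadump blob is a 4-byte little-endian length followed, from offset 16, by the UTF-16LE string (that layout is read off the dump shown above), so it can be decoded mechanically instead of by eye; and the NT hash column from hashdump is MD4 of the UTF-16LE password, so the recovered cleartext can be hashed and compared against Rick's row. The 31d6cfe0... NT hash on Administrator and Guest is MD4 of the empty string (blank password), and the identical aad3b435... LM column on every account is the empty LM hash, meaning LM hashing is disabled. MD4 is implemented in pure Python here because hashlib's md4 is unavailable in many OpenSSL 3 builds; the hashdump and lsadump text is copied from the writeup.

```python
import struct

# lsadump / hashdump output as printed by Volatility 2.6 in the writeup above.
DEFAULT_PASSWORD_DUMP = """\
0x00000000 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (...............
0x00000010 4d 00 6f 00 72 00 74 00 79 00 49 00 73 00 52 00 M.o.r.t.y.I.s.R.
0x00000020 65 00 61 00 6c 00 6c 00 79 00 41 00 6e 00 4f 00 e.a.l.l.y.A.n.O.
0x00000030 74 00 74 00 65 00 72 00 00 00 00 00 00 00 00 00 t.t.e.r.........
"""
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of "" (blank password)


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from Volatility's 'offset, 16 hex bytes, ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        cols = line.split()
        if cols and cols[0].startswith("0x"):
            out += bytes(int(b, 16) for b in cols[1:17])
    return bytes(out)


def decode_lsa_secret(dump: str) -> str:
    """Layout observed in the dump: 4-byte LE length at offset 0, UTF-16LE data from offset 16."""
    raw = hexdump_to_bytes(dump)
    (length,) = struct.unpack_from("<I", raw, 0)
    return raw[16:16 + length].decode("utf-16-le").rstrip("\x00")


def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, pure Python (cross-checking only; hashlib's md4 is often disabled)."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)          # 64-bit little-endian bit length

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, message-word order, shift amounts)
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for step, i in enumerate(order):
                a = _rotl(a + fn(b, c, d) + X[i] + k, shifts[step % 4])
                a, b, c, d = d, a, b, c      # rotate roles: next step updates the old d
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex as hashdump prints it."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> dict:
    """user -> {rid, lm, nt} from 'user:rid:lm:nt:::' lines."""
    accounts = {}
    for line in text.splitlines():
        if line.count(":") >= 3:
            user, rid, lm, nt = line.split(":")[:4]
            accounts[user] = {"rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}
    return accounts


def empty_password_accounts(accounts: dict) -> list:
    """Accounts whose NT hash is MD4(''): blank (or never set) passwords."""
    return sorted(u for u, a in accounts.items() if a["nt"] == EMPTY_NT)


def lsa_secret_matches_user(password: str, accounts: dict, user: str) -> bool:
    """Does the cleartext recovered from the LSA secret hash to this user's NT hash?"""
    return nt_hash(password) == accounts[user]["nt"]


if __name__ == "__main__":
    pw = decode_lsa_secret(DEFAULT_PASSWORD_DUMP)
    accts = parse_hashdump(HASHDUMP)
    print("DefaultPassword:", pw)
    print("blank-password accounts:", empty_password_accounts(accts))
    print("LM disabled on all accounts:", all(a["lm"] == EMPTY_LM for a in accts.values()))
    print("DefaultPassword is Rick's logon password:", lsa_secret_matches_user(pw, accts, "Rick"))
```

DefaultPassword is the LSA secret Winlogon reads for AutoAdminLogon, which is why a cleartext logon password sits in it at all; the same cross-check works for any secret lsadump prints as a length-prefixed UTF-16LE string.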
2 - General Info - 75pt
Let’s start easy - whats the PC’s name and IP address?
format: CTF{flag}
PC name
First I ran a hive scan.
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 hivelist
Then I went to the registry key where the computer name is stored and pulled it out.
Computer name registry key: HKLM\SYSTEM\ControlSet00X\Control\ComputerName\ActiveComputerName
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K "ControlSet001\Control\ComputerName\ActiveComputerName"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ActiveComputerName (V)
Last updated: 2018-08-04 19:26:11 UTC+0000
Subkeys:
Values:
REG_SZ ComputerName : (V) WIN-LO6FAF3DTFE
FLAG : CTF{WIN-LO6FAF3DTFE}
PC IP
I ran netscan and took the local address.
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan
FLAG : CTF{192.168.202.131}
3 - Play Time - 50pt
Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?
format: CTF{flag}
Game name
Looking at the process list, he was playing a game called LunarMs.exe.
FLAG : CTF{LunarMS}
Server IP
I ran netscan and took the foreign address of the LunarMs connection from 192.168.202.131.
FLAG : CTF{77.102.199.102}
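Both of the netscan steps above (the local address for challenge 2, the game server for challenge 3) are the same triage: parse the table, pick the host that keeps showing up as a local endpoint, and list the remote peers per owning process. This is an added example of that parsing, my code rather than anything from the writeup. The netscan text is constructed in Volatility 2.6's column layout: the local address 192.168.202.131 and the LunarMS peer 77.102.199.102 are the values the writeup reports, while the ports, offsets, the other rows and their PIDs are made up.

```python
from collections import Counter

# Constructed netscan output (not the real dump). UDP rows have an empty State
# column, which is why whitespace-splitting needs the check in parse_netscan.
NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  ESTABLISHED      708      LunarMS.exe
0x7e8a0010         UDPv4    0.0.0.0:5355                   *:*                                   1120     svchost.exe    2018-08-04 19:26:13 UTC+0000
0x7e8b1230         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x7e9a2340         TCPv6    :::445                         :::0                 LISTENING        4        System
0x7e9c4560         TCPv4    192.168.202.131:49531          93.184.216.34:443    CLOSED           2832     iexplore.exe
0x7eab5670         UDPv4    192.168.202.131:137            *:*                                   4        System         2018-08-04 19:26:12 UTC+0000
"""


def parse_netscan(text: str) -> list:
    """One dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        proto, local, foreign = parts[1], parts[2], parts[3]
        rest = parts[4:]
        state = ""
        if not rest[0].lstrip("-").isdigit():   # TCP rows carry a State token, UDP rows do not
            state = rest.pop(0)
        pid = rest[0]
        owner = rest[1] if len(rest) > 1 else ""
        rows.append({
            "proto": proto, "local": local, "foreign": foreign, "state": state,
            "pid": int(pid) if pid.lstrip("-").isdigit() else None,
            "owner": owner, "created": " ".join(rest[2:]),
        })
    return rows


def host(endpoint: str) -> str:
    """Strip the port; rsplit keeps IPv6 addresses such as ':::445' intact."""
    return endpoint.rsplit(":", 1)[0]


def local_ip(rows: list):
    """The machine's own address: most common local host that is not a wildcard or loopback."""
    ignore = {"0.0.0.0", "127.0.0.1", "::", "::1", "*"}
    hosts = Counter(host(r["local"]) for r in rows if host(r["local"]) not in ignore)
    return hosts.most_common(1)[0][0] if hosts else None


def foreign_hosts(rows: list, owner: str) -> list:
    """Remote peers a given process talked to, wildcard and unbound endpoints excluded."""
    ignore = {"0.0.0.0", "::", "*"}
    return sorted({host(r["foreign"]) for r in rows
                   if r["owner"] == owner and host(r["foreign"]) not in ignore})


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN)
    print("local IP:", local_ip(rows))
    for owner in sorted({r["owner"] for r in rows}):
        print(f"{owner}: {foreign_hosts(rows, owner)}")
```

The same two functions applied to the real `netscan` output give the two flags; the per-owner listing is also the quickest way to spot a process with a peer it has no business talking to.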
4 - Name Game - 100pt
We know that the account was logged in to a channel called Lunar-3. what is the account name?
format: CTF{flag}
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D .
First, dump the LunarMS game process. LunarMS's PID is 708.
$ strings -a 708.dmp > prob3.txt
Searching the strings output for Lunar-3, 0tt3r8r33z3 was written right under Lunar-3.
It looked like the flag, so I submitted it.
FLAG : CTF{0tt3r8r33z3}
5 - Name Game2 - 150pt
From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What’s rick’s character’s name?
format: CTF{…}
No solve
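The two lookups in challenges 4 and 5 are the same operation on the process dump, one keyed on a text marker and one on a byte signature. As an added example (my code, not the writeup's, and not a solve of challenge 5), the block below does both in Python: a `strings`-style scan that returns the printable run directly under "Lunar-3", and the challenge-5 signature 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} translated into a bytes regex that returns the printable run after each hit. The dump it runs on is a constructed byte string, not 708.dmp: the Lunar-3 part is laid out as the writeup describes, and the name after the signature is invented.

```python
import re

# Constructed stand-in for 708.dmp. Part 1 mirrors the writeup's observation (the account
# name sits right under "Lunar-3" in strings output); part 2 is laid out to match the
# challenge-5 signature and is followed by a made-up character name.
SAMPLE_DUMP = (
    b"\x00\x00garbage\x01\x02Lunar-3\x00\x00\x00\x000tt3r8r33z3\x00\xff\xfe"
    + b"\x64" + b"\x11" * 7 + b"\x40\x06" + b"\x02" * 18 + b"\x5a\x0c\x00\x00"
    + b"ConstructedName\x00\x00\x00more bytes"
)


def strings(data: bytes, min_len: int = 4) -> list:
    """Roughly `strings -a`: (offset, text) for each run of >= min_len printable ASCII bytes."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def string_after(data: bytes, marker: bytes, min_len: int = 4):
    """First printable run after `marker`: the line `grep -A1` shows under it."""
    idx = data.find(marker)
    if idx < 0:
        return None
    end = idx + len(marker)
    return next((text for off, text in strings(data, min_len) if off >= end), None)


# Challenge 5's signature as a bytes regex. DOTALL so '.' also matches 0x0a; the regex
# engine backtracks over the 6-8 byte gap, so the leading 0x64 need not be unique.
SIGNATURE = re.compile(rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00", re.DOTALL)


def names_after_signature(data: bytes, min_len: int = 4) -> list:
    """(offset, text) of the printable run that immediately follows each signature hit."""
    hits = []
    for m in SIGNATURE.finditer(data):
        run = re.match(rb"[ -~]{%d,}" % min_len, data[m.end():m.end() + 64])
        if run:
            hits.append((m.start(), run.group().decode("ascii")))
    return hits


if __name__ == "__main__":
    print("under Lunar-3:", string_after(SAMPLE_DUMP, b"Lunar-3"))
    print("after signature:", names_after_signature(SAMPLE_DUMP))
```

On a real dump, read the file with `open("708.dmp", "rb").read()` (or `mmap` it) and expect several signature hits; the candidates then need to be judged by hand, since a loose signature like this one will match unrelated data too.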
6 - Silly Rick - 100pt
Silly rick always forgets his email’s password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick’s email password?
format: CTF{flag}
It says he copies and pastes. I used the clipboard plugin to grab that value.
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 CF_UNICODETEXT 0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs
1 WinSta0 CF_TEXT 0x10 ------------------
1 WinSta0 0x150133L 0x200000000000 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0x150133 0xfffff900c1c1adc0
FLAG : CTF{M@il_Pr0vid0rs}
7 - Hide And Seek - 100pt
The reason that we took rick’s PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)
BEWARE! There are only 3 attempts to get the right flag!
format: CTF{flag}
FLAG : CTF{vmware-tray.exe}
10 - Bit 4 Bit - 100pt
We’ve found out that the malware is a ransomware. Find the attacker’s bitcoin address.
format: CTF{…}
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -D dump/ -p 3720
You can extract the bitcoin address using this: https://transfer.sh/Dss8z/hidd.exe
FLAG : CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}
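A string that looks like a bitcoin address is easy to pull out of a dumped binary with a regex, and just as easy to get wrong by one character. As an added example (my code, not from the writeup), the block below extracts Base58 candidates from a byte blob and keeps only those whose Base58Check checksum (last four bytes equal the first four bytes of double-SHA256 over version byte plus hash160) verifies. The blob it scans is constructed: it contains the bitcoin genesis-block address, which is known to be valid, and a copy with the last character changed.

```python
import hashlib
import re

B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# P2PKH (1...) and P2SH (3...) candidates; 0, O, I and l are not Base58 characters.
ADDR_RE = re.compile(rb"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")

# Constructed sample blob, not the real procdump output.
SAMPLE_BLOB = (
    b"\x00\x00Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
    b"\x00look-alike 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
)


def b58decode(s: bytes):
    """Base58 to bytes; each leading '1' is a leading zero byte. None on a bad character."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip(b"1"))
    return b"\x00" * pad + body


def btc_address_valid(addr) -> bool:
    """Base58Check: 25 bytes = version(1) + hash160(20) + checksum(4), checksum = dsha256[:4]."""
    if isinstance(addr, str):
        addr = addr.encode("ascii")
    raw = b58decode(addr)
    if raw is None or len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def btc_address_version(addr) -> int:
    """Version byte of a valid address: 0x00 for P2PKH, 0x05 for P2SH."""
    raw = b58decode(addr.encode("ascii") if isinstance(addr, str) else addr)
    return raw[0]


def extract_btc_addresses(blob: bytes) -> list:
    """Regex candidates from a dump, minus anything that fails the checksum."""
    return sorted({m.group().decode("ascii") for m in ADDR_RE.finditer(blob)
                   if btc_address_valid(m.group())})


if __name__ == "__main__":
    print("valid in sample blob:", extract_btc_addresses(SAMPLE_BLOB))
    # The address the writeup reports for the ransomware, run through the same check.
    flag_addr = "1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M"
    print(flag_addr, "checksum ok:", btc_address_valid(flag_addr))
```

Run `extract_btc_addresses` over the dumped executable's bytes to get the checksum-verified candidates; a hit that fails the checksum is usually a truncated match or a decoy string, not an address.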
11 - Graphics is for the weak - 150pt
There’s something fishy in the malware’s graphics.
format: CTF{…}
You can see it by opening the dump with dnSpy.
FLAG : CTF{S0_Just_M0v3_Socy}