Memory Forensics Challenge: MemLabs-5

MemLabs Lab 5 - Black Tuesday

Challenge description

We received this memory dump from our client recently. Someone accessed his system when he was not there and he found some rather strange files being accessed. Find those files and they might be useful. I quote his exact statement,


The names were not readable. They were composed of alphabets and numbers but I wasn't able to make out what exactly it was.


Also, he noticed his most loved application that he always used crashed every time he ran it. Was it a virus?


Note-1: This challenge is composed of 3 flags. If you think 2nd flag is the end, it isn't!! 😛


Note-2: There was a small mistake when making this challenge. If you find any string which has the string "L4B_3_D0n3*!!" in it, please change it to "L4B_5_D0n3!!*" and then proceed.


Note-3: You'll get the stage 2 flag only when you have the stage 1 flag.


Original download link: MemLabs_Lab5

For a backup download link, see Memory Forensics Challenge: MemLabs-1

Solution steps

flag1

Check the operating system version

vol.py -f MemoryDump_Lab5.raw imageinfo


While looking through the command-line records, an archive shows up, which is a bit suspicious

vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 cmdline


Earlier in the same output there is also a record of the browser being launched


So let's look at the browser history

vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 iehistory


A fuller view of the history shows that these are all suspicious files, and the name of the audio file in particular is clearly off


Feed it to a crypto quick-solve tool: it is base64-encoded, and decoding it gives the flag

After checking, this is the first flag

Remember Note 2: apply that change before submitting

flag2

That lets us rule out the audio file

Search for the remaining files one by one to see whether they are present

vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan | grep -E 'Password.png|SW1wb3J0YW50.rar|Hidden.kdbx'


Extract the archive

vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003eed56f0 -D ../Desktop

mv file.None.0xfffffa80010b44f0.dat 1.zip
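As an added example (not part of the original writeup), a small Python helper that automates the pattern behind flags 1 and 2: parse Volatility 2 filescan output, pick out file names that are base64 text like the ones the client described, and build the dumpfiles -Q command for their physical offsets. The filescan sample below is constructed; only the .rar offset 0x000000003eed56f0 is the one from this writeup, and the user directory "victim" is a placeholder.

```python
import base64
import re

# Constructed sample of `vol.py ... filescan` output (not taken from the dump);
# only the .rar offset is the one quoted in the writeup, "victim" is a placeholder.
SAMPLE_FILESCAN = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003eed56f0      2      0 RW-r-- \Device\HarddiskVolume1\Users\victim\Desktop\SW1wb3J0YW50.rar
0x000000003f1a2b10      1      0 R--r-- \Device\HarddiskVolume1\Users\victim\Desktop\Password.png
0x000000003f2c4d20      1      0 R--r-- \Device\HarddiskVolume1\Users\victim\Desktop\Hidden.kdbx
"""
# One filescan row: physical offset, #Ptr, #Hnd, access flags, path (may contain spaces).
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

def parse_filescan(output):
    """Turn filescan text into dicts; the header and separator lines do not match."""
    rows = []
    for line in output.splitlines():
        m = FILESCAN_ROW.match(line.strip())
        if m:
            rows.append({"offset": int(m.group(1), 16),
                         "access": m.group(4), "path": m.group(5)})
    return rows

def decode_base64_name(path):
    """Return the decoded file stem if it is base64 for printable ASCII, else None."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    try:
        raw = base64.b64decode(stem, validate=True)
    except ValueError:            # bad alphabet or padding: an ordinary name
        return None
    if not raw or any(b < 0x20 or b > 0x7e for b in raw):
        return None               # decodes, but not to text: treat as coincidence
    return raw.decode("ascii")

def find_encoded_names(rows):
    """Rows whose file names are base64 text, the pattern the client described."""
    hits = []
    for row in rows:
        decoded = decode_base64_name(row["path"])
        if decoded is not None:
            hits.append((row["path"], decoded, row["offset"]))
    return hits

def dumpfiles_command(image, profile, offset, outdir):
    """The dumpfiles invocation for one physical offset, as an argv list."""
    return ["vol.py", "-f", image, "--profile=" + profile, "dumpfiles",
            "-Q", "0x%016x" % offset, "-D", outdir]
```

Names such as Password.png survive the base64 alphabet check but decode to non-printable bytes, so only SW1wb3J0YW50.rar (which decodes to "Important") is reported.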


This archive is genuinely password-protected. Remember Note 3?

Enter the corrected first flag as the password, and you get an image


Second flag obtained

flag3

Remember Note 1: there are not just two flags

Go back to the last two entries of the cmdline output; one of the processes looks off


Try to extract the executables of these two processes, in order


This one needs IDA for analysis


Take the values, concatenate them, and you get bi0s{M3m_l4B5_OVeR_!}

The second one apparently cannot be extracted; I did not try, since getting the flag finishes the lab

Answers

Stage   Answer
flag1   flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}
flag2   flag{W1th_th1s_$taGe_2_1s_cOmPL3T3_!!}
flag3   bi0s{M3m_l4B5_OVeR_!}
posted @ 2024-12-18 14:41 by kriton