高校战“疫”网络安全分享赛-MISC-ez_mem&usb writeup

MISC-ez_mem&usb

binwalk发现两个压缩包，提取后但无法打开。

使用Wireshark提取，得到一个镜像文件‘’data.vmem‘’

使用volatility进行分析

volatility -f data.vmem imageinfo

volatility -f data.vmem --profile=WinXPSP2x86 pslist

找到两个关键进程

查看iehistory

没有信息的，查看cmd

volatility -f data.vmem --profile=WinXPSP2x86 cmdscan

发现passwd

weak_auth_top100

使用editbox查看输入框内容

volatility -f data.vmem --profile=WinXPSP2x86 editbox

访问的地址是C:\Documents and Settings\Administrator

猜测到需要提取的文件内容地址

filescan插件搜索文件，grep过滤包含Administrator的地址

volatility -f data.vmem --profile=WinXPSP2x86 filescan | grep "Administrator"

发现关键文件flag.img,提取出来

volatility -f data.vmem --profile=WinXPSP2x86 dumpfiles -Q 0x0000000001155f90 --dump-dir=./

得到文件file.None.0xff425090.dat，修改后缀为img

使用之前得到的passwd解密

得到usb流量

使用脚本进行提取

mappings={0x04:"A",0x05:"B",0x06:"C",0x07:"D",0x08:"E",0x09:"F",0x0A:"G",0x0B:"H",0x0C:"I",0x0D:"J",0x0E:"K",0x0F:"L",0x10:"M",0x11:"N",0x12:"O",0x13:"P",0x14:"Q",0x15:"R",0x16:"S",0x17:"T",0x18:"U",0x19:"V",0x1A:"W",0x1B:"X",0x1C:"Y",0x1D:"Z",0x1E:"1",0x1F:"2",0x20:"3",0x21:"4",0x22:"5",0x23:"6",0x24:"7",0x25:"8",0x26:"9",0x27:"0",0x28:"\n",0x2a:"[DEL]",0X2B:"",0x2C:"",0x2D:"-",0x2E:"=",0x2F:"[",0x30:"]",0x31:"\\",0x32:"~",0x33:";",0x34:"'",0x36:",",0x37:"."}

nums=[]

keys=open('usbdata.txt')

forlineinkeys:

ifline[0]!='0'orline[1]!='0'orline[3]!='0'orline[4]!='0'orline[9]!='0'orline[10]!='0'orline[12]!='0'orline[13]!='0'orline[15]!='0'orline[16]!='0'orline[18]!='0'orline[19]!='0'orline[21]!='0'orline[22]!='0':

continue

nums.append(int(line[6:8],16))

keys.close()

output=""

forninnums:

ifn==0:

continue

ifninmappings:

output+=mappings[n]

else:

output+='[unknown]'

print'output:\n'+output

得到flag