Suninatas Game 29

Joon-hyeok asked Seong-joon to repair PC
After repairing, Seong-joon did something to PC
You should fix this PC.

Q1 : When you surf "www.naver.com", Web browser shows something wrong. Fix it and you can find a Key
Q2 : Installed Keylogger's location & filename(All character is lower case)
- ex) c:\windows\notepad.exe
Q3 : Download time of Keylogger
- ex) 2016-05-27_22:00:00 (yyyy-mm-dd_hh:mm:ss)
Q4 : What did Keylogger detect and save? There is a Key

Auth Key = lowercase(MD5(Key of Q1+Answer of Q2+Answer of Q3+Key of Q4))

❯ file 'Windows7(SuNiNaTaS)'
Windows7(SuNiNaTaS): EGG archive data, version 1.0

EGG file (.egg) is a compressed archive file format developed by ESTsoft, primarily for their ALZip software, and is commonly used in South Korea. It acts similar to a .ZIP file but offers better Unicode support and efficient compression; it is frequently used for distributing large files and supports split volumes.

use bandizip btw, extract in windows guest

use libguestfs to mount btw

~/Downloads/Windows7(SuNiNaTaS)
❯ la
total 8.0G
drwxr-xr-x 1 kita kita 28 Feb 15 14:08 caches/
-rw-r--r-- 1 kita kita 2.0M May 24 2016 vmware-0.log
-rw-r--r-- 1 kita kita 384K May 24 2016 vmware.log
-rw-r--r-- 1 kita kita 53M May 24 2016 'Windows 7-000001.vmdk'
-rw-r--r-- 1 kita kita 8.5K May 24 2016 'Windows 7.nvram'
-rw-r--r-- 1 kita kita 1.0G May 24 2016 'Windows 7-Snapshot2.vmem'
-rw-r--r-- 1 kita kita 2.1M May 24 2016 'Windows 7-Snapshot2.vmsn'
-rw-r--r-- 1 kita kita 6.9G May 24 2016 'Windows 7.vmdk'
-rw-r--r-- 1 kita kita 445 May 24 2016 'Windows 7.vmsd'
-rw-r--r-- 1 kita kita 3.2K May 24 2016 'Windows 7.vmx'
-rw-r--r-- 1 kita kita 4.6K May 24 2016 'Windows 7.vmxf'

~/Downloads/Windows7(SuNiNaTaS)
❯ paru -S libguestfs

~/Downloads/Windows7(SuNiNaTaS) took 30s
sudo guestmount -a "Windows 7.vmdk" -m /dev/sda1 --ro /mnt/win

sudo cat /mnt/win/Windows/System32/drivers/etc/hosts
[sudo] password for kita:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
121.189.57.82 naver.com
121.189.57.82 www.naver.com
#
#
# C0ngr4tur4ti0ns!! This is a Keeeeeeeeeeey : what_the_he11_1s_keey
#
#
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
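The hosts-file check above, as an added example (not code from the original writeup): a small parser that flags any active entry pinning a hostname to a non-loopback address. A stock Windows 7 hosts file has no active mappings at all, so every such line is worth a look. The sample text is constructed to mirror the file recovered from the image.

```python
import ipaddress

# Constructed sample modelled on the hosts file found in the image
# (not the recovered file itself): naver.com is pinned to a foreign IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
121.189.57.82 naver.com
121.189.57.82 www.naver.com
#
# C0ngr4tur4ti0ns!! This is a Keeeeeeeeeeey : what_the_he11_1s_keey
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active (non-comment) entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. trailing ones
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: not an IP in the first column, skip it
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(text):
    """Active mappings to anything other than a loopback address.

    On a default Windows install every line is commented out, so any
    hit here is either deliberate admin config or a hijack like this one.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if not ipaddress.ip_address(ip).is_loopback]
```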

use volatility3 to extract btw

❯ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.pslist

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

...
1556 1344 v1tvr0.exe 0x87b8a030 3 101 1 False 2016-05-23 20:52:47.000000 UTC N/A Disabled
1564 1344 notepad.exe 0x87b893f8 1 63 1 False 2016-05-23 20:52:47.000000 UTC N/A Disabled
...

❯ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.cmdline
Volatility 3 Framework 2.27.0
Progress: 100.00 PDB scanning finished
PID Process Args
...
1556 v1tvr0.exe "C:\v196vv8\v1tvr0.exe"
...

[root@kita233 v196vv8]# ls -al
total 2470
drwxrwxrwx 1 root root 4096 May 24 2016 .
drwxrwxrwx 1 root root 8192 May 24 2016 ..
drwxrwxrwx 1 root root 0 May 24 2016 a12
-rwxrwxrwx 1 root root 294400 Jul 22 2009 four.dll
-rwxrwxrwx 1 root root 33 May 24 2016 ftc.gyy
-rwxrwxrwx 1 root root 4137 Jul 7 2010 kco.dat
-rwxrwxrwx 1 root root 22 May 24 2016 ssitisys.gyy
-rwxrwxrwx 1 root root 9 May 24 2016 te.dat
-rwxrwxrwx 1 root root 1594368 Jul 7 2010 v1tvr0.exe
drwxrwxrwx 1 root root 0 May 24 2016 v1valv
-rwxrwxrwx 1 root root 276 May 24 2016 v1vasyv.gyy
-rwxrwxrwx 1 root root 613376 Jul 7 2010 v1vmg00v.exe

# stat shows the wrong time; what we need is the Birth (creation) time, which is not available here
[root@kita233 v196vv8]# stat v1tvr0.exe
File: v1tvr0.exe
Size: 1594368 Blocks: 3120 IO Block: 4096 regular file
Device: 0,81 Inode: 109 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-05-24 03:26:09.330498800 +0800
Modify: 2010-07-07 06:50:09.109375000 +0800
Change: 2016-05-24 03:26:09.361698900 +0800
Birth: -

# the MFT (Master File Table) gives the same wrong time
❯ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.mftscan.MFTScan | grep -i "v1tvr0.exe"
* 0xe8b38b0100.0FILE 50282 1DB scanFile finArchive FILE_NAME 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC v1tvr0.exe

# need to check the browser download history
# the user uses the IE browser, and IE stores its history in index.dat
[root@kita233 win]# find . -name "index.dat" -exec strings -f {} \; | grep -i "exe"
...
./Users/training/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat: Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe <- notice spy keylogger
...

[root@kita233 win]# cp ./Users/training/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat /home/kita/

use pasco btw, a tool that examines the contents of Internet Explorer's cache files for forensic purposes.

or use index

❯ pasco index.dat | grep exe
...
URL Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe 05/24/2016 03:25:06 05/24/2016 03:25:06
...
[root@kita233 24052016 #training]# cat z1.dat | head

4:31:48 19

4:37:57 How did you know pAsS\orD? Wow... Kee22 ls "blackkey is a Good man"

4:38:58 notepd

4:44:13 pa
Q1 : When you surf "www.naver.com", Web browser shows something wrong. Fix it and you can find a Key

# C0ngr4tur4ti0ns!! This is a Keeeeeeeeeeey : what_the_he11_1s_keey
# what_the_he11_1s_keey

Q2 : Installed Keylogger's location & filename(All character is lower case)
- ex) c:\windows\notepad.exe

# 1556 v1tvr0.exe "C:\v196vv8\v1tvr0.exe"
# c:\v196vv8\v1tvr0.exe

Q3 : Download time of Keylogger
- ex) 2016-05-27_22:00:00 (yyyy-mm-dd_hh:mm:ss)

URL Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe 05/24/2016 03:25:06 05/24/2016 03:25:06
# need to convert to UTC+9 (the VM's time zone); the time shown here is UTC+8 (the analysis host's zone)
2016-05-24_04:25:06

Q4 : What did Keylogger detect and save? There is a Key

# 4:37:57 How did you know pAsS\orD? Wow... Kee22 ls "blackkey is a Good man"
# blackkey is a Good man

Auth Key = lowercase(MD5(Key of Q1+Answer of Q2+Answer of Q3+Key of Q4))

what_the_he11_1s_keeyc:\v196vv8\v1tvr0.exe2016-05-24_04:25:06blackkey is a Good man

use cyberchef btw md5
970f891e3667fce147b222cc9a8699d4
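The last two steps, as an added example (not the author's CyberChef run): shifting the pasco timestamp from the analysis host's UTC+8 into the VM's UTC+9 in the challenge's yyyy-mm-dd_hh:mm:ss form, then hashing the four answers concatenated with no separator. The values are the ones recovered above; the offsets are the ones the writeup states.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Values recovered on this page: hosts-file key, windows.cmdline path,
# pasco timestamp (as displayed on the UTC+8 analysis host), keylogger log.
Q1_KEY = "what_the_he11_1s_keey"
Q2_PATH = r"C:\v196vv8\v1tvr0.exe"
PASCO_TIME = "05/24/2016 03:25:06"
Q4_KEY = "blackkey is a Good man"


def pasco_to_answer(stamp, shown_utc_offset=8, target_utc_offset=9):
    """Re-zone a pasco 'MM/DD/YYYY HH:MM:SS' stamp and format it for Q3.

    pasco prints in the analysis host's local zone (UTC+8 here); the
    challenge wants the victim VM's zone (UTC+9). Day rollover is handled
    by the datetime arithmetic, not by hand.
    """
    naive = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
    shown = naive.replace(tzinfo=timezone(timedelta(hours=shown_utc_offset)))
    target = shown.astimezone(timezone(timedelta(hours=target_utc_offset)))
    return target.strftime("%Y-%m-%d_%H:%M:%S")


def key_material(q1, q2, q3, q4):
    """Plain concatenation, no separators; Q2 must be all lower case."""
    return q1 + q2.lower() + q3 + q4


def auth_key(q1, q2, q3, q4):
    """lowercase(MD5(Key of Q1 + Answer of Q2 + Answer of Q3 + Key of Q4))."""
    material = key_material(q1, q2, q3, q4)
    return hashlib.md5(material.encode("utf-8")).hexdigest().lower()


if __name__ == "__main__":
    q3 = pasco_to_answer(PASCO_TIME)
    print(key_material(Q1_KEY, Q2_PATH, q3, Q4_KEY))
    print(auth_key(Q1_KEY, Q2_PATH, q3, Q4_KEY))
```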