Suninatas Game 30


Game 30

One of the most interesting games; be sure to try it first.

General Kim's PC was hacked by Hacker
Here is a Memory Dump at that time, You should find what Hacker did

Q1 : IP Address of General Kim's PC
Q2 : Which secret document did Haker read?
Q3 : What is content of secret document? There is a "Key"

Auth Key = lowercase(MD5(Answer of Q1+Answer of Q2+Key of Q3))

General Kim's computer was hacked.
Below is the memory dump from that time; you should be able to find the hacker's actions in it.
Q1: IP address of General Kim's computer
Q2: Which secret document did the hacker read?
Q3: What is the content of the secret document? It contains a "Key".
Auth Key = lowercase(MD5(Answer of Q1 + Answer of Q2 + Key of Q3))
❯ file 'MemoryDump(SuNiNaTaS)'
MemoryDump(SuNiNaTaS): data

Use volatility3, by the way.

❯ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.info
Volatility 3 Framework 2.27.0
Progress: 100.00 PDB scanning finished
Variable Value

Kernel Base 0x82e43000
DTB 0x185000
Symbols file:///home/kita/ctf/symbolTables/windows/ntkrpamp.pdb/5D0FE9918B274161A7ECA7C0D056BDF6-2.json.xz
Is64Bit False
IsPAE True
layer_name 0 WindowsIntelPAE
memory_layer 1 FileLayer
KdDebuggerDataBlock 0x82f6cc28
NTBuildLab 7601.18044.x86fre.win7sp1_gdr.13
CSDVersion 1
KdVersionBlock 0x82f6cc00
Major/Minor 15.7601
MachineType 332
KeNumberProcessors 1
SystemTime 2016-05-24 09:47:40+00:00
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 332
PE TimeDateStamp Sat Jan 5 02:46:00 2013

❯ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.netscan
Volatility 3 Framework 2.27.0
Progress: 100.00 PDB scanning finished
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

...
0x3f270450 TCPv4 192.168.197.138 139 0.0.0.0 0 LISTENING 4 System N/A
0x3f270768 UDPv4 192.168.197.138 137 * 0 4 System 2016-05-24 09:22:27.000000 UTC
0x3fdd5620 TCPv4 192.168.197.138 49248 113.29.189.142 80 ESTABLISHED - - -

The IP seems to be 192.168.197.138.
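Reading the host address off the netscan table by eye works for three rows, but a full dump has hundreds. The following is an added example, not part of the original writeup: it parses rows in the windows.netscan layout shown above (the three rows are copied in as a constructed sample), returns the local addresses that are real interface IPs (wildcards and loopback dropped, most frequent first), and separately lists ESTABLISHED sockets whose peer is outside private address space, which is the kind of row an analyst would want to look at next. Column positions follow the header printed by the plugin above.

```python
import ipaddress
import re

# Constructed sample: rows copied from the windows.netscan output in the writeup.
NETSCAN_SAMPLE = """\
0x3f270450 TCPv4 192.168.197.138 139 0.0.0.0 0 LISTENING 4 System N/A
0x3f270768 UDPv4 192.168.197.138 137 * 0 4 System 2016-05-24 09:22:27.000000 UTC
0x3fdd5620 TCPv4 192.168.197.138 49248 113.29.189.142 80 ESTABLISHED - - -
"""

# Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort [State] ...
# UDP rows carry no State column, so State is optional and must look like one.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>\w+)\s+(?P<laddr>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s+(?P<fport>\d+)(?:\s+(?P<state>[A-Z_]+))?"
)


def parse_netscan(text):
    """Turn netscan table lines into dicts; header, blank and '...' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def host_addresses(rows):
    """Local addresses that are real interface IPs, most frequently seen first."""
    counts = {}
    for r in rows:
        try:
            ip = ipaddress.ip_address(r["laddr"])
        except ValueError:  # "*" style wildcard in the UDP rows
            continue
        if ip.is_unspecified or ip.is_loopback:  # 0.0.0.0 / :: / 127.x
            continue
        counts[str(ip)] = counts.get(str(ip), 0) + 1
    return sorted(counts, key=lambda a: (-counts[a], a))


def external_connections(rows):
    """ESTABLISHED sockets whose peer is not a private or loopback address."""
    out = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        try:
            peer = ipaddress.ip_address(r["faddr"])
        except ValueError:
            continue
        if not (peer.is_private or peer.is_loopback):
            out.append((r["proto"], f"{r['laddr']}:{r['lport']}", f"{r['faddr']}:{r['fport']}"))
    return out


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN_SAMPLE)
    print("host addresses:", host_addresses(rows))
    for proto, local, remote in external_connections(rows):
        print("external:", proto, local, "->", remote)
```

On a real dump, pipe the plugin output into a file and pass its contents to parse_netscan; the frequency ordering matters there because a host with several adapters shows more than one candidate.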

❯ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.cmdline
Volatility 3 Framework 2.27.0
Progress: 100.00 PDB scanning finished
PID Process Args

4 System -
...
1640 v1tvr0.exe "C:\v196vv8\v1tvr0.exe"
3728 notepad.exe notepad C:\Users\training\Desktop\SecreetDocumen7.txt
...

The file is named SecreetDocumen7.txt.

❯ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.filescan | grep "SecreetDocumen7.txt"
0x3df2ddd8 100.0\Users\training\Desktop\SecreetDocumen7.txt

❯ vol -f 'MemoryDump(SuNiNaTaS)' -s ~/ctf/symbolTables windows.dumpfiles --phy 0x3df2ddd8
Volatility 3 Framework 2.27.0
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result

DataSectionObject 0x3df2ddd8 SecreetDocumen7.txt file.0x3df2ddd8.0x85d7d150.DataSectionObject.SecreetDocumen7.txt.dat

❯ xxd file.0x3df2ddd8.0x85d7d150.DataSectionObject.SecreetDocumen7.txt.dat
00000000: 4865 6c6c 6f2c 204e 6963 6520 746f 206d Hello, Nice to m
00000010: 6565 7420 796f 752e 0d0a 446f 2079 6f75 eet you...Do you
00000020: 2077 616e 6e61 2067 6574 2061 204b 6579 wanna get a Key
00000030: 3f0d 0a48 6572 6520 6973 2074 6865 204b ?..Here is the K
00000040: 6579 2079 6f75 2077 616e 742e 0d0a 4b65 ey you want...Ke
00000050: 7920 6973 2022 3472 6d79 5f34 6972 666f y is "4rmy_4irfo
00000060: 7263 655f 4e34 7679 2200 0000 0000 0000 rce_N4vy".......
...

The content of the secret document is 4rmy_4irforce_N4vy.

General Kim's computer was hacked.
Below is the memory dump from that time; you should be able to find the hacker's actions in it.
Q1: IP address of General Kim's computer
192.168.197.138

Q2: Which secret document did the hacker read?

SecreetDocumen7.txt


Q3: What is the content of the secret document? It contains a "Key".

4rmy_4irforce_N4vy

Auth Key = lowercase(MD5(Answer of Q1 + Answer of Q2 + Key of Q3))

192.168.197.138SecreetDocumen7.txt4rmy_4irforce_N4vy

MD5 via CyberChef, by the way:
c152e3fb5a6882563231b00f21a8ed5f
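The last two steps (reading the key out of the xxd dump of the cached file, then hashing Q1+Q2+Q3) can be done in one place without CyberChef. This is an added example, not code from the original writeup: it rebuilds the file bytes from the hex column of xxd output (the seven lines above are embedded as a constructed sample; "..." and other non-dump lines are ignored), pulls the value inside `Key is "..."` from the recovered text, and applies the Auth Key formula from the challenge statement. The xxd_to_bytes parser assumes the standard xxd layout of an offset, up to eight 4-hex-digit groups, then the ASCII column.

```python
import hashlib
import re

# Constructed sample: the xxd lines shown for the dumped SecreetDocumen7.txt section.
XXD_SAMPLE = """\
00000000: 4865 6c6c 6f2c 204e 6963 6520 746f 206d Hello, Nice to m
00000010: 6565 7420 796f 752e 0d0a 446f 2079 6f75 eet you...Do you
00000020: 2077 616e 6e61 2067 6574 2061 204b 6579 wanna get a Key
00000030: 3f0d 0a48 6572 6520 6973 2074 6865 204b ?..Here is the K
00000040: 6579 2079 6f75 2077 616e 742e 0d0a 4b65 ey you want...Ke
00000050: 7920 6973 2022 3472 6d79 5f34 6972 666f y is "4rmy_4irfo
00000060: 7263 655f 4e34 7679 2200 0000 0000 0000 rce_N4vy".......
...
"""

# offset, colon, then at most eight groups of 2 or 4 hex digits; the ASCII
# column that follows is deliberately not consumed (it is lossy anyway).
XXD_LINE_RE = re.compile(r"^([0-9a-fA-F]+):((?:\s+(?:[0-9a-fA-F]{2}){1,2}){1,8})")


def xxd_to_bytes(dump):
    """Rebuild raw bytes from xxd output, trusting only the hex column."""
    chunks = []
    for line in dump.splitlines():
        m = XXD_LINE_RE.match(line)
        if not m:
            continue  # "..." and anything that is not a dump line
        chunks.append(bytes.fromhex("".join(m.group(2).split())))
    return b"".join(chunks)


def extract_key(data):
    """Return the quoted value after 'Key is', or None; stops at the first NUL."""
    text = data.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    m = re.search(r'Key is "([^"]+)"', text)
    return m.group(1) if m else None


def auth_key(q1, q2, q3):
    """lowercase(MD5(Q1 + Q2 + Q3)) as the challenge defines it."""
    return hashlib.md5((q1 + q2 + q3).encode("utf-8")).hexdigest().lower()


def solve(dump=XXD_SAMPLE, ip="192.168.197.138", filename="SecreetDocumen7.txt"):
    key = extract_key(xxd_to_bytes(dump))
    if key is None:
        raise ValueError("no 'Key is \"...\"' marker in the recovered text")
    return auth_key(ip, filename, key)


if __name__ == "__main__":
    print(solve())
```

The NUL split matters: the cached section is padded with zero bytes past the end of the file, and carrying them into the decoded text would only invite mistakes when the key is copied onward.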