# Cat hunting

__PROBLEM__

We got an anonymous note that a student is downloading illegal content like 'cat pictures'! We confiscated his PC and got a memory dump before returning it. Your job now is to follow his traces and find out how he gets them.

[Link](http://www.mediafire.com/file/60dkm1poq7uy2oo/cat_hunting.zip/file)


__SOLUTION__

This was a very bad challenge, maybe because of the description or something else, but it was just bad.

We wasted a few hours before finding the right path.

We are given a memory dump, so let's start with a simple `imageinfo` to identify the OS profile:

```bash
➜ vol.py -f cat_hunting imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/mzfr/Downloads/cats/cat_hunting)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027f90a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027fad00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-03-20 14:27:22 UTC+0000
     Image local date and time : 2019-03-20 15:27:22 +0100
```

The image is Windows 7 SP1 x64, so the first suggested profile, `Win7SP1x64`, is the one to pass as `--profile` from here on. Next, `pstree` shows which processes were running and how they are parented:

Firefox is running, and if someone was downloading images it was almost certainly through the browser. So let's try to dump the Firefox history with the `firefoxhistory` plugin.

I tried, but got nothing. Dumping the Firefox process also failed, and searching the raw memory of the dump turned up nothing useful either.
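When the `firefoxhistory` plugin comes back empty, one fallback that works on any dump is carving URLs straight out of the raw image bytes. The script below is an added example and not part of the original writeup. It scans a constructed byte blob that stands in for a slice of the dump (the `192.0.2.10` address is a documentation address, not the challenge host) and pulls out both ASCII and UTF-16LE URLs, the latter being how Firefox and most other Windows code keep strings in memory, which is exactly what a plain `strings | grep http` misses.

```python
import re
from typing import List, Tuple

# Characters allowed in a URL after the scheme (RFC 3986 unreserved + reserved + '%').
_URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"

# ASCII form: http://... or https://...
_ASCII_URL = re.compile(rb"https?://" + _URL_CHARS + rb"+")

# UTF-16LE form: every character is followed by a NUL byte, so "http://"
# appears in memory as h\0t\0t\0p\0:\0/\0/\0 and a byte-wise grep never sees it.
_UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00)+"
)

# Constructed sample "memory": an ASCII URL, a UTF-16LE URL, some junk,
# a scheme we do not care about, and a duplicate of the first URL.
SAMPLE_MEMORY = (
    b"\x00" * 8
    + b"MOZ_PLACES\x00http://192.0.2.10/gallery/index.php\x00\x00"
    + b"\xde\xad\xbe\xef"
    + "https://192.0.2.10/cats/cat_13.jpg".encode("utf-16-le")
    + b"\x00\x00"
    + b"not-a-url ftp://192.0.2.10/ http://192.0.2.10/gallery/index.php "
    + b"\x00" * 4
)


def carve_urls(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, url) for every URL found, sorted by offset."""
    hits = []
    for m in _ASCII_URL.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16_URL.finditer(data):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(hits)


def unique_urls(data: bytes) -> List[str]:
    """URLs in order of first appearance, duplicates dropped."""
    seen: List[str] = []
    for _, _, url in carve_urls(data):
        if url not in seen:
            seen.append(url)
    return seen


def main() -> None:
    for off, enc, url in carve_urls(SAMPLE_MEMORY):
        print(f"0x{off:08x} {enc:<9} {url}")


if __name__ == "__main__":
    main()
```

On a real dump, feed `carve_urls` an `mmap` of the file rather than `read()`, since the regexes work fine on a memory map and a multi-gigabyte image does not need to be loaded into RAM. The offsets are file offsets in the dump, which is enough to go back with `volshell` or a hex editor and look at what surrounds an interesting URL.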

After some time we decided to work backwards from Firefox and look at the traces it left on the network side rather than on disk.

Running `netscan` lists the sockets and connections that were still in memory, and the foreign address of the Firefox connections gives us the `IP` of the server:

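The useful part of `netscan` output is the foreign address of connections owned by the browser, and on a real dump the list is long enough that reading it by eye is error-prone. The script below is an added example, not code from the writeup: it parses text in the column layout Volatility 2's `netscan` prints and counts remote endpoints per owning process, skipping listening sockets and unbound UDP entries. The sample output is constructed; offsets, PIDs and the `192.0.2.x` / `198.51.100.x` / `203.0.113.x` addresses are documentation values, not the challenge host.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in Volatility 2 netscan layout (not the challenge's real output).
SAMPLE_NETSCAN = "\n".join([
    "Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created",
    "0x3e0c1a10         UDPv4    0.0.0.0:5355                   *:*                                   1092     svchost.exe    2019-03-20 14:20:11 UTC+0000",
    "0x3e1b2d90         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         ",
    "0x3e2f4e60         TCPv4    192.168.56.101:49201           192.0.2.10:80        ESTABLISHED      2048     firefox.exe    2019-03-20 14:26:58 UTC+0000",
    "0x3e30a7b0         TCPv4    192.168.56.101:49203           192.0.2.10:80        CLOSE_WAIT       2048     firefox.exe    2019-03-20 14:27:03 UTC+0000",
    "0x3e31c120         TCPv4    192.168.56.101:49188           198.51.100.7:443     ESTABLISHED      2048     firefox.exe    2019-03-20 14:25:40 UTC+0000",
    "0x3e33f540         TCPv4    192.168.56.101:49150           203.0.113.9:443      ESTABLISHED      1364     svchost.exe    2019-03-20 14:21:07 UTC+0000",
])

# State is blank for UDP rows and Created may be missing, so the row regex makes
# both optional instead of splitting on whitespace.
_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_0-9]+)\s+)?"
    r"(?P<pid>-?\d+)\s+"
    r"(?P<owner>\S*)\s*"
    r"(?P<created>.*?)\s*$"
)


@dataclass
class Conn:
    offset: int
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str
    created: str


def parse_netscan(text: str) -> List[Conn]:
    """Parse netscan output; header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        conns.append(Conn(
            offset=int(m["offset"], 16), proto=m["proto"], local=m["local"],
            foreign=m["foreign"], state=m["state"] or "", pid=int(m["pid"]),
            owner=m["owner"], created=m["created"],
        ))
    return conns


def _is_real_remote(foreign: str) -> bool:
    """Drop wildcard / unbound foreign endpoints (listeners, UDP sockets)."""
    host, _, port = foreign.rpartition(":")
    return host not in ("*", "0.0.0.0", "::", "[::]", "") and port not in ("0", "*")


def remote_endpoints(conns: List[Conn], owner: Optional[str] = None) -> List[Tuple[str, int]]:
    """Remote host:port pairs with hit counts, most frequent first."""
    counts = Counter(
        c.foreign for c in conns
        if _is_real_remote(c.foreign) and (owner is None or c.owner == owner)
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for endpoint, n in remote_endpoints(parse_netscan(SAMPLE_NETSCAN), "firefox.exe"):
        print(f"{n:3d}  {endpoint}")
```

To use it on the challenge, pipe `vol.py -f cat_hunting --profile=Win7SP1x64 netscan` into a file and pass its contents to `parse_netscan`. Filtering on `firefox.exe` is the right first cut here, but keeping the per-owner breakdown also surfaces anything else on the box talking to the same host.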
I tried that IP; the host was still up and I was prompted with a login page.

If the host is up and the description asks us to find where the images come from, then we probably have to log in to get the flag. For that we need credentials. Let's try the `mimikatz` plugin, which pulls them out of the LSASS process memory captured in the dump:

Now we have the credentials and the URL, so we log in to the account and find a lot of images there, but one of them doesn't render properly.

So we open that image's URL directly and save the file. Opening it shows that it is not image data at all but base64 text:

```
c2VjdXJpbmV0c3tkMjU3MzZmZWJmZDgwOWVjNGViYTc2YjBhYWU5ZWFiMH0K
```

Decode it:

```bash
➜ echo "c2VjdXJpbmV0c3tkMjU3MzZmZWJmZDgwOWVjNGViYTc2YjBhYWU5ZWFiMH0K" | base64 -d
securinets{d25736febfd809ec4eba76b0aae9eab0}
```

FLAG - <span style="color: red">`securinets{d25736febfd809ec4eba76b0aae9eab0}`</span>
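An image that "doesn't render" is worth checking by content rather than by extension, since the browser only tells you it failed. The script below is an added example, not part of the writeup: it sniffs the leading bytes of a downloaded file, recognises the common raster formats by their magic numbers, and when the body is base64 text instead, decodes it and searches the result for the flag. The sample input is the base64 blob from this page; the flag pattern `securinets{32 hex chars}` is an assumption generalised from the one flag shown.

```python
import base64
import binascii
import re
from typing import Optional

# Magic bytes of the image formats a browser would render inline.
_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

# Assumed flag format, generalised from the single flag on this page.
_FLAG_RE = re.compile(r"securinets\{[0-9a-f]{32}\}")

# The base64 body from the writeup, standing in for the saved "image".
SAMPLE_DOWNLOAD = b"c2VjdXJpbmV0c3tkMjU3MzZmZWJmZDgwOWVjNGViYTc2YjBhYWU5ZWFiMH0K\n"


def sniff(data: bytes) -> str:
    """Classify a downloaded file by its leading bytes or by its character set."""
    for magic, name in _MAGIC.items():
        if data.startswith(magic):
            return name
    # base64 is often line-wrapped or newline-terminated; ignore whitespace.
    stripped = b"".join(data.split())
    if stripped and len(stripped) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
        return "base64-text"
    return "unknown"


def decode_if_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded payload when the file is base64 text, else None."""
    if sniff(data) != "base64-text":
        return None
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None


def extract_flag(data: bytes) -> Optional[str]:
    """Decode a base64 'image' and pull the flag out of it, if one is inside."""
    payload = decode_if_base64(data)
    if payload is None:
        return None
    m = _FLAG_RE.search(payload.decode("utf-8", errors="replace"))
    return m.group() if m else None


if __name__ == "__main__":
    print(sniff(SAMPLE_DOWNLOAD), extract_flag(SAMPLE_DOWNLOAD))
```

`sniff` is the same check `file` would do, but having it in code means every image pulled from the gallery can be run through it in one pass instead of opening them one by one to find the odd one out.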