考古
Category: General Skills
Source: 祥云杯2021
Author: unknown
Score: 15
Description
小明在家里翻到一台很古老的xp笔记本,换电池之后发现可以正常开机,但是发现硬盘空间不足。清理过程中却发生了一些不愉快的事情...
Solution
Windows system image forensics.
The given memory file is a Windows XP SP3 image file.
Using volatility
to find information in the image, the followings are important:
1. consoles
Gives some information about hacked by 1cepeak.
2. pslist
Find 2 processes, Oneclickcleanup & DumpIt
3. filescan
Find the Oneclickcleanup.exe
We should know that DumpIt
is the process used to create system image, and this is not related to the solution.
Then we should reverse Oneclickcleanup.exe
and find the next step.
First, we find a key this_a_key
. The process uses this key to encrypt data.
We get yet another file using reverse.
The given file is a doc
file with MS Word 6.0
. An old version of document. After the scan and analysis, no macro is found in the doc file, and as well as the hidden character.
After struggling several hours, I happened checked the xor brute force
of the file, and I found something interesting.
This part of the document can be xor
using key 0x2d
and gives the flag.
Flag
flag{8bedfdbb-ba42-43d1-858c-c2a5-5012d309}
Reference
Writeup by Enderaoe Lyther