Challenge information


A raw memory image (biodog.raw) is provided; the task is memory forensics with Volatility.

Writeup

Getting basic information

outtime@TimeMac Downloads % volatility -f biodog.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/outtime/Downloads/biodog.raw)
                      PAE type : PAE
                           DTB : 0xb00000L
                          KDBG : 0x8054d2e0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-09-08 05:30:23 UTC+0000
     Image local date and time : 2021-09-08 13:30:23 +0800

Then use WinXPSP2x86 as the profile. It is also the default profile of Volatility 2, which is why the commands below work without an explicit --profile; for any other image, pass --profile=... explicitly so that each plugin does not fall back to a guess.

Recovering executed commands

outtime@TimeMac Downloads % volatility -f biodog.raw cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 580
CommandHistory: 0x565c60 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x524
**************************************************
CommandProcess: csrss.exe Pid: 580
CommandHistory: 0x566bb8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4cc
Cmd #0 @ 0x3689ed8: git push -u origin master
Cmd #1 @ 0x566148: ok....
Cmd #2 @ 0x56aa08: then delete .git and flagfile
Cmd #3 @ 0x368a798: You can never find my account
Cmd #4 @ 0x56a580: hahaha!

The hint is handed to us directly: it is git-related (git push -u origin master), and the .git directory and the flag file were deleted afterwards, so whatever was pushed to the remote is the thing to look for.

Looking for files in memory

volatility -f biodog.raw filescan
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000001c3cc40      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32
0x0000000001c3f9b8      2      1 ------ \Device\NamedPipe\Winsock2\CatalogChangeListener-43c-0
0x0000000001c483b8      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\wbem\provthrd.dll
0x0000000001c498c8      2      1 ------ \Device\Afd\Endpoint
0x0000000001c4a5a8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x0000000001c546c8      2      1 ------ \Device\NamedPipe\Ctx_WinStation_API_service
0x0000000001c56478      1      1 RW-rw- \Device\HarddiskVolume1\WINDOWS\WindowsUpdate.log
0x0000000001c56510      1      1 RW-rw- \Device\HarddiskVolume1\WINDOWS\WindowsUpdate.log
0x0000000001c565a8      1      1 RW-rw- \Device\HarddiskVolume1\WINDOWS\WindowsUpdate.log
0x0000000001c56640      1      1 RW-rw- \Device\HarddiskVolume1\WINDOWS\WindowsUpdate.log
0x0000000001c566d8      1      1 RW-rw- \Device\HarddiskVolume1\WINDOWS\WindowsUpdate.log
.....

There is a lot of output, so this is where eyesight gets tested (not really). Try grepping for a few keywords instead. Keep in mind that filescan only reports FILE_OBJECT structures still resident in memory, so a file deleted before the capture, like the flag file the hint mentions, may simply not appear.

outtime@TimeMac Downloads % volatility -f biodog.raw filescan|grep -i 'flag'
Volatility Foundation Volatility Framework 2.6
outtime@TimeMac Downloads % volatility -f biodog.raw filescan|grep -i 'txt' 
Volatility Foundation Volatility Framework 2.6
0x00000000020bf6a0      1      0 RW-r-- \Device\HarddiskVolume1\Documents and Settings\Owner\桌面\ssh.txt
0x00000000021c01b0      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\ssh.txt
0x000000000231d6b0      4      2 -W-rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware VGAuth\logfile.txt.0
0x00000000024e0618      3      1 RW-r-- \Device\HarddiskVolume1\WINDOWS\SchedLgU.Txt

There is an ssh.txt on the user's desktop; dump it (by the physical offset filescan printed) and take a look.

outtime@TimeMac Downloads % volatility -f biodog.raw dumpfiles -Q 0x00000000020bf6a0 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x020bf6a0   None   \Device\HarddiskVolume1\Documents and Settings\Owner\桌面\ssh.txt
outtime@TimeMac Downloads % mv file.None.0x820bb7c8.dat ssh.txt
outtime@TimeMac Downloads % cat ssh.txt  
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

It is an OpenSSH private key, and nothing else. With no other lead, try base64-decoding the body: the armor is only base64 over a binary openssh-key-v1 structure, so the decoded bytes can be inspected directly.

outtime@TimeMac Downloads % cat ssh.txt|base64 -d
??? ӏԒ?HT?(F>??openssh-key-v1nonenone?ssh-rsa???/??p?a?7.?aé?
v??ِy??}??l??܈p ??v??ٷp`??8????QtG?m!?                        ?;?Ǵ??
$w?????tJw{s?PT@vb??-?!wN@n!”>{:?D???:ZYuF?}??.??????9??@h?i?䞩D??#??
                                                   ??Q?2???y?}u??/?+hr??{??x?h?]E?[Z????r?U?????????T?ade}?Lӕ?h?HY#?=?UP?yqdb+?ol&u?]??44DZ?>H??v?u$[?
                                                                                                                                                      ?*'?ǔ??|?lR????o5?<???vV???-2եi_a    F?K?O??????-?.???_đ?٤???S?????{e:????.>?.>ssh-rsa???/??p?a?7.?aé?
v??ِy??}??l??܈p ??v??ٷp`??8????QtG?m!?        ?;?Ǵ??
$w?????tJw{s?PT@vb??-?!wN@n!”>{:?D???:ZYuF?}??.??????9??@h?i?䞩D??#??
                                                   ??Q?2???y?}u??/?+hr??{??x?h?]E?[Z????r?U?????????T?ade}?Lӕ?h?HY#?=?UP?yqdb+?ol&u?]??44DZ?>H??v?u$[?
                                                                                                                                                      ?*'?ǔ??|?lR????o5?<???vV???-2եi_a    F?K?O??????-?.???_đ?٤???S?????{e:???u?#?+ƒ?=????=?v?0???~k????q??H?{?Rb?o??gH|:
P???M?$???h??4???f?ZT??9????h?>??j;K?ǖ.????zx??????}?m?٠<?*?CblK?0Z2??xV?U??? ???{
(?????TJ7O|4?D??YU?ݖ??9?H??'MCsC?,??o??
?????]?6»HA?FB?92m?1gg??6??S?6?;?nMJH???[??Zijs??Ê?y5@??!??hK?l19?B??"a??L??!?S?8???ygvY^z-K??N&?a?X?e??C???$I?-??ף3?5P????|????w
                                                       Qvr?-?    o1?v
                                                                    f?~?k?D???+?&D`?    K`|??C?)?w??E4G?h?ph`?I)??e??%'ú??K޲?????e??[rܗ???$?[??gpGo?'??uS?H)???]?Oj?????0&?6q??&?njw?Q?Q?El^<????4C?Ic??g];??!X???~$???/%??|t?C4???V[???S?Cݖ+?v??I_neԄ????v?

                                                   F???%??O8?W?????Yұ>?S1?v??B!›+;w
                                                                                ???B???O8~3?`w77ľ??D???F2?7x?ͅK?U್?(Q?????z?:?ڌ???NOi?5b??nNb&
?0?
ǫ2s????1?I?????3?t??V?î?a`?pT??;?*J? ???????j?S?V?????_?1??}99?o
                     Kq,b?!?̴}g???)?N?V????^?,,?,???î>Ԥ*!?G???Ǣc3iT,H?/?ג???ߣR&m???
I!?D?@LB?c?%
outtime@TimeMac Downloads % cat ssh.txt|base64 -d|strings
???
?(F>??openssh-key-v1
none
none
ssh-rsa
?/??p
7.?aé?
?;?Ǵ??
v???
p ??v?
`??8????QtG
Tf^6+?
644:??9?
?@h?
=$w?
???tJw{s
PT@vb?
-?!wN@n!?
:ZYuF
?}??
?2???y?}u??/?+hr??{
?h?]E
?[Z????
?????
T?ade
}?L?
HY#?=
qdb+?o
l&u?]??44DZ
>H??v?u$[?
?*'??
??|?lR
?o5?<??
??-2եi_a
????
?-?.
??_?
S???
?{e:??
ssh-rsa
?/??p
7.?aé?
?;?Ǵ??
v???
p ??v?
`??8????QtG
Tf^6+?
644:??9?
?@h?
=$w?
???tJw{s
PT@vb?
-?!wN@n!?
:ZYuF
?}??
?2???y?}u??/?+hr??{
?h?]E
?[Z????
?????
T?ade
}?L?
HY#?=
qdb+?o
l&u?]??44DZ
>H??v?u$[?
?*'??
??|?lR
?o5?<??
??-2եi_a
????
?-?.
??_?
S???
?{e:??
????=?v?0??
?~k?
H?{?
o??g
Mm??
q9E???
S?4???f?ZT??9
h?>?
j;K?
zx??
???}??
m?٠?
*?CblK?0Z2?
?? ??
??9?H
xCsC?,
? DQ???
~e??0?
??!??
?L??!
?S?8???ygvY^z-K
?a?X?e
??$I
?ף3?5P???
???w
????]?6»HA?FB?92m
JH???[
Zijs
o1?v
f?~?k?
??+?&D`?
K`|??C
E4G?&
h?ph`?
I)??e??%'ú?
??$?[??
gpGo?'
H)???]?Oj
?0&?6q?
?El^<????4C?
c??g];??!X
/%??
4???V[???S?C?
F???%??O8?W
?Yұ>?S1?v??B!?
???B?
`w77ľ
?U?
???z?:
M,??u?*?#?
?a`?p
*J? 
??j?S
?_?1
}99?o
/&(H?Hg
g?/??<b_(??î
ǫ2s?
I?????3?t??V
!?̴}g
??)?N?V?
î>Ԥ*!
Ǣc3iT,H
???ߣR&m?
song552085107@qq.com
???CC8?
I!?D

The raw decode is still unreadable, so run it through strings to keep only the printable ASCII, and an email address shows up. That address is the key's comment field: the openssh-key-v1 container stores the comment inside the private section, and since this key is unencrypted (cipher and KDF are both "none" in the decoded output) the comment survives as plain text in the blob. Still no obvious lead, until, remembering the git hint, I searched for the address on GitHub...
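Instead of eyeballing the strings output, the container can be parsed properly. The parser below is an added example written for this writeup, not code from the challenge or from OpenSSH: it walks the openssh-key-v1 layout (magic, cipher, KDF, KDF options, public keys, private section), skips the key material and returns the comment when the key is unencrypted. It does not need any third-party library. The fixture it ships with (`build_sample_key`) is a constructed, syntactically valid container around toy RSA numbers, not a real key, so that the example runs offline; the comment `user@example.com` in it is made up.

```python
import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOT = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"

# Number of key-specific fields that precede the comment in the private
# section, per key type (order as OpenSSH serialises it).
PRIVATE_FIELDS = {
    "ssh-rsa": 6,      # n, e, d, iqmp, p, q
    "ssh-ed25519": 2,  # public key, private key (seed || public key)
}


class Reader:
    """Cursor over the SSH wire encoding: uint32 lengths, length-prefixed strings."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def string(self):
        length = self.u32()
        chunk = self.data[self.pos:self.pos + length]
        if len(chunk) != length:
            raise ValueError("truncated string field")
        self.pos += length
        return chunk


def unarmor(pem):
    """Strip the PEM-style armor and base64-decode the openssh-key-v1 blob."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_FOOT:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    return base64.b64decode("".join(lines[1:-1]))


def parse_openssh_key(pem):
    """Return cipher, KDF, key type and (if unencrypted) the comment of the first key."""
    blob = unarmor(pem)
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    r = Reader(blob[len(MAGIC):])
    cipher = r.string().decode()
    kdf = r.string().decode()
    r.string()                       # KDF options (salt + rounds when encrypted)
    nkeys = r.u32()
    publics = [r.string() for _ in range(nkeys)]
    private = r.string()             # whole private section, encrypted or not
    info = {"cipher": cipher, "kdf": kdf,
            "key_type": Reader(publics[0]).string().decode(), "comment": None}
    if cipher != "none":
        return info                  # comment lives inside the encrypted section
    p = Reader(private)
    if p.u32() != p.u32():           # the two checkints must agree
        raise ValueError("checkint mismatch: corrupt or mis-decrypted key")
    key_type = p.string().decode()
    for _ in range(PRIVATE_FIELDS[key_type]):
        p.string()                   # skip the key material itself
    info["comment"] = p.string().decode("utf-8", errors="replace")
    return info


def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # SSH mpint: big-endian, with a leading 0x00 if the top bit would be set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_sample_key(comment, cipher="none"):
    """Constructed fixture, NOT a real key: a valid openssh-key-v1 container
    around textbook toy RSA numbers. Only the layout matters for the parser."""
    n, e, d, iqmp, p, q = 3233, 17, 2753, 38, 61, 53
    public = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    checkint = b"\x12\x34\x56\x78"
    private = (checkint * 2 + _string(b"ssh-rsa")
               + b"".join(_mpint(x) for x in (n, e, d, iqmp, p, q))
               + _string(comment.encode()))
    pad = 1
    while len(private) % 8:          # block padding 0x01, 0x02, ... as OpenSSH writes it
        private += bytes([pad])
        pad += 1
    kdf = b"none" if cipher == "none" else b"bcrypt"   # KDF options left empty: fixture only
    blob = (MAGIC + _string(cipher.encode()) + _string(kdf) + _string(b"")
            + struct.pack(">I", 1) + _string(public) + _string(private))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{body}\n{PEM_FOOT}\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_key("user@example.com")
    print(parse_openssh_key(pem))
```

Run it as `python3 parse_key.py ssh.txt` against the dumped file. The quick check without any script is `ssh-keygen -y -f ssh.txt`, which prints the public key line (current OpenSSH releases append the stored comment to it). If the parser reports a cipher other than "none", the comment is inside the encrypted section and nothing but the passphrase will get it out.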

Finding the file




Download it and open it: it is the source of a WeChat mini-program.

Finding the flag

The file is very long, and searching for keywords such as flag and ZmxhZw== (base64 of "flag") finds nothing, so it comes down to eyesight again. The plain search fails because the word is written with JS hex escapes (f\x5cl\x5ca\x5cg, where \x5c is a backslash), which a literal grep for "flag" never matches.
Somewhere past line 2000 there is some Chinese text (Chinese really stands out when scrolling fast):

Z([3,'这是地图组件测试'],['./pages/index/index.wxml',2,7])
Z([3,'地图'],['./pages/index/index.wxml',4,7])
Z([3,'这也是测试'],['./pages/index/index.wxml',7,7])
Z([3,'什么,你想要f\x5cl\x5ca\x5cg?'],['./pages/index/index.wxml',9,7])
Z([3,'U2FuZ0ZvcntTMF8zYXp5XzJfY3JhY2tfbm9vYl9wbGF5ZXJ9'],['./pages/index/index.wxml',10,7])
})(__WXML_GLOBAL__.ops_cached.$gwx_1);return __WXML_GLOBAL__.ops_cached.$gwx_1
}

Call it luck.
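Luck can be replaced by a small triage script. The scanner below is an added example for this writeup, not part of the challenge or of the mini-program's code: it first resolves JS `\xNN` / `\uNNNN` escapes so that the obfuscated `f\x5cl\x5ca\x5cg` literal becomes searchable, then flags every line that contains "flag" with a few junk characters allowed between the letters, and finally tries every long base64-looking token, keeping only those that decode to printable text shaped like `prefix{...}`. The `SAMPLE` text is constructed from the compiled wxml excerpt above, padded with filler lines that must not be reported; the regex thresholds (16-character tokens, up to three junk characters) are my own choices.

```python
import base64
import binascii
import re

# JS hex/unicode escapes: \x5c is a backslash, so 'f\x5cl\x5ca\x5cg' renders as f\l\a\g
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# "flag" with up to three junk characters between letters, any case
LOOSE_FLAG = re.compile(r"f.{0,3}?l.{0,3}?a.{0,3}?g", re.IGNORECASE)
# candidate base64 tokens: long enough to be interesting, optional padding
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# what a decoded flag usually looks like: prefix{...}
FLAG_SHAPE = re.compile(r"[A-Za-z0-9_]+\{[^{}\s]+\}")

# Constructed sample in the shape of the compiled wxml excerpt from the writeup,
# plus filler (a function, a base64 run of zero bytes) that must not be reported.
SAMPLE = r"""
var x = function(a,b){return a+b};
var blob = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
Z([3,'这是地图组件测试'],['./pages/index/index.wxml',2,7])
Z([3,'地图'],['./pages/index/index.wxml',4,7])
Z([3,'这也是测试'],['./pages/index/index.wxml',7,7])
Z([3,'什么,你想要f\x5cl\x5ca\x5cg?'],['./pages/index/index.wxml',9,7])
Z([3,'U2FuZ0ZvcntTMF8zYXp5XzJfY3JhY2tfbm9vYl9wbGF5ZXJ9'],['./pages/index/index.wxml',10,7])
})(__WXML_GLOBAL__.ops_cached.$gwx_1);return __WXML_GLOBAL__.ops_cached.$gwx_1
"""


def unescape_js(text):
    """Resolve \\xNN and \\uNNNN escapes the way the JS engine would."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_b64(token):
    """Decode a base64 token, tolerating stripped padding; None if it is not base64."""
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def find_flag_lines(text):
    """(line number, unescaped line) for lines containing a plain or obfuscated 'flag'."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        clean = unescape_js(line)
        if LOOSE_FLAG.search(clean):
            hits.append((lineno, clean.strip()))
    return hits


def find_base64_flags(text):
    """(token, decoded) for base64 tokens that decode to printable flag-shaped text."""
    found = []
    for m in B64_TOKEN.finditer(text):
        raw = decode_b64(m.group(0))
        if raw is None:
            continue
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue                      # binary junk, not a flag
        if decoded.isprintable() and FLAG_SHAPE.search(decoded):
            found.append((m.group(0), decoded))
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE
    for lineno, line in find_flag_lines(text):
        print(f"line {lineno}: {line}")
    for token, decoded in find_base64_flags(text):
        print(f"{token} -> {decoded}")
```

Point it at the downloaded mini-program source (`python3 scan.py app-service.js` or whichever file is largest); on the sample it reports the one f\l\a\g line and the single base64 token that decodes to a flag, while the zero-byte base64 filler is dropped by the printable check.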

outtime@TimeMac Downloads % echo "U2FuZ0ZvcntTMF8zYXp5XzJfY3JhY2tfbm9vYl9wbGF5ZXJ9" | base64 -d
SangFor{S0_3azy_2_crack_noob_player}

Done!