I used this challenge to brush up on Volatility again. Unpacking the challenge file gives a very large pcap capture.

Just in case, I exported all the HTTP objects while solving; the largest one (upload_file.php) is the one to look at.

It was too big to open in Notepad++, so I looked at it in 010 Editor; the leading PK bytes clearly mark a zip archive.

Delete this from the beginning of the file:

-----------------------------154555628677
Content-Disposition: form-data; name="file"; filename="data.zip"
Content-Type: application/octet-stream

Delete this from the end of the file:

-----------------------------154555628677
Content-Disposition: form-data; name="submit"

Submit
-----------------------------154555628677--

Change the extension and you have a zip archive. Unzipping it yields a file named data.vmem.
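The manual trimming above is just carving the file part out of a multipart/form-data body. As an added example (my own code, not part of the original writeup), the following Python script does the same carving programmatically: it splits the body on the boundary line, separates each part's headers from its content, picks the part that carries a filename, checks for the PK local-file-header magic and lists the archive's members. The boundary string and the data.zip file name are taken from the writeup; the zip payload inside the sample body is constructed in memory so the script runs offline, and its contents are hypothetical.

```python
import io
import re
import zipfile

# Boundary line as it appears in the exported upload_file.php body (from the writeup).
BOUNDARY_LINE = b"-----------------------------154555628677"


def carve_parts(body, boundary_line):
    """Split a multipart/form-data body into (headers, content) byte pairs.

    Each part is delimited by the boundary line; its headers end at the first
    blank line and its content ends just before the CRLF that precedes the
    next boundary. The closing delimiter is the boundary followed by "--".
    """
    parts = []
    for chunk in body.split(boundary_line)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter: nothing after it belongs to a part
        headers, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        parts.append((headers.strip(), content))
    return parts


def extract_upload(body, boundary_line):
    """Return (filename, bytes) of the first part that carries a filename."""
    for headers, content in carve_parts(body, boundary_line):
        m = re.search(rb'filename="([^"]*)"', headers)
        if m:
            return m.group(1).decode("utf-8", "replace"), content
    return None, None


def zip_member_names(data):
    """Check the PK local-file-header magic and list the archive members."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("payload does not start with a zip local file header")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_body():
    """Constructed sample body: a tiny in-memory zip wrapped the same way the
    capture wraps data.zip (hypothetical contents, not the challenge data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.vmem", b"not a real memory image")
    payload = buf.getvalue()
    return b"".join([
        BOUNDARY_LINE, b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n',
        b"Content-Type: application/octet-stream\r\n",
        b"\r\n", payload, b"\r\n",
        BOUNDARY_LINE, b"\r\n",
        b'Content-Disposition: form-data; name="submit"\r\n',
        b"\r\n", b"Submit\r\n",
        BOUNDARY_LINE, b"--\r\n",
    ])


if __name__ == "__main__":
    body = build_sample_body()
    name, data = extract_upload(body, BOUNDARY_LINE)
    print(name, len(data), zip_member_names(data))
```

On the real capture you would read the exported upload_file.php body with open(path, "rb").read() and pass it to extract_upload; the boundary line is the same one shown in the trimmed header above.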

Next, over to Kali for the forensics. My earlier detailed notes: click here.

Commonly used Volatility plugins: click here.

volatility imageinfo -f data.vmem

volatility psscan -f data.vmem --profile=WinXPSP2x86

Extract the command history with the cmdscan plugin:

volatility cmdscan -f data.vmem --profile=WinXPSP2x86

This yields a password: weak_auth_top100

Scan the image for all file objects (filescan) and match the keyword "flag":

volatility filescan -f data.vmem --profile=WinXPSP2x86 | grep -E 'flag'

This finds flag.img; dump it using the physical offset from the filescan output:

volatility -f data.vmem --profile=WinXPSP2x86 dumpfiles -Q 0x0000000001155f90 -n --dump-dir=./
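To make the filescan-to-dumpfiles step concrete, here is an added Python example (my own code, not part of the original writeup and not a Volatility API): it parses lines in the Volatility 2 filescan column layout, filters on a keyword the way the grep above does (case-insensitively, which goes slightly beyond the page's case-sensitive grep), and builds one dumpfiles command per hit using the physical offset from the Offset(P) column as the -Q argument. The sample rows are constructed; only the flag.img offset is taken from the writeup.

```python
import re

# Constructed lines in the column layout of Volatility 2 "filescan" output.
# The flag.img offset is the one quoted in the writeup; the other rows are
# made-up filler so the keyword filter has something to reject.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000001155f90      1      0 R--r-- \\Device\\HarddiskVolume1\\flag.img
0x00000000011e8a10      1      1 R--rwd \\Device\\HarddiskVolume1\\WINDOWS\\system32\\ntdll.dll
0x0000000001201b38      2      1 RW-r-- \\Device\\HarddiskVolume1\\Documents and Settings\\user\\FLAG_notes.txt
"""

# offset, #Ptr, #Hnd, access flags, then the rest of the line is the path (may contain spaces)
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_filescan(text):
    """Turn filescan output into a list of dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "offset": int(m.group(1), 16),
                "ptr": int(m.group(2)),
                "hnd": int(m.group(3)),
                "access": m.group(4),
                "name": m.group(5),
            })
    return rows


def find_files(rows, keyword):
    """Case-insensitive substring match on the object path."""
    kw = keyword.lower()
    return [r for r in rows if kw in r["name"].lower()]


def dumpfiles_commands(rows, image, profile, outdir="./"):
    """Build one dumpfiles invocation per FILE_OBJECT, using the physical
    offset from the Offset(P) column (zero-padded to 16 hex digits) as -Q."""
    return [
        "volatility -f {} --profile={} dumpfiles -Q {:#018x} -n --dump-dir={}".format(
            image, profile, r["offset"], outdir)
        for r in rows
    ]


if __name__ == "__main__":
    hits = find_files(parse_filescan(SAMPLE_FILESCAN), "flag")
    for cmd in dumpfiles_commands(hits, "data.vmem", "WinXPSP2x86"):
        print(cmd)
```

In practice you would feed it the saved output of the filescan command (volatility filescan ... > filescan.txt) instead of the constructed sample; the #Hnd column being 0 for flag.img is typical of a file that is no longer open but whose FILE_OBJECT still sits in memory, which is exactly why filescan (a pool scan) finds it.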

Running binwalk on it yields an encrypted zip archive; the password is the weak_auth_top100 found above.

Unzipping gives usbdata.txt, and from there it is an ordinary USB keystroke-trace analysis. Here is the script:

#!/usr/bin/env python3
# Decode USB HID keyboard reports dumped one per line as colon-separated hex
# bytes, e.g. "02:00:04:00:00:00:00:00": byte 0 is the modifier byte (0x02 =
# left shift), byte 2 is the first keycode of the report.

normalkeys = { 0x04:"a",  0x05:"b",  0x06:"c", 0x07:"d", 0x08:"e", 0x09:"f", 0x0A:"g",  0x0B:"h", 0x0C:"i",  0x0D:"j", 0x0E:"k", 0x0F:"l", 0x10:"m", 0x11:"n",0x12:"o",  0x13:"p", 0x14:"q", 0x15:"r", 0x16:"s", 0x17:"t", 0x18:"u",0x19:"v", 0x1A:"w", 0x1B:"x", 0x1C:"y", 0x1D:"z",0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2A:"[DEL]",  0x2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"`", 0x33:";",  0x34:"'",0x35:"`", 0x36:",",  0x37:"." , 0x38:"/"}

shiftkeys = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"!", 0x1F:"@", 0x20:"#", 0x21:"$", 0x22:"%",  0x23:"^", 0x24:"&", 0x25:"*", 0x26:"(", 0x27:")", 0x28:"\n", 0x2A:"[DEL]",  0x2B:"    ", 0x2C:" ",  0x2D:"_", 0x2E:"+", 0x2F:"{",  0x30:"}",  0x31:"|", 0x32:"~", 0x33:":",  0x34:"\"",0x35:"~", 0x36:"<",  0x37:">", 0x38:"?" }

nums = []
shift_press = []
with open('usbdata.txt') as keys:
    for line in keys:
        shift_press.append(line[1])        # low nibble of the modifier byte: '2' = shift held
        nums.append(int(line[6:8], 16))    # first keycode of the report

# Walk keycodes and modifiers in lock step (zip keeps the two lists aligned even
# for reports that are skipped below; the original index counter could drift).
output = ""
for n, mod in zip(nums, shift_press):
    if n == 0:                  # key release / empty report
        continue
    if n not in shiftkeys:      # keycode not in the table (function keys, arrows, ...)
        continue
    if mod == '2':              # shift is pressed
        output += shiftkeys[n]
    elif mod == '0':            # no modifier
        output += normalkeys[n]
print('output :\n' + output)

Run it to get the flag.