下载到的是一个.vmem文件.
https://pan.baidu.com/s/1x8YDL6IJkB7wEFJAtcHOBw
使用volatility获取信息进行取证.
volatility -f '/root/DATABASE/191009/mem.vmem' imageinfo
之后通过尝试确定profiles=Win2003SP1x86
volatility notepad -f '/root/DATABASE/191009/mem.vmem'
读取记事本信息,提示
hello hust
flag is not here
I can only tell you that I downloaded a file and the password of the compressed package is in it
volatility -f '/root/文档/mem.vmem' --profile=Win2003SP1x86 hivelist
扫注册表
volatility -f '/root/文档/mem.vmem' --profile=Win2003SP1x86 pslist
扫进程
volatility -f '/root/文档/mem.vmem' --profile=Win2003SP1x86 filesscan
扫文件,有
0x00000000032b2a30 1 0 R--rw- \Device\HarddiskVolume1\MyDownloads\Download\password.txt
dump出来之后是个RGB文档,辨识出是二维码.
使用如下脚本进行转换:
from PIL import Image
x = 256 #x坐标 通过对txt里的行数进行整数分解
y = 256 #y坐标 x * y = 行数
im = Image.new("RGB", (x, y)) #创建图片
file = open('password_with_rgb.txt') #打开rbg值的文件
#通过每个rgb点生成图片
for i in range(0, x):
for j in range(0, y):
line = file.readline() #获取一行的rgb值
rgb = line.split(",") #分离rgb,文本中逗号后面有空格
im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2]))) #将rgb转化为像素
im.show()
im.save('password.jpg')
#也可用im.save('flag.jpg')保存下来
来源:https://blog.csdn.net/ssjjtt1997/article/details/78450816
扫码得到密码
p@@@ssw02d2333
注意到
0x00000000014fcad8 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\welcome.zip
dump下来
解压得到flag.txt
ZmxhZ3tkZDVhNGUxcjNfOGQ0cWU1ZjJfYTVkYWZ3cjVnfQ==
b64之后得到flag.
flag{dd5a4e1r3_8d4qe5f2_a5dafwr5g}
技术参考
https://www.4hou.com/technology/5860.html
https://www.restran.net/2017/08/10/memory-forensics-tool-volatility/
https://mengsec.com/2018/10/20/CTF-Volatility/
https://www.jianshu.com/p/6438bc3302c8