RITSEC 2018 - Bucket 'o cash - Writeup
The Forensics category had a memory image analysis challenge, so I tried just this one.
RITSEC 2018 - Bucket 'o cash 175 (77 Solves)
The given file starts with EMiL (45 4D 69 4C), so it looks like a memory image of some Linux distribution acquired with LiME.
Volatility's built-in profiles don't include any Linux profiles, so download one from the following URL and make it available.
I want to analyze it with Volatility, but it isn't obvious which profile should be used.
Running the strings command against the memory dump and looking through the output, the following string turns up:
Linux version 3.10.0-862.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Fri Apr 20 16:44:24 UTC 2018
The profile to use looks like the following one for CentOS 7:
LinuxCentos7-3_10_0-862_el7_x86_64x64 - A Profile for Linux Centos7-3.10.0-862.el7.x86_64 x64
Note: I only noticed after the competition ended that a hint about the OS had apparently been added partway through:
CentOS 7.5
Confirm that the limeinfo plugin runs:
vol.py limeinfo --profile=LinuxCentos7-3_10_0-862_el7_x86_64x64 -f C:\Users\hamasho333\Desktop\memorydump.enc
Volatility Foundation Volatility Framework 2.6
Memory Start       Memory End         Size
------------------ ------------------ ------------------
0x0000000000001000 0x000000000009ebff 0x000000000009dc00
0x0000000000100000 0x000000000fedffff 0x000000000fde0000
0x000000000ff00000 0x000000000fffffff 0x0000000000100000
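The steps above (recognising the EMiL magic, reading the segment table that limeinfo prints, and pulling the "Linux version" banner out of the dump to pick a profile) can be reproduced with a few dozen lines of Python. The script below is an added example and is not code from the writeup, from LiME or from Volatility. It assumes the LiME segment header layout (32 bytes, little-endian: magic "EMiL" as 0x4C694D45, version, start address, end address, 8 reserved bytes, followed by the segment's bytes) and builds a tiny two-segment image inline, with the banner quoted in the writeup placed in the second segment, so it runs offline.

```python
"""Parse a LiME memory image: list its segments (as limeinfo does), map a
physical address to a file offset, and extract the kernel banner used to
choose a Volatility profile.

Added example, not part of the original writeup, LiME or Volatility.
The sample image is constructed inline with tiny segments.
"""
import re
import struct

LIME_MAGIC = 0x4C694D45                 # "EMiL" read as a little-endian uint32
LIME_HDR = struct.Struct("<IIQQ8s")     # magic, version, s_addr, e_addr, reserved


def parse_lime(image: bytes):
    """Return [(s_addr, e_addr, data_offset), ...] for every segment in the image."""
    segments = []
    off = 0
    while off + LIME_HDR.size <= len(image):
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic at file offset 0x%x" % off)
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        data_off = off + LIME_HDR.size
        segments.append((s_addr, e_addr, data_off))
        off = data_off + (e_addr - s_addr + 1)   # the address range is inclusive
    if off != len(image):
        raise ValueError("image ends inside a segment (truncated capture?)")
    return segments


def phys_to_file_offset(segments, paddr: int):
    """Map a physical address to its offset in the image file, or None if unmapped."""
    for s_addr, e_addr, data_off in segments:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None


# The banner is a NUL-terminated ASCII string; the first token after
# "Linux version " is the kernel release that names the profile.
BANNER_RE = re.compile(rb"Linux version ([^\s\x00]+)[^\n\x00]*")


def find_kernel_banner(image: bytes):
    """Return (banner text, kernel release) for the first banner found, or None."""
    m = BANNER_RE.search(image)
    if m is None:
        return None
    return m.group(0).decode("ascii", "replace"), m.group(1).decode("ascii")


def build_sample_image() -> bytes:
    """Constructed two-segment LiME image; the banner sits 0x40 bytes into segment 2."""
    banner = (b"Linux version 3.10.0-862.el7.x86_64 (builder@kbuilder.dev.centos.org) "
              b"(gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) "
              b"#1 SMP Fri Apr 20 16:44:24 UTC 2018\x00")
    seg1 = bytes(0x100)                                    # physical 0x1000..0x10ff
    seg2 = bytes(0x40) + banner
    seg2 += bytes(0x200 - len(seg2))                       # physical 0x100000..0x1001ff
    image = LIME_HDR.pack(LIME_MAGIC, 1, 0x1000, 0x1000 + len(seg1) - 1, bytes(8)) + seg1
    image += LIME_HDR.pack(LIME_MAGIC, 1, 0x100000, 0x100000 + len(seg2) - 1, bytes(8)) + seg2
    return image


if __name__ == "__main__":
    img = build_sample_image()
    segs = parse_lime(img)
    print("Memory Start       Memory End         Size")
    for s, e, _ in segs:
        print("0x%016x 0x%016x 0x%016x" % (s, e, e - s + 1))
    print(find_kernel_banner(img))
```

Running it against a real capture means replacing `build_sample_image()` with the file's contents; `phys_to_file_offset` is the translation you need when carving a region by physical address, since the 32-byte header before each segment shifts every file offset relative to the physical address it holds.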
Pulling the list of running processes with the linux_pslist plugin, there is a process named flag:
vol.py --profile=LinuxCentos7-3_10_0-862_el7_x86_64x64 -f C:\Users\hamasho333\Desktop\memorydump.enc linux_pslist
Volatility Foundation Volatility Framework 2.6
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff8ed84fbd0000 systemd              1               0               0               0      0x000000000af64000 2018-11-15 22:26:37 UTC+0000
0xffff8ed84fbd0fd0 kthreadd             2               0               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84fbd1fa0 ksoftirqd/0          3               2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84fbd3f40 kworker/0:0H         5               2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84fbd4f10 kworker/u256:0       6               2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84fbd5ee0 migration/0          7               2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84fbd6eb0 rcu_bh               8               2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b520000 rcu_sched            9               2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b520fd0 lru-add-drain        10              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b521fa0 watchdog/0           11              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b08af70 kdevtmpfs            13              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b08bf40 netns                14              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b089fa0 khungtaskd           15              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b08cf10 writeback            16              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b08dee0 kintegrityd          17              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b08eeb0 bioset               18              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b0000 kblockd              19              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b0fd0 md                   20              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b1fa0 edac-poller          21              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b2f70 kworker/0:1          22              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b5ee0 kswapd0              27              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b4f10 ksmd                 28              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84b1b3f40 crypto               29              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84ec3eeb0 kthrotld             37              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84ec3cf10 kmpath_rdacd         39              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84ec3bf40 kaluad               40              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84ec3af70 kpsmoused            41              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84ec38fd0 ipv6_addrconf        43              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84004bf40 deferwq              56              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed840048fd0 kauditd              87              2               0               0      ------------------ 2018-11-15 22:26:37 UTC+0000
0xffff8ed84f362f70 mpt_poll_0           264             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f360fd0 mpt/0                265             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f363f40 ata_sff              266             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f364f10 scsi_eh_0            274             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f366eb0 scsi_tmf_0           275             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84e600000 scsi_eh_1            276             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84e602f70 scsi_tmf_1           279             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84e604f10 scsi_eh_2            281             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84e601fa0 scsi_tmf_2           282             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84e603f40 ttm_swap             285             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84e605ee0 irq/16-vmwgfx        287             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84df46eb0 kdmflush             358             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84df43f40 bioset               359             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84df42f70 kdmflush             369             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84df44f10 bioset               370             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84df45ee0 bioset               382             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f114f10 xfsalloc             383             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84004af70 xfs_mru_cache        384             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f361fa0 xfs-buf/dm-0         385             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed84f365ee0 xfs-data/dm-0        386             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc0000 xfs-conv/dm-0        387             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc0fd0 xfs-cil/dm-0         388             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc1fa0 xfs-reclaim/dm-      389             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc2f70 xfs-log/dm-0         390             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc3f40 xfs-eofblocks/d      391             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc4f10 xfsaild/dm-0         392             2               0               0      ------------------ 2018-11-15 22:26:38 UTC+0000
0xffff8ed845dc5ee0 kworker/0:1H         393             2               0               0      ------------------ 2018-11-15 22:26:39 UTC+0000
0xffff8ed84f112f70 systemd-journal      459             1               0               0      0x0000000009b52000 2018-11-15 22:26:41 UTC+0000
0xffff8ed845e29fa0 systemd-udevd        481             1               0               0      0x0000000000904000 2018-11-15 22:26:41 UTC+0000
0xffff8ed845e28fd0 lvmetad              482             1               0               0      0x00000000098da000 2018-11-15 22:26:41 UTC+0000
0xffff8ed84f111fa0 nfit                 506             2               0               0      ------------------ 2018-11-15 22:26:42 UTC+0000
0xffff8ed8497edee0 xfs-buf/sda1         530             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed8497eeeb0 xfs-data/sda1        531             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed84df41fa0 xfs-conv/sda1        532             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed845dc6eb0 xfs-cil/sda1         533             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed8497eaf70 xfs-reclaim/sda      535             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed84f110fd0 xfs-log/sda1         538             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed84ec38000 xfs-eofblocks/s      541             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed8497ecf10 xfsaild/sda1         543             2               0               0      ------------------ 2018-11-15 22:26:43 UTC+0000
0xffff8ed84941dee0 auditd               599             1               0               0      0x00000000058aa000 2018-11-15 22:26:43 UTC+0000
0xffff8ed849418fd0 polkitd              626             1               999             998    0x0000000009444000 2018-11-15 22:26:44 UTC+0000
0xffff8ed84df40000 systemd-logind       628             1               0               0      0x00000000094f8000 2018-11-15 22:26:44 UTC+0000
0xffff8ed84956eeb0 dbus-daemon          630             1               81              81     0x00000000094fa000 2018-11-15 22:26:44 UTC+0000
0xffff8ed84956cf10 chronyd              636             1               998             996    0x0000000008b56000 2018-11-15 22:26:44 UTC+0000
0xffff8ed849568000 crond                647             1               0               0      0x0000000008f30000 2018-11-15 22:26:44 UTC+0000
0xffff8ed84941eeb0 login                652             1               0               1000   0x000000000a75c000 2018-11-15 22:26:44 UTC+0000
0xffff8ed849418000 firewalld            656             1               0               0      0x0000000008e04000 2018-11-15 22:26:44 UTC+0000
0xffff8ed84f360000 NetworkManager       657             1               0               0      0x0000000000a9c000 2018-11-15 22:26:46 UTC+0000
0xffff8ed849cdaf70 tuned                992             1               0               0      0x000000000a0d0000 2018-11-15 22:26:49 UTC+0000
0xffff8ed849cdcf10 rsyslogd             993             1               0               0      0x000000000a0c0000 2018-11-15 22:26:49 UTC+0000
0xffff8ed849cd8fd0 sshd                 994             1               0               0      0x00000000097da000 2018-11-15 22:26:49 UTC+0000
0xffff8ed845e2af70 master               1128            1               0               0      0x000000000a0f0000 2018-11-15 22:26:50 UTC+0000
0xffff8ed845e2dee0 qmgr                 1140            1128            89              89     0x0000000009584000 2018-11-15 22:26:50 UTC+0000
0xffff8ed845e2eeb0 bash                 1263            652             1000            1000   0x000000000a74e000 2018-11-15 22:27:23 UTC+0000
0xffff8ed845b80fd0 sudo                 1284            1263            0               0      0x0000000008cc2000 2018-11-15 22:27:25 UTC+0000
0xffff8ed845b86eb0 bash                 1288            1284            0               0      0x00000000096d2000 2018-11-15 22:27:28 UTC+0000
0xffff8ed84941af70 pickup               1329            1128            89              89     0x000000000975c000 2018-11-15 22:27:50 UTC+0000
0xffff8ed849cd8000 tmux                 1337            1288            0               0      0x0000000009d86000 2018-11-15 22:29:31 UTC+0000
0xffff8ed849cdbf40 tmux                 1339            1               0               0      0x0000000009546000 2018-11-15 22:29:31 UTC+0000
0xffff8ed849cdeeb0 bash                 1340            1339            0               0      0x0000000009d4e000 2018-11-15 22:29:31 UTC+0000
0xffff8ed84f113f40 bash                 1355            1339            0               0      0x00000000058fe000 2018-11-15 22:29:35 UTC+0000
0xffff8ed84f110000 agetty               1370            1               0               0      0x0000000009d50000 2018-11-15 22:29:37 UTC+0000
0xffff8ed8402c9fa0 kworker/u256:1       1484            2               0               0      ------------------ 2018-11-15 22:35:17 UTC+0000
0xffff8ed849cddee0 dhclient             13153           657             0               0      0x0000000009c9a000 2018-11-15 22:42:42 UTC+0000
0xffff8ed8402cdee0 kworker/0:2          13476           2               0               0      ------------------ 2018-11-15 22:47:14 UTC+0000
0xffff8ed8402caf70 agetty               13480           1               0               0      0x00000000010bc000 2018-11-15 22:50:48 UTC+0000
0xffff8ed8402c8000 agetty               13481           1               0               0      0x0000000001050000 2018-11-15 22:50:49 UTC+0000
0xffff8ed8402c8fd0 kworker/0:0          13488           2               0               0      ------------------ 2018-11-15 22:52:15 UTC+0000
0xffff8ed8402cbf40 flag                 13498           1355            0               0      0x0000000008e56000 2018-11-15 22:53:33 UTC+0000
0xffff8ed8402ceeb0 systemd-udevd        13500           481             0               0      0x0000000005f84000 2018-11-15 22:53:37 UTC+0000
0xffff8ed8402ccf10 insmod               13501           1340            0               0      0x0000000008e5a000 2018-11-15 22:53:39 UTC+0000
Checking the bash history with the linux_bash plugin, it appears that /home/memes/flag.c was compiled and executed.
The guess that the memory dump was acquired with Linux Memory Extractor (LiME) also seems to have been correct.
vol.py --profile=LinuxCentos7-3_10_0-862_el7_x86_64x64 -f C:\Users\hamasho333\Desktop\memorydump.enc linux_bash
Volatility Foundation Volatility Framework 2.6
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1340 bash                 2018-11-15 22:29:31 UTC+0000   exit
    1340 bash                 2018-11-15 22:29:31 UTC+0000   cp flag.c /home/memes/
    1340 bash                 2018-11-15 22:29:31 UTC+0000   exit
    1340 bash                 2018-11-15 22:29:31 UTC+0000   cd /home/memes/
    1340 bash                 2018-11-15 22:29:31 UTC+0000   ls
    1340 bash                 2018-11-15 22:29:31 UTC+0000   mv flag /home/memes/
    1340 bash                 2018-11-15 22:29:31 UTC+0000   ls
    1340 bash                 2018-11-15 22:29:31 UTC+0000   chown memes:memes flag
    1340 bash                 2018-11-15 22:29:31 UTC+0000   chown memes:memes /home/memes/flag.c
    1340 bash                 2018-11-15 22:29:31 UTC+0000   exit
    1340 bash                 2018-11-15 22:30:27 UTC+0000   yum install git
    1340 bash                 2018-11-15 22:30:59 UTC+0000   git clone https://github.com/504ensicsLabs/LiME.git
    1340 bash                 2018-11-15 22:31:01 UTC+0000   ls
    1340 bash                 2018-11-15 22:31:05 UTC+0000   cd LiME/src/
    1340 bash                 2018-11-15 22:31:07 UTC+0000   make
    1340 bash                 2018-11-15 22:31:18 UTC+0000   ls
    1340 bash                 2018-11-15 22:31:29 UTC+0000   yum install make
    1340 bash                 2018-11-15 22:34:07 UTC+0000   make kernelrelease
    1340 bash                 2018-11-15 22:34:40 UTC+0000   uname -r
    1340 bash                 2018-11-15 22:35:08 UTC+0000   yum install kernel-devel
    1340 bash                 2018-11-15 22:36:03 UTC+0000   make
    1340 bash                 2018-11-15 22:37:47 UTC+0000   uname -r
    1340 bash                 2018-11-15 22:38:41 UTC+0000   ls /lib/modules/
    1340 bash                 2018-11-15 22:38:46 UTC+0000   ls /lib/modules/3.10.0-862.el7.x86_64/
    1340 bash                 2018-11-15 22:38:51 UTC+0000   ls /lib/modules/3.10.0-862.el7.x86_64/build
    1340 bash                 2018-11-15 22:39:02 UTC+0000   ls
    1340 bash                 2018-11-15 22:39:07 UTC+0000   vim Makefile
    1340 bash                 2018-11-15 22:39:36 UTC+0000   make
    1340 bash                 2018-11-15 22:39:37 UTC+0000   Make
    1340 bash                 2018-11-15 22:39:39 UTC+0000   make
    1340 bash                 2018-11-15 22:40:26 UTC+0000   ls -la /lib/modules/3.10.0-862.el7.x86_64/build
    1340 bash                 2018-11-15 22:41:36 UTC+0000   ls /usr/src/kernels/
    1340 bash                 2018-11-15 22:41:46 UTC+0000   unlink
    1340 bash                 2018-11-15 22:42:05 UTC+0000   unlink /lib/modules/3.10.0-862.el7.x86_64/build
    1340 bash                 2018-11-15 22:42:47 UTC+0000   ln -s /usr/src/kernels/3.10.0-862.14.4.el7.x86_64/ /lib/modules/3.10.0-862.el7.x86_64/build
    1340 bash                 2018-11-15 22:42:55 UTC+0000   ls -la /lib/modules/3.10.0-862.el7.x86_64/build/
    1340 bash                 2018-11-15 22:43:03 UTC+0000   make
    1340 bash                 2018-11-15 22:43:08 UTC+0000   ls
    1340 bash                 2018-11-15 22:46:52 UTC+0000   ls
    1340 bash                 2018-11-15 22:46:52 UTC+0000   cd ..
    1340 bash                 2018-11-15 22:47:10 UTC+0000   cd ..
    1340 bash                 2018-11-15 22:47:20 UTC+0000   ls
    1340 bash                 2018-11-15 22:50:37 UTC+0000   insmod ./LiME/src/lime-3.10.0-862.el7.x86_64.ko "path=/home/memes/memorydump format=lime"
    1340 bash                 2018-11-15 22:52:03 UTC+0000   rmmod ./LiME/src/lime-3.10.0-862.el7.x86_64.ko
    1340 bash                 2018-11-15 22:52:21 UTC+0000   lsmod
    1340 bash                 2018-11-15 22:52:26 UTC+0000   lsmod | grep lime
    1340 bash                 2018-11-15 22:52:52 UTC+0000   rmmod lime
    1340 bash                 2018-11-15 22:52:57 UTC+0000   insmod ./LiME/src/lime-3.10.0-862.el7.x86_64.ko "path=/home/memes/memorydump format=lime"
    1340 bash                 2018-11-15 22:53:38 UTC+0000   rmmod lime
    1340 bash                 2018-11-15 22:53:40 UTC+0000   insmod ./LiME/src/lime-3.10.0-862.el7.x86_64.ko "path=/home/memes/memorydump format=lime"
    1355 bash                 2018-11-15 22:29:36 UTC+0000   exit
    1355 bash                 2018-11-15 22:29:36 UTC+0000   cp flag.c /home/memes/
    1355 bash                 2018-11-15 22:29:36 UTC+0000   exit
    1355 bash                 2018-11-15 22:29:36 UTC+0000   cd /home/memes/
    1355 bash                 2018-11-15 22:29:36 UTC+0000   ls
    1355 bash                 2018-11-15 22:29:36 UTC+0000   mv flag /home/memes/
    1355 bash                 2018-11-15 22:29:36 UTC+0000   ls
    1355 bash                 2018-11-15 22:29:36 UTC+0000   chown memes:memes flag
    1355 bash                 2018-11-15 22:29:36 UTC+0000   chown memes:memes /home/memes/flag.c
    1355 bash                 2018-11-15 22:29:36 UTC+0000   exit
    1355 bash                 2018-11-15 22:30:06 UTC+0000   cd /home/memes
    1355 bash                 2018-11-15 22:30:06 UTC+0000   mes
    1355 bash                 2018-11-15 22:30:07 UTC+0000   ls
    1355 bash                 2018-11-15 22:30:10 UTC+0000   ./flag
    1355 bash                 2018-11-15 22:50:56 UTC+0000   ls
    1355 bash                 2018-11-15 22:51:05 UTC+0000   ls -la memorydump
    1355 bash                 2018-11-15 22:51:09 UTC+0000   rm memorydump
    1355 bash                 2018-11-15 22:51:19 UTC+0000   ./flag
    1355 bash                 2018-11-15 22:53:08 UTC+0000   ls
    1355 bash                 2018-11-15 22:53:30 UTC+0000
    1355 bash                 2018-11-15 22:53:30 UTC+0000   rm memorydump
    1355 bash                 2018-11-15 22:53:34 UTC+0000   ./flag
Dump flag with the linux_procdump plugin:
vol.py --profile=LinuxCentos7-3_10_0-862_el7_x86_64x64 -f C:\Users\hamasho333\Desktop\memorydump.enc linux_procdump --pid 13498 --dump-dir C:\Users\hamasho333\Desktop\
Volatility Foundation Volatility Framework 2.6
Offset             Name                 Pid             Address            Output File
------------------ -------------------- --------------- ------------------ -----------
0xffff8ed8402cbf40 flag                 13498           0x0000000000400000 C:\Users\hamasho333\Desktop\flag.13498.0x400000
Skimming the dumped ELF file, it seemed to be broken.
Among other oddities, another ELF file was tacked on after the ELF file, so I decided to extract the file by hand.
Checking the size of the region where flag is mapped with the linux_elfs plugin, it appears to be 2101296 bytes.
I opened memorydump.enc in a binary editor and manually cut out the region that seemed to correspond to flag (0x1434c40 to 0x1635C70).
vol.py --profile=LinuxCentos7-3_10_0-862_el7_x86_64x64 -f C:\Users\hamasho333\Desktop\memorydump.enc linux_elfs
Volatility Foundation Volatility Framework 2.6
Pid      Name              Start              End                Elf Path                                                     Needed
-------- ----------------- ------------------ ------------------ ------------------------------------------------------------ ------
     656 firewalld         0x0000000000400000 0x0000000000601030 /usr/bin/python2.7
     657 NetworkManager    0x00007fa06d733000 0x00007fa06daff1e0 /usr/usr/lib64/libc-2.17.so
    1340 bash              0x00007f680cce6000 0x00007f680d0b21e0 /usr/lib64/libc-2.17.so
    1355 bash              0x00007f30bc2bd000 0x00007f30bc6891e0 /usr/lib64/libc-2.17.so
   13153 dhclient          0x00007fd4e8007000 0x00007fd4e822c288 /usr/usr/lib64/liblzma.so.5.2.2
   13153 dhclient          0x00007fd4ec40d000 0x00007fd4ec7d91e0 /usr/usr/lib64/libc-2.17.so
   13480 agetty            0x00007fc2ce9be000 0x00007fc2ced8a1e0 /usr/lib64/libc-2.17.so
   13481 agetty            0x00007f6039b7a000 0x00007f6039f461e0 /usr/lib64/libc-2.17.so
   13498 flag              0x0000000000400000 0x0000000000601030 /home/memes/flag                                             libc.so.6
   13498 flag              0x0000000000400000 0x0000000000601030 /home/memes/flag                                             libc.so.6
   13498 flag              0x00007f517f0cf000 0x00007f517f49b1e0 libc.so.6                                                    ld-linux-x86-64.so.2
   13501 insmod            0x00007fe69c86f000 0x00007fe69ca8a488 libpthread.so.0                                              libc.so.6,ld-linux-x86-64.so.2
   13501 insmod            0x00007fe69ca8b000 0x00007fe69ce571e0 libc.so.6                                                    ld-linux-x86-64.so.2
   13501 insmod            0x00007fe69d06e000 0x00007fe69d283208 libz.so.1                                                    libc.so.6
   13501 insmod            0x00007fe69d284000 0x00007fe69d4a9288 liblzma.so.5                                                 libpthread.so.0,libc.so.6
The carved ELF file also looks broken, like the earlier flag file, but in this one more functions are (apparently) interpreted correctly.
There is a spot where hardcoded strings are moved into place with mov:
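Before spending time in a disassembler on a memory-carved ELF, it pays to check whether the blob is a single consistent ELF at all: the procdump output above had a second ELF appended, and a truncated or oversized carve shows up as program headers pointing past the end of the file. The script below is an added example, not code from the writeup or from Volatility; it locates every ELF magic in a blob and checks that the ELF64 header's program-header table and PT_LOAD file ranges fit inside it. The ELF images it tests against are constructed inline (a minimal x86-64 ELF64 with one PT_LOAD, a truncated copy, and the same ELF with a second magic glued on), so nothing here is the challenge binary.

```python
"""Sanity-check an ELF carved out of memory: find every ELF magic in the blob
and verify that the ELF64 header's program-header table and PT_LOAD file
ranges lie inside the blob.

Added example, not part of the original writeup or of Volatility. The test
blobs are constructed inline.
"""
import struct

ELF_MAGIC = b"\x7fELF"
# Elf64_Ehdr: e_ident[16], type, machine, version, entry, phoff, shoff,
#             flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
# Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
PHDR = struct.Struct("<IIQQQQQQ")
PT_LOAD = 1


def find_elf_magics(blob: bytes):
    """Offsets of every ELF magic in the blob; more than one hints at a bad carve."""
    offsets, i = [], blob.find(ELF_MAGIC)
    while i != -1:
        offsets.append(i)
        i = blob.find(ELF_MAGIC, i + 1)
    return offsets


def check_elf64(blob: bytes, base: int = 0):
    """Return a list of problems with the ELF64 at `base`; an empty list means it looks sane."""
    problems = []
    if len(blob) < base + EHDR.size:
        return ["blob too short for an ELF64 header"]
    (ident, _, _, _, _, phoff, _, _, ehsize,
     phentsize, phnum, _, _, _) = EHDR.unpack_from(blob, base)
    if ident[:4] != ELF_MAGIC:
        problems.append("bad magic")
    if ident[4] != 2:
        problems.append("EI_CLASS %d is not ELF64" % ident[4])
    if ehsize != EHDR.size or phentsize != PHDR.size:
        problems.append("unexpected e_ehsize/e_phentsize")
        return problems                      # cannot walk the table with a wrong stride
    if base + phoff + phnum * phentsize > len(blob):
        problems.append("program header table runs past the end of the blob")
        return problems
    for n in range(phnum):
        ptype, _, offset, _, _, filesz, _, _ = PHDR.unpack_from(blob, base + phoff + n * phentsize)
        if ptype == PT_LOAD and base + offset + filesz > len(blob):
            problems.append("PT_LOAD %d needs 0x%x bytes, blob ends early" % (n, offset + filesz))
    return problems


def build_sample_elf(load_filesz: int = 0x100, truncate: bool = False) -> bytes:
    """Constructed minimal x86-64 ELF64: header + one PT_LOAD at vaddr 0x400000, NOP-padded."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)    # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0x400400, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 64, 0, 0)   # ET_EXEC, EM_X86_64
    phdr = PHDR.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, load_filesz, load_filesz, 0x1000)
    body = ehdr + phdr
    body += b"\x90" * (load_filesz - len(body))
    return body[: len(body) // 2] if truncate else body


if __name__ == "__main__":
    good = build_sample_elf()
    glued = good + ELF_MAGIC + bytes(12)   # mimics a second ELF tacked on after the first
    print("magics at", find_elf_magics(glued))
    print("good:", check_elf64(good))
    print("truncated:", check_elf64(build_sample_elf(truncate=True)))
```

For a real carve, read the file and run `find_elf_magics` first; if the second magic sits at a page boundary beyond the PT_LOAD ranges of the first header, the extra bytes are a neighbouring mapping rather than part of the binary, which matches what the writeup observed.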
48 B8 55 6B 6C 55 55 30+    mov     rax, 44563055556C6B55h
48 89 DF                    mov     rdi, rbx
B9 07 00 00 00              mov     ecx, 7
48 89 04 24                 mov     [rsp+88h+var_88], rax
48 B8 65 30 30 7A 62 54+    mov     rax, 794254627A303065h
48 C7 44 24 20 43 67 3D+    mov     [rsp+88h+var_68], 3D3D6743h
48 89 44 24 08              mov     [rsp+88h+var_80], rax
48 B8 65 56 39 47 4D 48+    mov     rax, 7A49484D47395665h
48 89 44 24 10              mov     [rsp+88h+var_78], rax
48 B8 62 6E 4D 78 59 33+    mov     rax, 394E3359784D6E62h
48 89 44 24 18              mov     [rsp+88h+var_70], rax
48 89 E8                    mov     rax, rbp
F3 48 AB                    rep stosq
C6 44 24 32 37              mov     [rsp+88h+var_56], 37h
C7 07 00 00 00 00           mov     dword ptr [rdi], 0
48 89 E7                    mov     rdi, rsp
E8 5B FF FF FF              call    sub_400400
EB 99                       jmp     short loc_400440
Reversing the string "==gC9N3YxMnbzIHMG9VeyBTbz00eDV0UUlkU" and Base64-decoding it gave the flag.
RITSEC{M3m0ry_F0r3ns1cs}
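The immediates in the listing above are the string itself, stored little-endian at consecutive stack offsets (var_88, var_80, var_78, var_70, then the dword at var_68); laying them out the way the CPU does gives the Base64 text directly, and reversing the string quoted in the writeup gives the same bytes. The script below is an added example, not code from the writeup: it rebuilds the stack buffer from those immediates and decodes it both ways. The offsets and constants are taken from the disassembly; the layout helper and the checks are constructed here.

```python
"""Rebuild the string the flag binary assembles on its stack from the 64-bit
immediates in the disassembly, and decode it the way the writeup does
(reverse, then Base64).

Added example, not part of the original writeup. Immediates and stack
offsets come from the listing; everything else is constructed.
"""
import base64

# (offset from rsp, immediate, width in bytes) for each store in the listing:
#   mov [rsp+88h+var_88], rax   ; rax = 44563055556C6B55h  -> rsp+0x00
#   mov [rsp+88h+var_80], rax   ; rax = 794254627A303065h  -> rsp+0x08
#   mov [rsp+88h+var_78], rax   ; rax = 7A49484D47395665h  -> rsp+0x10
#   mov [rsp+88h+var_70], rax   ; rax = 394E3359784D6E62h  -> rsp+0x18
#   mov [rsp+88h+var_68], 3D3D6743h (32-bit store)          -> rsp+0x20
# The single byte 37h ('7') written at var_56 (rsp+0x32) lies past the
# string and is not part of it.
STACK_STORES = [
    (0x00, 0x44563055556C6B55, 8),
    (0x08, 0x794254627A303065, 8),
    (0x10, 0x7A49484D47395665, 8),
    (0x18, 0x394E3359784D6E62, 8),
    (0x20, 0x3D3D6743, 4),
]


def rebuild_stack_string(stores=STACK_STORES) -> bytes:
    """Lay each immediate out little-endian at its offset, exactly as the mov stores do."""
    buf = bytearray(max(off + width for off, _, width in stores))
    for off, imm, width in stores:
        buf[off:off + width] = imm.to_bytes(width, "little")
    return bytes(buf)


def decode_base64_text(b64: bytes) -> str:
    """Strict Base64 decode; the decoded text ends with a newline, which is stripped."""
    return base64.b64decode(b64, validate=True).decode("ascii").rstrip("\n")


def reverse_then_decode(s: str) -> str:
    """The writeup's path: reverse the quoted string, then Base64-decode it."""
    return decode_base64_text(s[::-1].encode("ascii"))


if __name__ == "__main__":
    stack_str = rebuild_stack_string()
    print(stack_str.decode("ascii"))
    print(decode_base64_text(stack_str))
    print(reverse_then_decode("==gC9N3YxMnbzIHMG9VeyBTbz00eDV0UUlkU"))
```

The `rep stosq` with `ecx = 7` in the listing zeroes 56 bytes at `rdi = rbx`, a different buffer, so it does not disturb the string; the 36-byte buffer at `rsp` is complete once the dword at var_68 lands.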
(This could probably have been solved with the strings command and some educated guessing without a proper analysis, and I suspect redefining the code of the flag binary dumped first, in the disassembler, would also have worked.)