TrueSecrest - HackTheBox

2025. 11. 13. 03:15

Challenge


Solution

This challenge gives us a memory dump file, so the first thing I do is look at the process list.

Volatility 3 Framework 2.26.2
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x8378ed28 87 475 N/A False 2022-12-15 06:08:19.000000 UTC N/A Disabled
252 4 smss.exe 0x83e7e020 2 29 N/A False 2022-12-15 06:08:19.000000 UTC N/A Disabled
320 312 csrss.exe 0x843cf980 9 375 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
356 312 wininit.exe 0x837f6280 3 79 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
368 348 csrss.exe 0x84402d28 7 203 1 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
396 348 winlogon.exe 0x84409030 3 110 1 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
452 356 services.exe 0x844577a0 9 213 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
468 356 lsass.exe 0x8445e030 7 591 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
476 356 lsm.exe 0x8445f030 10 142 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
584 452 svchost.exe 0x84488030 10 347 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
644 452 VBoxService.ex 0x844a2030 11 116 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
696 452 svchost.exe 0x844ab478 7 243 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
752 452 svchost.exe 0x844c3030 18 457 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
864 452 svchost.exe 0x845f5030 16 399 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
904 452 svchost.exe 0x845fcd28 15 311 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
928 452 svchost.exe 0x84484d28 23 956 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
992 452 svchost.exe 0x8e013488 5 114 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
1116 452 svchost.exe 0x8e030a38 18 398 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
1228 452 spoolsv.exe 0x8e0525b0 13 275 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
1268 452 svchost.exe 0x84477d28 19 337 0 False 2022-12-14 21:08:21.000000 UTC N/A Disabled
1352 452 taskhost.exe 0x8e0a2658 9 223 1 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
1448 864 dwm.exe 0x844d2d28 3 69 1 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
1464 1436 explorer.exe 0x8e0d3a40 32 1069 1 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
1636 452 svchost.exe 0x8e1023a0 10 183 0 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
1680 452 svchost.exe 0x8e10d998 14 224 0 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
1776 452 wlms.exe 0x8e07d900 4 45 0 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
1832 1464 VBoxTray.exe 0x83825540 12 140 1 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
352 452 sppsvc.exe 0x8e1cd8d0 4 144 0 False 2022-12-14 21:08:23.000000 UTC N/A Disabled
1632 452 svchost.exe 0x8e1f6a40 5 91 0 False 2022-12-14 21:08:23.000000 UTC N/A Disabled
856 452 SearchIndexer. 0x8e06f2d0 13 626 0 False 2022-12-14 21:08:28.000000 UTC N/A Disabled
2128 1464 TrueCrypt.exe 0x91892030 4 262 1 False 2022-12-14 21:08:31.000000 UTC N/A Disabled
2760 452 svchost.exe 0x91865790 13 362 0 False 2022-12-14 21:10:23.000000 UTC N/A Disabled
2332 584 WmiPrvSE.exe 0x83911848 5 112 0 False 2022-12-14 21:12:23.000000 UTC N/A Disabled
2580 452 taskhost.exe 0x8e1ef208 5 86 1 False 2022-12-14 21:13:01.000000 UTC N/A Disabled
2176 1464 7zFM.exe 0x8382f198 3 135 1 False 2022-12-14 21:22:44.000000 UTC N/A Disabled
3212 1464 DumpIt.exe 0x83c1d030 2 38 1 False 2022-12-14 21:33:28.000000 UTC N/A Disabled
272 368 conhost.exe 0x83c0a030 2 34 1 False 2022-12-14 21:33:28.000000 UTC N/A Disabled
Time Stamp: Wed Nov 12 22:44:47 2025

I notice a TrueCrypt.exe process. That is an unusual application to see, since it is used for encryption, so it is quite likely this person ran it to encrypt a file or something similar.

Next I run netscan and cmdline.

netscan

Volatility 3 Framework 2.26.2
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0xa08970 UDPv6 fe80::c462:3ba5:e8ed:5629 1900 * 0 1680 svchost.exe 2022-12-14 21:10:23.000000 UTC
0x1c700e0 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 468 lsass.exe N/A
0x28b10b0 UDPv6 ::1 1900 * 0 1680 svchost.exe 2022-12-14 21:10:23.000000 UTC
0x2b50570 UDPv4 0.0.0.0 3702 * 0 1680 svchost.exe 2022-12-14 21:08:28.000000 UTC
0x548da68 UDPv4 0.0.0.0 5355 * 0 1116 svchost.exe 2022-12-14 21:33:22.000000 UTC
0x548da68 UDPv6 :: 5355 * 0 1116 svchost.exe 2022-12-14 21:33:22.000000 UTC
0x57ad758 UDPv4 0.0.0.0 58111 * 0 1680 svchost.exe 2022-12-14 21:08:22.000000 UTC
0x57ad758 UDPv6 :: 58111 * 0 1680 svchost.exe 2022-12-14 21:08:22.000000 UTC
0x57add80 UDPv4 0.0.0.0 58110 * 0 1680 svchost.exe 2022-12-14 21:08:22.000000 UTC
0x5c70330 UDPv4 0.0.0.0 3702 * 0 1680 svchost.exe 2022-12-14 21:08:28.000000 UTC
0x5c70330 UDPv6 :: 3702 * 0 1680 svchost.exe 2022-12-14 21:08:28.000000 UTC
0x6b21380 TCPv4 0.0.0.0 5357 0.0.0.0 0 LISTENING 4 System N/A
0x6b21380 TCPv6 :: 5357 :: 0 LISTENING 4 System N/A
0x6d0e358 UDPv4 0.0.0.0 0 * 0 1632 svchost.exe 2022-12-14 21:08:23.000000 UTC
0x6d0e358 UDPv6 :: 0 * 0 1632 svchost.exe 2022-12-14 21:08:23.000000 UTC
0x6d0e510 UDPv4 0.0.0.0 0 * 0 1632 svchost.exe 2022-12-14 21:08:23.000000 UTC
0x82940a8 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 928 svchost.exe N/A
0x8710b38 UDPv4 0.0.0.0 3702 * 0 1680 svchost.exe 2022-12-14 21:08:28.000000 UTC
0x8b5c008 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 928 svchost.exe N/A
0x8b5c008 TCPv6 :: 49154 :: 0 LISTENING 928 svchost.exe N/A
0x8b99d58 UDPv4 127.0.0.1 55598 * 0 1680 svchost.exe 2022-12-14 21:10:23.000000 UTC
0x9965bc8 UDPv4 0.0.0.0 3702 * 0 1680 svchost.exe 2022-12-14 21:08:28.000000 UTC
0x9965bc8 UDPv6 :: 3702 * 0 1680 svchost.exe 2022-12-14 21:08:28.000000 UTC
0x9ae7398 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 452 services.exe N/A
0x9ae7398 TCPv6 :: 49155 :: 0 LISTENING 452 services.exe N/A
0x9ae77e8 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 452 services.exe N/A
0xb264c20 UDPv4 127.0.0.1 1900 * 0 1680 svchost.exe 2022-12-14 21:10:23.000000 UTC
0xb83c2c8 UDPv6 ::1 55597 * 0 1680 svchost.exe 2022-12-14 21:10:23.000000 UTC
0xb840f50 UDPv4 10.10.10.13 1900 * 0 1680 svchost.exe 2022-12-14 21:10:23.000000 UTC
0xb871f50 UDPv4 0.0.0.0 0 * 0 1116 svchost.exe 2022-12-14 21:08:24.000000 UTC
0xb871f50 UDPv6 :: 0 * 0 1116 svchost.exe 2022-12-14 21:08:24.000000 UTC
0xb8b31e8 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 696 svchost.exe N/A
0xb8b31e8 TCPv6 :: 135 :: 0 LISTENING 696 svchost.exe N/A
0xb8b3898 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 696 svchost.exe N/A
0xb8ba1c0 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 356 wininit.exe N/A
0xb8ba1c0 TCPv6 :: 49152 :: 0 LISTENING 356 wininit.exe N/A
0xb8ba488 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 356 wininit.exe N/A
0xb8eb188 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 468 lsass.exe N/A
0xb8eb188 TCPv6 :: 49156 :: 0 LISTENING 468 lsass.exe N/A
0xb8f3698 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 752 svchost.exe N/A
0xb8f3698 TCPv6 :: 49153 :: 0 LISTENING 752 svchost.exe N/A
0xb8f3c08 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 752 svchost.exe N/A
0xbeaa260 UDPv4 0.0.0.0 5355 * 0 1116 svchost.exe 2022-12-14 21:33:22.000000 UTC
0xc072008 UDPv4 0.0.0.0 0 * 0 2292 iexplore.exe 2022-12-14 21:24:22.000000 UTC
0xc072008 UDPv6 :: 0 * 0 2292 iexplore.exe 2022-12-14 21:24:22.000000 UTC
0xc424468 UDPv4 10.10.10.13 137 * 0 4 System 2022-12-14 21:08:22.000000 UTC
0xc4279c8 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System N/A
0xc4279c8 TCPv6 :: 445 :: 0 LISTENING 4 System N/A
0xc42a790 UDPv4 10.10.10.13 138 * 0 4 System 2022-12-14 21:08:22.000000 UTC
0xc4ad3c8 UDPv4 0.0.0.0 5355 * 0 1116 svchost.exe 2022-12-14 21:23:22.000000 UTC
0xc54e438 UDPv4 0.0.0.0 57751 * 0 1116 svchost.exe 2022-12-14 21:28:22.000000 UTC
0xc54e438 UDPv6 :: 57751 * 0 1116 svchost.exe 2022-12-14 21:28:22.000000 UTC
0xc551c20 UDPv4 0.0.0.0 0 * 0 644 VBoxService.ex 2022-12-14 21:24:18.000000 UTC
0xc5a1de8 TCPv4 127.0.0.1 49171 239.255.255.250 8000 CLOSED - - -
0xc68c580 TCPv4 10.10.10.13 139 0.0.0.0 0 LISTENING 4 System N/A
Time Stamp: Wed Nov 12 23:18:33 2025

The LISTENING ports (services the machine is serving) are an important indicator.

PID   Process       Port(s)           Note
4     System        445, 139, 5357    SMB and Windows HTTP services (normal)
356   wininit.exe   49152             normal
452   services.exe  49155             very suspicious, since services.exe does not normally listen on TCP directly
468   lsass.exe     49156             normal (RPC / LSASS)
696   svchost.exe   135               RPC Endpoint Mapper (normal)
752   svchost.exe   49153             Windows service (normal)
928   svchost.exe   49154             Windows service (normal)

👉 PID 452 (services.exe) has port 49155 open on both IPv4 and IPv6 → possibly hosting a custom C2 server

cmdline

Volatility 3 Framework 2.26.2
PID Process Args
4 System -
252 smss.exe \SystemRoot\System32\smss.exe
320 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
356 wininit.exe -
368 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
396 winlogon.exe -
452 services.exe C:\Windows\system32\services.exe
468 lsass.exe C:\Windows\system32\lsass.exe
476 lsm.exe C:\Windows\system32\lsm.exe
584 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
644 VBoxService.ex C:\Windows\System32\VBoxService.exe
696 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS
752 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
864 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
904 svchost.exe C:\Windows\system32\svchost.exe -k LocalService
928 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
992 svchost.exe -
1116 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
1228 spoolsv.exe C:\Windows\System32\spoolsv.exe
1268 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1352 taskhost.exe "taskhost.exe"
1448 dwm.exe -
1464 explorer.exe C:\Windows\Explorer.EXE
1636 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc
1680 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1776 wlms.exe -
1832 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe" 
352 sppsvc.exe -
1632 svchost.exe -
856 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
2128 TrueCrypt.exe "C:\Program Files\TrueCrypt\TrueCrypt.exe" 
2760 svchost.exe C:\Windows\System32\svchost.exe -k secsvcs
2332 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
2580 taskhost.exe -
2176 7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\IEUser\Documents\backup_development.zip"
3212 DumpIt.exe "C:\Users\IEUser\Downloads\DumpIt.exe" 
272 conhost.exe \??\C:\Windows\system32\conhost.exe "-180402527637560752-8319479621992226886-774806053592412399-20651748-1013740728
Time Stamp: Wed Nov 12 23:19:50 2025
  • services.exe runs as usual, but PID 2760, svchost.exe -k secsvcs, is also very suspicious: the secsvcs group (Security Services) does not exist in a default Windows installation
  • 7zFM.exe (PID 2176) was opened together with the file backup_development.zip → it may contain compressed source code or scripts
  • TrueCrypt.exe (PID 2128) is running → it may be mounting an encrypted volume that contains code
    => so we have 3 targets to extract:
    1. services.exe (PID 452)
    2. svchost.exe -k secsvcs (PID 2760)
    3. 7zFM.exe (PID 2176) and the file backup_development.zip
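The process-list and command-line review above is done by eye. The script below is an added example for this write-up (it is not the author's tooling and not part of Volatility) that does the same first-pass triage mechanically: it parses the text output of windows.pslist and windows.cmdline, joins them on PID, and flags svchost.exe instances whose parent is not services.exe, svchost.exe started without a -k service group, and any image path outside the Windows or Program Files directories. The sample lines are copied from the output shown above, except the PID 9999 entry, which is constructed so that the svchost checks have something to fire on; the SYSTEM_PREFIXES list and the finding codes are my own choices.

```python
"""Triage helper for Volatility 3 windows.pslist + windows.cmdline text output.

Added example for this write-up; not part of the challenge, the author's tooling
or Volatility. Sample lines are copied from the plugin output above, plus one
constructed entry (PID 9999) so the svchost checks have something to fire on.
"""
from typing import Dict, List, Tuple

# Copied from the write-up's pslist output; the PID 9999 line is constructed.
PSLIST_SAMPLE = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x8378ed28 87 475 N/A False 2022-12-15 06:08:19.000000 UTC N/A Disabled
452 356 services.exe 0x844577a0 9 213 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
584 452 svchost.exe 0x84488030 10 347 0 False 2022-12-15 06:08:19.000000 UTC N/A Disabled
1464 1436 explorer.exe 0x8e0d3a40 32 1069 1 False 2022-12-14 21:08:22.000000 UTC N/A Disabled
2128 1464 TrueCrypt.exe 0x91892030 4 262 1 False 2022-12-14 21:08:31.000000 UTC N/A Disabled
2760 452 svchost.exe 0x91865790 13 362 0 False 2022-12-14 21:10:23.000000 UTC N/A Disabled
2176 1464 7zFM.exe 0x8382f198 3 135 1 False 2022-12-14 21:22:44.000000 UTC N/A Disabled
3212 1464 DumpIt.exe 0x83c1d030 2 38 1 False 2022-12-14 21:33:28.000000 UTC N/A Disabled
9999 1464 svchost.exe 0x00000000 1 10 1 False 2022-12-14 21:30:00.000000 UTC N/A Disabled
"""

# Copied from the write-up's cmdline output; the PID 9999 line is constructed.
CMDLINE_SAMPLE = r"""PID Process Args
4 System -
452 services.exe C:\Windows\system32\services.exe
584 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
1464 explorer.exe C:\Windows\Explorer.EXE
2128 TrueCrypt.exe "C:\Program Files\TrueCrypt\TrueCrypt.exe"
2760 svchost.exe C:\Windows\System32\svchost.exe -k secsvcs
2176 7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\IEUser\Documents\backup_development.zip"
3212 DumpIt.exe "C:\Users\IEUser\Downloads\DumpIt.exe"
9999 svchost.exe C:\Users\IEUser\AppData\Local\Temp\svchost.exe
"""

# Assumed "expected" image locations (lower-case prefixes); anything else is reported.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files", "\\systemroot\\",
                   "%systemroot%\\", "\\??\\c:\\windows\\")


def parse_pslist(text: str) -> Dict[int, Tuple[int, str]]:
    """Map PID -> (PPID, ImageFileName) from pslist text output."""
    procs: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def parse_cmdline(text: str) -> Dict[int, str]:
    """Map PID -> raw Args column from cmdline text output ('-' when absent)."""
    args: Dict[int, str] = {}
    for line in text.splitlines()[1:]:
        parts = line.split(maxsplit=2)
        if len(parts) >= 2 and parts[0].isdigit():
            args[int(parts[0])] = parts[2].strip() if len(parts) == 3 else "-"
    return args


def image_path(cmd: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(procs: Dict[int, Tuple[int, str]], cmdlines: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for the checks a defender wants on a first pass."""
    names = {pid: name for pid, (_, name) in procs.items()}
    findings: List[Tuple[int, str]] = []
    for pid, (ppid, name) in sorted(procs.items()):
        cmd = cmdlines.get(pid, "-")
        if name.lower() == "svchost.exe":
            # A genuine service host is always spawned by services.exe with a -k group.
            if names.get(ppid, "").lower() != "services.exe":
                findings.append((pid, "svchost_parent_not_services"))
            if " -k " not in cmd:
                findings.append((pid, "svchost_without_service_group"))
        if cmd != "-":
            path = image_path(cmd).lower()
            if "\\" not in path:
                findings.append((pid, "image_path_not_absolute"))
            elif not path.startswith(SYSTEM_PREFIXES):
                findings.append((pid, "image_outside_system_dirs"))
    return findings


def triage_report() -> List[Tuple[int, str]]:
    """Run the checks over the embedded sample output."""
    return triage(parse_pslist(PSLIST_SAMPLE), parse_cmdline(CMDLINE_SAMPLE))


if __name__ == "__main__":
    for pid, finding in triage_report():
        print(f"PID {pid:>5}: {finding}")
```

On the sample this reports DumpIt.exe (PID 3212, running from Downloads, which is expected here because it is the acquisition tool) and the constructed PID 9999 on all three checks, while the svchost.exe -k secsvcs instance passes the parent and group checks. A -k group name is best validated against the dumped host's own HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key rather than a memorised list, since the groups vary by Windows version.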

truecrypt

Finally, I also try the truecrypt plugin to scan for any cached password. If one is found, it can be used to open the real TrueCrypt volume containing the source.

Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
Offset  Length  Password

0x89ebf064      28      X2Hk2XbEJqWYsh8VdbSYg6WpG9g7

filescan

After identifying the password, I look up the file-object address (the Offset(V) or FileObject field) of:

  • the TrueCrypt container (.tc/.hc)
  • the mounted volume/drive (\Device\TrueCryptVolumeX, \Device\HarddiskVolume…)
  • C:\Users\IEUser\Documents\backup_development.zip (seen in the cmdline of 7zFM.exe, PID 2176)

0x90fc688       \Program Files\TrueCrypt\TrueCrypt.exe
0xbbf6158       \Users\IEUser\Documents\backup_development.zip
0xc1f8590       \Program Files\TrueCrypt\TrueCrypt.exe
0xc50c550       \Users\IEUser\Documents\development.tc

So the scan has turned up a .tc file.

handle

Next, before dumping the file, I take the exact _FILE_OBJECT from the handles of the process that has the file open (this is more accurate).

138:2176        7zFM.exe        0x843f6158      0x238   File    0x120089        \Device\HarddiskVolume1\Users\IEUser\Documents\backup_development.zip

dumpfiles

Finally, I dump the file.

Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0x843f6158      backup_development.zip  file.0x843f6158.0x839339d0.DataSectionObject.backup_development.zip.dat
SharedCacheMap  0x843f6158      backup_development.zip  file.0x843f6158.0x9185db40.SharedCacheMap.backup_development.zip.vacb

zip

That gives me the zip file, which I then unzip.

Archive:  dumpfiles_out/file.0x843f6158.0x839339d0.DataSectionObject.backup_development.zip.dat
 extracting: development.tc

This yields the development.tc file, as worked out above.

TrueCrypt

Use TrueCrypt to mount it on the machine.

Mount it as drive E.


The directory contains the following files:

.
├── AgentServer.cs
└── sessions
    ├── 5818acbe-68f1-4176-a2f2-8c6bcb99f9fa.log.enc
    ├── c65939ad-5d17-43d5-9c3a-29c6a7c31a32.log.enc
    └── de008160-66e4-4d51-8264-21cbc27661fc.log.enc

2 directories, 4 files

I get an AgentServer.cs file and 3 log files, as follows.

AgentServer.cs

using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Security.Cryptography;

class AgentServer {
  
    static void Main(String[] args)
    {
        var localPort = 40001;
        IPAddress localAddress = IPAddress.Any;
        TcpListener listener = new TcpListener(localAddress, localPort);
        listener.Start();
        Console.WriteLine("Waiting for remote connection from remote agents (infected machines)...");
    
        TcpClient client = listener.AcceptTcpClient();
        Console.WriteLine("Received remote connection");
        NetworkStream cStream = client.GetStream();
    
        string sessionID = Guid.NewGuid().ToString();
    
        while (true)
        {
            string cmd = Console.ReadLine();
            byte[] cmdBytes = Encoding.UTF8.GetBytes(cmd);
            cStream.Write(cmdBytes, 0, cmdBytes.Length);
            
            byte[] buffer = new byte[client.ReceiveBufferSize];
            int bytesRead = cStream.Read(buffer, 0, client.ReceiveBufferSize);
            string cmdOut = Encoding.ASCII.GetString(buffer, 0, bytesRead);
            
            string sessionFile = sessionID + ".log.enc";
            File.AppendAllText(@"sessions\" + sessionFile, 
                Encrypt(
                    "Cmd: " + cmd + Environment.NewLine + cmdOut
                ) + Environment.NewLine
            );
        }
    }
    
    private static string Encrypt(string pt)
    {
        string key = "AKaPdSgV";
        string iv = "QeThWmYq";
        byte[] keyBytes = Encoding.UTF8.GetBytes(key);
        byte[] ivBytes = Encoding.UTF8.GetBytes(iv);
        byte[] inputBytes = System.Text.Encoding.UTF8.GetBytes(pt);
        
        using (DESCryptoServiceProvider dsp = new DESCryptoServiceProvider())
        {
            var mstr = new MemoryStream();
            var crystr = new CryptoStream(mstr, dsp.CreateEncryptor(keyBytes, ivBytes), CryptoStreamMode.Write);
            crystr.Write(inputBytes, 0, inputBytes.Length);
            crystr.FlushFinalBlock();
            return Convert.ToBase64String(mstr.ToArray());
        }
    }
}

5818acbe-68f1-4176-a2f2-8c6bcb99f9fa.log.enc

wENDQtzYcL3CKv0lnnJ4hk0JYvJVBMwTj7a4Plq8h68=
M35jHmvkY9WGlWdXo0ByOJrYhHmtC8O0rZ28CviPexkfHCFTfKUQVw==
hufGZi+isAzspq9AOs+sIwqijQL53yIJa5EVcXF3QLLwXPS1AejOWfPzJZ/wHQbBAIOxsJJIcFq0+83hkFcz+Jz9HAGl8oDianTHILnUlzl1oEc30scurf41lEg+KSu/6orcZQl3Bws=
6ySb2CBt+Z1SZ4GlB7/yL4cOS/j1whoSEqkyri0dj0juRpFBc4kqLw==
U2ltlIYcyGYnuh0P+ahTMe3t9e+TYxKwU+PGm/UsltpkanmBmWym5mDDqqQ14J/VSSgCRKXn/E+DKaxmNc9PpPOG1vZndmflMUnuTUzbiIdHBUAEOWMO8wVCufhanIdN56BhtczjrJS5HRvl9NwE/FNkLGZt6HQNSgDRzrpY0mseJHjTbkal6nh226f43X3ZihIF4sdLn7l766ZksE9JDASBi7qEotE7f0yxEbStNOZ1QPDchKVFkw==

c65939ad-5d17-43d5-9c3a-29c6a7c31a32.log.enc

wENDQtzYcL3CKv0lnnJ4hk0JYvJVBMwTj7a4Plq8h68=
M35jHmvkY9WGlWdXo0ByOJrYhHmtC8O0eu8xtbA16kKagSu6MIFSWQ==
hufGZi+isAzspq9AOs+sI0VYrJ6o8j3e9a1tNb9m1bVwJZpRxCOxg3Vs0NdU9xNxPku+sBziVYsVaOtgWkbH9691++BUkD1BNVRMc0e69lVs2cJmQIAbnagMaJ6OQEZAAvZ/G6y57CQ=
6ySb2CBt+Z1SZ4GlB7/yL8asWs1F/wTUTOLEHO92yuzuTzdsiM5t5w==
U2ltlIYcyGYnuh0P+ahTMe3t9e+TYxKwU+PGm/UsltpkanmBmWym5mDDqqQ14J/VSSgCRKXn/E+DKaxmNc9PpPOG1vZndmflMUnuTUzbiIdHBUAEOWMO8wVCufhanIdN56BhtczjrJS5HRvl9NwE/FNkLGZt6HQNSgDRzrpY0mseJHjTbkal6nh226f43X3ZihIF4sdLn7l766ZksE9JDASBi7qEotE7f0yxEbStNOZ1QPDchKVFkw==

de008160-66e4-4d51-8264-21cbc27661fc.log.enc

wENDQtzYcL3CKv0lnnJ4hk0JYvJVBMwTj7a4Plq8h68=
M35jHmvkY9WGlWdXo0ByOJrYhHmtC8O0hn+gLHaClb4QbACeOoSiYA==
hufGZi+isAzspq9AOs+sI/u+AS/aWPrAYd+mctDo7qEt+SpW2sELvSaxx6RRdK3vDavTsziAtb4/iCZ72v3QGh78yhY2KXZFu8qAcYdN7ltOOlg1LSrdkhjgr+CWTlvWh7A8IS7NwwI=
6ySb2CBt+Z1SZ4GlB7/yL4rJGeZ0WVaYW7N15aUsDAqzIYJWL/f0yw==
U2ltlIYcyGaSmL5xmAkEop+/f5MGUEWeWjpCTe5eStd/cg9FKp89l/EksGB90Z/hLbT44/Ur/6XL9aI27v0+SzaMFsgAeamjyYTRfLQk2fQlsRPCY/vMDj0FWRCGIZyHXCVoo4AePQB93SgQtOEkTQ2oBOeVU4X5sNQo23OcM1wrFrg8x90UOk2EzOm/IbS5BR+Wms1M2dCvLytaGCTmsUmBsATEF/zkfM2aGLytnu5+72bD99j7AiSvFDCpd1aFsogNiYYSai52YKIttjvao22+uqWMM/7Dx/meQWRCCkKm6s9ag1BFUQ==
+iTzBxkIgVWgWm/oyP/Uf6+qW+A+kMTQkouTEammirkz2efek8yfrP5l+mtFS+bWA7TCjJDK2nLAdTKssL7CrHnVW8fMvc6mJR4Ismbs/d/fMDXQeiGXCA==

The volume contains AgentServer.cs (C#). Summary of what it does:

  • listens on TCP port 40001 (TcpListener(IPAddress.Any, 40001))
  • accepts 1 connection from an agent, then loops:
    • reads a command from the console and sends it over the NetworkStream
    • receives the stdout from the agent
    • appends a log entry to sessions\<GUID>.log.enc, encrypted with DES/CBC using key AKaPdSgV and IV QeThWmYq, one Base64 line per entry

OpenSSL

The program uses plain DES/CBC with a hard-coded key and IV, so I prepared the following simple one-line decoder.

echo "<BASE64_LINE>" | base64 -d | openssl enc -d -des-cbc -K 414b615064536756 -iv 51655468576d5971

Flag

Flag: HTB{570r1ng_53cr37_1n_m3m0ry_15_n07_g00d}
