Writeup Trollctf Forensic V2

Mr_evilpepo_1

points 400
We have caught Mr.EvilPepo and now it is time for you to investigate him. We searched his house and did not get much proof. We got a report from the OSINT department, and our OSINT investigator told us that he mentioned on his socials "Hack Me if you can, I use the same password everywhere". We have dumped his computer memory, and for further investigation we need your help. He typed the flag command somewhere and now he has forgotten it. Can you find it?

File: https://mega.nz/file/y90gWRJa#6lJ4qpKw3bfLKvbcTuvcOgGdDpYS9AapC_mwKM-4Zg4

Flag Format: Trolcat{}

Author: White_wolf

First, check what the file actually is with the file utility:

evilpepo.vmem: data

It is a raw memory dump, so Volatility (2.6 here) is the tool for this challenge. The first step is always imageinfo, to find a profile that matches the dumped OS: volatility -f evilpepo.vmem imageinfo

This is roughly the profile information it came back with:

INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/dev/ctf/trollcat/evil/evilpepo.vmem)

Pick one of the suggested profiles (this writeup switches between Win7SP0x64 and Win7SP1x64; either works on this image, as the later output shows). The description says the flag was typed as a command, so go straight to cmdscan, which extracts command history by scanning conhost.exe memory for _COMMAND_HISTORY structures: volatility -f evilpepo.vmem --profile=Win7SP0x64 cmdscan

CommandProcess: conhost.exe Pid: 992
CommandHistory: 0x39eb60 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 37 LastAdded: 36 LastDisplayed: 36
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x37e550: helo
Cmd #1 @ 0x37e570: troollll
Cmd #2 @ 0x37e590: caaat
Cmd #3 @ 0x37e5b0: yooooo
Cmd #4 @ 0x39de90: T
Cmd #5 @ 0x39dcd0: r
Cmd #6 @ 0x3a2f00: o
Cmd #7 @ 0x3a2f20: l
Cmd #8 @ 0x3a2f40: c
Cmd #9 @ 0x3a2f60: a
Cmd #10 @ 0x3a2fb0: t
Cmd #11 @ 0x3a2fc0: {
Cmd #12 @ 0x3a2fd0: c
Cmd #13 @ 0x3a2fe0: o
Cmd #14 @ 0x3a2ff0: m
Cmd #15 @ 0x3a3000: a
Cmd #16 @ 0x3a3010: n
Cmd #17 @ 0x3a3020: d
Cmd #18 @ 0x3a3030: s
Cmd #19 @ 0x3a3040: _
Cmd #20 @ 0x3a3050: 4
Cmd #21 @ 0x3a3060: r
Cmd #22 @ 0x3a3070: 3
Cmd #23 @ 0x3a3080: _
Cmd #24 @ 0x3a3090: i
Cmd #25 @ 0x3a30a0: m
Cmd #26 @ 0x3a30b0: p
Cmd #27 @ 0x3a30c0: o
Cmd #28 @ 0x3a30d0: r
Cmd #29 @ 0x3a30e0: t
Cmd #30 @ 0x3a30f0: a
Cmd #31 @ 0x3a3100: n
Cmd #32 @ 0x3a3110: t
Cmd #33 @ 0x3a3120: }
Cmd #34 @ 0x3a33b0: hope you got it 
Cmd #35 @ 0x377860: "are you trying to run strings?"
Cmd #36 @ 0x3a33e0: lolololololol

Commands #4 to #33 are single characters, one keystroke per command line; read in order they spell the flag. Note that the history shows "comands" with one m while the flag has two, which is consistent with the console history not recording a command identical to the one immediately before it (the second "m" never got its own entry). So the flag is

Trolcat{commands_4r3_important}
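Rather than reading thirty lines by eye, the reassembly can be scripted. This is an added example, not code from the writeup: it parses cmdscan's text output (the listing above is embedded as the sample input) into one command list per (conhost pid, history block, application) and joins runs of single-character commands. Function names are my own, and the minimum run length of 4 is an arbitrary choice to skip stray one-letter commands such as a lone "d".

```python
import re
from typing import Dict, List, Tuple

# cmdscan output copied from the listing above and embedded as the sample input.
SAMPLE_CMDSCAN = """\
CommandProcess: conhost.exe Pid: 992
CommandHistory: 0x39eb60 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 37 LastAdded: 36 LastDisplayed: 36
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x37e550: helo
Cmd #1 @ 0x37e570: troollll
Cmd #2 @ 0x37e590: caaat
Cmd #3 @ 0x37e5b0: yooooo
Cmd #4 @ 0x39de90: T
Cmd #5 @ 0x39dcd0: r
Cmd #6 @ 0x3a2f00: o
Cmd #7 @ 0x3a2f20: l
Cmd #8 @ 0x3a2f40: c
Cmd #9 @ 0x3a2f60: a
Cmd #10 @ 0x3a2fb0: t
Cmd #11 @ 0x3a2fc0: {
Cmd #12 @ 0x3a2fd0: c
Cmd #13 @ 0x3a2fe0: o
Cmd #14 @ 0x3a2ff0: m
Cmd #15 @ 0x3a3000: a
Cmd #16 @ 0x3a3010: n
Cmd #17 @ 0x3a3020: d
Cmd #18 @ 0x3a3030: s
Cmd #19 @ 0x3a3040: _
Cmd #20 @ 0x3a3050: 4
Cmd #21 @ 0x3a3060: r
Cmd #22 @ 0x3a3070: 3
Cmd #23 @ 0x3a3080: _
Cmd #24 @ 0x3a3090: i
Cmd #25 @ 0x3a30a0: m
Cmd #26 @ 0x3a30b0: p
Cmd #27 @ 0x3a30c0: o
Cmd #28 @ 0x3a30d0: r
Cmd #29 @ 0x3a30e0: t
Cmd #30 @ 0x3a30f0: a
Cmd #31 @ 0x3a3100: n
Cmd #32 @ 0x3a3110: t
Cmd #33 @ 0x3a3120: }
Cmd #34 @ 0x3a33b0: hope you got it
Cmd #35 @ 0x377860: "are you trying to run strings?"
Cmd #36 @ 0x3a33e0: lolololololol
"""

PROC_RE = re.compile(r"^CommandProcess:\s+(\S+)\s+Pid:\s+(\d+)")
HIST_RE = re.compile(r"^CommandHistory:\s+(0x[0-9a-fA-F]+)\s+Application:\s+(\S+)")
CMD_RE = re.compile(r"^Cmd #(\d+) @ 0x[0-9a-fA-F]+: (.*)$")

History = Tuple[int, str, str]  # (conhost pid, _COMMAND_HISTORY address, application)


def parse_cmdscan(text: str) -> Dict[History, List[Tuple[int, str]]]:
    """Group 'Cmd #N' lines under the history block they belong to, ordered by N."""
    out: Dict[History, List[Tuple[int, str]]] = {}
    pid, key = None, None
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            pid = int(m.group(2))
        elif m := HIST_RE.match(line):
            key = (pid, m.group(1), m.group(2))
            out.setdefault(key, [])
        elif (m := CMD_RE.match(line)) and key is not None:
            out[key].append((int(m.group(1)), m.group(2).rstrip()))
    for cmds in out.values():
        cmds.sort()  # cmdscan already lists by index, but don't rely on it
    return out


def single_char_runs(cmds: List[Tuple[int, str]], min_len: int = 4) -> List[str]:
    """Join consecutive one-character commands into strings of at least min_len.
    conhost does not store a command identical to the previous one, so a doubled
    character (e.g. "mm") appears only once in the reassembled run."""
    runs: List[str] = []
    cur: List[str] = []
    for _, cmd in cmds:
        if len(cmd) == 1:
            cur.append(cmd)
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


if __name__ == "__main__":
    for (pid, addr, app), cmds in parse_cmdscan(SAMPLE_CMDSCAN).items():
        print(f"{app} history {addr} in conhost pid {pid}: {len(cmds)} commands")
        for run in single_char_runs(cmds):
            print("  reassembled:", run)
```

On real output the same script runs over every conhost history in the dump; when a process has several history blocks they are kept apart by address rather than merged, so runs never leak across consoles.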


Mr_evilpepo_2

points 496
challenge description
Now, after some good beating, Mr.EvilPepo says he hid something on the internet. Find it.

Note: Use the file provided in Mr.EvilPepo Part-1

AUTHOR: WHITE_WOLF

So picture him fresh from a Valorant session hiding something on the internet. Let's go check.

First we run pstree (print the process list as a tree) to see what was running: volatility -f evilpepo.vmem --profile=Win7SP0x64 pstree. The output looks roughly like this:

Name                                                  Pid   PPid   Thds   Hnds Time
0xfffffa8000ca0ae0:System                              4      0     78    506 2021-01-12 13:13:38 UTC+0000
. 0xfffffa8001bf6470:smss.exe                         256      4      2     29 2021-01-12 13:13:38 UTC+0000
0xfffffa80028a7630:csrss.exe                         388    368     11    338 2021-01-12 13:13:53 UTC+0000
. 0xfffffa8000f0d060:conhost.exe                      992    388      2     51 2021-01-12 13:20:09 UTC+0000
0xfffffa80028f9480:winlogon.exe                      420    368      3    109 2021-01-12 13:13:53 UTC+0000
0xfffffa800344fb30:explorer.exe                     1568   1548     32    895 2021-01-12 13:14:47 UTC+0000
. 0xfffffa80020de060:notepad.exe                     3120   1568      1     61 2021-01-12 13:22:27 UTC+0000
. 0xfffffa8003428a30:cmd.exe                         1492   1568      1     19 2021-01-12 13:20:08 UTC+0000
. 0xfffffa8003673b30:chrome.exe                      1932   1568     34    856 2021-01-12 13:15:05 UTC+0000
.. 0xfffffa80036d6b30:chrome.exe                      912   1932      8     84 2021-01-12 13:15:12 UTC+0000
.. 0xfffffa8000ee9b30:chrome.exe                     1292   1932     13    204 2021-01-12 13:16:11 UTC+0000
.. 0xfffffa8000e9ab30:chrome.exe                     2324   1932     13    255 2021-01-12 13:16:05 UTC+0000
.. 0xfffffa8000da1b30:chrome.exe                     2352   1932     20    248 2021-01-12 13:15:37 UTC+0000
.. 0xfffffa8000e5cb30:chrome.exe                     2896   1932      8    181 2021-01-12 13:15:54 UTC+0000
.. 0xfffffa8000d97b30:chrome.exe                     2556   1932      7    131 2021-01-12 13:15:38 UTC+0000
. 0xfffffa8000fc0060:KeePass.exe            

Chrome is the only browser in the tree (explorer.exe is the Windows shell, not a browser), so the browsing history is going to be in Chrome. Also worth noting for later: KeePass.exe is running. And no, it is not in Summertime Saga :>

OK, let's open the Chrome history. Volatility 2 does not ship a Chrome plugin, so we need the community chromehistory plugin (the original post's download link is not preserved here; the plugin is unpacked into the volatility-plugins-master/ directory used below). Then just run: volatility --plugins=volatility-plugins-master/ -f evilpepo.vmem --profile=Win7SP1x64 chromehistory

Index  URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
    53 https://www.google.com/search?q=trollca...E&biw=800&bih=489#imgrc=cUivAz6CV5e2XM trollcat memes - Google Search                                                        1     0 2021-01-12 13:17:20.047797        N/A       
    54 https://www.google.com/search?q=trollca...E&biw=800&bih=489#imgrc=o3Q0xkhbhExapM trollcat memes - Google Search                                                        1     0 2021-01-12 13:17:20.078990        N/A       
    52 https://www.google.com/search?q=trollca...E&biw=800&bih=489#imgrc=HcXEteeesBeP-M trollcat memes - Google Search                                                        1     0 2021-01-12 13:17:18.603233        N/A       
    51 https://www.google.com/search?ei=caL9X5...u7m_vpbuAhXK5nMBHYALBfMQ4dUDCA0&uact=5 trollcat memes - Google Search                                                        2     0 2021-01-12 13:17:17.022311        N/A       
    50 https://www.google.com/search?ei=MKL9X-...kragvpbuAhXI_XMBHbezCxkQ4dUDCA0&uact=5 trollcat memese - Google Search                                                       2     0 2021-01-12 13:17:12.170420        N/A       
    47 https://www.ghacks.net/2021/01/10/passw...anager-keepass-2-47-has-been-released/ Password Manager KeePass 2.47 has been released - gHacks Tech News                    3     0 2021-01-12 13:17:00.320332        N/A       
    49 https://www.google.com/search?q=veracry...60l4.3887j1j7&sourceid=chrome&ie=UTF-8 veracrypt - Google Search                                                             1     0 2021-01-12 13:16:52.525692        N/A       
    48 https://keepass.com/                                                             Keepass.com - Download Keepass for PC and Mac                                         1     0 2021-01-12 13:16:30.228580        N/A       
    46 https://en.wikipedia.org/wiki/KeePass                                            KeePass - Wikipedia                                                                   1     0 2021-01-12 13:16:22.289650        N/A       
    45 https://www.google.com/search?q=keepass...60l4.2447j1j7&sourceid=chrome&ie=UTF-8 keepass - Google Search                                                               1     0 2021-01-12 13:16:58.918534        N/A       
    44 https://www.google.com/search?q=trollca...l8.172570j0j7&sourceid=chrome&ie=UTF-8 trollcats ctf - Google Search                                                         1     0 2021-01-12 13:16:06.455385        N/A       
    43 https://sourceforge.net/projects/keepass/                                        KeePass download | SourceForge.net                                                    2     0 2021-01-12 11:27:41.219565        N/A       
    42 https://sourceforge.net/projects/keepass/postdownload                            Find out more about KeePass | SourceForge.net                                         1     0 2021-01-12 08:31:52.181148        N/A       
     1 https://www.google.com/search?q=trollca...95l4.4346j1j7&sourceid=chrome&ie=UTF-8 trollcats - Google Search                                                             1     0 2021-01-12 04:47:44.570774        N/A       
    23 https://defuse.ca/b/sOOqp4UunTdD0oUjidJFlz                                       Defuse Security's Encrypted Pastebin                                                  2     1 2021-01-12 08:23:00.706346        N/A       
    30 https://www.google....<unreadable>                                               <unreadable>                                                                         -1     0 1601-01-01 00:00:00               N/A       
    23 https://defuse.ca/b/sOOqp4UunTdD0oUjidJFlz                                       Defuse Security's Encrypted Pastebin                                                  3     2 2021-01-12 13:16:47.523791        N/A       

And here is the key. The Defuse paste is the only entry with a non-zero Typed count, i.e. the only URL the user entered by hand in the omnibox rather than reached by clicking a search result (Chrome's typed_count), and it was opened again at 13:16:47, just before the veracrypt and keepass searches. Two things to ignore: row 30 is not a real visit, since -1 visits and a 1601-01-01 timestamp (zero WebKit time) mean that urls-table record was partially overwritten in memory; and the index-23 row appears twice because the plugin carves both an older and a newer copy of the same record. So open the paste:

https://defuse.ca/b/sOOqp4UunTdD0oUjidJFlz  (index 23, Defuse Security's Encrypted Pastebin, 3 visits, typed 2, last visit 2021-01-12 13:16:47.523791)
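As an added example (not from the original writeup), here is a small parser for chromehistory's text output that applies the two checks just described: it marks rows with a negative visit count or a zero WebKit timestamp as damaged, builds a timeline from the rest, and lists the distinct URLs with a non-zero Typed count, most recent first. The sample is a subset of the rows above with row 30's unreadable bytes rendered as U+FFFD; the function names are my own.

```python
import re
from datetime import datetime
from typing import Dict, List

# Subset of the chromehistory rows above, embedded as sample input. The
# unreadable bytes of row 30 are written as U+FFFD replacement characters here.
SAMPLE_CHROMEHISTORY = """\
Index  URL  Title  Visits Typed Last Visit Time  Hidden Favicon ID
------ ---- ------ ------ ----- ---------------- ------ ----------
    53 https://www.google.com/search?q=trollca...E&biw=800&bih=489#imgrc=cUivAz6CV5e2XM trollcat memes - Google Search    1     0 2021-01-12 13:17:20.047797        N/A
    47 https://www.ghacks.net/2021/01/10/passw...anager-keepass-2-47-has-been-released/ Password Manager KeePass 2.47 has been released - gHacks Tech News    3     0 2021-01-12 13:17:00.320332        N/A
    48 https://keepass.com/   Keepass.com - Download Keepass for PC and Mac    1     0 2021-01-12 13:16:30.228580        N/A
    23 https://defuse.ca/b/sOOqp4UunTdD0oUjidJFlz   Defuse Security's Encrypted Pastebin    2     1 2021-01-12 08:23:00.706346        N/A
    30 https://www.google....\ufffd\ufffd \ufffd\ufffd\ufffd    -1     0 1601-01-01 00:00:00               N/A
    23 https://defuse.ca/b/sOOqp4UunTdD0oUjidJFlz   Defuse Security's Encrypted Pastebin    3     2 2021-01-12 13:16:47.523791        N/A
"""

# index, URL (no spaces; long ones are truncated with ...), title (may contain
# spaces), visits, typed, last-visit timestamp, hidden flag
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(.*?)\s+(-?\d+)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(\S+)"
)
# Chrome stores times as microseconds since this date; a zero value means "unset".
WEBKIT_EPOCH = datetime(1601, 1, 1)


def _ts(s: str) -> datetime:
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in s else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(s, fmt)


def parse_chromehistory(text: str) -> List[Dict]:
    """Parse chromehistory rows; header, dash rule and unparseable lines are skipped."""
    rows: List[Dict] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, url, title, visits, typed, ts, hidden = m.groups()
        when = _ts(ts)
        rows.append({
            "index": int(idx), "url": url, "title": title,
            "visits": int(visits), "typed": int(typed),
            "last_visit": when, "hidden": hidden,
            # a negative visit count or a zero timestamp means the carved record was
            # partially overwritten in memory: keep it for the record, don't trust it
            "valid": int(visits) >= 0 and when > WEBKIT_EPOCH,
        })
    return rows


def timeline(rows: List[Dict]) -> List[Dict]:
    """Trustworthy rows, oldest first."""
    return sorted((r for r in rows if r["valid"]), key=lambda r: r["last_visit"])


def typed_urls(rows: List[Dict]) -> List[str]:
    """Distinct URLs the user typed into the omnibox (typed_count > 0), newest first."""
    latest: Dict[str, datetime] = {}
    for r in timeline(rows):          # ascending, so the last write is the newest visit
        if r["typed"] > 0:
            latest[r["url"]] = r["last_visit"]
    return [u for u, _ in sorted(latest.items(), key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    rows = parse_chromehistory(SAMPLE_CHROMEHISTORY)
    print(f"{len(rows)} rows, {sum(not r['valid'] for r in rows)} damaged")
    for r in timeline(rows):
        print(f"{r['last_visit']}  visits={r['visits']} typed={r['typed']}  {r['url']}")
    for url in typed_urls(rows):
        print("typed by the user:", url)
```

The typed_count heuristic is a cheap triage signal on any Chrome history, in memory or on disk: search-result clicks and redirects leave it at zero, so the handful of hand-typed URLs is usually where to look first.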

The paste is password protected, and the OSINT hint says he uses the same password everywhere, so we go straight to hashdump to pull the local account hashes from the registry hives in memory: volatility -f evilpepo.vmem --profile=Win7SP0x64 hashdump

Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WhiteWolf:1000:aad3b435b51404eeaad3b435b51404ee:2e6a7cf5aabb33a044684dd9c97e88a7:::

The WhiteWolf user is presumably the author. Administrator and Guest both carry the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, which is MD4 of the empty string, i.e. a blank password, and every LM field is aad3b435b51404eeaad3b435b51404ee, the "LM disabled" placeholder, so only WhiteWolf's NT hash is worth cracking. We run it against the rockyou wordlist:

hashcat -m 1000 2e6a7cf5aabb33a044684dd9c97e88a7 /usr/bin/rockyou.txt --force
hashcat -m 1000 2e6a7cf5aabb33a044684dd9c97e88a7 --show
==========================================
2e6a7cf5aabb33a044684dd9c97e88a7:abracadabra

(-m 1000 is hashcat's NTLM mode. --show only prints entries already in the potfile, it does not crack anything, so the attack has to run first; the original combined both in one command.)

So abracadabra is WhiteWolf's (the author's) password, the one he reuses everywhere. Use it to decrypt the paste (user WhiteWolf, password abracadabra):

Trollcat{secret_hidden_0nn_th3_1ntern3t}


Mr_evilpepo_3

challenge description
The top secret file of Mr.EvilPepo is still not discovered. This is your last mission: find the top secret file related to Mr.EvilPepo. Good luck.
Note: Use the file provided in Mr.EvilPepo Part-1
AUTHOR: WHITE_WOLF

Here we are asked to find the secret hidden behind the dump. The clipboard is a good place to look for things a user recently copied, so run the clipboard plugin with -v to dump the clipboard contents (clipboard is a built-in Volatility 2 plugin, so the --plugins path is harmless here): volatility --plugins=volatility-plugins-master/ -f evilpepo.vmem --profile=Win7SP0x64 clipboard -v

As you can see, the clipboard holds a mega.nz link. Open it and you get a secret file: a VeraCrypt container (the veracrypt search in the Chrome history was the tip-off), so open it with VeraCrypt.

Mount it in VeraCrypt, open the drive it was mounted to, and inside there is a file named foryou. Open it and, ta-da:

Trollcat{y0u_got_n1ce_Skills!!!}

That's it, thanks for reading. If you have suggestions, send me a direct message.