The answers to the cybercrime challenge as I arrived at them. As is often the case, there is more than one road to Rome.
Question 1:
<info>
[Russian-language advertisement for H4ck3nb3rg; the Cyrillic text is mis-encoded in this copy and only the Latin tokens survive: H4ck3nb3rg, 0x7DD, Windows, Mac, Android, MeKash, Arbo, 5000, Tor. The English version of the same text is the e-mail body under Question 3.]
Miss M.
</info>
https://www.cybercrimechallenge.nl/start
translate.google.com
Answer:
H4ck3nb3rg
Question 2:
<info>
https://www.google.nl/sea...official&client=firefox-a
http://pastebin.com/cqhEqjnD
</info>
Answer:
missm7dd@gmail.com
Question 3:
<info>
Delivered-To: <M8R-vftnqj@mailinator.com>
Received: from 193.200.198.87 ([193.200.198.87])
by mail.mailinator.com with SMTP (Postfix)
for M8R-vftnqj@mailinator.com;
Fri, 22 Feb 2013 10:09:01 +0000 (UTC)
Received: by 193.200.198.87 with SMTP id j8so54729qah.8
for <M8R-vftnqj@mailinator.com>; Fri, 22 Feb 2013 02:09:01 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.224.185.141 with SMTP id co13mr800511qab.33.1361527741255;
Fri, 22 Feb 2013 02:09:01 -0800 (PST)
Received: by 10.49.71.168 with HTTP; Fri, 22 Feb 2013 02:09:01 -0800 (PST)
Date: Fri, 22 Feb 2013 11:09:01 +0100
Message-ID: <CAM-WngbS18XMX6utu-r3QzGf_34g25Z-E_Q2J5+m2z4h4hPrJg@mail.gmail.com>
Subject: H4ck3nb3rg
From: Miss M <missm7dd@gmail.com>
To: Undisclosed Recipients
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Friends! Deploying ransomware to Western Europe is no longer a problem, thanks to our unique malware backend: H4ck3nb3rg. Many of our customers have already become millionaires. Our software is suitable to catch losers who use Windows, Mac or Android. Our software blocks the system by using our state-of-the-art botnet. It will display a default screen or an image of your choice. The system can only be unlocked by paying an amount in MeKash vouchers or to legitimate accounts with reputable European banks such as GNI, BAN-ROAM and Arbo Bank. The new H4ck3nb3rg is not detectable by Law Enforcement! A monthly license costs 5000 euro, delivery through our .onion-site at Tor. Please have someone’s credit card ready. Only three licenses left!
Miss M
</info>
Answer:
193.200.198.87
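Pulling the originating address out of the headers can be automated. The script below is an added example, not part of the original writeup: it feeds the header block quoted above (re-folded with leading whitespace, which RFC 5322 requires and which the copy above lost) to Python's email parser, walks the Received chain and reports the peer that connected to mail.mailinator.com. The function names and the private-address filter are my own choices.

```python
import re
import ipaddress
from email.parser import HeaderParser

# Header block of the challenge mail as shown on this page. Continuation
# lines are re-indented because RFC 5322 folding needs the leading
# whitespace, which the copy above lost.
RAW_HEADERS = """Delivered-To: <M8R-vftnqj@mailinator.com>
Received: from 193.200.198.87 ([193.200.198.87])
        by mail.mailinator.com with SMTP (Postfix)
        for M8R-vftnqj@mailinator.com;
        Fri, 22 Feb 2013 10:09:01 +0000 (UTC)
Received: by 193.200.198.87 with SMTP id j8so54729qah.8
        for <M8R-vftnqj@mailinator.com>; Fri, 22 Feb 2013 02:09:01 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.224.185.141 with SMTP id co13mr800511qab.33.1361527741255;
        Fri, 22 Feb 2013 02:09:01 -0800 (PST)
Received: by 10.49.71.168 with HTTP; Fri, 22 Feb 2013 02:09:01 -0800 (PST)
Date: Fri, 22 Feb 2013 11:09:01 +0100
Subject: H4ck3nb3rg
From: Miss M <missm7dd@gmail.com>
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw_headers):
    """Received header values, topmost (most recent hop) first, with the
    folded continuation lines joined back into one string each."""
    msg = HeaderParser().parsestr(raw_headers)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def parse_hop(hop):
    """Split one Received value into (from_host, from_ip, by_host).
    Fields the hop does not carry come back as None."""
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", hop)
    m_by = re.search(r"\bby\s+(\S+)", hop)
    from_host = from_ip = None
    if m_from:
        from_host = m_from.group(1)
        # the receiving MTA records the peer's real address in [brackets]
        bracket = re.search(r"\[([0-9.]+)\]", m_from.group(2) or "")
        from_ip = bracket.group(1) if bracket else None
    return from_host, from_ip, (m_by.group(1) if m_by else None)


def is_public(ip_text):
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def trusted_peer_ip(raw_headers):
    """The only Received line you can vouch for is the one your own mail
    server wrote, i.e. the topmost one. Its from-clause names the host that
    actually connected; everything below it was supplied by the sender."""
    hops = received_hops(raw_headers)
    if not hops:
        return None
    _, from_ip, _ = parse_hop(hops[0])
    return from_ip if from_ip and is_public(from_ip) else None


def all_public_ips(raw_headers):
    """Every public IPv4 address anywhere in the Received chain, earliest
    hop first; RFC 1918 hops such as Gmail's 10.x.x.x internals drop out."""
    found = []
    for hop in reversed(received_hops(raw_headers)):
        for ip in IP_RE.findall(hop):
            if is_public(ip) and ip not in found:
                found.append(ip)
    return found


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print(parse_hop(hop))
    print("peer that delivered to mailinator:", trusted_peer_ip(RAW_HEADERS))
    print("public IPs in the chain:", all_public_ips(RAW_HEADERS))
```

Only the topmost Received line is written by a server you control; the lines below it travel with the message and can be forged. Here the lower hops are on 10.x.x.x addresses and drop out of all_public_ips, so both views point at 193.200.198.87.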
Question 4:
<info>
see question 3.
</info>
Answer:
host 193.200.198.87
87.198.200.193.in-addr.arpa domain name pointer missmonotropa.com.
monotropa
Vraag5:
<info>
Twitter
https://twitter.com/MissMonotropa
https://twitter.com/Louis...status/305974860075642881
</info>
Answer:
Liselotte Landervore
Question 6:
Google the name
gallery: Liselotte Landervore
Liselotte Landervore
Removed in "Gezocht feedback over verlaten locaties" (feedback wanted on abandoned locations)
http://www.flickr.com/people/93455800@N07/
or
search Flickr by e-mail address
Answer:
monomiss19
Question 7:
http://farm9.staticflickr...09541391_2c7993d4a9_o.jpg
Silostraat
https://maps.google.nl/ma...terswijk,+Gelderland&z=19
http://farm9.staticflickr...97019011_954fbd6eb4_o.jpg
number 2
Answer:
Korenstraat 2 Winterswijk
Question 8:
PCAP files
internet.pcap
filter on "xmpp"
217732 13969.810871 192.0.2.5 198.51.100.201 XMPP/XML 203 MESSAGE < vultura@h4ck3nb3rg/BitlBee
Answer:
vultura
Question 9:
TrueCrypt container
internet.pcap
filter on "xmpp"
time: 1361768607.060384000 (2013-02-25 05:03:27 UTC)
vultura -> missmonotropa: hey
missmonotropa -> vultura: hi

vultura -> missmonotropa: ur late
missmonotropa -> vultura: sry, exam
vultura -> missmonotropa: ok
missmonotropa -> vultura: harvest is ready
vultura -> missmonotropa: send it over
missmonotropa -> vultura: but wasnt such a good week
vultura -> missmonotropa: ??
missmonotropa -> vultura: not much got paid
missmonotropa -> vultura: 3x or so
vultura -> missmonotropa: wtf
vultura -> missmonotropa: has to be at least 20k euro
vultura -> missmonotropa: i can see how many of them click!!1!
vultura -> missmonotropa: dont fuck with me
vultura -> missmonotropa: or ur out
missmonotropa -> vultura: give me a sec
vultura -> missmonotropa: no
vultura -> missmonotropa: u still there
vultura -> missmonotropa: LISELOTT!
vultura -> missmonotropa: ???
missmonotropa -> vultura: im back
missmonotropa -> vultura: got a good harvest now
missmonotropa -> vultura: looked at it wrong
vultura -> missmonotropa: LOL U DARE
vultura -> missmonotropa: WHAT ARE U WEARING
missmonotropa -> vultura: lol
missmonotropa -> vultura: here is the updated tc
vultura -> missmonotropa: DOESNT WORK
vultura -> missmonotropa: WITH UR JABBER PASS RIGHT??? <--- HINT
missmonotropa -> vultura: yes
missmonotropa -> vultura: erm capslock?

vultura -> missmonotropa: lol
vultura -> missmonotropa: i forgot
vultura -> missmonotropa: ok its open
missmonotropa -> vultura: ok
vultura -> missmonotropa: nice
vultura -> missmonotropa: theyre pouring in >D
missmonotropa -> vultura: gotta cook now
vultura -> missmonotropa: why is that hidden one still in there?
missmonotropa -> vultura: crap
missmonotropa -> vultura: sorry
missmonotropa -> vultura: nobody sees it
vultura -> missmonotropa: ur dangerous
missmonotropa -> vultura: not to you..
vultura -> missmonotropa: dunno
vultura -> missmonotropa: but ur worth it
missmonotropa -> vultura:

vultura -> missmonotropa: Message of the day:
- there are no rules
- allowed password format: ^[a-zA-Z0-9., _-]{4,6}$
http://xmpp.org/extensions/xep-0078.html
Concatenate the Stream ID received from the server with the password. [8]
Hash the concatenated string according to the SHA1 algorithm, i.e., SHA1(concat(sid, password)).
Ensure that the hash output is in hexadecimal format, not binary or base64.
Convert the hash output to all lowercase characters.
Open mobile.pcap
filter on "xmpp"
7644 11699.928347 192.0.2.5 203.0.113.7 XMPP/XML 220 STREAM < h4ck3nb3rg
<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='3807744839' from='h4ck3nb3rg' xml:lang='en'>
3807744839 = stream ID = the salt
7648 11699.937564 203.0.113.7 192.0.2.5 XMPP/XML 253 IQ(set) QUERY
<iq type="set" id="2"><query xmlns="jabber:iq:auth"><username>missmonotropa</username><digest>b8f6a6eb3bd3f928647ce6b8b787eddb5dc13a74</digest><resource>old-client</resource></query></iq>
b8f6a6eb3bd3f928647ce6b8b787eddb5dc13a74 sha1(salt+passwd)
hashcat-cli64.exe -m 120 -n 8 -a 3 --salt-file salt.txt --pw-min=4 --pw-max=6 -o found.txt -1 ?l?d. hash.txt
http://hashcat.net/hashcat/
salt.txt: 3807744839
hash.txt: b8f6a6eb3bd3f928647ce6b8b787eddb5dc13a74
hashcat-cli64.exe -m 120 -n 8 -a 3 --salt-file salt.txt --pw-min=4 --pw-max=6 -o found.txt -1 ?l?d?u-_,. hash.txt ?1?1?1?1?1?1
b8f6a6eb3bd3f928647ce6b8b787eddb5dc13a74:3807744839:u9.fwh
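The same digest check and a small mask attack written out in Python, as an added example rather than the author's hashcat run: it parses the stream ID and digest out of the two stanzas quoted above, reproduces XEP-0078's SHA1(sid || password) and verifies the recovered password against the captured digest. Function names are my own; the stanzas and values are the ones from mobile.pcap above.

```python
import hashlib
import itertools
import re
import string

# The two stanzas from mobile.pcap as quoted on this page: the server's
# stream header (carries the stream ID) and the client's jabber:iq:auth set.
STREAM_OPEN = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
               "xmlns:stream='http://etherx.jabber.org/streams' "
               "id='3807744839' from='h4ck3nb3rg' xml:lang='en'>")
IQ_SET = ('<iq type="set" id="2"><query xmlns="jabber:iq:auth">'
          '<username>missmonotropa</username>'
          '<digest>b8f6a6eb3bd3f928647ce6b8b787eddb5dc13a74</digest>'
          '<resource>old-client</resource></query></iq>')

# Alphabet allowed by the server's message of the day: ^[a-zA-Z0-9., _-]{4,6}$
ALPHABET = string.ascii_letters + string.digits + "., _-"


def extract_sid_and_digest(stream_open, iq_set):
    """Pull (username, stream id, digest) out of the captured stanzas."""
    sid = re.search(r"\bid='([^']+)'", stream_open).group(1)
    user = re.search(r"<username>([^<]+)</username>", iq_set).group(1)
    digest = re.search(r"<digest>([0-9a-fA-F]{40})</digest>", iq_set).group(1)
    return user, sid, digest.lower()


def xep0078_digest(sid, password):
    """XEP-0078 digest: lowercase hex SHA-1 over sid || password."""
    return hashlib.sha1((sid + password).encode("utf-8")).hexdigest()


def check(sid, password, digest):
    return xep0078_digest(sid, password) == digest.lower()


def crack(sid, digest, candidates):
    """First candidate that reproduces the digest, or None. This is exactly
    what hashcat -m 120 (sha1($salt.$pass)) computes with the stream ID as salt."""
    for pw in candidates:
        if check(sid, pw, digest):
            return pw
    return None


def mask_candidates(alphabet, min_len, max_len):
    """Exhaustive keyspace for lengths min_len..max_len, like hashcat -a 3
    with a single custom charset. Pure Python: only for small demos."""
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def keyspace_size(alphabet, min_len, max_len):
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    user, sid, digest = extract_sid_and_digest(STREAM_OPEN, IQ_SET)
    print(f"user={user} sid={sid} digest={digest}")
    print("policy keyspace:", keyspace_size(ALPHABET, 4, 6))  # ~9.2e10, hashcat territory
    # Tiny mask run to show the mechanics: four digits against a digest made here.
    demo = xep0078_digest(sid, "0420")
    print("demo crack:", crack(sid, demo, mask_candidates(string.digits, 4, 4)))
    print("u9.fwh verifies against the captured digest:", check(sid, "u9.fwh", digest))
```

The full keyspace of the message-of-the-day policy is 67^4 + 67^5 + 67^6, roughly 9.2e10 SHA-1 computations, which is why the real run above goes to hashcat; the Python mask generator is only exercised on four digits here. One caveat on the hashcat charset used above: ?l?d?u-_,. covers 66 characters and leaves out the space that ^[a-zA-Z0-9., _-]{4,6}$ allows, so a password containing a space would have been missed. It did not matter for u9.fwh.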
Answer:
u9.fwh
account number: 6049474
Question 10:
Watch the briefing video.
YouTube: De zaak IJsvogel: een dag uit het leven van de digitaal rechercheur (The IJsvogel case: a day in the life of the digital investigator)
Answer:
Extra space after the password: "u9.fwh "
in the file config
#VrD8r4Nv
Question 11:
/*
* irssi config for the weekly meeting
*/
servers = (
{
address = "54.228.228.142";
port = "50255";
use_ssl = "yes";
ssl_verify = "no";
autoconnect = "yes";
chatnet = "BOT";
password = "GKqifIEeQhpgPv3po6R7m3Vv";
}
);
chatnets = {
BOT = {
type = "IRC";
};
};
channels = (
{ name = "#VrD8r4Nv"; chatnet = "BOT"; autojoin = "Yes"; },
);
in irssi:
/connect -SSL 54.228.228.142 50255 GKqifIEeQhpgPv3po6R7m3Vv
/j #VrD8r4Nv
16:47:55 -!- Irssi: Changed to server 54.228.228.142
16:48:22 [54] -!- #VrD8r4Nv ojyysist H+ 0 ~ojyysist@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv yplxfwwr H+ 0 ~yplxfwwr@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv hlmarbar H+ 0 ~hlmarbar@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv Erik H 0 ~Mibbit@no.ip [Mibbit]
16:48:22 [54] -!- #VrD8r4Nv pmiulvig H+ 0 ~pmiulvig@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv plmrhcyn H+ 0 ~plmrhcyn@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv obwagrjc H+ 0 ~obwagrjc@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv dxntvpkm H+ 0 ~dxntvpkm@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv cjkvmzrh H+ 0 ~cjkvmzrh@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv robzaoan H+ 0 ~robzaoan@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv xrqszhsv H+ 0 ~xrqszhsv@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv jgpdmsoc H+ 0 ~jgpdmsoc@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv utlexjax H+ 0 ~utlexjax@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv kktqtskt H+ 0 ~kktqtskt@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv czbnjkfv H+ 0 ~czbnjkfv@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv qlrbdihp H+ 0 ~qlrbdihp@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv cjldqqgn H+ 0 ~cjldqqgn@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv nstspjjg H+ 0 ~nstspjjg@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv ltoypqqs H+ 0 ~ltoypqqs@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv lqcekqzp H+ 0 ~lqcekqzp@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv olrvifim H+ 0 ~olrvifim@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv rdwvablp H+ 0 ~rdwvablp@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv pvuadysl H+ 0 ~pvuadysl@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv btbrznuh H+ 0 ~btbrznuh@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv eakqbhkt H+ 0 ~eakqbhkt@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv hgvffzyj H+ 0 ~hgvffzyj@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv ptwlhohn H+ 0 ~ptwlhohn@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv etpgocfw H+ 0 ~etpgocfw@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv kazphfpf H+ 0 ~kazphfpf@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv odrmrxhc H+ 0 ~odrmrxhc@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv pehjjwyy H+ 0 ~pehjjwyy@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv hoeahrew H+ 0 ~hoeahrew@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv mvlisdtp H+ 0 ~mvlisdtp@no.ip [None]
16:48:22 [54] -!- #VrD8r4Nv Dennis H 0 ~Dennis@no.ip [Dennis]
16:48:22 [54] -!- #VrD8r4Nv sdasdsada H 0 ~sdasdsada@no.ip [sdasdsadas]
16:48:22 [54] -!- #VrD8r4Nv asd G 0 ~sicco@no.ip [purple]
16:48:22 [54] -!- #VrD8r4Nv Marco H 0 ~Marco@no.ip [Marco Jan]
16:48:22 [54] -!- #VrD8r4Nv root H 0 ~root@no.ip [root]
16:48:22 [54] -!- #VrD8r4Nv anne_ H 0 ~anne@no.ip [UBUNTU1]
16:48:22 [54] -!- #VrD8r4Nv testje888 H 0 ~testje888@no.ip [testje888]
16:48:22 [54] -!- #VrD8r4Nv wggds H 0 ~wggds@no.ip [wggds]
16:48:22 [54] -!- #VrD8r4Nv Bushi__ H 0 ~Bushi@no.ip [Bushi]
16:48:22 [54] -!- #VrD8r4Nv Bushi_ H 0 ~Bushi@no.ip [Bushi]
16:48:22 [54] -!- #VrD8r4Nv t3j0nz_ H 0 ~Arthur@no.ip [Arthur]
16:48:22 [54] -!- #VrD8r4Nv Beagollum H 0 ~Beagollum@no.ip [Niek]
16:48:22 [54] -!- #VrD8r4Nv Fossil H 0 ~Fossil@no.ip [...]
16:48:22 [54] -!- #VrD8r4Nv emile H 0 ~emile@no.ip [emile]
16:48:22 [54] -!- #VrD8r4Nv oytkjzjz H 0 ~oytkjzjz@no.ip [oytkjzjz]
16:48:22 [54] -!- #VrD8r4Nv mouse H 0 ~mouse@no.ip [Unknown]
16:48:22 [54] -!- #VrD8r4Nv diko H 0 ~diko@no.ip [diko]
16:48:22 [54] -!- #VrD8r4Nv splinter H 0 ~splinter@no.ip [splinter]
16:48:22 [54] -!- #VrD8r4Nv du0ai1Oh H 0 ~du0ai1Oh@no.ip [du0ai1Oh]
16:48:22 [54] -!- #VrD8r4Nv blasty H 0 ~blasty@no.ip [AHI]
16:48:22 [54] -!- #VrD8r4Nv stickybit H 0 ~stickybit@no.ip [Sticky Bit]
16:48:22 [54] -!- #VrD8r4Nv jeffk H 0 ~jeffk@no.ip [jeffk]
16:48:22 [54] -!- #VrD8r4Nv pectagta H+ 0 ~abpfehoh@no.ip [control bot] <--- HINT
16:48:22 [54] -!- #VrD8r4Nv CHANSERV H*@ 1 chan@services.int [channel registration service]
16:48:22 [54] -!- End of /WHO list
/msg pectagta hoi
<pectagta> dfI8J5hkgaQ6vtYtKK2d7Qlou650S9m1FZ697bZ01TCOTnCTWtyCzqyZe9UV4bBHZN9nkm4j/2PyZ/0L6ga3AQ==
Part 2: build a Volatility Linux profile for the imaged kernel (Ubuntu 10.04, 2.6.32-45-generic-pae) on a matching system, then analyse memory.raw with it.
erik@ubuntu:/etc/apt$ sudo apt-get install linux-image-2.6.32-45-generic-pae
erik@ubuntu:/etc/apt$ sudo apt-get install linux-headers-2.6.32-45-generic-pae
erik@ubuntu:~$ svn checkout http://volatility.googlecode.com/svn/trunk/ volatility
erik@ubuntu:~/volatility/tools/linux$ sudo apt-get install dwarfdump
erik@ubuntu:~/volatility/tools/linux$ make
make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y M=/home/erik/volatility/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
Building modules, stage 2.
MODPOST 1 modules
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.32-45-generic-pae/build M=/home/erik/volatility/tools/linux clean
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
CLEAN /home/erik/volatility/tools/linux/.tmp_versions
CLEAN /home/erik/volatility/tools/linux/Module.symvers /home/erik/volatility/tools/linux/modules.order
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
erik@ubuntu:~/volatility$ sudo zip volatility/plugins/overlays/linux/Ubuntu1004_4pae.zip tools/linux/module.dwarf /boot/System.map-2.6.32-45-generic-pae
adding: tools/linux/module.dwarf (deflated 89%)
adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
erik@ubuntu:~/volatility$ python vol.py --info
Volatile Systems Volatility Framework 2.3_alpha
Profiles
--------
LinuxUbuntu1004_4paex86 - A Profile for Linux Ubuntu1004_4pae x86
erik@ubuntu:~/volatility$ python vol.py -f ~/Downloads/memory.raw --profile=LinuxUbuntu1004_4paex86 linux_psaux
Volatile Systems Volatility Framework 2.3_alpha
Pid Uid Gid Arguments
1 0 0 /sbin/init
2 0 0 [kthreadd]
3 0 0 [migration/0]
4 0 0 [ksoftirqd/0]
5 0 0 [watchdog/0]
6 0 0 [events/0]
7 0 0 [cpuset]
8 0 0 [khelper]
9 0 0 [netns]
10 0 0 [async/mgr]
11 0 0 [pm]
12 0 0 [sync_supers]
13 0 0 [bdi-default]
14 0 0 [kintegrityd/0]
15 0 0 [kblockd/0]
16 0 0 [kacpid]
17 0 0 [kacpi_notify]
18 0 0 [kacpi_hotplug]
19 0 0 [ata/0]
20 0 0 [ata_aux]
21 0 0 [ksuspend_usbd]
22 0 0 [khubd]
23 0 0 [kseriod]
24 0 0 [kmmcd]
27 0 0 [khungtaskd]
28 0 0 [kswapd0]
29 0 0 [ksmd]
30 0 0 [aio/0]
31 0 0 [ecryptfs-kthrea]
32 0 0 [crypto/0]
36 0 0 [scsi_eh_0]
38 0 0 [scsi_eh_1]
40 0 0 [kstriped]
41 0 0 [kmpathd/0]
42 0 0 [kmpath_handlerd]
43 0 0 [ksnapd]
44 0 0 [kondemand/0]
45 0 0 [kconservative/0]
159 0 0 [scsi_eh_2]
165 0 0 [usbhid_resumer]
178 0 0 [kdmflush]
182 0 0 [kdmflush]
196 0 0 [jbd2/dm-0-8]
197 0 0 [ext4-dio-unwrit]
240 0 0 upstart-udev-bridge --daemon
243 0 0 udevd --daemon
319 0 0 udevd --daemon
321 0 0 udevd --daemon
385 0 0 [kpsmoused]
497 101 103 rsyslogd -c4
557 0 0 /sbin/getty -8 38400 tty4
566 0 0 /sbin/getty -8 38400 tty5
573 0 0 /sbin/getty -8 38400 tty2
575 0 0 /sbin/getty -8 38400 tty3
579 0 0 /sbin/getty -8 38400 tty6
583 0 0 cron
584 0 0 atd
636 0 0 /sbin/getty -8 38400 tty1
637 0 0 [flush-1:0]
638 0 0 [flush-1:1]
639 0 0 [flush-1:2]
640 0 0 [flush-1:3]
641 0 0 [flush-1:4]
642 0 0 [flush-1:5]
643 0 0 [flush-1:6]
644 0 0 [flush-1:7]
645 0 0 [flush-1:8]
646 0 0 [flush-1:9]
647 0 0 [flush-1:10]
648 0 0 [flush-1:11]
649 0 0 [flush-1:12]
650 0 0 [flush-1:13]
651 0 0 [flush-1:14]
652 0 0 [flush-1:15]
653 0 0 [flush-8:0]
654 0 0 [flush-251:0]
665 0 0 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
681 0 0 /usr/sbin/sshd -D
780 0 0 sshd: monotropa [priv
849 1000 1000 sshd: monotropa@pts/0
850 1000 1000 -bash
866 1000 1000 ./crypto
erik@ubuntu:~/volatility$ python vol.py -f ~/Downloads/memory.raw --profile=LinuxUbuntu1004_4paex86 linux_proc_maps -p 866
Volatile Systems Volatility Framework 2.3_alpha
Pid Start End Flags Pgoff Major Minor Inode File Path
-------- ---------- ---------- ------ ---------- ------ ------ ---------- --------------------------------------------------------------------------------
866 0x08048000 0x0810a000 r-x 0x0 251 0 142435 /home/monotropa/crypto
866 0x0810a000 0x08115000 rw- 0xc1000 251 0 142435 /home/monotropa/crypto
866 0x08115000 0x08117000 rw- 0x0 0 0 0
866 0x0991c000 0x0993e000 rw- 0x0 0 0 0 [heap]
866 0xb7701000 0xb7703000 rw- 0x0 0 0 0
866 0xb7703000 0xb7704000 r-x 0x0 0 0 0
866 0xbfa26000 0xbfa3c000 rw- 0x0 0 0 0 [stack]
erik@ubuntu:~/volatility$ python vol.py -f ~/Downloads/memory.raw --profile=LinuxUbuntu1004_4paex86 linux_dump_map -p 866 0x0991c000 --dump-dir ~
Volatile Systems Volatility Framework 2.3_alpha
Task VM Start VM End Length Path
---------- ---------- ---------- ---------- ----
866 0x08048000 0x0810a000 0xc2000 /home/erik/task.866.0x8048000.vma
866 0x0810a000 0x08115000 0xb000 /home/erik/task.866.0x810a000.vma
866 0x08115000 0x08117000 0x2000 /home/erik/task.866.0x8115000.vma
866 0x0991c000 0x0993e000 0x22000 /home/erik/task.866.0x991c000.vma
866 0xb7701000 0xb7703000 0x2000 /home/erik/task.866.0xb7701000.vma
866 0xb7703000 0xb7704000 0x1000 /home/erik/task.866.0xb7703000.vma
866 0xbfa26000 0xbfa3c000 0x16000 /home/erik/task.866.0xbfa26000.vma
/home/erik/task.866.0xbfa26000.vma STACK
/home/erik/task.866.0x991c000.vma HEAP
xxd task.866.0x991c000.vma > heap.hex
xxd task.866.0xbfa26000.vma > stack.hex
Then run a copy of the crypto binary locally with a known password, 1234567890, so the heap and stack of the live process can be compared against the dumps from the image:
chmod a+x crypto
./crypto
password 1234567890
erik 3329 0.0 0.0 1064 260 pts/0 S+ 10:21 0:00 ./crypto
erik 3331 0.0 0.0 3328 884 pts/2 S+ 10:21 0:00 grep --color=auto crypto
erik@ubuntu:~/volatility$ cat /proc/3329/maps
08048000-0810a000 r-xp 00000000 08:01 927135 /home/erik/crypto
0810a000-08115000 rw-p 000c1000 08:01 927135 /home/erik/crypto
08115000-08117000 rw-p 00000000 00:00 0
085c9000-085eb000 rw-p 00000000 00:00 0 [heap]
b771e000-b7720000 rw-p 00000000 00:00 0
b7720000-b7721000 r-xp 00000000 00:00 0 [vdso]
bfcfc000-bfd11000 rw-p 00000000 00:00 0 [stack]
erik@ubuntu:~/volatility$ gdb --pid 3329
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Attaching to process 3329
Reading symbols from /home/erik/crypto...(no debugging symbols found)...done.
0x080925ae in __read_nocancel ()
(gdb) dump memory /home/erik/erikstack 0xbfcfc000 0xbfd11000
(gdb) dump memory /home/erik/erikheap 0x085c9000 0x085eb000
(gdb) quit
A debugging session is active.
Inferior 1 [process 3329] will be detached.
Quit anyway? (y or n) y
Detaching from program: /home/erik/crypto, process 3329
erik@ubuntu:~$ xxd erikheap > erikheap.hex
erik@ubuntu:~$ xxd erikstack > erikstack.hex
erik@ubuntu:~$ diff erikheap.hex heap.hex
132,133c132,133
< 0000830: 3098 5c08 084f 1108 3098 5c08 0000 0000 0.\..O..0.\.....
< 0000840: 2004 72b7 0004 3a16 0000 0000 0000 0000 .r...:.........
---
> 0000830: 30c8 9109 084f 1108 30c8 9109 0000 0000 0....O..0.......
> 0000840: 2034 70b7 00f2 27b7 0000 0000 0000 0000 4p...'.........
140c140
< 00008b0: 6000 d1bf 0000 0000 0000 0000 0000 0000 `...............
---
> 00008b0: 90ad a3bf 0000 0000 0000 0000 0000 0000 ................
206,208c206,208
< 0000cd0: 0000 0000 1900 0000 f09c 5c08 189d 5c08 ..........\...\.
< 0000ce0: 409d 5c08 689d 5c08 0000 0000 b909 0000 @.\.h.\.........
< 0000cf0: 189d 5c08 5ae5 0f08 0000 0000 40eb 0f08 ..\.Z.......@...
---
> 0000cd0: 0000 0000 1900 0000 f0cc 9109 18cd 9109 ................
> 0000ce0: 40cd 9109 68cd 9109 0000 0000 b909 0000 @...h...........
> 0000cf0: 18cd 9109 5ae5 0f08 0000 0000 40eb 0f08 ....Z.......@...
210c210
< 0000d10: 0000 0000 0000 0000 409d 5c08 5ae5 0f08 ........@.\.Z...
---
> 0000d10: 0000 0000 0000 0000 40cd 9109 5ae5 0f08 ........@...Z...
213c213
< 0000d40: 689d 5c08 5ae5 0f08 0000 0000 50eb 0f08 h.\.Z.......P...
---
> 0000d40: 68cd 9109 5ae5 0f08 0000 0000 50eb 0f08 h...Z.......P...
386,387c386,387
< 0001810: 655a 5154 3536 3738 3930 0000 0000 0000 eZQT567890......
< 0001820: 0000 0000 0000 0000 0000 0000 0000 0000 ................
---
> 0001810: 6051 7931 6f48 5745 4130 7274 4d76 4178 `Qy1oHWEA0rtMvAx
> 0001820: 5748 0000 0000 0000 0000 0000 0000 0000 WH..............
erik@ubuntu:~$ grep -B 3 -A 3 56789 erikstack.hex
0013f70: 2a4b 4524 5577 6621 6258 3a25 4979 784b *KE$Uwf!bX:%IyxK
0013f80: 6076 7a31 2b48 6a5c 6b79 546a 7052 2e79 `vz1+Hj\kyTjpR.y
0013f90: 5752 2265 2942 666a 7925 6e48 3132 3334 WR"e)Bfjy%nH1234
0013fa0: 3536 3738 3930 486f 2321 4c78 4427 3344 567890Ho#!LxD'3D
0013fb0: 5254 3b4b 787a 5572 5730 3d2b 4d66 2964 RT;KxzUrW0=+Mf)d
0013fc0: 6a50 4834 2d49 5c2f 232e 6146 6873 4373 jPH4-I\/#.aFhsCs
0013fd0: 2637 4458 3752 296d 6145 5133 d93b 9416 &7DX7R)maEQ3.;..
erik@ubuntu:~$ grep -B 3 -A 3 HWEA0 stack.hex
0014ca0: 5c5e 2929 7564 5b4f 4a62 6d4c 6735 6670 \^))ud[OJbmLg5fp
0014cb0: 2d65 714a 4378 585a 5a57 4721 5431 3c69 -eqJCxXZZWG!T1<i
0014cc0: 6e45 7242 622c 7065 4763 3734 3765 5343 nErBb,peGc747eSC
0014cd0: 6f48 5745 4130 7274 4d76 4178 5748 5370 oHWEA0rtMvAxWHSp
0014ce0: 382f 5556 2f59 6f5e 3456 5072 5d67 2932 8/UV/Yo^4VPr]g)2
0014cf0: 722c 3e4f 366a 5c62 5c41 2b50 2637 4572 r,>O6j\b\A+P&7Er
0014d00: 4553 4d2e 3142 6b78 5174 6f68 6c99 160e ESM.1BkxQtohl...
7eSCoHWEA0rtMvAxWH
The heap copy from the image reads `Qy1oHWEA0rtMvAxWH while the stack copy reads 7eSCoHWEA0rtMvAxWH: the first four bytes differ, just as the known password 1234567890 turned up in the local heap as eZQT567890. The heap gives the length and the intact tail, the stack gives the full 18-character password.
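The heap/stack comparison done by hand with xxd, diff and grep above, as an added Python example (not the author's tooling). It diffs a reference dump against the forensic dump, keeps only changed regions that read as a printable string, learns from the known password 1234567890 how many leading bytes the heap copy loses, and repairs the candidate from the stack dump. The dumps embedded here are constructed miniatures modelled on the xxd rows above, not the real .vma files; load() is there for the real ones.

```python
import string

# Bytes that can appear in a typed password: printable ASCII minus control
# whitespace (space itself stays; the MOTD policy in Question 9 allows it).
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def load(path):
    """Read a linux_dump_map .vma file or gdb 'dump memory' output as bytes."""
    with open(path, "rb") as f:
        return f.read()


def diff_runs(ref, target, max_gap=2):
    """Offsets where two same-layout dumps differ, merged into (start, length)
    runs. Up to max_gap identical bytes inside a run are bridged, so a replaced
    string with one coincidentally equal byte still comes out as one run."""
    runs, start, last = [], None, None
    for i, (a, b) in enumerate(zip(ref, target)):
        if a == b:
            continue
        if start is not None and i - last > max_gap + 1:
            runs.append((start, last - start + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        runs.append((start, last - start + 1))
    return runs


def printable_span(buf, offset):
    """Widen offset over printable bytes in both directions; returns (start, bytes).
    A NUL or any other non-printable byte ends the span."""
    start = end = offset
    while start > 0 and buf[start - 1] in PRINTABLE:
        start -= 1
    while end < len(buf) and buf[end] in PRINTABLE:
        end += 1
    return start, bytes(buf[start:end])


def string_candidates(ref, target, min_len=6):
    """Regions of target that changed relative to ref and read as a printable
    string of at least min_len bytes. Relocated heap pointers differ in only a
    few bytes and are not printable; a different password is both."""
    found = {}
    for off, length in diff_runs(ref, target):
        if length < min_len:
            continue
        start, s = printable_span(target, off)
        if len(s) >= min_len:
            found[start] = s
    return sorted(found.items())


def clobbered_head_len(ref, known, min_tail=4):
    """How many leading bytes of the known password were overwritten in the
    reference dump: the longest suffix of `known` still present tells us.
    Returns -1 if even the last min_tail bytes are gone."""
    for k in range(len(known) - min_tail + 1):
        if ref.find(known[k:]) >= 0:
            return k
    return -1


def corroborate_with_stack(heap_string, stack, head_len):
    """Rebuild a heap string whose first head_len bytes are untrusted: find its
    intact tail in the stack dump and read head_len bytes in front of it.
    None if the tail is missing, too close to the start, or not unique."""
    tail = heap_string[head_len:]
    first = stack.find(tail)
    if first < head_len or stack.find(tail, first + 1) >= 0:
        return None
    return bytes(stack[first - head_len:first + len(tail)])


def recover_password(ref_heap, target_heap, known, target_stack):
    """Whole procedure: diff the heaps, learn from the known-password run how
    many leading bytes the heap copy loses, repair each candidate from the stack."""
    head = clobbered_head_len(ref_heap, known)
    out = []
    for _, s in string_candidates(ref_heap, target_heap):
        out.append(corroborate_with_stack(s, target_stack, head) if head > 0 else s)
    return out


# Constructed miniature dumps modelled on the xxd rows above (not the real
# .vma files): two relocated pointers, then the password buffer.
REF_HEAP, TARGET_HEAP = bytearray(0x60), bytearray(0x60)
REF_HEAP[0x10:0x14], TARGET_HEAP[0x10:0x14] = b"\x30\x98\x5c\x08", b"\x30\xc8\x91\x09"
REF_HEAP[0x20:0x28] = b"\xf0\x9c\x5c\x08\x18\x9d\x5c\x08"
TARGET_HEAP[0x20:0x28] = b"\xf0\xcc\x91\x09\x18\xcd\x91\x09"
REF_HEAP[0x40:0x4a] = b"eZQT567890"            # 1234567890 with its head clobbered
TARGET_HEAP[0x40:0x52] = b"`Qy1oHWEA0rtMvAxWH"  # same damage to the unknown password
TARGET_STACK = (b"^))ud[OJbmLg5fp-eqJCxXZZWG!T1<inErBb,peGc74"
                b"7eSCoHWEA0rtMvAxWH" b"Sp8/UV/Yo^4VPr]g)2r,>O6j")

if __name__ == "__main__":
    print(recover_password(REF_HEAP, TARGET_HEAP, b"1234567890", TARGET_STACK))
```

On real dumps, call recover_password(load("erikheap"), load("task.866.0x991c000.vma"), b"1234567890", load("task.866.0xbfa26000.vma")); the two heap dumps only need the same layout, not the same size, since the diff stops at the shorter one. The stack check deliberately refuses an ambiguous tail, because the stack is full of random-looking printable junk and a short tail can match more than once.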
./crypto
password: 7eSCoHWEA0rtMvAxWH
decrypt
message: dfI8J5hkgaQ6vtYtKK2d7Qlou650S9m1FZ697bZ01TCOTnCTWtyCzqyZe9UV4bBHZN9nkm4j/2PyZ/0L6ga3AQ==
erik@ubuntu:~$ ./crypto
password:
1. encrypt
2. decrypt
0. quit
menu: 2
msg: dfI8J5hkgaQ6vtYtKK2d7Qlou650S9m1FZ697bZ01TCOTnCTWtyCzqyZe9UV4bBHZN9nkm4j/2PyZ/0L6ga3AQ==
decrypted: supported commands: info, help, history, stats, zombies
menu: 1
msg: history
encrypted: 3x6o42tX97fE/EceLRTn6A==
18:39:39 <Erik> 3x6o42tX97fE/EceLRTn6A==
18:39:39 <pectagta> 7cK6NZ3unxXBwreX2W0Zljqs4kk//eUKoMu9SCLRtdnPMdPtgZD2rDDxHOTBZpK3bWBDlUa4qWOIB16y/2PAbs0+4u/8AfXWY7gRwicWI6E6VItvWsdtWBLKusITToby
msg: 7cK6NZ3unxXBwreX2W0Zljqs4kk//eUKoMu9SCLRtdnPMdPtgZD2rDDxHOTBZpK3bWBDlUa4qWOIB16y/2PAbs0+4u/8AfXWY7gRwicWI6E6VItvWsdtWBLKusITToby
decrypted: last login from Vultura@home7eb463.vulturacommunicationhq.com on 2013-03-19 18:36:41
Answer:
home7eb463.vulturacommunicationhq.com
Question 12:
whois vulturacommunicationhq.com
Registrant:
Zevendees, Oscar
Roosveldstraat 404
Haarlem, NH 2013 cc
NL
Domain Name: VULTURACOMMUNICATIONHQ.COM
Answer:
Oscar Zevendees
a nice T-shirt with Pim. is the best and all that