add volatility3 info

This commit is contained in:
aaron
2021-12-04 03:21:34 +01:00
parent bac79f7540
commit 076a5fe8d4


@@ -14,9 +14,29 @@ Download Link: http://46.101.25.140/forensics_honeypot.zip
## Flag ## Flag
## Progress so far ## Volatility3
- The honeypot.zip file contains ä windows memory dump ### Installation
```bash
git clone git@github.com:volatilityfoundation/volatility3.git
cd volatility3
pipenv install
pipenv shell
```
### Useful Commands
```bash
# get running processes and pid
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.cmdline.CmdLine
# get all connected ips
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.netstat.NetStat
```
## Notes
- The honeypot.zip file contains a windows memory dump
- By using the `volatility3` framework one can extract data from the dump - By using the `volatility3` framework one can extract data from the dump
- By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious - By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious
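Review bot: the plugin names in the new "Useful Commands" block do not match the notes below them: the block runs `windows.cmdline.CmdLine`, while the unchanged note still says `vol -f honeypot.raw windows.cmdline.CMDLine`, and the block's "get all connected ips" line runs `windows.netstat.NetStat` while the later note (next hunk) attributes the foreign IPs to `windows.netscan.Netscan`. Pick one spelling and one plugin per task and use it in both places, since the CLI resolves plugin names literally and netstat and netscan are different plugins that can give different output from the same image. Two smaller points in the same hunk: `git clone git@github.com:volatilityfoundation/volatility3.git` uses the SSH form, which needs an SSH key registered with GitHub; for a read-only clone of a public repo an `https://github.com/volatilityfoundation/volatility3.git` URL works without any credentials, and the example commands hard-code `~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw`, where the relative `honeypot.raw` already used in the notes would be portable. The comment "get running processes and pid" also oversells `CmdLine`, which lists per-process command lines; that is fine for spotting the malicious PowerShell, but say so rather than presenting it as the process listing.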
@@ -47,7 +67,7 @@ exited?)
- The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url - The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url
- The PID of said command is 2700 - The PID of said command is 2700
- By examining the currently active connections, using `vol -f honeypot.raw windows.netscan.Netscan` the following foreign IPs stand out: - By examining the currently active connections, using `windows.netscan.Netscan` the following foreign IPs stand out:
``` ```
Volatility 3 Framework 1.0.1 Volatility 3 Framework 1.0.1
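Review bot: this hunk shortens the reference to `windows.netscan.Netscan` by dropping `-f honeypot.raw`, but the only full invocation added above (the "Useful Commands" block) runs `windows.netstat.NetStat`, so the reader no longer has a complete command that produces the "Volatility 3 Framework 1.0.1" output quoted here. Either keep the full `vol -f honeypot.raw windows.netscan.Netscan` in this note or add the netscan invocation to the Useful Commands block, and state which of the two plugins the quoted IP list actually came from.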