
Forensics



This is a memory dump of a compromised system; do some forensics kung-fu to explore the inside.
The following is a walkthrough of the Forensics room on TryHackMe.

So first, start by checking the image info to identify the OS and pick a profile:

$ volatility -f victim.raw imageinfo


We will go with the profile Win7SP1x64.

The OS is Windows 7.

Now list the running processes:
$ volatility -f victim.raw --profile=Win7SP1x64 pslist


So we got the PID of SearchIndexer.

To find the last directory that was accessed, dump the shellbags:
$ volatility -f victim.raw --profile=Win7SP1x64 shellbags


Scanning network connections

$ volatility -f victim.raw --profile=Win7SP1x64 netscan


Next, look for injected code with malfind, dumping the suspicious memory regions into the current directory:
$ volatility -f victim.raw --profile=Win7SP1x64 malfind -D .


The process IDs flagged by malfind are 1860;1820;2464

Let's find out the URLs.



Now let's search for IPs.
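As an added example (not part of the original post), here is a small POSIX shell toolkit that strings the Volatility 2 commands used above into one triage run and parses their text output, so the PID of a process, the PIDs flagged by malfind, the peers of a process's established connections, and candidate IPs from strings output can be pulled out without reading screenshots by eye. The image name, profile and output directory are assumptions; the sample plugin outputs embedded below are constructed to match Volatility 2's table format. The PIDs 1860, 1820 and 2464 in the malfind sample are the ones the post reports, but the process names and addresses attached to them, and the SearchIndexer PID, are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the Volatility 2
# triage sequence: imageinfo -> pslist -> shellbags -> netscan -> malfind.

IMAGE="${IMAGE:-victim.raw}"          # memory image (assumed name, as in the post)
PROFILE="${PROFILE:-Win7SP1x64}"      # profile chosen from imageinfo output
OUTDIR="${OUTDIR:-triage_out}"        # where each plugin's text output is saved

# Run the plugins from the post in order, saving each output to a file so it
# can be re-parsed later without touching the image again.
triage() {
    mkdir -p "$OUTDIR"
    for plugin in pslist shellbags netscan; do
        volatility -f "$IMAGE" --profile="$PROFILE" "$plugin" > "$OUTDIR/$plugin.txt"
    done
    # malfind also writes the flagged memory regions as files into $OUTDIR
    volatility -f "$IMAGE" --profile="$PROFILE" malfind -D "$OUTDIR" > "$OUTDIR/malfind.txt"
}

# pslist output on stdin -> PID of the first process whose name matches a
# case-insensitive pattern.  Usage: pid_of searchindexer < triage_out/pslist.txt
pid_of() {
    awk -v pat="$1" 'NR > 2 && tolower($2) ~ tolower(pat) { print $3; exit }'
}

# malfind output on stdin -> sorted unique flagged PIDs joined with ';'.
# malfind prints one "Process: <name> Pid: <pid> Address: <addr>" header per hit.
malfind_pids() {
    awk '$1 == "Process:" { print $4 }' | sort -un | paste -s -d ';' -
}

# netscan output on stdin -> foreign endpoints of ESTABLISHED TCP connections
# for a PID.  On such rows the columns are: Offset Proto Local Foreign State Pid Owner ...
established_peers() {
    awk -v pid="$1" '$5 == "ESTABLISHED" && $6 == pid { print $4 }'
}

# Any text on stdin (e.g. `strings victim.raw`) -> unique dotted-quad tokens,
# with loopback and 0.0.0.0 dropped.  A coarse first pass to narrow the search,
# not a definitive indicator list.
ipv4_candidates() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -vE '^(0\.0\.0\.0|127\.)' | sort -u
}

# --- constructed sample outputs (not real plugin output from the post) ---
PSLIST_SAMPLE='Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80018c8b30 System                    4      0     83      511 ------      0 2018-08-04 12:00:00 UTC+0000
0xfffffa8002b16b30 SearchIndexer.exe      2180    504     14      624      0      0 2018-08-04 12:01:10 UTC+0000
0xfffffa8002f0a060 notepad.exe            1860   1456      3      101      1      0 2018-08-04 12:05:42 UTC+0000'

MALFIND_SAMPLE='Process: notepad.exe Pid: 1860 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: svchost.exe Pid: 1820 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: explorer.exe Pid: 2464 Address: 0x3b0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: notepad.exe Pid: 1860 Address: 0x250000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE'

NETSCAN_SAMPLE='Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e1a0b30         TCPv4    192.168.56.101:49212           203.0.113.5:4444     ESTABLISHED      1860     notepad.exe    2018-08-04 12:06:01 UTC+0000
0x7e1b2c40         UDPv4    0.0.0.0:5355                   *:*                                   1020     svchost.exe    2018-08-04 12:00:30 UTC+0000
0x7e1c3d50         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         2018-08-04 12:00:01 UTC+0000
0x7e1d4e60         TCPv4    192.168.56.101:49230           198.51.100.7:80      ESTABLISHED      1860     notepad.exe    2018-08-04 12:06:30 UTC+0000'

STRINGS_SAMPLE='http://203.0.113.5/update.bin
127.0.0.1
0.0.0.0
C:\Windows\System32
198.51.100.7
203.0.113.5'

# Run the helpers over the constructed samples (replace with real plugin output
# files after running `triage`).
demo() {
    printf 'SearchIndexer PID: %s\n' "$(printf '%s\n' "$PSLIST_SAMPLE" | pid_of searchindexer)"
    printf 'malfind PIDs: %s\n' "$(printf '%s\n' "$MALFIND_SAMPLE" | malfind_pids)"
    printf 'peers of 1860:\n%s\n' "$(printf '%s\n' "$NETSCAN_SAMPLE" | established_peers 1860)"
    printf 'IP candidates:\n%s\n' "$(printf '%s\n' "$STRINGS_SAMPLE" | ipv4_candidates)"
}
demo
```

The helpers read from stdin on purpose: after `triage` has saved each plugin's output, they can be applied to the saved files (`pid_of searchindexer < triage_out/pslist.txt`) or piped straight from Volatility, and the same filters work on a `strings` dump of the image when hunting for URLs and IPs.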



It was really new for me to do forensics, and this machine is good.
I highly recommend doing https://tryhackme.com/room/bpvolatility before doing this Forensics room.
