Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the ultimate-blocks domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/margheri/public_html/wp-includes/functions.php on line 6121

Notice: _load_textdomain_just_in_time işlevi yanlış çağrıldı. Translation loading for the perfect-portfolio domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Ayrıntılı bilgi almak için lütfen WordPress hata ayıklama bölümüne bakın. (Bu ileti 6.7.0 sürümünde eklendi.) in /home/margheri/public_html/wp-includes/functions.php on line 6121
Tryhackme: Critical Writeup - Aleyna Doğan

Tryhackme: Critical Writeup

Acquire the basic skills to analyze a memory dump in a practical scenario.

Lab link.

Task 2: Memory Forensics

2.1. What type of memory is analyzed during a forensic memory task?

RAM

2.2. In which phase will you create a memory dump of the target system?

Memory Acquisition

Task 3: Environment & Setup

3.1. Which plugin can help us to get information about the OS running on the target machine?

Windows.info

3.2. Which tool referenced above can help us take a memory dump on a Linux OS?

LIME

3.3. Which command will display the help menu using Volatility on the target machine?

vol -h

Task 4: Gathering Target Information

4.1. Is the architecture of the machine x64 (64bit) Y/N?

Y

4.2. What is the Verison of the Windows OS

10

4.3. What is the base address of the kernel?

0xf8066161b000

Task 5: Searching for Suspicious Activity

5.1. Using the plugin “windows.netscan” can you identify the IP address that establish a connection on port 80?

192.168.182.128

5.2. Using the plugin “windows.netscan,” can you identify the program (owner) used to access through port 80?

msedge.exe

5.3. Analyzing the process present on the dump, what is the PID of the child process of critical_updat?

1612

5.4. What is the time stamp time for the process with the truncated name critical_updat?

2024-02-24 22:51:50.000000

Task 6: Finding Interesting Data

6.1. Analyzing the “windows.filescan” output, what is the full path and name for critical_updat?

\Users\user01\Documents\critical_update.exe

6.2. Analyzing the “windows.mftscan.MFTScan” what is the Timestamp for the created date of important_document.pdf?

2024-02-24 20:39:42.000000

6.3. Analyzing the updater.exe memory output, can you observe the HTTP request and determine the server used by the attacker?

SimpleHTTP/0.6 Python/3.10.4

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir