Toortik Triflexation [1/2]
Category: Forensic analysis - Difficulty: Hard
Description:
Solution:
vol3 --remote-isf-url https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json -f toortik_triflexation.elf
Let's start by looking at the running processes to see whether anything stands out:
vol3 --remote-isf-url https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json -f toortik_triflexation.elf linux.pslist.PsList
OFFSET (V) PID TID PPID COMM UID GID EUID EGID CREATION TIME File output
0x9000c0345180 1 1 0 systemd 0 0 0 0 2025-05-03 12:52:25.101895 UTC Disabled
0x9000c0340000 2 2 0 kthreadd 0 0 0 0 2025-05-03 12:52:25.101895 UTC Disabled
0x9000c03428c0 3 3 2 pool_workqueue_ 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c0350000 4 4 2 kworker/R-rcu_g 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c03528c0 5 5 2 kworker/R-sync_ 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c0355180 6 6 2 kworker/R-slub_ 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c035a8c0 7 7 2 kworker/R-netns 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c03628c0 11 11 2 kworker/u4:0 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c0365180 12 12 2 kworker/R-mm_pe 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c036a8c0 13 13 2 rcu_tasks_kthre 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c036d180 14 14 2 rcu_tasks_rude_ 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c0368000 15 15 2 rcu_tasks_trace 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c0888000 16 16 2 ksoftirqd/0 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c088a8c0 17 17 2 rcu_preempt 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c088d180 18 18 2 rcu_exp_par_gp_ 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c089d180 19 19 2 rcu_exp_gp_kthr 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c0898000 20 20 2 migration/0 0 0 0 0 2025-05-03 12:52:25.203895 UTC Disabled
0x9000c089a8c0 21 21 2 idle_inject/0 0 0 0 0 2025-05-03 12:52:25.207895 UTC Disabled
0x9000c08a28c0 22 22 2 cpuhp/0 0 0 0 0 2025-05-03 12:52:25.207895 UTC Disabled
0x9000c08a5180 23 23 2 kdevtmpfs 0 0 0 0 2025-05-03 12:52:25.207895 UTC Disabled
0x9000c08a0000 24 24 2 kworker/R-inet_ 0 0 0 0 2025-05-03 12:52:25.208895 UTC Disabled
0x9000c08ba8c0 25 25 2 kworker/u4:1 0 0 0 0 2025-05-03 12:52:25.208895 UTC Disabled
0x9000c08bd180 26 26 2 kauditd 0 0 0 0 2025-05-03 12:52:25.210895 UTC Disabled
0x9000c08b8000 27 27 2 khungtaskd 0 0 0 0 2025-05-03 12:52:25.211895 UTC Disabled
0x9000c0af8000 28 28 2 oom_reaper 0 0 0 0 2025-05-03 12:52:25.235895 UTC Disabled
0x9000c0afa8c0 29 29 2 kworker/u4:2 0 0 0 0 2025-05-03 12:52:25.235895 UTC Disabled
0x9000c0afd180 30 30 2 kworker/R-write 0 0 0 0 2025-05-03 12:52:25.235895 UTC Disabled
0x9000c0b85180 31 31 2 kcompactd0 0 0 0 0 2025-05-03 12:52:25.237895 UTC Disabled
0x9000c0b80000 32 32 2 ksmd 0 0 0 0 2025-05-03 12:52:25.238895 UTC Disabled
0x9000c0b828c0 33 33 2 khugepaged 0 0 0 0 2025-05-03 12:52:25.239895 UTC Disabled
0x9000c0baa8c0 34 34 2 kworker/R-kinte 0 0 0 0 2025-05-03 12:52:25.240895 UTC Disabled
0x9000c0bad180 35 35 2 kworker/R-kbloc 0 0 0 0 2025-05-03 12:52:25.240895 UTC Disabled
0x9000c0ba8000 36 36 2 kworker/R-blkcg 0 0 0 0 2025-05-03 12:52:25.240895 UTC Disabled
0x9000c0bbd180 37 37 2 irq/9-acpi 0 0 0 0 2025-05-03 12:52:25.245895 UTC Disabled
0x9000c0bb8000 38 38 2 kworker/R-tpm_d 0 0 0 0 2025-05-03 12:52:25.289895 UTC Disabled
0x9000c0bba8c0 39 39 2 kworker/R-ata_s 0 0 0 0 2025-05-03 12:52:25.290895 UTC Disabled
0x9000c0fd28c0 40 40 2 kworker/R-md 0 0 0 0 2025-05-03 12:52:25.290895 UTC Disabled
0x9000c0fd5180 41 41 2 kworker/R-md_bi 0 0 0 0 2025-05-03 12:52:25.290895 UTC Disabled
0x9000c0fd0000 42 42 2 kworker/R-edac- 0 0 0 0 2025-05-03 12:52:25.290895 UTC Disabled
0x9000c0fda8c0 43 43 2 kworker/R-devfr 0 0 0 0 2025-05-03 12:52:25.290895 UTC Disabled
0x9000c0fdd180 44 44 2 watchdogd 0 0 0 0 2025-05-03 12:52:25.291895 UTC Disabled
0x9000c0fd8000 45 45 2 kworker/0:1H 0 0 0 0 2025-05-03 12:52:25.315082 UTC Disabled
0x9000c11fd180 46 46 2 kswapd0 0 0 0 0 2025-05-03 12:52:25.319546 UTC Disabled
0x9000c11f8000 47 47 2 ecryptfs-kthrea 0 0 0 0 2025-05-03 12:52:25.319846 UTC Disabled
0x9000c11fa8c0 48 48 2 kworker/R-kthro 0 0 0 0 2025-05-03 12:52:25.339338 UTC Disabled
0x9000c26b28c0 49 49 2 kworker/R-acpi_ 0 0 0 0 2025-05-03 12:52:25.340192 UTC Disabled
0x9000c26b5180 50 50 2 scsi_eh_0 0 0 0 0 2025-05-03 12:52:25.350925 UTC Disabled
0x9000c26b0000 51 51 2 kworker/R-scsi_ 0 0 0 0 2025-05-03 12:52:25.351084 UTC Disabled
0x9000c2ff8000 52 52 2 scsi_eh_1 0 0 0 0 2025-05-03 12:52:25.351629 UTC Disabled
0x9000c2ffa8c0 53 53 2 kworker/R-scsi_ 0 0 0 0 2025-05-03 12:52:25.352080 UTC Disabled
0x9000c2ffd180 54 54 2 kworker/u4:3 0 0 0 0 2025-05-03 12:52:25.352557 UTC Disabled
0x9000c30428c0 57 57 2 kworker/R-mld 0 0 0 0 2025-05-03 12:52:25.414824 UTC Disabled
0x9000c66ca8c0 58 58 2 kworker/R-ipv6_ 0 0 0 0 2025-05-03 12:52:25.414907 UTC Disabled
0x9000c66d0000 65 65 2 kworker/R-kstrp 0 0 0 0 2025-05-03 12:52:25.445125 UTC Disabled
0x9000c7295180 80 80 2 kworker/R-charg 0 0 0 0 2025-05-03 12:52:25.469412 UTC Disabled
0x9000c7290000 81 81 2 kworker/0:2 0 0 0 0 2025-05-03 12:52:25.523186 UTC Disabled
0x9000c72a5180 127 127 2 kworker/0:3 0 0 0 0 2025-05-03 12:52:25.738116 UTC Disabled
0x9000c77328c0 128 128 2 scsi_eh_2 0 0 0 0 2025-05-03 12:52:25.760749 UTC Disabled
0x9000c7735180 129 129 2 kworker/R-scsi_ 0 0 0 0 2025-05-03 12:52:25.765653 UTC Disabled
0x9000c764d180 180 180 2 jbd2/sda2-8 0 0 0 0 2025-05-03 12:52:27.596513 UTC Disabled
0x9000c7648000 181 181 2 kworker/R-ext4- 0 0 0 0 2025-05-03 12:52:27.596567 UTC Disabled
0x9000c729a8c0 229 229 1 systemd-journal 0 0 0 0 2025-05-03 12:52:27.968857 UTC Disabled
0x9000c7730000 301 301 1 systemd-udevd 0 0 0 0 2025-05-03 12:52:28.455917 UTC Disabled
0x9000c72a28c0 350 350 2 psimon 0 0 0 0 2025-05-03 12:52:28.626028 UTC Disabled
0x9000c1efd180 384 384 1 systemd-oomd 990 990 990 990 2025-05-03 12:52:28.691719 UTC Disabled
0x9000c3c4d180 390 390 1 systemd-resolve 991 991 991 991 2025-05-03 12:52:28.702488 UTC Disabled
0x9000c4fe0000 396 396 1 systemd-timesyn 996 996 996 996 2025-05-03 12:52:28.718637 UTC Disabled
0x9000c764a8c0 488 488 2 kworker/0:2H 0 0 0 0 2025-05-03 12:52:29.293050 UTC Disabled
0x9000c80aa8c0 543 543 1 avahi-daemon 108 111 108 111 2025-05-03 12:52:29.957456 UTC Disabled
0x9000c66c8000 544 544 1 dbus-daemon 101 101 101 101 2025-05-03 12:52:29.967221 UTC Disabled
0x9000c4fed180 547 547 1 gnome-remote-de 988 988 988 988 2025-05-03 12:52:30.015921 UTC Disabled
0x9000c3535180 551 551 1 polkitd 987 987 987 987 2025-05-03 12:52:30.098899 UTC Disabled
0x9000c906a8c0 556 556 1 power-profiles- 0 0 0 0 2025-05-03 12:52:30.138137 UTC Disabled
0x9000c4fe8000 561 561 1 snapd 0 0 0 0 2025-05-03 12:52:30.174157 UTC Disabled
0x9000c92da8c0 566 566 2 kworker/R-crypt 0 0 0 0 2025-05-03 12:52:30.202285 UTC Disabled
0x9000c92e0000 569 569 1 accounts-daemon 0 0 0 0 2025-05-03 12:52:30.213652 UTC Disabled
0x9000c92dd180 572 572 1 cron 0 0 0 0 2025-05-03 12:52:30.241492 UTC Disabled
0x9000c9070000 575 575 1 switcheroo-cont 0 0 0 0 2025-05-03 12:52:30.283406 UTC Disabled
0x9000c93b5180 592 592 1 systemd-logind 0 0 0 0 2025-05-03 12:52:30.392833 UTC Disabled
0x9000c93b0000 593 593 1 udisksd 0 0 0 0 2025-05-03 12:52:30.459048 UTC Disabled
0x9000c9358000 620 620 1 rsyslogd 102 102 102 102 2025-05-03 12:52:30.743474 UTC Disabled
0x9000c934d180 623 623 543 avahi-daemon 108 111 108 111 2025-05-03 12:52:30.795496 UTC Disabled
0x9000c3530000 637 637 2 irq/18-vmwgfx 0 0 0 0 2025-05-03 12:52:31.080179 UTC Disabled
0x9000c9068000 638 638 1 NetworkManager 0 0 0 0 2025-05-03 12:52:31.088767 UTC Disabled
0x9000c93b28c0 640 640 1 wpa_supplicant 0 110 0 110 2025-05-03 12:52:31.103608 UTC Disabled
0x9000c9350000 648 648 2 kworker/R-ttm 0 0 0 0 2025-05-03 12:52:31.139837 UTC Disabled
0x9000d9ae0000 692 692 1 ModemManager 0 0 0 0 2025-05-03 12:52:31.410970 UTC Disabled
0x8fffc1b6d180 1022 1022 1 cupsd 0 0 0 0 2025-05-03 12:52:33.644964 UTC Disabled
0x9000d9cf28c0 1027 1027 1 unattended-upgr 0 0 0 0 2025-05-03 12:52:33.682919 UTC Disabled
0x8fffc1b8d180 1038 1038 1022 dbus 7 7 7 7 2025-05-03 12:52:33.802248 UTC Disabled
0x9000c32f8000 1043 1043 1 cups-browsed 115 114 115 114 2025-05-03 12:52:33.930255 UTC Disabled
0x8fffc1b928c0 1046 1046 1 gdm3 0 0 0 0 2025-05-03 12:52:33.963286 UTC Disabled
0x9000c32fd180 1049 1049 1 kerneloops 106 4 106 4 2025-05-03 12:52:33.998758 UTC Disabled
0x8fffc1b828c0 1058 1058 1 kerneloops 106 4 106 4 2025-05-03 12:52:34.050851 UTC Disabled
0x9000d9cf8000 1075 1075 2 psimon 0 0 0 0 2025-05-03 12:52:34.197423 UTC Disabled
0x9000c4fea8c0 1129 1129 1 rtkit-daemon 117 119 117 119 2025-05-03 12:52:34.816978 UTC Disabled
0x8fffc4b30000 1237 1237 1 colord 118 120 118 120 2025-05-03 12:52:36.113455 UTC Disabled
0x8fffceeca8c0 1272 1272 1 upowerd 0 0 0 0 2025-05-03 12:52:36.939560 UTC Disabled
0x8fffd8ea28c0 1484 1484 2 kworker/u5:1 0 0 0 0 2025-05-03 12:52:38.002043 UTC Disabled
0x8fffd8ea5180 1579 1579 1046 gdm-session-wor 0 1000 0 1000 2025-05-03 12:52:40.492815 UTC Disabled
0x8fffceed5180 1592 1592 1 systemd 1000 1000 1000 1000 2025-05-03 12:52:41.636472 UTC Disabled
0x8fffceef28c0 1596 1596 1592 (sd-pam) 1000 1000 1000 1000 2025-05-03 12:52:41.664938 UTC Disabled
0x8fffc4b528c0 1605 1605 1592 pipewire 1000 1000 1000 1000 2025-05-03 12:52:41.952583 UTC Disabled
0x8fffceecd180 1607 1607 1592 pipewire 1000 1000 1000 1000 2025-05-03 12:52:41.972139 UTC Disabled
0x8fffd8d80000 1611 1611 1592 snapd-desktop-i 1000 1000 1000 1000 2025-05-03 12:52:41.988610 UTC Disabled
0x9000c3b08000 1619 1619 1592 ubuntu-report 1000 1000 1000 1000 2025-05-03 12:52:42.016125 UTC Disabled
0x8fffc4b50000 1620 1620 1592 wireplumber 1000 1000 1000 1000 2025-05-03 12:52:42.025993 UTC Disabled
0x8fffceefa8c0 1625 1625 1592 pipewire-pulse 1000 1000 1000 1000 2025-05-03 12:52:42.070341 UTC Disabled
0x9000d9daa8c0 1626 1626 1592 gnome-keyring-d 1000 1000 1000 1000 2025-05-03 12:52:42.084294 UTC Disabled
0x8fffc49628c0 1633 1633 1592 dbus-daemon 1000 1000 1000 1000 2025-05-03 12:52:42.163965 UTC Disabled
0x8fffe188a8c0 1676 1676 1579 gdm-wayland-ses 1000 1000 1000 1000 2025-05-03 12:52:42.453445 UTC Disabled
0x8fffe1880000 1685 1685 1676 gnome-session-b 1000 1000 1000 1000 2025-05-03 12:52:42.500953 UTC Disabled
0x8fffe1878000 1693 1693 1592 xdg-document-po 1000 1000 1000 1000 2025-05-03 12:52:42.525574 UTC Disabled
0x9000d9ad28c0 1750 1750 1592 gcr-ssh-agent 1000 1000 1000 1000 2025-05-03 12:52:42.792409 UTC Disabled
0x8fffe1a4a8c0 1751 1751 1592 gnome-session-c 1000 1000 1000 1000 2025-05-03 12:52:42.796718 UTC Disabled
0x8fffe1a50000 1755 1755 1592 xdg-permission- 1000 1000 1000 1000 2025-05-03 12:52:42.812756 UTC Disabled
0x8fffe1bed180 1771 1771 1592 gvfsd 1000 1000 1000 1000 2025-05-03 12:52:42.849605 UTC Disabled
0x8fffe1a4d180 1773 1773 1693 fusermount3 1000 1000 0 1000 2025-05-03 12:52:42.851302 UTC Disabled
0x8fffe6c0a8c0 1793 1793 1592 gvfsd-fuse 1000 1000 1000 1000 2025-05-03 12:52:42.921294 UTC Disabled
0x8fffe1a6a8c0 1796 1796 1592 gnome-session-b 1000 1000 1000 1000 2025-05-03 12:52:42.934054 UTC Disabled
0x8fffe6d7a8c0 1830 1830 1592 gnome-shell 1000 1000 1000 1000 2025-05-03 12:52:43.139769 UTC Disabled
0x8fffe6d78000 1831 1831 1796 at-spi-bus-laun 1000 1000 1000 1000 2025-05-03 12:52:43.143974 UTC Disabled
0x8fffe6d85180 1843 1843 1831 dbus-daemon 1000 1000 1000 1000 2025-05-03 12:52:43.214134 UTC Disabled
0x8fffe6c00000 1894 1894 1592 at-spi2-registr 1000 1000 1000 1000 2025-05-03 12:52:43.840577 UTC Disabled
0x8fffe6f60000 1910 1910 1611 snapd-desktop-i 1000 1000 1000 1000 2025-05-03 12:52:44.393762 UTC Disabled
0x8fffe6f728c0 1919 1919 1592 gnome-shell-cal 1000 1000 1000 1000 2025-05-03 12:52:44.465419 UTC Disabled
0x8fffe6f80000 1927 1927 1592 evolution-sourc 1000 1000 1000 1000 2025-05-03 12:52:44.582777 UTC Disabled
0x8fffeb3fd180 1932 1932 1592 dconf-service 1000 1000 1000 1000 2025-05-03 12:52:44.645574 UTC Disabled
0x8ffff741d180 1953 1953 1592 gjs 1000 1000 1000 1000 2025-05-03 12:52:44.807336 UTC Disabled
0x8ffff7425180 1955 1955 1592 ibus-daemon 1000 1000 1000 1000 2025-05-03 12:52:44.827969 UTC Disabled
0x8ffff75a28c0 1959 1959 1592 gsd-a11y-settin 1000 1000 1000 1000 2025-05-03 12:52:44.839247 UTC Disabled
0x8ffff75a5180 1960 1960 1592 gsd-color 1000 1000 1000 1000 2025-05-03 12:52:44.852672 UTC Disabled
0x8ffff75b28c0 1965 1965 1592 gsd-datetime 1000 1000 1000 1000 2025-05-03 12:52:44.882780 UTC Disabled
0x8ffff75c8000 1974 1974 1592 gsd-housekeepin 1000 1000 1000 1000 2025-05-03 12:52:44.893438 UTC Disabled
0x8ffff75d28c0 1978 1978 1592 gsd-keyboard 1000 1000 1000 1000 2025-05-03 12:52:44.901837 UTC Disabled
0x8ffff75ad180 1983 1983 1592 gsd-media-keys 1000 1000 1000 1000 2025-05-03 12:52:44.908762 UTC Disabled
0x8ffff75aa8c0 1984 1984 1592 gsd-power 1000 1000 1000 1000 2025-05-03 12:52:44.913737 UTC Disabled
0x8ffff75a8000 1985 1985 1592 gsd-print-notif 1000 1000 1000 1000 2025-05-03 12:52:44.922391 UTC Disabled
0x8ffff75b5180 1986 1986 1592 gsd-rfkill 1000 1000 1000 1000 2025-05-03 12:52:44.929884 UTC Disabled
0x8ffff77a0000 1988 1988 1592 gsd-screensaver 1000 1000 1000 1000 2025-05-03 12:52:44.942832 UTC Disabled
0x8ffff77a28c0 1989 1989 1592 gsd-sharing 1000 1000 1000 1000 2025-05-03 12:52:44.948785 UTC Disabled
0x8ffff77a8000 1992 1992 1592 gsd-smartcard 1000 1000 1000 1000 2025-05-03 12:52:44.954791 UTC Disabled
0x8ffff77aa8c0 1994 1994 1796 evolution-alarm 1000 1000 1000 1000 2025-05-03 12:52:44.962535 UTC Disabled
0x8ffff75b0000 1995 1995 1592 gsd-sound 1000 1000 1000 1000 2025-05-03 12:52:44.963691 UTC Disabled
0x8ffff77b0000 1998 1998 1592 gsd-wacom 1000 1000 1000 1000 2025-05-03 12:52:44.971343 UTC Disabled
0x8ffff77ca8c0 2004 2004 1592 goa-daemon 1000 1000 1000 1000 2025-05-03 12:52:44.988636 UTC Disabled
0x8ffff77bd180 2005 2005 1796 gsd-disk-utilit 1000 1000 1000 1000 2025-05-03 12:52:44.995600 UTC Disabled
0x8ffffd1ca8c0 2115 2115 1592 gvfs-udisks2-vo 1000 1000 1000 1000 2025-05-03 12:52:45.421745 UTC Disabled
0x8ffffd26d180 2129 2129 1592 evolution-calen 1000 1000 1000 1000 2025-05-03 12:52:45.451944 UTC Disabled
0x8ffffd395180 2147 2147 1592 gsd-printer 1000 1000 1000 1000 2025-05-03 12:52:45.507199 UTC Disabled
0x8ffffb618000 2179 2179 1955 ibus-dconf 1000 1000 1000 1000 2025-05-03 12:52:45.607020 UTC Disabled
0x8ffff779d180 2182 2182 1955 ibus-extension- 1000 1000 1000 1000 2025-05-03 12:52:45.612145 UTC Disabled
0x8ffff7405180 2184 2184 1592 goa-identity-se 1000 1000 1000 1000 2025-05-03 12:52:45.618453 UTC Disabled
0x8ffffd3bd180 2186 2186 1592 ibus-portal 1000 1000 1000 1000 2025-05-03 12:52:45.628228 UTC Disabled
0x8fffffe55180 2201 2201 1592 evolution-addre 1000 1000 1000 1000 2025-05-03 12:52:45.687524 UTC Disabled
0x8ffff741a8c0 2224 2224 1592 gvfs-mtp-volume 1000 1000 1000 1000 2025-05-03 12:52:45.763380 UTC Disabled
0x8fffffea28c0 2234 2234 1592 gvfs-afc-volume 1000 1000 1000 1000 2025-05-03 12:52:45.817737 UTC Disabled
0x8fffffe8d180 2243 2243 1592 gvfs-goa-volume 1000 1000 1000 1000 2025-05-03 12:52:45.863891 UTC Disabled
0x8ffffffb0000 2248 2248 1592 gvfs-gphoto2-vo 1000 1000 1000 1000 2025-05-03 12:52:45.894526 UTC Disabled
0x8ffffffc28c0 2265 2265 1955 ibus-engine-sim 1000 1000 1000 1000 2025-05-03 12:52:46.070636 UTC Disabled
0x8fffffe88000 2294 2294 1771 gvfsd-trash 1000 1000 1000 1000 2025-05-03 12:52:46.418487 UTC Disabled
0x8ffffffdd180 2327 2327 1830 gjs 1000 1000 1000 1000 2025-05-03 12:52:46.998397 UTC Disabled
0x8fffc229d180 2357 2357 2 kworker/u5:2 0 0 0 0 2025-05-03 12:52:47.149840 UTC Disabled
0x8fffceed0000 2370 2370 1592 tracker-miner-f 1000 1000 1000 1000 2025-05-03 12:52:47.271287 UTC Disabled
0x9000c66d28c0 2402 2402 1592 gjs 1000 1000 1000 1000 2025-05-03 12:52:47.734289 UTC Disabled
0x8ffff75c0000 2410 2410 1592 xdg-desktop-por 1000 1000 1000 1000 2025-05-03 12:52:47.919771 UTC Disabled
0x8fffc4945180 2417 2417 1592 xdg-desktop-por 1000 1000 1000 1000 2025-05-03 12:52:48.008772 UTC Disabled
0x8fffc22ca8c0 2423 2423 1592 gvfsd-metadata 1000 1000 1000 1000 2025-05-03 12:52:48.185419 UTC Disabled
0x9000021e28c0 2435 2435 1592 xdg-desktop-por 1000 1000 1000 1000 2025-05-03 12:52:48.424434 UTC Disabled
0x8fffd8ec5180 2545 2545 1592 gnome-terminal- 1000 1000 1000 1000 2025-05-03 12:52:53.679692 UTC Disabled
0x8fffd78e8000 2552 2552 2545 bash 1000 1000 1000 1000 2025-05-03 12:52:54.034839 UTC Disabled
0x8fffc493d180 2593 2593 2552 sudo 1000 0 0 0 2025-05-03 12:53:01.978586 UTC Disabled
0x8fffd78ed180 2601 2601 2593 sudo 1000 0 0 0 2025-05-03 12:53:03.066979 UTC Disabled
0x8fffd78ea8c0 2602 2602 2601 su 0 0 0 0 2025-05-03 12:53:03.067462 UTC Disabled
0x8fffd51d0000 2605 2605 2602 bash 0 0 0 0 2025-05-03 12:53:03.108966 UTC Disabled
0x8fffd7ae28c0 2642 2642 2605 wireshark 0 0 0 0 2025-05-03 12:53:41.118799 UTC Disabled
0x8fffd7ae5180 2643 2643 1830 Xwayland 1000 1000 1000 1000 2025-05-03 12:53:41.358195 UTC Disabled
0x8fffd8da28c0 2646 2646 1592 gsd-xsettings 1000 1000 1000 1000 2025-05-03 12:53:41.422607 UTC Disabled
0x8fffc1b70000 2671 2671 1592 ibus-x11 1000 1000 1000 1000 2025-05-03 12:53:41.557308 UTC Disabled
0x8fffe6d7d180 2678 2678 1830 mutter-x11-fram 1000 1000 1000 1000 2025-05-03 12:53:41.647040 UTC Disabled
0x8ffff75d5180 2688 2688 2 kworker/R-cfg80 0 0 0 0 2025-05-03 12:53:41.997571 UTC Disabled
0x8fffd8ec0000 2721 2721 2 kworker/R-ib-co 0 0 0 0 2025-05-03 12:53:42.920660 UTC Disabled
0x8fffd8d628c0 2722 2722 2 kworker/R-ib-co 0 0 0 0 2025-05-03 12:53:42.920713 UTC Disabled
0x8fffe188d180 2723 2723 2 kworker/R-ib_mc 0 0 0 0 2025-05-03 12:53:42.920833 UTC Disabled
0x8ffffffd8000 2724 2724 2 kworker/R-ib_nl 0 0 0 0 2025-05-03 12:53:42.920851 UTC Disabled
0x8ffffd1a0000 2757 2757 1796 update-notifier 1000 1000 1000 1000 2025-05-03 12:53:44.953714 UTC Disabled
0x8ffffd1d0000 2790 2790 2642 dumpcap 0 0 0 0 2025-05-03 12:53:46.827522 UTC Disabled
0x9000021dd180 2795 2795 1830 firefox 1000 1000 1000 1000 2025-05-03 12:53:49.383271 UTC Disabled
0x8ffff74028c0 2927 2927 2795 Socket Process 1000 1000 1000 1000 2025-05-03 12:53:51.597236 UTC Disabled
0x8ffff77a5180 2942 2942 2795 WebExtensions 1000 1000 1000 1000 2025-05-03 12:53:51.809277 UTC Disabled
0x9000d9ad5180 2952 2952 2795 RDD Process 1000 1000 1000 1000 2025-05-03 12:53:51.841697 UTC Disabled
0x8fffd8eb5180 2994 2994 2795 Privileged Cont 1000 1000 1000 1000 2025-05-03 12:53:52.153558 UTC Disabled
0x90001be4d180 3027 3027 1592 snap 1000 1000 1000 1000 2025-05-03 12:53:52.792073 UTC Disabled
0x90001bed8000 3482 3482 2795 Utility Process 1000 1000 1000 1000 2025-05-03 12:53:54.637334 UTC Disabled
0x8fffe6f7a8c0 3488 3488 2795 Isolated Web Co 1000 1000 1000 1000 2025-05-03 12:53:54.756594 UTC Disabled
0x90005029d180 3506 3506 2795 Web Content 1000 1000 1000 1000 2025-05-03 12:53:55.172873 UTC Disabled
0x90001be128c0 3532 3532 2795 Web Content 1000 1000 1000 1000 2025-05-03 12:53:55.952100 UTC Disabled
0x90001be10000 3625 3625 2795 Web Content 1000 1000 1000 1000 2025-05-03 12:57:55.836797 UTC Disabled
0x900047540000 3701 3701 1771 gvfsd-network 1000 1000 1000 1000 2025-05-03 12:58:56.489864 UTC Disabled
0x8fffc1f3a8c0 3718 3718 1771 gvfsd-dnssd 1000 1000 1000 1000 2025-05-03 12:58:57.470637 UTC Disabled
0x8fffffe728c0 3783 3783 2 kworker/0:0 0 0 0 0 2025-05-03 12:59:26.532115 UTC Disabled
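Reading two hundred rows by eye is error-prone, so here is an added example (my code, not the writeup's) that parses the PsList text above and flags credential anomalies: real/effective UID mismatches, root processes whose ancestry passes through an unprivileged user, and children of kthreadd that are not running as root. The embedded rows are copied from the listing above; the parser assumes the collapsed-whitespace format shown on this page, where the last eight columns are fixed and COMM may contain spaces.

```python
"""Triage a Volatility 3 linux.pslist.PsList text listing for credential anomalies."""
from dataclasses import dataclass

# Constructed sample: a handful of rows copied from the PsList output above.
# Whitespace is collapsed to single spaces, exactly as it appears on the page.
SAMPLE_PSLIST = """\
OFFSET (V) PID TID PPID COMM UID GID EUID EGID CREATION TIME File output
0x9000c0345180 1 1 0 systemd 0 0 0 0 2025-05-03 12:52:25.101895 UTC Disabled
0x9000c0340000 2 2 0 kthreadd 0 0 0 0 2025-05-03 12:52:25.101895 UTC Disabled
0x8fffd8ea5180 1579 1579 1046 gdm-session-wor 0 1000 0 1000 2025-05-03 12:52:40.492815 UTC Disabled
0x8fffceed5180 1592 1592 1 systemd 1000 1000 1000 1000 2025-05-03 12:52:41.636472 UTC Disabled
0x8fffe1a4d180 1773 1773 1693 fusermount3 1000 1000 0 1000 2025-05-03 12:52:42.851302 UTC Disabled
0x8fffd8ec5180 2545 2545 1592 gnome-terminal- 1000 1000 1000 1000 2025-05-03 12:52:53.679692 UTC Disabled
0x8fffd78e8000 2552 2552 2545 bash 1000 1000 1000 1000 2025-05-03 12:52:54.034839 UTC Disabled
0x8fffc493d180 2593 2593 2552 sudo 1000 0 0 0 2025-05-03 12:53:01.978586 UTC Disabled
0x8fffd78ed180 2601 2601 2593 sudo 1000 0 0 0 2025-05-03 12:53:03.066979 UTC Disabled
0x8fffd78ea8c0 2602 2602 2601 su 0 0 0 0 2025-05-03 12:53:03.067462 UTC Disabled
0x8fffd51d0000 2605 2605 2602 bash 0 0 0 0 2025-05-03 12:53:03.108966 UTC Disabled
0x8fffd7ae28c0 2642 2642 2605 wireshark 0 0 0 0 2025-05-03 12:53:41.118799 UTC Disabled
0x8ffffd1d0000 2790 2790 2642 dumpcap 0 0 0 0 2025-05-03 12:53:46.827522 UTC Disabled
0x9000021dd180 2795 2795 1830 firefox 1000 1000 1000 1000 2025-05-03 12:53:49.383271 UTC Disabled
0x8ffff74028c0 2927 2927 2795 Socket Process 1000 1000 1000 1000 2025-05-03 12:53:51.597236 UTC Disabled
"""


@dataclass
class Proc:
    offset: str
    pid: int
    tid: int
    ppid: int
    comm: str
    uid: int
    gid: int
    euid: int
    egid: int
    created: str


def parse_pslist(text: str) -> dict:
    """Parse PsList rows into a pid -> Proc map.

    The last eight tokens of a row are fixed (UID GID EUID EGID date time 'UTC' and
    the 'File output' column), so COMM is everything between PPID and them; that
    keeps multi-word names such as 'Socket Process' intact.
    """
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 13 or not tok[0].startswith("0x"):
            continue  # header, blank or truncated line
        uid, gid, euid, egid = (int(t) for t in tok[-8:-4])
        procs[int(tok[1])] = Proc(
            offset=tok[0], pid=int(tok[1]), tid=int(tok[2]), ppid=int(tok[3]),
            comm=" ".join(tok[4:-8]), uid=uid, gid=gid, euid=euid, egid=egid,
            created=f"{tok[-4]} {tok[-3]}",
        )
    return procs


def lineage(procs: dict, pid: int) -> list:
    """Walk PPID links from pid upwards, stopping at unknown pids or loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def triage(procs: dict) -> list:
    """Return sorted (pid, reason) pairs worth a second look."""
    findings = []
    for p in procs.values():
        # Real and effective uid differ: setuid binary, sudo, or hand-patched creds.
        if p.euid != p.uid:
            findings.append((p.pid, f"{p.comm}: uid {p.uid} but euid {p.euid}"))
        # Root process whose ancestry passes through an unprivileged user: a
        # privilege transition (sudo/su) or something spawned from a user session.
        if p.euid == 0 and any(a.uid != 0 for a in lineage(procs, p.ppid)):
            findings.append((p.pid, f"{p.comm}: root process under an unprivileged session"))
        # Kernel threads are children of kthreadd (pid 2) and always run as root;
        # anything else parented to pid 2 is not a kernel thread.
        if p.ppid == 2 and (p.uid != 0 or p.euid != 0):
            findings.append((p.pid, f"{p.comm}: child of kthreadd with non-root credentials"))
    return sorted(findings)


if __name__ == "__main__":
    table = parse_pslist(SAMPLE_PSLIST)
    for pid, reason in triage(table):
        chain = " <- ".join(f"{a.comm}({a.pid})" for a in lineage(table, pid))
        print(f"[{pid}] {reason}\n      {chain}")
```

On this image it surfaces fusermount3 running setuid-root and the sudo, sudo, su, bash chain under the user's terminal, with wireshark and dumpcap as root at the end of it. That is what you expect from an analyst capturing traffic, but it is exactly the kind of transition you want listed automatically rather than spotted by scrolling.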
Nothing really shocking here, so we keep investigating. To do this automatically and spend the time on other challenges, I wrote a small script that runs all the Volatility3 commands and exports the results to files:
#!/usr/bin/env bash
# --- Parameters, adjust as needed --------------------------------------------
VOL_BIN="vol3"
IMAGE="toortik_triflexation.elf"
REMOTE_ISF="https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json"
OUTDIR="Toortik"
# --- Plugins to run -----------------------------------------------------------
# Some of these (InodePages, ModuleExtract, VmaRegExScan, VmaYaraScan) need extra
# arguments and will only leave their usage error in the output file.
PLUGINS=(
    linux.check_syscall.Check_syscall
    linux.ebpf.EBPF
    linux.elfs.Elfs
    linux.envars.Envars
    linux.graphics.fbdev.Fbdev
    linux.hidden_modules.Hidden_modules
    linux.iomem.IOMem
    linux.ip.Addr
    linux.ip.Link
    linux.kallsyms.Kallsyms
    linux.keyboard_notifiers.Keyboard_notifiers
    linux.kmsg.Kmsg
    linux.kthreads.Kthreads
    linux.library_list.LibraryList
    linux.lsmod.Lsmod
    linux.lsof.Lsof
    linux.malfind.Malfind
    linux.module_extract.ModuleExtract
    linux.modxview.Modxview
    linux.mountinfo.MountInfo
    linux.netfilter.Netfilter
    linux.pagecache.Files
    linux.pagecache.InodePages
    linux.pagecache.RecoverFs
    linux.pidhashtable.PIDHashTable
    linux.proc.Maps
    linux.psaux.PsAux
    linux.pscallstack.PsCallStack
    linux.pslist.PsList
    linux.psscan.PsScan
    linux.pstree.PsTree
    linux.ptrace.Ptrace
    linux.sockstat.Sockstat
    linux.tracing.ftrace.CheckFtrace
    linux.tracing.perf_events.PerfEvents
    linux.tracing.tracepoints.CheckTracepoints
    linux.tty_check.tty_check
    linux.vmaregexscan.VmaRegExScan
    linux.vmayarascan.VmaYaraScan
    linux.vmcoreinfo.VMCoreInfo
)
# -----------------------------------------------------------------------------
set -u
mkdir -p "$OUTDIR"
for plugin in "${PLUGINS[@]}"; do
    printf '\n[%s] Running plugin %-40s ...\n' "$(date '+%H:%M:%S')" "$plugin"
    # Redirect both STDOUT and STDERR so the whole trace ends up in the file
    "$VOL_BIN" --remote-isf-url "$REMOTE_ISF" -f "$IMAGE" "$plugin" \
        > "$OUTDIR/${plugin}.txt" \
        2>&1 \
        || echo "  -> $plugin exited with status $? (see $OUTDIR/${plugin}.txt)"
done
echo -e "\nAll plugins done! The reports are in \"${OUTDIR}/\""
Now we just have to go through these outputs to find our first lead.
One of the most useful plugins for us here is linux.hidden_modules.Hidden_modules, which lists kernel modules that have unlinked themselves from the module list but are still present in memory. We are in luck: there is only one result:
So we have the kernel module's name: chall.
Now we need to find the rest. Let's try the simple approach first (which often pays off in CTFs, and in incident response in general) and check the usual user directories. For that we use the linux.pagecache.Files plugin:
No interesting result for "chall"...
So we turn our search toward firefox (and its directory), since hiding behind the name of a well-known, normally harmless program is entirely plausible:
In the linux.pagecache.Files output we find these results:
So we have the directory holding the executed binary, and the binary itself: /snap/firefox/.config/config-firefox
To go further, we dump (recover) these files from the memory image, one inode at a time:
vol3 --remote-isf-url https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json -f toortik_triflexation.elf linux.pagecache.InodePages --inode 0x8fffe22a9cb8 --dump
Examining these files, several things stand out:
.parameters:
config-firefox: a binary, the kernel module that gets executed
.bash_history: <empty>
logs
So what we are looking at is a kind of keylogger, recognizable from the _MAJ_ markers, which stand for the Shift key ("Maj" on a French keyboard): on an AZERTY layout the digit 6 requires Shift plus the 6 key (Shift + 6 → 6).
That gives us our three pieces of information:
Binary path: /snap/firefox/.config/config-firefox
Kernel module name: chall
Spyware type: keylogger
We are still missing the interval between executions, so let's go looking for it:
To do that, we check whether a cron job is defined to launch the binary at fixed intervals. I did not find a Volatility plugin for this, so I fell back on the strings of the dump. I searched for the binary's path and, bingo, a very interesting result turns up:
So the binary is run every 10 minutes according to the defined cron job. We now have everything we need to validate the challenge.
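The cron hunt above (and the strings / grep -a pass on the raw dump that this writeup also uses) can be scripted so that it only reports lines that are actually cron-shaped, and so that the schedule is turned into a period rather than read by eye. The following is an added example, not code from the writeup: it reimplements the strings extraction, filters for cron syntax around the binary path, and computes the interval. The memory buffer is constructed, and the */10 schedule in it is an assumption chosen to match the "every 10 minutes" conclusion; the actual cron line found by the author is not reproduced on the page.

```python
"""Find cron entries referencing a suspect binary in a raw memory image and turn
the schedule into an execution period (the manual strings + grep step, automated)."""
import re
from typing import List, Optional, Tuple

BINARY = "/snap/firefox/.config/config-firefox"

# Constructed stand-in for the memory image: cron-style text buried in binary noise.
# The */10 line is an assumption matching the writeup's "every 10 minutes" finding.
FAKE_DUMP = (
    b"\x00\x7fELF\x02\x01\x01" * 4
    + b"# m h dom mon dow user  command\n"
    + b"*/10 * * * * root " + BINARY.encode() + b" >/dev/null 2>&1\n"
    + b"\x00\xff\x90" * 8
    + b"17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
    + b"cd " + BINARY.encode() + b"/..\n"   # names the path but is not a cron line
)

# One cron field: '*' or a number, optional '/step', optional ',' or '-' continuations.
CRON_FIELD = r"(?:\*|\d+)(?:/\d+)?(?:[,\-](?:\*|\d+)(?:/\d+)?)*"
# Five schedule fields, then (for /etc/crontab and /etc/cron.d) an optional user
# column, then the command. The user column is a heuristic: a bare word before it.
CRON_LINE = re.compile(
    r"^\s*((?:%s\s+){5})(?:([a-z_][a-z0-9_-]*)\s+)?(.*\S)\s*$" % CRON_FIELD
)


def extract_strings(data: bytes, min_len: int = 4):
    """Yield printable-ASCII runs of at least min_len bytes, like `strings -a`."""
    for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def find_cron_entries(data: bytes, binary: str) -> List[Tuple[List[str], Optional[str], str]]:
    """Return (schedule_fields, user, command) for every cron-shaped string naming binary."""
    hits = []
    for s in extract_strings(data):
        if binary not in s:
            continue
        m = CRON_LINE.match(s)
        if m and binary in m.group(3):
            hits.append((m.group(1).split(), m.group(2), m.group(3)))
    return hits


def period_minutes(fields: List[str]) -> Optional[int]:
    """Interval in minutes for a simple periodic schedule, else None.

    Handles '*' and '*/N' in the minute and hour columns plus fixed minute/hour
    values; lists, ranges and any day/month/weekday restriction are not a fixed
    interval and yield None.
    """
    minute, hour, dom, month, dow = fields
    if (dom, month, dow) != ("*", "*", "*"):
        return None

    def step(field: str) -> Optional[int]:
        if field == "*":
            return 1
        if field.startswith("*/") and field[2:].isdigit():
            return int(field[2:])
        return None

    m_step = step(minute)
    if m_step is not None:
        return m_step if hour == "*" else None   # '*/10 8-18' is windowed, not periodic
    if not minute.isdigit():
        return None                              # e.g. '5,35'
    h_step = step(hour)
    if h_step is not None:
        return 60 * h_step                       # '17 *' -> hourly, '0 */6' -> every 6 h
    return 24 * 60 if hour.isdigit() else None   # '30 2' -> daily


if __name__ == "__main__":
    for fields, user, cmd in find_cron_entries(FAKE_DUMP, BINARY):
        period = period_minutes(fields)
        print(f"{' '.join(fields)}  user={user or '(crontab owner)'}  cmd={cmd}")
        print(f"  -> runs every {period} minutes" if period else "  -> not a fixed interval")
```

Run it against the real image with open("toortik_triflexation.elf", "rb").read() in place of FAKE_DUMP; a plain grep for the path also returns the binary's own strings, .bash_history fragments and page-cache copies of its directory listing, which the cron-syntax filter discards.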
For this challenge we need to analyze the memory capture with Volatility3. Not knowing which kernel the machine to analyze runs, I use a handy tool (which I have ) or simply a Volatility 3 command:
Let's try strings and a grep -a chall toortik_triflexation.elf on the memory dump.
With that, we get more interesting results:
There is also an interesting command to take into account: