Hack.lu CTF 2015 - Forensics 150: Dr. Bob Writeup
Over the past couple of days, I've been having a go at the Hack.lu CTF. There were some really nice challenges - some of which were out of my league - but I was really pleased that I was able to solve the Forensics challenge. Here is my writeup for Dr. Bob.
For this challenge, we're given a VirtualBox VM. I add this to my VirtualBox installation by using the 'Machine -> Add' menu item.
The VM has a saved state, so the first thing I do is start the VM with the '--dbg' option, open up the debug console in VirtualBox and dump the VMs memory to file.
|*|-language-bash-|*|
VirtualBox --dbg --startvm "Safe"
.pgmphystofile Safe.memory.raw
Next, I need to extract the actual disk image.
I stop the VM and proceed to convert the VMs .vdi disk file to a raw disk image.
VBoxManage clonehd Safe.vdi Safe.disk.raw --format RAW
Inspecting the partition table of this image reveals it contains a single LVM volume.
|*|-language-bash-|*|
fdisk -l Safe.disk.raw
Disk Safe.disk.raw: 2.8 GiB, 3003121664 bytes, 5865472 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Time to mount the LVM volume locally.
|*|-language-bash-|*|
losetup /dev/loop0 Safe.disk.raw
kpartx -a /dev/loop0
vgscan
vgchange -ay vg
ls -lah /dev/vg
total 0
drwxr-xr-x 2 root root 80 Oct 21 10:38 .
drwxr-xr-x 19 root root 4.2K Oct 21 11:04 ..
lrwxrwxrwx 1 root root 7 Oct 21 11:04 home -> ../dm-2
lrwxrwxrwx 1 root root 7 Oct 21 10:38 root -> ../dm-1
Then, we dump the home partition and inspect it.
|*|-language-bash-|*|
dd if=/dev/vg/home of=Safe.home.raw bs=2048
file Safe.home.raw
Safe.home.raw: LUKS encrypted file, ver 1 [aes, ecb, sha1] UUID: a58d9b78-68d7-42c7-bade-a0e609d569d9
So, we've got a LUKS encrypted partition. Using the tool aeskeyfind, I retrieve the master key from our memory dump we retrieved previously.
|*|-language-bash-|*|
./aeskeyfind -v ../Safe.memory.raw
FOUND POSSIBLE 128-BIT KEY AT BYTE 1c5f6c30
KEY: 1fab015c1e3df9eac8728f65d3d16646
EXTENDED KEY:
1fab015c1e3df9eac8728f65d3d16646
20985b3a3ea5a2d0f6d72db525064bf3
4d2b5605738ef4d58559d960a05f9293
86648ae5f5ea7e3070b3a750d0ec35c3
40f2a495b518daa5c5ab7df515474836
f0a0a1cc45b87b698013069c95544eaa
f08f0de6b537768f35247013a0703eb9
e13d5b06540a2d89612e5d9ac15e6323
39c67d7e6dcc50f70ce20d6dcdbc6e4e
475952c32a95023426770f59ebcb6117
6eb6a22a4423a01e6254af47899fce50
CONSTRAINTS ON ROWS:
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
Keyfind progress: 100%
Now we can create our master key file, and mount the encrypted volume.
|*|-language-bash-|*|
echo "1fab015c1e3df9eac8728f65d3d16646" | xxd -r -p > Safe.key
cryptsetup luksOpen --master-key-file Safe.key /dev/mapper/vg-home safe-home
mkdir /mnt/safe-home
mount /dev/mapper/safe-home /mnt/safe-home
Time to find our flag. After performing a directory listing in '/home/bob', we find a file named 'flag.txt'. I cat it, but am taunted.
|*|-language-bash-|*|
cd /mnt/safe-home
ls -alh
total 28K
drwxr-xr-x 4 root root 4.0K Sep 21 12:51 .
drwxr-xr-x 4 root root 4.0K Oct 21 10:57 ..
drwxr-xr-x 2 test test 4.0K Sep 21 13:10 bob
drwx------ 2 root root 16K Sep 21 12:33 lost+found
cd bob
ls -alh
total 24K
drwxr-xr-x 2 test test 4.0K Sep 21 13:10 .
drwxr-xr-x 4 root root 4.0K Sep 21 12:51 ..
-rw-r--r-- 1 test test 220 Sep 21 12:51 .bash_logout
-rw-r--r-- 1 test test 3.4K Sep 21 12:51 .bashrc
-r-------- 1 test test 43 Sep 21 13:38 flag.txt
-rw-r--r-- 1 test test 675 Sep 21 12:51 .profile
cat flag.txt
You are very close :)
I note that this string does not match up with the reported size of the file, so I break out hexdump.
|*|-language-bash-|*|
hexdump -v -e '"%010_ad |" 16/1 "%_p" "|\n"' flag.txt
0000000000 |flag{v0t3_f0r_p3|
0000000016 |dr0}.You are ver|
0000000032 |y close :).|
There's our flag! Looks like the '\r' control character must of been used to move the cursor back to the beginning of the line, and then the flag was overwritten with the taunting string.
flag{v0t3_f0r_p3dr0}
Reference: Recover LUKS Password from Android Phone