DownUnderCTF 2020: fix my pc
Sept. 22, 2020 in CTF, CTF writeups
fix my pc
500 points
My boss's computer died recently. We managed to dump some of the drive, but can't figure out a way to unlock it.
Download (233MB) https://cloudstor.aarnet.edu.au/plus/s/lIZ7mV36US93DhA
Solution
We start with rescue.zip, which contains two files: system.bin and crash.bin. The first one is a disk image; the second one looks like a memory dump.
I started by mounting the disk image through the network block device driver:
modprobe nbd max_part=8
qemu-nbd --connect=/dev/nbd0 /tmp/system.bin
But I was stopped by disk encryption: the partitions are LUKS volumes.
OK, let's try to retrieve the key from the memory dump to decrypt those partitions (/dev/nbd0p1 was the boot partition, with nothing interesting on it).
I downloaded the findaes tool from https://sourceforge.net/projects/findaes/ and used it to search the memory dump for AES key schedules.
Looks like I’ve been lucky today ;-)
findaes reported the key in two parts. A 64-byte key is what a LUKS volume with the default aes-xts-plain64 cipher uses: two AES-256 keys, one for the data and one for the XTS tweak. So I concatenated the two parts and saved the result as a binary master key.
echo 094e2adf58cfb17d85f0f6933f7b44efa00a3cda7bbe01873e09ff4ee7a60539ff98d76761147024ebb0c8d4e1141814214d2a83d7936609377755e5180a3c57 | xxd -r -p > /tmp/key
Then I used it. Given the master key, cryptsetup can add a new passphrase keyslot without knowing any existing passphrase (note that luksAddKey writes the new slot into the LUKS header of the image, so do this on a copy), after which the volume opens normally:
cryptsetup luksAddKey /dev/nbd0p2 --master-key-file /tmp/key
cryptsetup luksOpen /dev/nbd0p2 rescue
lsblk
mount /dev/mapper/rescue /mnt
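The findaes step above works because an AES key in use sits in memory next to its expanded key schedule, which is a deterministic function of the key: expand every window of the dump as if it were a key and see whether the following bytes match. The script below is an added example, not findaes' code and not the author's: it implements that scan in pure Python, runs it over a constructed stand-in for crash.bin (random filler with the two AES-256 key schedules of the recovered XTS pair embedded, using the key from the writeup only to build the sample), and concatenates the hits into the 512-bit master key the same way as the `xxd -r -p` step. The order in which the two schedules appear in memory is not guaranteed by the kernel; the example assumes key order, which is what the writeup's successful concatenation suggests.

```python
"""Scan a memory dump for expanded AES key schedules (the findaes trick)
and assemble an aes-xts-plain64 master key from the AES-256 keys found.
Added example; the sample dump is constructed, not a real crash.bin."""
import random


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = _xtime(a)
        b >>= 1
    return p


def _build_sbox() -> list:
    """Compute the AES S-box (GF(2^8) inverse followed by the affine map)
    rather than typing in the 256-entry table."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = r = inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes, nwords: int = None) -> bytes:
    """FIPS-197 key expansion for AES-128/192/256, optionally stopping
    after nwords 32-bit words (used as a cheap pre-filter by the scanner)."""
    nk = len(key) // 4
    assert nk in (4, 6, 8), "key must be 16, 24 or 32 bytes"
    total = nwords or 4 * (nk + 7)          # 44, 52 or 60 words in full
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, total):
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord for AES-256
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return bytes(b for w in words for b in w)


def find_aes_keys(dump: bytes, key_sizes=(16, 24, 32)) -> list:
    """Return (offset, key) for every window that is immediately followed
    by its own key schedule, the signature findaes looks for."""
    hits = []
    for off in range(len(dump)):
        for ks in key_sizes:
            cand = dump[off:off + ks]
            if len(cand) < ks:
                continue
            nk = ks // 4
            # Check only the first derived word before paying for a full expansion.
            if expand_key(cand, nk + 1)[-4:] != dump[off + ks:off + ks + 4]:
                continue
            sched = expand_key(cand)
            if dump[off:off + len(sched)] == sched:
                hits.append((off, cand))
    return hits


# The master key the writeup recovered; used here only to build the sample dump.
MASTER_KEY_HEX = (
    "094e2adf58cfb17d85f0f6933f7b44efa00a3cda7bbe01873e09ff4ee7a60539"
    "ff98d76761147024ebb0c8d4e1141814214d2a83d7936609377755e5180a3c57"
)


def make_sample_dump(master_key: bytes, seed: int = 7) -> bytes:
    """Constructed stand-in for crash.bin: random filler with the expanded
    schedules of both AES-256 halves of an XTS key embedded, data key first
    (assumption; real memory gives no ordering guarantee)."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    k1, k2 = master_key[:32], master_key[32:]
    return filler(1500) + expand_key(k1) + filler(900) + expand_key(k2) + filler(700)


def recover_xts_master_key(dump: bytes) -> str:
    """Concatenate the AES-256 keys found, in memory order, into the
    64-byte master key cryptsetup's --master-key-file expects."""
    keys = [k for _, k in find_aes_keys(dump, key_sizes=(32,))]
    if len(keys) != 2:
        raise ValueError(f"expected two AES-256 keys, found {len(keys)}")
    return (keys[0] + keys[1]).hex()


if __name__ == "__main__":
    dump = make_sample_dump(bytes.fromhex(MASTER_KEY_HEX))
    for off, key in find_aes_keys(dump):
        print(f"AES-{len(key) * 8} key at offset {off:#x}: {key.hex()}")
    print("master key:", recover_xts_master_key(dump))
```

Pointing `make_sample_dump` at a real dump is just `find_aes_keys(open("crash.bin", "rb").read())`; the pure-Python expansion is slow on hundreds of megabytes, which is why findaes is written in C, but the matching logic is the same. If the scan finds two AES-256 keys and `luksOpen` still fails, try the other concatenation order before assuming the keys are wrong.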
On the mounted partition there were many files with corrupted names, but their content was intact and pointed me to the key file for the second encrypted partition (/dev/nbd0p3):
cryptsetup luksOpen /dev/nbd0p3 crypthome --key-file /mnt/etc/crypttab.d/home.key
After mounting it under /mnt2, the interesting parts were bob's SSH keys and his .ash_history.
So I used bob's key to clone the repo and have a look.
export GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -i /mnt2/bob/.ssh/id_rsa"
git clone [email protected]:cornochips/configs
cd configs
The current content of the files gave nothing, so I went through the history instead: diffing the working tree against every commit reachable from any ref shows anything that was committed and later removed, and that is where the flag turned up.
for i in $(git log --all --oneline | awk '{print $1}'); do git diff "$i"; done
DUCTF{aT_l3ast_I_had_A_B3ck8p_y4n63xOVX4A}