[Forensics] BsidesSF 2019 - goodluks2

goodluks2
100

Description:
Our first insider threat has led to a second insider. We haven’t found any clues to the passphrase here, but given the
vocabulary of the suspect, I don’t think you’ll have a hard time.

https://storage.googleapis.com/bsides-sf-ctf-2019-large-artifacts/goodluks2.7z

We have a disk image, and from the challenge name and the description we can already guess that it is LUKS-encrypted. `file` confirms it is a raw disk with an MBR partition table and a single Linux (0x83) partition starting at sector 2048:

```
$ file goodluks2.img
goodluks2.img: DOS/MBR boot sector; partition 1 : ID=0x83, start-CHS (0x0,32,33), end-CHS (0x51,85,4), startsector 2048, 67106816 sectors, extended partition table (last)
```

We don’t have any other files, so we need to brute-force the passphrase; hashcat can do that. First, though, we need to attach the image to a loop device. The LUKS container lives inside the first partition, not at the start of the image, so we check the partition table with parted in byte units and note the partition’s start offset:

```
$ sudo parted goodluks2.img
GNU Parted 3.2
(parted) U
Unit? [compact]? B
(parted) print
Model: (file)
Disk ~/ctf/bsidectf/forensics/goodluks2/goodluks2.img: 34359738368B
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start     End           Size          Type     File system  Flags
 1      1048576B  34359738367B  34358689792B  primary
```

The primary partition starts at byte 1048576 (sector 2048 × 512 bytes), so we attach the image with losetup at that offset; the loop device then begins exactly where the LUKS header does:

```
$ ls /dev/loop*
/dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3 /dev/loop4 /dev/loop5 /dev/loop6 /dev/loop7 /dev/loop-control
$ sudo losetup --offset 1048576 /dev/loop8 goodluks2.img
$ ls /dev/loop*
/dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3 /dev/loop4 /dev/loop5 /dev/loop6 /dev/loop7 /dev/loop8 /dev/loop-control
```

Now we need to extract the LUKS header, which is what hashcat cracks: there is no standalone password hash, the header plus the key-slot material (the AF-split master key, encrypted under the passphrase-derived key) is the "hash". We can copy it out with dd, but first we need to know how large that region is. cryptsetup luksDump tells us the payload offset, i.e. where the encrypted data begins and therefore where the header region ends, and also confirms the container is LUKS1 with a single enabled key slot:

```
$ sudo cryptsetup luksDump /dev/loop8
LUKS header information for /dev/loop8

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      f9 88 ef ee 9e 28 aa 8c 5a 9e ca 1b fa 50 f6 1b be b7 db 85
MK salt:        5b b3 77 d8 e9 dd 1f ea 61 b1 21 20 53 54 e1 e1
                b4 fd 11 21 bf 41 67 6f 9d 80 62 f3 b1 2f 6c dd
MK iterations:  132387
UUID:           4e42c516-dc27-402d-872b-a086739d7e2f

Key Slot 0: ENABLED
        Iterations:             10260
        Salt:                   73 2d 5e e0 7e 99 40 8c ff ca de 32 c4 2d e0 cd
                                1b 6d ad b9 39 08 b5 c5 09 04 af 64 28 d5 bd a9
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
```

The payload offset is 4096 sectors, so the header region (the 592-byte LUKS1 header followed by the key-slot material) occupies 4096 × 512 = 2 MiB at the start of the loop device. Note that the key-slot iteration count (10260) is far lower than the master-key digest count (132387): the slot count is the one that bounds the cracking cost. We copy the whole 2 MiB region out with dd, reading 4096 blocks of 512 bytes (the original writeup had `bs=521`, a typo that would have produced an oversized, misaligned dump):

```
$ sudo dd if=/dev/loop8 of=LUKS_Header.dd bs=512 count=4096
```

Now we just need to crack it with hashcat, using the rockyou.txt wordlist (easy to find online). With both CPU and GPU running it took approximately 14 minutes.
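The parted, losetup, luksDump and dd steps above all boil down to reading two on-disk structures: the MBR partition table (to find where the partition starts) and the LUKS1 header (to find where the payload starts). The script below, an added example written for this writeup and not the challenge author's code, does the same carving directly from the image file, with no root, loop device or cryptsetup needed, and adds a check a forensic tool should make: that every enabled key slot's material actually lies inside the region being carved. The disk image it runs on is constructed in memory from the luksDump values printed above (with zero-filled key material, so the result is well-formed but will not crack); the function and variable names are this example's own.

```python
"""Locate the LUKS1 header in a raw MBR disk image and carve the bytes hashcat
needs, using only the on-disk MBR and LUKS1 layouts. Added example for this
writeup, not the challenge author's code; the sample image is constructed in
memory from the luksDump values above, with zero-filled key material."""
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # LUKS1 phdr fields, 208 bytes
KEYSLOT = struct.Struct(">II32sII")                # one key slot, 48 bytes, x8
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
PHDR_SIZE = PHDR.size + 8 * KEYSLOT.size           # 592 bytes on disk


def mbr_partitions(sector0):
    """Return [(type, start_sector, sectors)] for the used primary MBR entries."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if entry[4]:                                       # type byte, 0 = unused
            parts.append((entry[4], start, count))
    return parts


def parse_luks1(phdr):
    """Decode a LUKS1 header into the fields luksDump prints."""
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid) = PHDR.unpack_from(phdr, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at this offset")
    if version != 1:
        raise ValueError(f"LUKS version {version}; this parser handles v1 only")
    slots = []
    for i in range(8):
        active, iters, salt, km_off, stripes = KEYSLOT.unpack_from(
            phdr, PHDR.size + i * KEYSLOT.size)
        slots.append({"enabled": active == SLOT_ENABLED, "iterations": iters,
                      "salt": salt, "key_material_offset": km_off, "stripes": stripes})
    cstr = lambda b: b.rstrip(b"\0").decode()
    return {"cipher": cstr(cipher), "mode": cstr(mode), "hash": cstr(hash_spec),
            "payload_offset": payload_off, "key_bytes": key_bytes,
            "mk_iterations": mk_iter, "uuid": cstr(uuid), "slots": slots}


def key_material_fits(info):
    """Each enabled slot holds key_bytes * stripes bytes of AF-split key material;
    all of it must lie before the payload, or a payload_offset-sized dd truncates it."""
    for s in info["slots"]:
        need = (info["key_bytes"] * s["stripes"] + SECTOR - 1) // SECTOR
        if s["enabled"] and s["key_material_offset"] + need > info["payload_offset"]:
            return False
    return True


def carve_luks_header(img):
    """Walk the MBR, find the first LUKS1 partition and return
    (partition_byte_offset, info, header_bytes), where header_bytes runs from the
    phdr up to the payload offset: exactly what hashcat -m 14600 takes as input."""
    for _ptype, start, _count in mbr_partitions(img[:SECTOR]):
        base = start * SECTOR
        if img[base:base + len(LUKS_MAGIC)] != LUKS_MAGIC:
            continue
        info = parse_luks1(img[base:base + PHDR_SIZE])
        header = bytes(img[base:base + info["payload_offset"] * SECTOR])
        if len(header) != info["payload_offset"] * SECTOR:
            raise ValueError("image ends inside the LUKS header region")
        return base, info, header
    raise ValueError("no LUKS1 partition found")


def build_sample_image():
    """Constructed 3 MiB image: one 0x83 partition at sector 2048 whose LUKS1
    header carries the field values from the luksDump output above."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 67106816)
    mbr[510:512] = b"\x55\xaa"
    phdr = PHDR.pack(
        LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
        bytes.fromhex("f988efee9e28aa8c5a9eca1bfa50f61bbeb7db85"),
        bytes.fromhex("5bb377d8e9dd1fea61b121205354e1e1b4fd1121bf41676f9d8062f3b12f6cdd"),
        132387, b"4e42c516-dc27-402d-872b-a086739d7e2f")
    slot0_salt = bytes.fromhex("732d5ee07e99408cffcade32c42de0cd1b6dadb93908b5c50904af6428d5bda9")
    slots = b"".join(KEYSLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED,
                                  10260 if i == 0 else 0, slot0_salt if i == 0 else b"",
                                  8 + 256 * i, 4000) for i in range(8))
    img = bytearray((2048 + 4096) * SECTOR)
    img[:SECTOR] = mbr
    img[2048 * SECTOR:2048 * SECTOR + PHDR_SIZE] = phdr + slots
    return img


if __name__ == "__main__":
    base, info, header = carve_luks_header(build_sample_image())
    print(f"LUKS1 {info['cipher']} {info['mode']} ({info['hash']}) at byte {base}, "
          f"payload offset {info['payload_offset']} -> carving {len(header)} bytes, "
          f"key material fits: {key_material_fits(info)}")
    open("LUKS_Header.dd", "wb").write(header)   # feed this to hashcat -m 14600
```

To run it on the real image rather than the constructed one, map the file instead of reading 32 GiB into memory (`mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` supports the same slicing) and pass the map to `carve_luks_header`. The resulting `LUKS_Header.dd` is what the dd command above produces, and it is cracked with hashcat's LUKS mode: `hashcat -m 14600 LUKS_Header.dd rockyou.txt`. The version check matters in practice: a LUKS2 container has a JSON-based header of a different size, this parser (and the 2 MiB dd recipe) does not apply to it, and cryptsetup luksDump on it would report `Version: 2`.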

The passphrase is gaffer3. All that is left is to open the container, mount it and read the flag (the loop device number below differs from the earlier one; use whichever device `losetup -a` reports for goodluks2.img):

```
$ sudo cryptsetup luksOpen /dev/loop11 bkup
Enter passphrase for ~/ctf/bsidectf/forensics/goodluks2/goodluks2.img: gaffer3
$ sudo mount /dev/mapper/bkup /mnt/
$ ls /mnt/
flag.txt  JohnTheRipper.7z  lost+found  rockyou.7z
$ cat /mnt/flag.txt
CTF{lame_users_keys_suck}
```

The flag was CTF{lame_users_keys_suck}