[Forensics] BsidesSF 2019 - goodluks3

goodluks3

Description:
Our third suspect was caught with a running machine with the encrypted disk mounted.
We captured the whole hard drive and system memory for you. Can you help us?
(Please note, this is a rather large file!)
https://storage.googleapis.com/bsides-sf-ctf-2019-large-artifacts/goodluks3.7z
Solved

After extracting the 7z file we get a disk image (goodluks3.img) and a memory dump (goodluks3.mem). I first tried Volatility to analyse the memory, but it was far too slow, and I would still have needed a profile for this specific Linux kernel, which is always a mess.

When a CTF challenge hands you a LUKS-encrypted disk together with a memory dump, the objective is usually to recover the master key from the dump: while the volume is open, the kernel keeps the expanded AES key schedule in RAM, and a scanner can recognise that structure without knowing the key in advance. I tried aeskeyfind on the memory dump first, but it didn't find anything, so I looked for a different tool and found findaes:

$ ./findaes ../goodluks3.mem
Searching ../goodluks3.mem
Found AES-256 key schedule at offset 0x895dd88:
b0 7a 29 f5 44 15 47 76 57 04 6e ec d3 03 f5 bd af a4 e6 df b2 71 01 ab af 7e 22 e1 23 94 15 f5
Found AES-256 key schedule at offset 0x895df78:
8e 8c 3a 67 eb 11 54 6c b1 cc 7d 0f cc 85 e8 43 30 7c 16 d4 7f 86 08 a1 0f 59 3d 4c 31 0f c8 6a

findaes found two AES-256 key schedules. Next we need to expose the LUKS partition as a block device, so let's look at the partition table with parted:

$ sudo parted goodluks3.img
GNU Parted 3.2
Using ~/ctf/bctf/forensics/goodluks3/goodluks3.img
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) U
Unit? [compact]? B
(parted) print
Model: (file)
Disk ~/ctf/bctf/forensics/goodluks3/goodluks3.img: 4294967296B
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start        End          Size         Type     File system     Flags
 1      1048576B     2999975935B  2998927360B  primary  ext4            boot
 2      2999975936B  4000317439B  1000341504B  primary
 3      4000317440B  4293918719B  293601280B   primary  linux-swap(v1)

(parted)

Partition 2 shows no file system, which is how a LUKS container looks to parted (it does not probe LUKS headers; cryptsetup's isLuks action is the definitive check). It starts at byte 2999975936, so we attach a loop device at that offset with losetup. On real evidence you would add -r so the loop device is read-only and the image cannot be altered:

$ sudo losetup --offset 2999975936 /dev/loop0 goodluks3.img

Now convert one of the dumped keys from its hex listing into raw bytes, since --master-key-file expects the binary key rather than hex text:

$ echo '8e 8c 3a 67 eb 11 54 6c b1 cc 7d 0f cc 85 e8 43 30 7c 16 d4 7f 86 08 a1 0f 59 3d 4c 31 0f c8 6a' | tr -d ' ' | xxd -r -p > key0

Let's try to decrypt now:

$ sudo cryptsetup luksOpen --master-key-file key0 /dev/loop0 decrypted
Cannot read 64 bytes from keyfile key0.

An error: cryptsetup expected a 64-byte (512-bit) key. There is no such thing as AES-512; the LUKS default cipher is aes-xts-plain64, and XTS mode uses two independent AES-256 keys, one that encrypts the sector data and one that encrypts the tweak, so a 512-bit master key is simply two 256-bit AES keys back to back. (Running luksDump on the device first would have shown the cipher mode and master-key size instead of leaving it to guesswork.) That is exactly why findaes found two AES-256 schedules: what if the full key is the two keys joined? The scanner cannot tell which hit is which half, and cryptsetup will reject a key whose halves are in the wrong order, so you may need to try both; this order worked for me:

$ echo '8e 8c 3a 67 eb 11 54 6c b1 cc 7d 0f cc 85 e8 43 30 7c 16 d4 7f 86 08 a1 0f 59 3d 4c 31 0f c8 6a b0 7a 29 f5 44 15 47 76 57 04 6e ec d3 03 f5 bd af a4 e6 df b2 71 01 ab af 7e 22 e1 23 94 15 f5' | tr -d ' ' | xxd -r -p > key0
$ sudo cryptsetup luksOpen --master-key-file key0 /dev/loop0 decrypted

And it worked! cryptsetup checks the supplied master key against the key digest stored in the LUKS header and refuses a key that does not match, so a silent return means the key is right. Let's mount the mapped device and get the flag:

$ sudo mount /dev/mapper/decrypted /mnt/
$ ls /mnt/
collected-wallpapers-master/ ctfscoreboard-master/ flag.txt lost+found/
$ cat /mnt/flag.txt
CTF{lucky_U_k33p_secrets!}

The flag was CTF{lucky_U_k33p_secrets!}
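To make the two key steps of this solve concrete, here is an added Python example that is neither findaes' code nor part of the original writeup. It shows what a key-schedule scanner actually does (treat every 32 bytes as a candidate AES-256 key, expand them with the FIPS-197 key schedule, and report offsets where the expansion really does follow in memory, which is how a key that was live in the kernel is recognised), and then how two such hits become the 64-byte aes-xts-plain64 master key in both possible orders. The memory image it scans is constructed in the block: 64 KiB of seeded pseudo-random filler with two schedules planted at offsets 0x1000 and 0x2F00, which are arbitrary choices, not values from goodluks3.mem.

```python
"""Added illustration of a findaes-style AES-256 key-schedule scan and of
assembling a LUKS aes-xts-plain64 master key from two hits.  Not findaes'
code and not part of the original writeup; the memory image is constructed."""
import random

# ---- AES S-box, computed from its GF(2^8) definition rather than pasted ----
def _xtime(a: int) -> int:
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _build_sbox() -> list:
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gmul(x, y) == 1)
        s = inv
        for i in range(1, 5):                      # affine transform over GF(2)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40)  # AES-256 uses 7 round constants
SCHEDULE_LEN = 240   # 15 round keys * 16 bytes: what the kernel keeps in RAM

def _sub_rot(word: bytes, rcon: int) -> bytes:
    """SubWord(RotWord(word)) ^ Rcon, the g() step of the key schedule."""
    w = bytes(SBOX[b] for b in word[1:] + word[:1])
    return bytes([w[0] ^ rcon]) + w[1:]

def expand_aes256_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 32-byte key: 60 words / 240 bytes."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    w = [key[i:i + 4] for i in range(0, 32, 4)]
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:
            t = _sub_rot(t, RCON[i // 8 - 1])
        elif i % 8 == 4:
            t = bytes(SBOX[b] for b in t)
        w.append(bytes(a ^ b for a, b in zip(w[i - 8], t)))
    return b"".join(w)

def find_aes256_keys(mem: bytes) -> list:
    """Return [(offset, key)] for every offset whose 32 bytes are followed by
    their own expanded schedule.  Zeroed memory never matches (SubWord(0) is
    0x63), and checking only the first derived word rejects nearly every
    offset before the full 240-byte expansion is computed."""
    hits = []
    for off in range(0, len(mem) - SCHEDULE_LEN + 1):
        key = mem[off:off + 32]
        w8 = bytes(a ^ b for a, b in zip(key[:4], _sub_rot(key[28:32], RCON[0])))
        if mem[off + 32:off + 36] != w8:
            continue
        if expand_aes256_key(key) == mem[off:off + SCHEDULE_LEN]:
            hits.append((off, key))
    return hits

def xts_master_key_candidates(keys: list) -> list:
    """A 512-bit LUKS aes-xts-plain64 master key is two AES-256 keys: bytes
    0-31 encrypt the sector data, bytes 32-63 encrypt the tweak.  A memory scan
    cannot tell which hit is which half, so both orders are returned for
    cryptsetup --master-key-file to try; the header's key digest rejects the
    wrong one."""
    if len(keys) != 2:
        raise ValueError("need exactly two AES-256 keys")
    a, b = keys
    return [a + b, b + a]

def hexdump(key: bytes) -> str:
    return " ".join(f"{b:02x}" for b in key)

def build_sample_image(seed: int = 2019) -> tuple:
    """Constructed stand-in for goodluks3.mem: 64 KiB of seeded filler with
    two expanded AES-256 schedules planted at arbitrary offsets."""
    rnd = random.Random(seed)
    data_key = bytes(rnd.getrandbits(8) for _ in range(32))
    tweak_key = bytes(rnd.getrandbits(8) for _ in range(32))
    mem = bytearray(rnd.getrandbits(8) for _ in range(64 * 1024))
    mem[0x1000:0x1000 + SCHEDULE_LEN] = expand_aes256_key(data_key)
    mem[0x2F00:0x2F00 + SCHEDULE_LEN] = expand_aes256_key(tweak_key)
    return bytes(mem), [data_key, tweak_key]

if __name__ == "__main__":
    image, planted = build_sample_image()
    hits = find_aes256_keys(image)
    for off, key in hits:
        print(f"Found AES-256 key schedule at offset {off:#x}:")
        print(hexdump(key))
    for cand in xts_master_key_candidates([k for _, k in hits]):
        print("candidate 64-byte master key:", hexdump(cand))
```

Run as a script it prints the two planted keys in findaes' output format followed by both 64-byte concatenations; writing one of those candidates to a file with xxd -r -p is the step the writeup performs by hand. The pre-check on the first derived word is what makes this kind of scan feasible on a multi-gigabyte dump: the full expansion is only computed for offsets that already pass it.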