goodluks3
Description:
Our third suspect was caught with a running machine with the encrypted disk mounted.
We captured the whole hard drive and system memory for you. Can you help us?
(Please note, this is a rather large file!)
https://storage.googleapis.com/bsides-sf-ctf-2019-large-artifacts/goodluks3.7z
Solved
After extracting the 7z file we get a disk image (goodluks3.img) and a memory dump (goodluks3.mem). At first I tried to use Volatility to analyse the memory, but it was far too slow, and I still needed to find a profile for this specific Linux machine, which is always a mess.
In this kind of CTF challenge, when you have a LUKS-encrypted disk and a memory dump, the objective is usually to find the master key inside the dump. So I tried aeskeyfind on the memory dump, but it didn't find anything; after that I started looking for a different tool and found this one:
$ ./findaes ../goodluks3.mem
It found two AES-256 keys. Now it is time to set up a loop device from the LUKS image, so let's look at the partitions with parted:
$ sudo parted goodluks3.img
We want a loop device on partition number 2, whose offset starts at 2999975936 B, so let's use losetup:
$ sudo losetup --offset 2999975936 /dev/loop0 goodluks3.img
And now let's turn one of the dumped keys from its hex representation into a raw binary key file:
$ echo '8e 8c 3a 67 eb 11 54 6c b1 cc 7d 0f cc 85 e8 43 30 7c 16 d4 7f 86 08 a1 0f 59 3d 4c 31 0f c8 6a' | tr -d ' ' | xxd -r -p > key0
Let's try to decrypt now:
$ sudo cryptsetup luksOpen --master-key-file key0 /dev/loop14 decrypted
And we got an error: cryptsetup expected a 64-byte key, which means the encryption used was AES-512 and not AES-256. Then I remembered that findaes gave us two AES-256 keys. What if the full key is the two keys joined together? Let's try that:
$ echo '8e 8c 3a 67 eb 11 54 6c b1 cc 7d 0f cc 85 e8 43 30 7c 16 d4 7f 86 08 a1 0f 59 3d 4c 31 0f c8 6a b0 7a 29 f5 44 15 47 76 57 04 6e ec d3 03 f5 bd af a4 e6 df b2 71 01 ab af 7e 22 e1 23 94 15 f5' | tr -d ' ' | xxd -r -p > key0
And it worked! The command didn't spit out any errors, so let's mount it and get the flag:
$ sudo mount /dev/mapper/decrypted /mnt/
The flag was CTF{lucky_U_k33p_secrets!}
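To show what findaes is actually doing, and why joining the two 256-bit keys worked, here is an added Python example (my own code, not the write-up's and not findaes itself). A running dm-crypt volume keeps the expanded AES key schedule in RAM, so a 32-byte window followed by its own AES-256 expansion is a live key; with aes-xts-plain64 and a 512-bit key the kernel holds two AES-256 keys, and the 64-byte LUKS master key is those two keys back to back. The "memory dump" built by build_sample_image is constructed, not the challenge's data, and all function names are my own.

```python
# Added example, not the write-up's code nor findaes itself; sample image below is constructed.
def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def make_sbox():
    # AES S-box from GF(2^8) inverses plus the affine transform, so no 256-entry table is needed.
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF          # q /= 3 in GF(2^8)
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = make_sbox()

def expand_key_256(key):
    # FIPS-197 key schedule for AES-256: 8 key words expanded to 60 words (240 bytes).
    w = [bytes(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]               # SubWord(t)
        w.append(bytes(a ^ b for a, b in zip(w[i - 8], t)))
    return b"".join(w)

def find_aes256_keys(mem):
    # A 32-byte window is a live key if the 208 bytes after it are exactly its own schedule,
    # which is how dm-crypt leaves the key in RAM. Hits come back in memory order, like findaes.
    return [(off, mem[off:off + 32].hex()) for off in range(len(mem) - 239)
            if expand_key_256(mem[off:off + 32])[32:] == mem[off + 32:off + 240]]

def xts_master_key(hits):
    # aes-xts-plain64 with a 512-bit key is two AES-256 keys; the 64-byte LUKS master key
    # is the two hits concatenated, which is what made the second luksOpen in the write-up work.
    return bytes.fromhex(hits[0][1] + hits[1][1])

def build_sample_image():
    # Constructed "memory dump": filler, a planted schedule, filler, a second schedule, filler.
    key_a, key_b, filler = bytes(range(32)), bytes(range(32, 64)), b"\xAA" * 300
    return filler + expand_key_256(key_a) + filler + expand_key_256(key_b) + filler, key_a, key_b
```

Writing xts_master_key(...) to a file gives the same kind of 64-byte key0 the write-up fed to cryptsetup; on a real dump the full-expansion check per offset is slow in pure Python, which is why findaes is written in C.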