Hackit2017-Cypherpunk’s nightmare-writeup

LUKS aeskeyfind

Task

Description: Our officers have just made a cold boot attack on the suspect's computer. Your role is to recover the content of this encrypted hard drive.
Attachment: (none)
Webpage: https://mega.nz/#!VdRAkaKT!xP7s74jwnlGmR2spg9RNaKFf5GmCGAv-pxW8aPZNkOw
Hint: (none)

Solution

The challenge provides an archive; unpacking it gives three files:

encrypted.dd
memdump.elf.gz
__MACOSX

First look at the first file:

It is a LUKS-encrypted volume, so a key is needed to decrypt it. Combined with the other file, memdump.elf.gz, we can use the tool aeskeyfind to extract the AES key that is still sitting in memory.

It can be installed with the following command:

apt-get install aeskeyfind

Decompress memdump.elf.gz to get the file data, then run aeskeyfind on it:

aeskeyfind -v data

The output is as follows:

FOUND POSSIBLE 128-BIT KEY AT BYTE bf16da0
KEY: 9e90126c33c85d9a6913e649301b5dcf
EXTENDED KEY:
9e90126c33c85d9a6913e649301b5dcf
30dc98680314c5f26a0723bb5a1c7e74
ae2f0ad6ad3bcf24c73cec9f9d2092eb
1d60e388b05b2cac7767c033ea4752d8
b560820f053baea3725c6e90981b3c48
0a8bd0490fb07eea7dec107ae5f72c32
42faf3904d4a8d7a30a69d00d551b132
d332d0939e785de9aedec0e97b8f71db
209169b2bee9345b1037f4b26bb88569
570690cde9efa496f9d850249260d54d
b105738258ead714a13287303352527d
CONSTRAINTS ON ROWS:
00000004000000000000000000000000
000000be000000000000000000000000
0000005e000000000000000000000000
00000087000000000000000000000000
00000046000000000000000000000000
000000d9000000000000000000000000
00000003000000000000000000000000
00000021000000000000000000000000
0000007f000000000000000000000000
0000004f000000000000000000000000
FOUND POSSIBLE 128-BIT KEY AT BYTE bf16fa0
KEY: 683c5a4bf8f1cedf5b649c482e48e639
EXTENDED KEY:
683c5a4bf8f1cedf5b649c482e48e639
3bb2487ac34386a598271aedb66ffcd4
9102003452418691ca669c7c7c0960a8
94d2c224c69344b50cf5d8c970fcb861
2cbe2d75ea2d69c0e6d8b10996240968
0abf68e5e0920125064ab02c906eb944
b5e97385557b72a05331c28cc35f7bc8
3ac89bab6fb3e90b3c822b87ffdd504f
7b9b1fbd1428f6b628aadd31d7778d7e
95c6ecb381ee1a05a944c7347e334a4a
60103a40e1fe204548bae7713689ad3b
CONSTRAINTS ON ROWS:
00000031000000000000000000000000
0000004e000000000000000000000000
00000010000000000000000000000000
00000051000000000000000000000000
00000090000000000000000000000000
00000060000000000000000000000000
0000002e000000000000000000000000
00000016000000000000000000000000
0000000e000000000000000000000000
000000f3000000000000000000000000
Keyfind progress: 100%

The important part is that two KEYs were found:

KEY: 9e90126c33c85d9a6913e649301b5dcf
KEY: 683c5a4bf8f1cedf5b649c482e48e639

First try a single key:

echo "9e90126c33c85d9a6913e649301b5dcf" | xxd -r -p > Safe.key

Try to decrypt:

cryptsetup luksOpen --master-key-file Safe.key encrypted.dd safe-home

But it reports an error (cryptsetup could not read 32 bytes from the key file):

无法从密钥文件 Safe.key 读取 32 字节。

Let us look at what Safe.key contains:

It is only sixteen bytes, while the volume key must be 32 bytes.

Since there are two keys, try concatenating them (the first ordering is rejected with "volume key does not match the volume"; the reverse ordering is accepted):

root@chybeta:~/Desktop/nightmare# echo "9e90126c33c85d9a6913e649301b5dcf683c5a4bf8f1cedf5b649c482e48e639" | xxd -r -p > Safe.key
root@chybeta:~/Desktop/nightmare# cryptsetup luksOpen --master-key-file Safe.key encrypted.dd safe-home
卷密钥与卷不匹配。
root@chybeta:~/Desktop/nightmare# echo "683c5a4bf8f1cedf5b649c482e48e6399e90126c33c85d9a6913e649301b5dcf" | xxd -r -p > Safe.key
root@chybeta:~/Desktop/nightmare# cryptsetup luksOpen --master-key-file Safe.key encrypted.dd safe-home

Afterwards the volume can be opened directly from the Kali desktop.

This gives the flag:

h4ck1t{Not_paranoid_enough}

The same can be achieved by mounting the mapped device:

root@chybeta:~/Desktop/nightmare# ls -l /dev/mapper/
总用量 0
crw------- 1 root root 10, 236 8月 25 05:25 control
lrwxrwxrwx 1 root root 7 8月 25 05:26 safe-home -> ../dm-0
root@chybeta:~/Desktop/nightmare# mkdir /mnt/safe-home
root@chybeta:~/Desktop/nightmare# mount /dev/mapper/safe-home /mnt/safe-home/
root@chybeta:~/Desktop/nightmare# cd /mnt/safe-home/
root@chybeta:/mnt/safe-home# ls
flag.txt Melkor_ELF_fuzzer
root@chybeta:/mnt/safe-home# cat flag.txt
h4ck1t{Not_paranoid_enough}


Title: Hackit2017-Cypherpunk’s nightmare-writeup

Author: chybeta

Published: 2017-08-30 19:08

Last updated: 2017-08-30 20:08

Original link: http://chybeta.github.io/2017/08/30/Hackit2017-Cypherpunk’s-nightmare-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.