Rootme Second Job Interview
Root-me.org
Second job interview
fvek
This challenge gives us another memory dump together with a dd disk image, and the title hints at what we're dealing with.
FVEK stands for Full Volume Encryption Key, the symmetric key BitLocker uses to encrypt the sectors of a volume, so chances are high that we're dealing with BitLocker.
The dd image is most probably a BitLocker-encrypted volume. While such a volume is unlocked, Windows keeps the FVEK in kernel memory, so the plan is to extract it from the memory dump and use it to decrypt the image.
We'll confirm that the dd image is indeed BitLocker-encrypted by looking at the volume boot sector for the signature "-FVE-FS-", the OEM ID BitLocker writes in place of the usual "NTFS    ":
hexdump -C image.dd | grep "\-FVE\-FS\-"
00010000 eb 58 90 2d 46 56 45 2d 46 53 2d 00 02 08 00 00 |.X.-FVE-FS-.....|
As suspected. Note the offset: 0x10000 = 65536 bytes = 128 sectors of 512 bytes, which is the first sector of the partition (fdisk confirms this below). Now let's get the key out of the memory dump. For this we'll use the following Volatility 2 plugin: https://github.com/elceef/bitlocker
wget https://raw.githubusercontent.com/elceef/bitlocker/master/bitlocker.py
vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/something/CTF/rootme/forensic/ch17/memory.dmp)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800028520a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002853d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2016-07-02 20:09:29 UTC+0000
Image local date and time : 2016-07-02 22:09:29 +0200
vol.py --plugins=./ -f memory.dmp --profile=Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.6
Address : 0xfa80018be720
Cipher : AES-128
FVEK : e7e576581fe26aa7c71a7e711c778da2
TWEAK : b72f4e075edb7e734dfb08638cf29652
We got the key. The TWEAK key is only present because the volume uses AES-CBC with the Elephant diffuser, the Windows 7 default; AES-XTS volumes from newer Windows versions have no separate tweak key. Next we install bdemount from libbde-utils and find the offset of the encrypted partition inside the image, since bdemount has to be pointed at the volume rather than at the whole disk.
sudo apt-get install libbde-utils
sudo fdisk -l image.dd
Disk image.dd: 75 MiB, 78643200 bytes, 153600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0a152bd9
Device Boot Start End Sectors Size Id Type
image.dd1 128 147583 147456 72M 7 HPFS/NTFS/exFAT
The partition starts at sector 128; with 512-byte sectors that is a byte offset of 128 * 512 = 65536 (0x10000), which matches where hexdump found the -FVE-FS- signature.
bdemount -k e7e576581fe26aa7c71a7e711c778da2:b72f4e075edb7e734dfb08638cf29652 -o $((512*128)) image.dd image_mount/
bdemount 20170204
-k takes the FVEK and TWEAK key as hex, separated by a colon, and -o is the byte offset of the volume inside the image. On success bdemount exposes the decrypted volume as a virtual file, bde1, inside image_mount/.
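The offset arithmetic above is the part of this procedure worth automating. The following script is an added example, not part of the original writeup and not libbde code: it parses the MBR partition table, checks the first sector of each partition for the "-FVE-FS-" OEM ID, falls back to a sector-aligned signature scan (the programmatic equivalent of the hexdump | grep check, useful when the partition table is damaged), builds the bdemount command line from the offset, and also checks whether a boot sector reads as plaintext NTFS, which is the sanity check for the decrypted bde1 file later on. All function names are my own, and the sample image it runs on when no path is given is constructed in the script.

```python
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
BITLOCKER_OEM_ID = b"-FVE-FS-"   # replaces "NTFS    " in the volume boot sector
NTFS_OEM_ID = b"NTFS    "


def parse_mbr_partitions(mbr):
    """Parse the four primary entries of a DOS/MBR partition table (offset 446,
    16 bytes each). Returns a list of dicts for the non-empty entries."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature at offset 510: not a DOS/MBR disk")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, sectors = struct.unpack("<II", entry[8:16])
        if ptype == 0 or sectors == 0:
            continue
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start_lba, "sectors": sectors})
    return parts


def find_bitlocker_volumes(image):
    """Walk the partition table and check the first sector of each partition for the
    BitLocker OEM ID at byte 3 (right after the EB xx 90 jump).
    Returns [(partition, byte_offset, is_bitlocker), ...]."""
    results = []
    for part in parse_mbr_partitions(image[:SECTOR]):
        offset = part["start_lba"] * SECTOR
        vbr = image[offset:offset + SECTOR]
        results.append((part, offset, vbr[3:11] == BITLOCKER_OEM_ID))
    return results


def scan_for_oem_id(image, oem_id=BITLOCKER_OEM_ID):
    """Sector-aligned brute-force scan: every boot sector starting with a jump (0xEB)
    whose OEM ID matches. Works even without a usable partition table."""
    return [off for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if image[off] == 0xEB and image[off + 3:off + 11] == oem_id]


def looks_like_ntfs(boot_sector):
    """True for a plaintext NTFS boot sector, e.g. the bde1 file bdemount exposes."""
    return (len(boot_sector) >= SECTOR and boot_sector[3:11] == NTFS_OEM_ID
            and boot_sector[510:512] == MBR_SIGNATURE)


def bdemount_command(image_path, byte_offset, fvek_hex, tweak_hex, mount_dir):
    """Build the bdemount invocation used above: -k takes FVEK:TWEAK in hex,
    -o the byte offset of the volume inside the image."""
    for key in (fvek_hex, tweak_hex):
        bytes.fromhex(key)  # raises ValueError on a mistyped key
    return "bdemount -k %s:%s -o %d %s %s" % (fvek_hex, tweak_hex, byte_offset,
                                              image_path, mount_dir)


def build_sample_image(start_lba=128, total_sectors=256):
    """Constructed disk image (assumed layout, not the challenge file): one NTFS-type
    (0x07) partition at start_lba whose first sector carries the BitLocker boot-sector
    header bytes seen in the hexdump output above."""
    img = bytearray(total_sectors * SECTOR)
    entry = bytes([0x00, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", start_lba,
                                                                total_sectors - start_lba)
    img[446:462] = entry
    img[510:512] = MBR_SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x58\x90"           # jump instruction
    vbr[3:11] = BITLOCKER_OEM_ID
    vbr[11:13] = struct.pack("<H", 512)  # bytes per sector
    vbr[13] = 8                          # sectors per cluster
    vbr[510:512] = MBR_SIGNATURE
    img[start_lba * SECTOR:start_lba * SECTOR + SECTOR] = vbr
    return bytes(img)


if __name__ == "__main__":
    # Pass a dd image as argv[1] (read whole; fine for a 75 MiB CTF image).
    # Without an argument the constructed sample image is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_image()
    for part, offset, is_bl in find_bitlocker_volumes(image):
        print("partition %d: start sector %d, offset %d (0x%x), BitLocker: %s"
              % (part["index"], part["start_lba"], offset, offset, is_bl))
    print("signature scan hits:", [hex(o) for o in scan_for_oem_id(image)])
```

Running it against the real image.dd should report partition 1 at offset 65536 with BitLocker: True and a single scan hit at 0x10000; a mismatch between the two would mean the partition table and the volume disagree, which is exactly when the -o value needs a second look.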
The only thing left to do is to mount the decrypted volume. bdemount exposes it as the file bde1, whose boot sector now reads as plain NTFS (OEM-ID "NTFS    " instead of "-FVE-FS-"). We copy it out of the FUSE mount and loop-mount the copy; in a real forensic case you would add ro to the mount options to keep the evidence untouched.
cd image_mount
file bde1
bde1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 16, hidden sectors 128, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 147455, $MFT start cluster 6144, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 084637bb4637a878; containsMicrosoft Windows XP/VISTA bootloader BOOTMGR
cp bde1 ../
cd ..
mkdir mount_point
sudo mount -o loop ./bde1 mount_point/
cd mount_point/
ls
flag.jpg $RECYCLE.BIN System Volume Information
The flag is in flag.jpg.