Root-me.org

Second job interview

fvek

This challenge gives us another memory dump with a dd image. The title gives us a hint of what we’re dealing with.

FVEK stands for Full Volume Encryption Key, the key BitLocker uses to encrypt the data sectors of a volume. Big chance that we're dealing with BitLocker.

The dd image is most probably a BitLocker-encrypted volume, so we need to extract the FVEK from the memory dump.

We'll confirm that the dd image is indeed encrypted by looking at the volume's boot sector and checking whether we can spot the BitLocker signature "-FVE-FS-" (the OEM ID field at offset 3, where a plaintext NTFS volume would read "NTFS    ").

hexdump -C image.dd  | grep "\-FVE\-FS\-"
00010000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|

As suspected. Now let's get the key from the memory dump. For this we'll use the following Volatility 2 plugin: https://github.com/elceef/bitlocker. We first let imageinfo suggest a profile, then run the plugin against that profile.

wget https://raw.githubusercontent.com/elceef/bitlocker/master/bitlocker.py

vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/something/CTF/rootme/forensic/ch17/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028520a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002853d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-07-02 20:09:29 UTC+0000
     Image local date and time : 2016-07-02 22:09:29 +0200
     
vol.py --plugins=./ -f memory.dmp --profile=Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.6

Address : 0xfa80018be720
Cipher  : AES-128
FVEK    : e7e576581fe26aa7c71a7e711c778da2
TWEAK   : b72f4e075edb7e734dfb08638cf29652

We got the key. Since the plugin reports a TWEAK key next to the AES-128 FVEK, the volume uses the Elephant diffuser variant (AES-128 + diffuser, the Windows 7 default), so both values are needed to decrypt. Now we'll install bdemount (part of libbde-utils) and find the byte offset of the encrypted partition inside the image.

sudo apt-get install libbde-utils

 sudo fdisk -l  image.dd 
Disk image.dd: 75 MiB, 78643200 bytes, 153600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0a152bd9

Device     Boot Start    End Sectors Size Id Type
image.dd1         128 147583  147456  72M  7 HPFS/NTFS/exFAT

The partition starts at sector 128 and sectors are 512 bytes, so the volume begins at byte offset 128 * 512 = 65536 (0x10000), exactly where hexdump found the -FVE-FS- signature.
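The signature check and the offset calculation can also be done in one go by parsing the MBR partition table and the first sector of each partition. The script below is an added example, not part of the original writeup or of the elceef plugin. It parses the four MBR entries, classifies each partition by its OEM ID, computes the byte offset bdemount needs, cross-checks it against the hidden-sectors field of the BitLocker boot sector, and assembles the bdemount -k FVEK:TWEAK -o offset command line. The file name bde_offset.py and the built-in sample image (a constructed stand-in reproducing the partition table and the -FVE-FS- header bytes shown above) are assumptions for the demo; pass a real image path to inspect it instead.

```python
import struct
import sys

FVE_SIGNATURE = b"-FVE-FS-"   # OEM ID in the boot sector of a BitLocker-encrypted volume
NTFS_SIGNATURE = b"NTFS    "  # OEM ID of a plaintext NTFS volume
SECTOR = 512                  # logical sector size assumed for the MBR and partition starts


def parse_mbr(img):
    """Return (slot, type, lba_start, sector_count) for every used entry in the MBR partition table."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    parts = []
    for slot in range(4):
        # entry layout: status(1) CHS(3) type(1) CHS(3) lba_start(u32 LE) sectors(u32 LE)
        ptype, lba, count = struct.unpack_from("<4xB3xII", img, 446 + 16 * slot)
        if ptype != 0 and count != 0:
            parts.append((slot + 1, ptype, lba, count))
    return parts


def inspect_volume(img, lba_start):
    """Read the first sector of a partition and pull out the BPB fields that identify BitLocker."""
    off = lba_start * SECTOR
    boot = img[off:off + SECTOR]
    if len(boot) < SECTOR:
        raise ValueError("partition start lies beyond the end of the image")
    oem_id = boot[3:11]
    # BitLocker keeps the BPB layout of an NTFS boot sector: bytes/sector at 11,
    # sectors/cluster at 13, hidden sectors (= partition start LBA) at 28
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 11)
    hidden_sectors, = struct.unpack_from("<I", boot, 28)
    return {
        "offset": off,
        "oem_id": oem_id,
        "bitlocker": oem_id == FVE_SIGNATURE,
        "ntfs": oem_id == NTFS_SIGNATURE,
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "hidden_sectors": hidden_sectors,
        "hidden_matches_lba": hidden_sectors == lba_start,
    }


def find_bitlocker_volumes(img):
    """Inspect every MBR partition and keep the ones that carry the -FVE-FS- signature."""
    return [v for v in (inspect_volume(img, lba) for _, _, lba, _ in parse_mbr(img)) if v["bitlocker"]]


def bdemount_command(image, fvek_hex, tweak_hex, offset, mount_point="image_mount/"):
    """Assemble the bdemount call: -k takes FVEK:TWEAK in hex, -o the byte offset of the volume."""
    for name, key in (("FVEK", fvek_hex), ("TWEAK", tweak_hex)):
        if len(key) not in (32, 64) or any(c not in "0123456789abcdefABCDEF" for c in key):
            raise ValueError(f"{name} must be 128 or 256 bits of hex, got {len(key)} chars")
    return f"bdemount -k {fvek_hex}:{tweak_hex} -o {offset} {image} {mount_point}"


def build_sample_image():
    """Constructed stand-in for image.dd (not the challenge file): one type-7 partition at LBA 128
    whose first sector carries the exact -FVE-FS- header bytes shown in the hexdump above."""
    img = bytearray(SECTOR * 130)
    img[446:462] = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 128, 147456)
    img[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:16] = bytes.fromhex("eb58902d4656452d46532d0002080000")
    struct.pack_into("<I", boot, 28, 128)  # hidden sectors = partition start LBA
    boot[510:512] = b"\x55\xaa"
    img[128 * SECTOR:129 * SECTOR] = boot
    return bytes(img)


if __name__ == "__main__":
    # usage: python bde_offset.py image.dd   (falls back to the constructed sample image)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for slot, ptype, lba, count in parse_mbr(data):
        v = inspect_volume(data, lba)
        kind = "BitLocker" if v["bitlocker"] else "NTFS" if v["ntfs"] else "other"
        print(f"partition {slot}: type 0x{ptype:02x}, start LBA {lba}, {count} sectors -> {kind} at byte offset {v['offset']}")
        if v["bitlocker"] and not v["hidden_matches_lba"]:
            print("  warning: hidden-sectors field does not match the partition start, image may be misaligned")
    for v in find_bitlocker_volumes(data):
        # FVEK/TWEAK values are the ones the Volatility plugin printed for this challenge
        print(bdemount_command("image.dd", "e7e576581fe26aa7c71a7e711c778da2",
                               "b72f4e075edb7e734dfb08638cf29652", v["offset"]))
```

The hidden-sectors cross-check is worth keeping: when a dd image was carved or truncated at the front, the partition table and the volume header disagree, and bdemount will fail to find the FVE metadata at the offset you hand it.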

 bdemount -k e7e576581fe26aa7c71a7e711c778da2:b72f4e075edb7e734dfb08638cf29652 -o $((512*128)) image.dd image_mount/
bdemount 20170204

-k takes the FVEK and the tweak key as key:tweak (both in hex, exactly as the plugin printed them) and -o is the byte offset of the encrypted volume within the image. bdemount does not mount a filesystem itself: it exposes the decrypted volume as a raw file, bde1, inside image_mount/.

The only thing left to do is to mount that decrypted volume.

cd image_mount
file bde1
bde1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 16, hidden sectors 128, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 147455, $MFT start cluster 6144, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 084637bb4637a878; containsMicrosoft Windows XP/VISTA bootloader BOOTMGR

cp bde1 ../
cd ..
mkdir mount_point
sudo mount -o loop ./bde1 mount_point/
cd mount_point/
ls
flag.jpg  $RECYCLE.BIN  System Volume Information

The flag is in flag.jpg. Copying bde1 out is only a convenience; mounting image_mount/bde1 directly with -o loop,ro works as well and keeps the evidence read-only.