# Colonel - forensics

fridgebuyer

### vol

```
vol -f memory.dump linux.bash.Bash
vol -f memory.dump linux.kmsg.Kmsg
```

"insmod check_service.ko key_path=validation*"

### kmsg

Key 1

```
Error: Invalid key 51782b4b765251314e32525236364978534d35566a6b72474b67303946483266, indices 9 21 31 incorrect
```

Key 2

```
Error: Invalid key 58782b4b765251314e51525235364978534d35566a6a72524b673039466c3265, indices 0 12 23 29 incorrect
```

A kernel module check_service.ko was loaded twice with two different key files (validation, validation2). kmsg recorded both attempts.

### Decode

Hex to ASCII, then swap the incorrect indices between keys (Key 1 as a base, replacing its bad positions (9, 21, 31) with the correct chars from Key 2)

-> Qx+KvRQ1NQRR66IxSM5VjjrGKg09FH2e

### Decrypt

IV - 1234567890123456, key - ASCII bytes

```
python3 -c "
from Crypto.Cipher import AES
key = b'Qx+KvRQ1NQRR66IxSM5VjjrGKg09FH2e'
iv = b'1234567890123456'
ct = open('flag.enc','rb').read()
print(AES.new(key,AES.MODE_CBC,iv).decrypt(ct))
"
```

**gigem{bl3ss3d_4r3_th3_c010n31_m33k}**
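
The merge from the Decode step, generalized to any number of logged attempts, as an added example that is not part of the original writeup: it parses the two kmsg lines quoted above, keeps at each position a byte that some attempt did not report as incorrect, and lists positions that no attempt resolves. The function names and the regex are assumptions of this sketch.

```python
import re

# The two kmsg error lines quoted in the writeup above.
KMSG = [
    "Error: Invalid key 51782b4b765251314e32525236364978534d35566a6b72474b67303946483266, indices 9 21 31 incorrect",
    "Error: Invalid key 58782b4b765251314e51525235364978534d35566a6a72524b673039466c3265, indices 0 12 23 29 incorrect",
]

# Assumed line shape, taken from the two samples: hex key, then a space-separated index list.
LINE_RE = re.compile(r"Invalid key ([0-9a-fA-F]+), indices ((?:\d+\s+)+)incorrect")


def parse_attempt(line):
    """Return (key_bytes, set_of_bad_indices) for one kmsg error line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not a key-check line: {line!r}")
    key = bytes.fromhex(m.group(1))
    bad = {int(i) for i in m.group(2).split()}
    if any(i >= len(key) for i in bad):
        raise ValueError("reported index lies outside the key")
    return key, bad


def merge_attempts(lines):
    """Combine attempts: at each position take the byte no attempt flagged.

    Returns (merged_key, unresolved_positions). A position is unresolved when
    every attempt flagged it, or when unflagged attempts disagree on its value.
    """
    attempts = [parse_attempt(line) for line in lines]
    length = len(attempts[0][0])
    if any(len(key) != length for key, _ in attempts):
        raise ValueError("attempts have different key lengths")
    merged, unresolved = bytearray(length), []
    for pos in range(length):
        good = {key[pos] for key, bad in attempts if pos not in bad}
        if len(good) == 1:
            merged[pos] = good.pop()
        else:
            unresolved.append(pos)
    return bytes(merged), unresolved


if __name__ == "__main__":
    key, unresolved = merge_attempts(KMSG)
    print(key.decode("ascii"), "unresolved:", unresolved)
```
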