37 lines
No EOL
1 KiB
Markdown
37 lines
No EOL
1 KiB
Markdown
# Colonel - forensics
|
|
fridgebuyer
|
|
|
|
### vol
|
|
|
|
vol -f memory.dump linux.bash.Bash
|
|
vol -f memory.dump linux.kmsg.Kmsg
|
|
|
|
"insmod check_service.ko key_path=validation*"
|
|
|
|
### kmsg
|
|
|
|
Key 1 ```Error: Invalid key 51782b4b765251314e32525236364978534d35566a6b72474b67303946483266, indices 9 21 31 incorrect```
|
|
|
|
Key 2 ```Error: Invalid key 58782b4b765251314e51525235364978534d35566a6a72524b673039466c3265, indices 0 12 23 29 incorrect```
|
|
|
|
A kernel module check_service.ko was loaded twice with two different key files (validation, validation2). kmsg recorded both attempts.
|
|
|
|
### Decode hex to ASCII
|
|
swap incorrect indices between keys (Key 1 as a base
|
|
and replace its bad positions (9, 21, 31) with the correct chars
|
|
from Key 2)
|
|
|
|
-> Qx+KvRQ1NQRR66IxSM5VjjrGKg09FH2e
|
|
|
|
### Decrypt
|
|
IV - 1234567890123456, key - ASCII bytes
|
|
|
|
python3 -c "
|
|
from Crypto.Cipher import AES
|
|
key = b'Qx+KvRQ1NQRR66IxSM5VjjrGKg09FH2e'
|
|
iv = b'1234567890123456'
|
|
ct = open('flag.enc','rb').read()
|
|
print(AES.new(key,AES.MODE_CBC,iv).decrypt(ct))
|
|
"
|
|
|
|
**gigem{bl3ss3d_4r3_th3_c010n31_m33k}** |