The challenge is to work from a VirtualBox snapshot of a Linux system and read a file stored on an encrypted LUKS volume on the virtual machine.
First, we need to convert the virtual disk from .vdi format to raw format so that it can be mounted:
Now we can mount it:
In this particular case, there were two LVM logical volumes, home and root. The encrypted one was home. The logical volumes are found under /dev/vg/.
Next, we need to take a memory dump of the running machine in the saved state, to get the AES key used for LUKS encryption from main memory.
We can use aeskeyfind to find the master key:
After finding the key, we can decrypt the volume. Note that the master key needs to be supplied in hex format:
That’s it. You now have access to the unencrypted volume.
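
aeskeyfind can report more than one candidate key, and an AES-XTS volume key is two AES keys concatenated, so it helps to confirm which candidate is the master key before decrypting. The following is an added example, not part of the original write-up: it checks candidates against the master-key digest stored in the volume header. It assumes a LUKS1 header (the write-up does not state the LUKS version); the function names and the sample header are constructed for illustration.

```python
import hashlib
import hmac
import struct
from itertools import permutations

LUKS1_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header fields up to the UUID, big-endian, 208 bytes (assumes LUKS1).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")

def parse_luks1_header(raw):
    """Extract the fields needed to check a master-key candidate."""
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     mk_digest, salt, iterations, _uuid) = PHDR.unpack(raw[:PHDR.size])
    if magic != LUKS1_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii")
    return {"cipher": text(cipher) + "-" + text(mode), "hash": text(hash_spec),
            "payload_offset": payload_offset, "key_bytes": key_bytes,
            "mk_digest": mk_digest, "salt": salt, "iterations": iterations}

def find_master_key(header, candidates_hex):
    """Return the hex master key that matches the header digest, or None."""
    keys = [bytes.fromhex(h) for h in candidates_hex]
    # XTS uses two AES keys, so also try every ordered pair of candidates.
    trials = keys + [a + b for a, b in permutations(keys, 2)]
    for mk in trials:
        if len(mk) != header["key_bytes"]:
            continue
        digest = hashlib.pbkdf2_hmac(header["hash"], mk, header["salt"],
                                     header["iterations"], 20)
        if hmac.compare_digest(digest, header["mk_digest"]):
            return mk.hex()
    return None

def build_sample_header(master_key, iterations=1000):
    """Constructed header for the demo; not taken from the challenge image."""
    salt = hashlib.sha256(b"constructed salt").digest()
    digest = hashlib.pbkdf2_hmac("sha1", master_key, salt, iterations, 20)
    return PHDR.pack(LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096,
                     len(master_key), digest, salt, iterations, b"")

if __name__ == "__main__":
    # Constructed key halves standing in for two aeskeyfind results.
    half_a, half_b = bytes(range(32)), bytes(range(32, 64))
    # On a real image: raw = open("/dev/vg/home", "rb").read(PHDR.size)
    header = parse_luks1_header(build_sample_header(half_a + half_b))
    print(header["cipher"], header["key_bytes"] * 8, "bit")
    print(find_master_key(header, [half_b.hex(), half_a.hex()]))
```

The matching key is returned as a hex string, which is the form the decryption step expects.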