Oct 25, 2015 • c0mpute

Dr. Bob

The challenge consists of going through a VirtualBox snapshot of a Linux system and reading a file stored on an encrypted LUKS volume on the virtual machine. First, we need to convert the virtual disk from .vdi format to raw format to be able to mount it:

	VBoxManage clonehd --format RAW [filename].vdi disk.img

Now we can mount it:

	losetup /dev/loop0 disk.img
	kpartx -a /dev/loop0
	vgchange -ay vg

In this particular case, there were 2 LVM’s, home and root. The encrypted one was home. The LVM’s are found under /dev/vg/ Next, we need to take a memory dump of the running machine in the saved state, to get the AES key used for LUKS encryption from main memory.

	VBoxManage debugvm <uuid|vmname> dumpvmcore --filename memdump.elf

We can use aeskeyfind to find the master key:

	aeskeyfind memdump.elf

After finding the key, we can decrypt the volume. Note the master key needs to be supplied in hex format:

	echo <key> | xxd -r -p > masterkey
	cryptsetup luksOpen --master-key-file masterkey /dev/vg/home decrypted
	mount /dev/mapper/decrypted /mnt/decrypted

That’s it. You now have access to the unencrypted volume.