Oct 25, 2015 • c0mpute
Dr. Bob
The challenge consists of going through a VirtualBox snapshot of a Linux system and reading a file stored on an encrypted LUKS volume on the virtual machine. First, we need to convert the virtual disk from .vdi format to raw format to be able to mount it:
VBoxManage clonehd --format RAW [filename].vdi disk.img
Now we can mount it:
losetup /dev/loop0 disk.img
kpartx -a /dev/loop0
vgscan
vgchange -ay vg
In this particular case, there were two LVM logical volumes, home and root. The encrypted one was home. The logical volumes are found under /dev/vg/. Next, we need to take a memory dump of the machine in its saved state, to recover the AES key used for the LUKS encryption from main memory.
VBoxManage debugvm <uuid|vmname> dumpvmcore --filename memdump.elf
We can use aeskeyfind to find the master key:
aeskeyfind memdump.elf
After finding the key, we can decrypt the volume. aeskeyfind prints the key as hex, but cryptsetup's --master-key-file expects the raw key bytes, so convert it first:
echo <key> | xxd -r -p > masterkey
cryptsetup luksOpen --master-key-file masterkey /dev/vg/home decrypted
mount /dev/mapper/decrypted /mnt/decrypted
That’s it. You now have access to the unencrypted volume.
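Before handing a key to cryptsetup, an examiner will usually want to confirm which of aeskeyfind's candidates is actually the volume master key; LUKS1 stores a PBKDF2 digest of the master key in its header for exactly this purpose. The following Python is an added example, not part of the original write-up: it parses the LUKS1 header (the first 592 bytes of the volume, e.g. /dev/vg/home) and checks the hex key lines aeskeyfind prints against that digest; the header fixture, key and salt values are constructed for offline testing.

```python
import hashlib
import struct

# LUKS1 header layout (offsets from the LUKS1 on-disk format spec): 0 magic, 6 version,
# 8 cipher-name, 40 cipher-mode, 72 hash-spec, 108 key-bytes, 112 mk-digest (20 bytes),
# 132 mk-digest-salt (32 bytes), 164 mk-digest-iter, 208 key slots (8 x 48 bytes).
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_LEN = 592
MK_DIGEST_LEN = 20

def parse_luks1_header(hdr):
    """Extract the fields needed to check a candidate master key."""
    if hdr[:6] != LUKS_MAGIC or struct.unpack(">H", hdr[6:8])[0] != 1:
        raise ValueError("not a LUKS1 header")
    s = lambda b: b.rstrip(b"\0").decode("ascii")
    return {"cipher": s(hdr[8:40]) + "-" + s(hdr[40:72]),  # e.g. aes-xts-plain64
            "hash_spec": s(hdr[72:104]),                    # e.g. sha1, sha256
            "key_bytes": struct.unpack(">I", hdr[108:112])[0],
            "mk_digest": hdr[112:132], "mk_digest_salt": hdr[132:164],
            "mk_digest_iter": struct.unpack(">I", hdr[164:168])[0]}

def master_key_matches(f, candidate):
    """PBKDF2-HMAC-<hash>(candidate, salt, iter) must reproduce the stored digest."""
    if len(candidate) != f["key_bytes"]:
        return False
    d = hashlib.pbkdf2_hmac(f["hash_spec"], candidate, f["mk_digest_salt"],
                            f["mk_digest_iter"], dklen=MK_DIGEST_LEN)
    return d == f["mk_digest"]

def find_master_key(hdr, aeskeyfind_lines):
    """Return the volume master key among aeskeyfind's hex output lines, else None."""
    f = parse_luks1_header(hdr)
    keys = [bytes.fromhex(l) for l in (x.strip() for x in aeskeyfind_lines) if l]
    candidates = list(keys)
    if "xts" in f["cipher"]:   # XTS: master key = two AES keys, recovered separately
        candidates += [a + b for a in keys for b in keys if a != b]
    return next((c for c in candidates if master_key_matches(f, c)), None)

def build_test_header(master_key, salt, iters=1000, hash_spec="sha256",
                      cipher_name="aes", cipher_mode="xts-plain64"):
    """Constructed LUKS1 header for offline testing; not taken from any real volume."""
    h = bytearray(PHDR_LEN)
    h[0:6], h[6:8] = LUKS_MAGIC, struct.pack(">H", 1)
    h[8:8 + len(cipher_name)] = cipher_name.encode()
    h[40:40 + len(cipher_mode)] = cipher_mode.encode()
    h[72:72 + len(hash_spec)] = hash_spec.encode()
    h[108:112] = struct.pack(">I", len(master_key))
    h[112:132] = hashlib.pbkdf2_hmac(hash_spec, master_key, salt, iters, dklen=MK_DIGEST_LEN)
    h[132:164], h[164:168] = salt, struct.pack(">I", iters)
    return bytes(h)
```

On the real volume, pass open("/dev/vg/home", "rb").read(592) and the saved aeskeyfind output lines; a LUKS2 header uses a different layout and is rejected by the version check.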