zfs
```
Forensic : zfs

The Plague is using state of the art systems for storing his data. Our operatives managed to steal a drive from one of his servers, but it seems like our haste may have led to some uber-corruption. Can you get the data off the drive to track down The Plague?
```
First, I just searched for strings in this file, and I got some useful information.
```
zero@ubuntu:~/Desktop$ file disk
disk: data
zero@ubuntu:~/Desktop$ strings disk | grep key
not_the_key
not_the_key
xor_key
key.xor_encrypted
key3
not_the_key
not_the_key
xor_key
key.xor_encrypted
key3
6keyIy
+(Jkey
```
Maybe the key data is encrypted with XOR, and the XOR key is somewhere in the file (maybe near key.xor_encrypted).
Then we need to recover 'disk'. It would be easy to extract the key.xor_encrypted file and the XOR key from somewhere in the file...
But I couldn't find any recovery tools, so I just tried to extract the data by hand.
At offset 0x41ae00, there are 0x200 bytes of strange data!
So, let's write some Python to decrypt the selected XOR-encrypted data.
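```python
# Python 2 script (sol.py)
f = open("disk", "rb")
f.seek(0x41ae00)
data = f.read(0x200)  # the strange 0x200-byte block, used as the XOR key

# XOR two strings byte by byte
xor = lambda a, b : ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(a, b))

# XOR each of the next two 0x200-byte blocks with the key block
for i in xrange(2):
    d = xor(f.read(0x200), data)
    print "Try %s : " % (i+1), "\n", d
```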
After the decryption is done, we can see the output with the strings command.
```
zero@ubuntu:~/Desktop$ python sol.py
Try 1 :
......
Try 2 :
 _________________________
< ZFS_daTa_1s_s4f35t_d4t4 >
 -------------------------
\ /' )
\ /' ( ,
\ __/' ) .' `;
\ _.-~~~~' ``---..__ .' ;
_.--' b) ``--...____.' .'
( _. )). `-._ <
`\|\|\|\|)-.....___.- `-. __...--'-.'.
`---......____...---`.___.'----.....' `.;
```
The flag is ZFS_daTa_1s_s4f35t_d4t4
P.S.: I like that ASCII art.
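The manual step above (spotting the 0x200-byte key block by eye, then XORing the blocks after it) can be automated when carving a raw image. This is an added example, not code from the original post: it generalizes by testing every random-looking 512-byte sector as a key against the sectors that follow it, and the demo image, secret string, window size and thresholds are constructed assumptions.

```python
import random
import string

SECTOR = 0x200  # block size used in the write-up
PRINTABLE = set(string.printable.encode())

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def printable_ratio(buf):
    return sum(c in PRINTABLE for c in buf) / len(buf)

def looks_random(buf):
    # Key and ciphertext sectors use many byte values and are not text;
    # zero-filled or plain-text sectors are skipped.
    return len(set(buf)) > 128 and printable_ratio(buf) < 0.6

def find_xor_pairs(image, window=4, threshold=0.95):
    """Return (key_offset, data_offset, plaintext) for each random-looking
    sector that decrypts one of the next `window` sectors to printable text."""
    sectors = [image[i:i + SECTOR]
               for i in range(0, len(image) - SECTOR + 1, SECTOR)]
    hits = []
    for k, key in enumerate(sectors):
        if not looks_random(key):
            continue
        for d in range(k + 1, min(k + 1 + window, len(sectors))):
            if not looks_random(sectors[d]):
                continue
            plain = xor(sectors[d], key)
            if printable_ratio(plain) >= threshold:
                hits.append((k * SECTOR, d * SECTOR, plain))
    return hits

def build_demo_image():
    # Constructed sample: blank, blank, key, unrelated random sector,
    # XOR-encrypted text, blank. Not data from the challenge disk.
    rng = random.Random(2014)
    rand = lambda: bytes(rng.randrange(256) for _ in range(SECTOR))
    key, decoy = rand(), rand()
    secret = b"constructed_secret_not_the_real_flag\n".ljust(SECTOR, b" ")
    return bytes(SECTOR) * 2 + key + decoy + xor(secret, key) + bytes(SECTOR)

if __name__ == "__main__":
    for key_off, data_off, plain in find_xor_pairs(build_demo_image()):
        print("key @ %#x, data @ %#x: %r" % (key_off, data_off, plain[:40]))
```

On a real image, read the file in chunks and widen `window` if the key and ciphertext may be further apart; compressed data also looks random, so expect the printable-text threshold to do most of the filtering.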