[Plaid 2014] forensic : zfs
Zero Day, 2016. 8. 27. 16:17
First, I just searched for strings in this file to get some useful information:
zero@ubuntu:~/Desktop$ file disk
zero@ubuntu:~/Desktop$ strings disk | grep key
Maybe the key data is encrypted with XOR, and the XOR key is somewhere nearby (perhaps near key.xor_encrypted).
Then we need to recover 'disk'. It is easy to extract the key.xor_encrypted file and the XOR key from somewhere in the file...
But I couldn't find any recovery tool, so I just tried to extract the data by hand.
At offset 0x41ae00 there are 0x200 bytes of strange data!
So let's write some Python to decrypt the selected XOR-encrypted data.
f = open("disk", "rb")
f.seek(0x41ae00)                      # the 0x200-byte block noted above, used here as the XOR pad
data = f.read(0x200)
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))   # byte-wise XOR (Python 3)
for i in range(2):                    # try the pad against the next two 0x200-byte blocks
    d = xor(f.read(0x200), data)
    print("Try %s : " % (i + 1), "\n", d)
After the decryption is done, we can see the output with the strings command.
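The same idea, as an added example that is not part of the original write-up: locate the marker string the way `strings | grep key` did, treat the 0x200-byte block at a chosen offset as the XOR pad, try it against the following blocks, and keep the first result that looks like plaintext (a printable-byte ratio standing in for eyeballing `strings` output). The disk image, the marker offset and the plaintext are all constructed in the script so it runs offline; the real image, offset 0x41ae00 and the flag are not reproduced.

```python
import random
import re

BLOCK = 0x200  # the 0x200-byte block size the write-up works with
MARKER = b"key.xor_encrypted"
# Constructed placeholder plaintext; not the page's flag.
SAMPLE_PLAINTEXT = b"flag{CONSTRUCTED_placeholder_not_the_page_flag}\n"


def xor_blocks(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length buffers."""
    return bytes(x ^ y for x, y in zip(a, b))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace: a cheap
    'does this look like text' score, like checking `strings` output."""
    if not buf:
        return 0.0
    ok = sum(1 for c in buf if 32 <= c < 127 or c in b"\r\n\t")
    return ok / len(buf)


def find_marker_offsets(image: bytes, marker: bytes = MARKER) -> list:
    """Offsets of every occurrence of marker in the image (what strings|grep showed)."""
    return [m.start() for m in re.finditer(re.escape(marker), image)]


def recover_xor_block(image: bytes, pad_offset: int, tries: int = 2, threshold: float = 0.9):
    """Use the block at pad_offset as the XOR pad against the next `tries` blocks.
    Returns (block_number, plaintext) for the first block that looks printable,
    or None if nothing does (so a wrong pad guess is reported, not printed as junk)."""
    pad = image[pad_offset:pad_offset + BLOCK]
    if len(pad) < BLOCK:
        return None
    for i in range(tries):
        start = pad_offset + BLOCK * (i + 1)
        ct = image[start:start + BLOCK]
        if len(ct) < BLOCK:
            break
        pt = xor_blocks(ct, pad)
        if printable_ratio(pt) >= threshold:
            return i + 1, pt
    return None


def build_sample_image(seed: int = 1234):
    """Constructed disk image: zero filler, the marker string, a random pad block,
    one block of unrelated random data, then the plaintext XORed with the pad.
    Returns (image, pad_offset, plaintext)."""
    rnd = random.Random(seed)
    pad = bytes(rnd.getrandbits(8) for _ in range(BLOCK))
    noise = bytes(rnd.getrandbits(8) for _ in range(BLOCK))
    plaintext = SAMPLE_PLAINTEXT.ljust(BLOCK, b"\n")
    header = (b"\x00" * 0x400 + MARKER + b"\x00").ljust(0x600, b"\x00")
    pad_offset = 0x600  # constructed: pad block sits right after the header
    image = header + pad + noise + xor_blocks(plaintext, pad)
    return image, pad_offset, plaintext


if __name__ == "__main__":
    img, off, _ = build_sample_image()
    print("marker at:", [hex(o) for o in find_marker_offsets(img)])
    res = recover_xor_block(img, off)
    if res is None:
        print("no printable block found with that pad")
    else:
        print("recovered block %d:" % res[0], res[1].rstrip(b"\n").decode())
```

On the constructed image the marker is found at 0x400, the first block after the pad is noise (its XOR stays unprintable), and the second decrypts to the placeholder; against a real image you would pass the offset that `strings`/hex inspection pointed to instead of the constructed one.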
The flag is ZFS_daTa_1s_s4f35t_d4t4
P.S.: I like that ASCII art.