Tuesday, December 2, 2014

Kaizen - Forensics #1 (find hidden partition on USB drive image)


File: forensics-1.zip

Here's the text of the Forensics #1 challenge:

Joey wanted to send some pictures to Phreak on a USB drive. Before sending the drive, Joey deleted his Gzip'd backup of his etc folder that was stored on the drive. Show Joey that he should be more careful when deleting data by recovering Joey's dsa private key file from the imaged copy of the usb drive.

After first mounting the image and failing to see anything other than picture files, I broke out testdisk, a free and open-source data recovery tool.

After running testdisk usbbackup.img, the following screen pops up:



From here we hit enter to select the usbbackup.img disk, and we're asked to select the partition table type.



Following testdisk's hint of "None" partition type, I hit enter and am asked to select the partition:




Hitting enter again, we're asked if we want to rebuild the boot sector:




Hitting enter again, we can choose "List" to show the differences between the extrapolated boot sector and the current boot sector.




After selecting "List", we're shown a list of all recovered files and directories. Fortunately, it looks like etc.tar.gz is now present!




Untarring the tar.gz file gives us the /etc/ directory. Going to /etc/ssh/ gives us the recovered ssh keys!
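The same recovery can be scripted without testdisk, which makes the lesson of the challenge concrete: deleting a file removes its directory entry, not its bytes, so a carver that scans the raw image for the gzip magic bytes still finds the archive. The script below is an added example, not part of the original writeup or of testdisk; it builds its own toy image (zeroed sectors, a small tar.gz of an etc/ tree with a placeholder in place of a key, then picture-like filler), carves every complete gzip stream, and pulls out any tar member that looks like a private key. Function and file names are the example's own.

```python
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2, CM=deflate

# Constructed placeholder content for the example; this is NOT a real key.
FAKE_KEY = (b"-----BEGIN DSA PRIVATE KEY-----\n"
            b"PLACEHOLDER-NOT-A-REAL-KEY\n"
            b"-----END DSA PRIVATE KEY-----\n")


def build_test_image() -> bytes:
    """Construct a toy 'USB image': zeroed sectors, a gzip'd tar of an etc/
    tree, then picture-like filler. The tar.gz has no directory entry in any
    filesystem, which is exactly what a deleted file looks like to a carver."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("etc/ssh/ssh_host_dsa_key")
        info.size = len(FAKE_KEY)
        info.mode = 0o600
        tar.addfile(info, io.BytesIO(FAKE_KEY))
        hostname = b"joey-laptop\n"  # a second, uninteresting member
        info = tarfile.TarInfo("etc/hostname")
        info.size = len(hostname)
        tar.addfile(info, io.BytesIO(hostname))
    return b"\x00" * 4096 + buf.getvalue() + b"\xff\xd8JPEG-filler" * 300


def carve_gzip_streams(image: bytes):
    """Yield (offset, decompressed bytes) for every complete gzip stream found
    by scanning for the magic bytes. Offsets that merely look like a header
    fail inside zlib, or never reach a trailer, and are skipped."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 = expect gzip wrapper
        try:
            out = d.decompress(image[pos:])
            if d.eof:  # only accept streams that end with a valid gzip trailer
                yield pos, out
        except zlib.error:
            pass
        pos = image.find(GZIP_MAGIC, pos + 1)


def key_files_in_tar(tar_bytes: bytes, marker: bytes = b"PRIVATE KEY") -> dict:
    """Return {member name: contents} for regular files containing marker."""
    hits = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    data = tar.extractfile(m).read()
                    if marker in data:
                        hits[m.name] = data
    except tarfile.TarError:
        pass  # decompressed fine but the payload is not a tar archive
    return hits


def recover_keys(image: bytes) -> dict:
    """Carve every gzip stream in the image and collect key-like tar members
    as {member name: (image offset, contents)}."""
    found = {}
    for offset, payload in carve_gzip_streams(image):
        for name, data in key_files_in_tar(payload).items():
            found[name] = (offset, data)
    return found


if __name__ == "__main__":
    img = build_test_image()
    for name, (off, data) in recover_keys(img).items():
        print(f"{name} carved from offset {off:#x}:")
        print(data.decode())
```

To run it against a real image, read the file into bytes and pass it to recover_keys; for anything larger than memory, scan a read-only copy in chunks that overlap by a few bytes so a magic sequence straddling a boundary is not missed. The design point is that the carver never consults the filesystem at all, which is why neither deleting the file nor the lack of a partition table in the image hides the data.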

In ssh_host_dsa_key, we see the following:

-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQDH2y+gcskLzub7MFN1gBncrmZrG4mU/ePWRrUjMSZdSmUUOhdy
eWr98MY8bPIArjnuaqNPeRVp7tXzaLBE7hn8BE7me7qRWp8ha1anGVOrkVz2wQzF
xeCX0INGunRUNh4XBNTO2Tf9QO99jttMPsmUl/jkkO+rftvnWf/bJnrN/h864Wcd
ygkw7io                                                 AXLaiQeR
49BbkYI The Flag is: 8555199cf63b179586e603c5b237bc90   UwIVAMaE
N2nwwJL                                                 oKi4tznM
wgm+Z+UCgYBlofxeIzHWCEZkc7Zh0nZXA3e7snpUN5M42N5Klf/b44DUNgNT6cZq
7OmKnLAdyGlATtpXWenMCWyS4Y5Pi3O91VRu9LGe/QlL16vjtYyO6soO/YMVlJP5
d3dPoSN/JXs00LuX3sNUbkxPRPQoei+RIml72+uHlBYOqvMVqZOboAIUbNqzb2ec
bMmD8sCeLoiAkefjieI=
-----END DSA PRIVATE KEY-----


We're done!

