Investigation Academy - Administration

Challenge statement

This workstation administers a remote server over SSH using key-based authentication (the key is passphrase-protected). The public key was used to encrypt the attached message (flag.txt.enc).

Find and reconstruct the key in memory that will let you decrypt this message.

dmp.tar.gz

Step 1 - Looking for a key with Volatility

We need to find an RSA private key in memory, so let's go, with Volatility.

After testing and checking absolutely every existing Volatility plugin, I find no trace of an RSA key in this dump.

All I have is a glimpse of the key's existence via strings:

onosh@kali:/home/onosh/FCSC/FORENSIC/volatility# strings ../dmp/dmp.mem |grep -inH --color 'id_rsa'
(standard input):1078026:Enter passphrase for key '/home/Lesage/.ssh/id_rsa': 
(standard input):1788358:Enter passphrase for key '/home/Lesage/.ssh/id_rsa': 
(standard input):2191305:h/id_rsa
(standard input):2441815:/id_rsa'
(standard input):3498355:Enter passphrase for key '/home/Lesage/.ssh/id_rsa':

And what if Volatility wasn't enough?

Step 2 - RSAKEYFIND

Searching good old Google, I come across a tool, rsakeyfind. It is in the Debian repositories, the name is rather appealing, and on top of that it takes a memory dump as input...

Wow, magic, it finds us two keys.

onosh@kali:/home/onosh/FCSC/FORENSIC# rsakeyfind dmp/dmp.mem 
FOUND PRIVATE KEY AT c64ac50
version = 
00 
modulus = 
00 d7 1e 77 82 8c 92 31 e7 69 02 a2 d5 5c 78 de 
a2 0c 8f fe 28 59 31 df 40 9c 60 61 06 b9 2f 62 
40 80 76 cb 67 4a b5 59 56 69 17 07 fa f9 4c bd 
6c 37 7a 46 7d 70 a7 67 22 b3 4d 7a 94 c3 ba 4b 
7c 4b a9 32 7c b7 38 95 45 64 a4 05 a8 9f 12 7c 
4e c6 c8 2d 40 06 30 f4 60 a6 91 bb 9b ca 04 79 
11 13 75 f0 ae d3 51 89 c5 74 b9 aa 3f b6 83 e4 
78 6b cd f9 5c 4c 85 ea 52 3b 51 93 fc 14 6b 33 
5d 30 70 fa 50 1b 1b 38 81 13 8d f7 a5 0c c0 8e 
f9 63 52 18 4e a9 f9 f8 5c 5d cd 7a 0d d4 8e 7b 
ee 91 7b ad 7d b4 92 d5 ab 16 3b 0a 8a ce 8e de 
47 1a 17 01 86 7b ab 99 f1 4b 0c 3a 0d 82 47 c1 
91 8c bb 2e 22 9e 49 63 6e 02 c1 c9 3a 9b a5 22 
1b 07 95 d6 10 02 50 fd fd d1 9b be ab c2 c0 74 
d7 ec 00 fb 11 71 cb 7a dc 81 79 9f 86 68 46 63 
82 4d b7 f1 e6 16 6f 42 63 f4 94 a0 ca 33 cc 75 
13 
publicExponent = 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 
privateExponent = 
62 b5 60 31 4f 3f 66 16 c1 60 ac 47 2a ff 6b 69 
00 4a b2 5c e1 50 b9 18 74 a8 e4 dc a8 ec cd 30 
bb c1 c6 e3 c6 ac 20 2a 3e 5e 8b 12 e6 82 08 09 
38 0b ab 7c b3 cc 9c ce 97 67 dd ef 95 40 4e 92 
e2 44 e9 1d c1 14 fd a9 b1 dc 71 9c 46 21 bd 58 
88 6e 22 15 56 c1 ef e0 c9 8d e5 80 3e da 7e 93 
0f 52 f6 f5 c1 91 90 9e 42 49 4f 8d 9c ba 38 83 
e9 33 c2 50 4f ec c2 f0 a8 b7 6e 28 25 56 6b 62 
67 fe 08 f1 56 e5 6f 0e 99 f1 e5 95 7b ef eb 0a 
2c 92 97 57 23 33 36 07 dd fb ae f1 b1 d8 33 b7 
96 71 42 36 c5 a4 a9 19 4b 1b 52 4c 50 69 91 f0 
0e fa 80 37 4b b5 d0 2f b7 44 0d d4 f8 39 8d ab 
71 67 59 05 88 3d eb 48 48 33 88 4e fe f8 27 1b 
d6 55 60 5e 48 b7 6d 9a a8 37 f9 7a de 1b cd 5d 
1a 30 d4 e9 9e 5b 3c 15 f8 9c 1f da d1 86 48 55 
ce 83 ee 8e 51 c7 de 32 12 47 7d 46 b8 35 df 41 
prime1 = 
00 
prime2 = 
00 
exponent1 = 
00 
exponent2 = 
00 
coefficient = 
00 

FOUND PRIVATE KEY AT 1084c490
version = 
00 
modulus = 
00 d7 1e 77 82 8c 92 31 e7 69 02 a2 d5 5c 78 de 
a2 0c 8f fe 28 59 31 df 40 9c 60 61 06 b9 2f 62 
40 80 76 cb 67 4a b5 59 56 69 17 07 fa f9 4c bd 
6c 37 7a 46 7d 70 a7 67 22 b3 4d 7a 94 c3 ba 4b 
7c 4b a9 32 7c b7 38 95 45 64 a4 05 a8 9f 12 7c 
4e c6 c8 2d 40 06 30 f4 60 a6 91 bb 9b ca 04 79 
11 13 75 f0 ae d3 51 89 c5 74 b9 aa 3f b6 83 e4 
78 6b cd f9 5c 4c 85 ea 52 3b 51 93 fc 14 6b 33 
5d 30 70 fa 50 1b 1b 38 81 13 8d f7 a5 0c c0 8e 
f9 63 52 18 4e a9 f9 f8 5c 5d cd 7a 0d d4 8e 7b 
ee 91 7b ad 7d b4 92 d5 ab 16 3b 0a 8a ce 8e de 
47 1a 17 01 86 7b ab 99 f1 4b 0c 3a 0d 82 47 c1 
91 8c bb 2e 22 9e 49 63 6e 02 c1 c9 3a 9b a5 22 
1b 07 95 d6 10 02 50 fd fd d1 9b be ab c2 c0 74 
d7 ec 00 fb 11 71 cb 7a dc 81 79 9f 86 68 46 63 
82 4d b7 f1 e6 16 6f 42 63 f4 94 a0 ca 33 cc 75 
13 
publicExponent = 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 
privateExponent = 
62 b5 60 31 4f 3f 66 16 c1 60 ac 47 2a ff 6b 69 
00 4a b2 5c e1 50 b9 18 74 a8 e4 dc a8 ec cd 30 
bb c1 c6 e3 c6 ac 20 2a 3e 5e 8b 12 e6 82 08 09 
38 0b ab 7c b3 cc 9c ce 97 67 dd ef 95 40 4e 92 
e2 44 e9 1d c1 14 fd a9 b1 dc 71 9c 46 21 bd 58 
88 6e 22 15 56 c1 ef e0 c9 8d e5 80 3e da 7e 93 
0f 52 f6 f5 c1 91 90 9e 42 49 4f 8d 9c ba 38 83 
e9 33 c2 50 4f ec c2 f0 a8 b7 6e 28 25 56 6b 62 
67 fe 08 f1 56 e5 6f 0e 99 f1 e5 95 7b ef eb 0a 
2c 92 97 57 23 33 36 07 dd fb ae f1 b1 d8 33 b7 
96 71 42 36 c5 a4 a9 19 4b 1b 52 4c 50 69 91 f0 
0e fa 80 37 4b b5 d0 2f b7 44 0d d4 f8 39 8d ab 
71 67 59 05 88 3d eb 48 48 33 88 4e fe f8 27 1b 
d6 55 60 5e 48 b7 6d 9a a8 37 f9 7a de 1b cd 5d 
1a 30 d4 e9 9e 5b 3c 15 f8 9c 1f da d1 86 48 55 
ce 83 ee 8e 51 c7 de 32 12 47 7d 46 b8 35 df 41 
prime1 = 
00 
prime2 = 
00 
exponent1 = 
00 
exponent2 = 
00 
coefficient = 
00 

The first one doesn't work, so I try the second with this little script (Python 3, pycryptodome):

from Crypto.PublicKey import RSA  # pycryptodome

# Hex values copied from the rsakeyfind output above; the leading 00 byte of the
# modulus is harmless to int(). rsakeyfind only recovered n, e and d (prime1,
# prime2, exponent1, exponent2 and coefficient are empty).
modulus = '00d71e77828c9231e76902a2d55c78dea20c8ffe285931df409c606106b92f62408076cb674ab55956691707faf94cbd6c377a467d70a76722b34d7a94c3ba4b7c4ba9327cb738954564a405a89f127c4ec6c82d400630f460a691bb9bca0479111375f0aed35189c574b9aa3fb683e4786bcdf95c4c85ea523b5193fc146b335d3070fa501b1b3881138df7a50cc08ef96352184ea9f9f85c5dcd7a0dd48e7bee917bad7db492d5ab163b0a8ace8ede471a1701867bab99f14b0c3a0d8247c1918cbb2e229e49636e02c1c93a9ba5221b0795d6100250fdfdd19bbeabc2c074d7ec00fb1171cb7adc81799f86684663824db7f1e6166f4263f494a0ca33cc7513'

publicExponent = '10001'

# privateExponent bytes from the rsakeyfind output, concatenated as one hex string
privateExponent = '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'

modulus_int = int(modulus, 16)
publicExponent_int = int(publicExponent, 16)
privateExponent_int = int(privateExponent, 16)

# With only (n, e, d), RSA.construct recovers p and q itself so that a full
# private key (with CRT parameters) can be exported.
private_key = RSA.construct((modulus_int, publicExponent_int, privateExponent_int))

pem_key = private_key.export_key('PEM')
print(pem_key.decode())

It kindly spits out a private key:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
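The rsakeyfind output gives only n, e and d (prime1, prime2, exponent1, exponent2 and coefficient are all empty), so before a full PEM can be written, p and q have to be recovered from (n, e, d), which is what RSA.construct does internally. The following is an added example, not the author's script: it performs that recovery on a constructed toy key (primes and exponent chosen here, not the challenge key), rebuilds the CRT parameters, and includes the round-trip consistency check that tells a candidate (n, e, d) triple from memory apart from a corrupted one, i.e. why one of two found keys can "not work".

```python
from math import gcd

# Constructed sample key, NOT the challenge key: two known primes and e = 65537.
P_SAMPLE = 1000000007
Q_SAMPLE = 998244353
E_SAMPLE = 65537


def make_sample_key(p=P_SAMPLE, q=Q_SAMPLE, e=E_SAMPLE):
    """Return (n, e, d), i.e. exactly what rsakeyfind reported for the dump."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, e, d


def key_is_consistent(n, e, d, probe=2):
    """Sanity check on a recovered triple: encrypt then decrypt must round-trip."""
    return pow(pow(probe, e, n), d, n) == probe


def recover_factors(n, e, d, max_bases=100):
    """Recover (p, q) from (n, e, d). e*d - 1 is a multiple of lambda(n), so
    g^((e*d-1)/2^i) mod n is a non-trivial square root of 1 for some i, and
    gcd(x - 1, n) then splits n. Small deterministic bases keep this reproducible."""
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    for g in range(2, 2 + max_bases):
        x = pow(g, k, n)
        for _ in range(t):
            if x == 1:
                break  # this base only gives trivial roots; try the next one
            y = pow(x, 2, n)
            if y == 1 and x != n - 1:
                p = gcd(x - 1, n)
                q = n // p
                return (p, q) if p < q else (q, p)
            x = y
    raise ValueError("factor recovery failed")


def crt_params(n, e, d):
    """Rebuild the fields rsakeyfind left empty: p, q, dp, dq and qinv."""
    p, q = recover_factors(n, e, d)
    return {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}
```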

I try to decrypt the file with the key found:

onosh@kali:/home/onosh/FCSC/FORENSIC/rsakeyfind-master# openssl rsautl -decrypt -inkey THEKEY.txt -in flag.txt.enc -out flag.txt && cat flag.txt
FCSC{ac5cad66114d4866a4b55e43cb8896cc4947855241b5af8d2f8a123c36083d98}
