# Académie de l'investigation - Administration

### Challenge statement

This workstation is used to administer a remote server over SSH with key-based authentication (the key is protected by a passphrase). The public key was used to encrypt the attached message (flag.txt.enc).

Find and reconstruct the key in memory that will allow you to decrypt this message.

[dmp.tar.gz](https://drive.google.com/file/d/1MAMwyRsKcsdZi34AFF1zeVcO955YSHDW/view?usp=sharing)

### Step 1 - Looking for a key with volatility

We need to find an RSA private key in memory, so let's get started, with volatility.

After testing and checking absolutely every existing volatility plugin, I find no trace of an RSA key in this dump.

I only get a glimpse of the key's existence with strings:

```
onosh@kali:/home/onosh/FCSC/FORENSIC/volatility# strings ../dmp/dmp.mem |grep -inH --color 'id_rsa'
(standard input):1078026:Enter passphrase for key '/home/Lesage/.ssh/id_rsa': 
(standard input):1788358:Enter passphrase for key '/home/Lesage/.ssh/id_rsa': 
(standard input):2191305:h/id_rsa
(standard input):2441815:/id_rsa'
(standard input):3498355:Enter passphrase for key '/home/Lesage/.ssh/id_rsa':
```

What if volatility isn't enough?

### Step 2 - RSAKEYFIND

Searching on good old Google, I come across a tool, rsakeyfind. It is available in the Debian repositories, the name is rather appealing, and on top of that it takes a memory dump as input...

Wow, magic: it finds two keys for us.

```
onosh@kali:/home/onosh/FCSC/FORENSIC# rsakeyfind dmp/dmp.mem 
FOUND PRIVATE KEY AT c64ac50
version = 
00 
modulus = 
00 d7 1e 77 82 8c 92 31 e7 69 02 a2 d5 5c 78 de 
a2 0c 8f fe 28 59 31 df 40 9c 60 61 06 b9 2f 62 
40 80 76 cb 67 4a b5 59 56 69 17 07 fa f9 4c bd 
6c 37 7a 46 7d 70 a7 67 22 b3 4d 7a 94 c3 ba 4b 
7c 4b a9 32 7c b7 38 95 45 64 a4 05 a8 9f 12 7c 
4e c6 c8 2d 40 06 30 f4 60 a6 91 bb 9b ca 04 79 
11 13 75 f0 ae d3 51 89 c5 74 b9 aa 3f b6 83 e4 
78 6b cd f9 5c 4c 85 ea 52 3b 51 93 fc 14 6b 33 
5d 30 70 fa 50 1b 1b 38 81 13 8d f7 a5 0c c0 8e 
f9 63 52 18 4e a9 f9 f8 5c 5d cd 7a 0d d4 8e 7b 
ee 91 7b ad 7d b4 92 d5 ab 16 3b 0a 8a ce 8e de 
47 1a 17 01 86 7b ab 99 f1 4b 0c 3a 0d 82 47 c1 
91 8c bb 2e 22 9e 49 63 6e 02 c1 c9 3a 9b a5 22 
1b 07 95 d6 10 02 50 fd fd d1 9b be ab c2 c0 74 
d7 ec 00 fb 11 71 cb 7a dc 81 79 9f 86 68 46 63 
82 4d b7 f1 e6 16 6f 42 63 f4 94 a0 ca 33 cc 75 
13 
publicExponent = 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 
privateExponent = 
62 b5 60 31 4f 3f 66 16 c1 60 ac 47 2a ff 6b 69 
00 4a b2 5c e1 50 b9 18 74 a8 e4 dc a8 ec cd 30 
bb c1 c6 e3 c6 ac 20 2a 3e 5e 8b 12 e6 82 08 09 
38 0b ab 7c b3 cc 9c ce 97 67 dd ef 95 40 4e 92 
e2 44 e9 1d c1 14 fd a9 b1 dc 71 9c 46 21 bd 58 
88 6e 22 15 56 c1 ef e0 c9 8d e5 80 3e da 7e 93 
0f 52 f6 f5 c1 91 90 9e 42 49 4f 8d 9c ba 38 83 
e9 33 c2 50 4f ec c2 f0 a8 b7 6e 28 25 56 6b 62 
67 fe 08 f1 56 e5 6f 0e 99 f1 e5 95 7b ef eb 0a 
2c 92 97 57 23 33 36 07 dd fb ae f1 b1 d8 33 b7 
96 71 42 36 c5 a4 a9 19 4b 1b 52 4c 50 69 91 f0 
0e fa 80 37 4b b5 d0 2f b7 44 0d d4 f8 39 8d ab 
71 67 59 05 88 3d eb 48 48 33 88 4e fe f8 27 1b 
d6 55 60 5e 48 b7 6d 9a a8 37 f9 7a de 1b cd 5d 
1a 30 d4 e9 9e 5b 3c 15 f8 9c 1f da d1 86 48 55 
ce 83 ee 8e 51 c7 de 32 12 47 7d 46 b8 35 df 41 
prime1 = 
00 
prime2 = 
00 
exponent1 = 
00 
exponent2 = 
00 
coefficient = 
00 

FOUND PRIVATE KEY AT 1084c490
version = 
00 
modulus = 
00 d7 1e 77 82 8c 92 31 e7 69 02 a2 d5 5c 78 de 
a2 0c 8f fe 28 59 31 df 40 9c 60 61 06 b9 2f 62 
40 80 76 cb 67 4a b5 59 56 69 17 07 fa f9 4c bd 
6c 37 7a 46 7d 70 a7 67 22 b3 4d 7a 94 c3 ba 4b 
7c 4b a9 32 7c b7 38 95 45 64 a4 05 a8 9f 12 7c 
4e c6 c8 2d 40 06 30 f4 60 a6 91 bb 9b ca 04 79 
11 13 75 f0 ae d3 51 89 c5 74 b9 aa 3f b6 83 e4 
78 6b cd f9 5c 4c 85 ea 52 3b 51 93 fc 14 6b 33 
5d 30 70 fa 50 1b 1b 38 81 13 8d f7 a5 0c c0 8e 
f9 63 52 18 4e a9 f9 f8 5c 5d cd 7a 0d d4 8e 7b 
ee 91 7b ad 7d b4 92 d5 ab 16 3b 0a 8a ce 8e de 
47 1a 17 01 86 7b ab 99 f1 4b 0c 3a 0d 82 47 c1 
91 8c bb 2e 22 9e 49 63 6e 02 c1 c9 3a 9b a5 22 
1b 07 95 d6 10 02 50 fd fd d1 9b be ab c2 c0 74 
d7 ec 00 fb 11 71 cb 7a dc 81 79 9f 86 68 46 63 
82 4d b7 f1 e6 16 6f 42 63 f4 94 a0 ca 33 cc 75 
13 
publicExponent = 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 
privateExponent = 
62 b5 60 31 4f 3f 66 16 c1 60 ac 47 2a ff 6b 69 
00 4a b2 5c e1 50 b9 18 74 a8 e4 dc a8 ec cd 30 
bb c1 c6 e3 c6 ac 20 2a 3e 5e 8b 12 e6 82 08 09 
38 0b ab 7c b3 cc 9c ce 97 67 dd ef 95 40 4e 92 
e2 44 e9 1d c1 14 fd a9 b1 dc 71 9c 46 21 bd 58 
88 6e 22 15 56 c1 ef e0 c9 8d e5 80 3e da 7e 93 
0f 52 f6 f5 c1 91 90 9e 42 49 4f 8d 9c ba 38 83 
e9 33 c2 50 4f ec c2 f0 a8 b7 6e 28 25 56 6b 62 
67 fe 08 f1 56 e5 6f 0e 99 f1 e5 95 7b ef eb 0a 
2c 92 97 57 23 33 36 07 dd fb ae f1 b1 d8 33 b7 
96 71 42 36 c5 a4 a9 19 4b 1b 52 4c 50 69 91 f0 
0e fa 80 37 4b b5 d0 2f b7 44 0d d4 f8 39 8d ab 
71 67 59 05 88 3d eb 48 48 33 88 4e fe f8 27 1b 
d6 55 60 5e 48 b7 6d 9a a8 37 f9 7a de 1b cd 5d 
1a 30 d4 e9 9e 5b 3c 15 f8 9c 1f da d1 86 48 55 
ce 83 ee 8e 51 c7 de 32 12 47 7d 46 b8 35 df 41 
prime1 = 
00 
prime2 = 
00 
exponent1 = 
00 
exponent2 = 
00 
coefficient = 
00 
```

The first one doesn't work, so I try the second with this little script:

```
# Python 3 with PyCryptodome (pip install pycryptodome)
from Crypto.PublicKey import RSA

# Hex values copied from the rsakeyfind output above
modulus = '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'

publicExponent = '10001'

privateExponent = '62b560314f3f6616c160ac472aff6b69004ab25ce150b91874a8e4dca8eccd30bbc1c6e3c6ac202a3e5e8b12e6820809380bab7cb3cc9cce9767ddef95404e92e244e91dc114fda9b1dc719c4621bd58886e221556c1efe0c98de5803eda7e930f52f6f5c191909e42494f8d9cba3883e933c2504fecc2f0a8b76e2825566b6267fe08f156e56f0e99f1e5957befeb0a2c92975723333607ddfbaef1b1d833b796714236c5a4a9194b1b524c506991f00efa80374bb5d02fb7440dd4f8398dab71675905883deb484833884efef8271bd655605e48b76d9aa837f97ade1bcd5d1a30d4e99e5b3c15f89c1fdad1864855ce83ee8e51c7de3212477d46b835df41'

# Python 2's long() no longer exists; int() parses arbitrarily large hex values
modulus_int = int(modulus, 16)
publicExponent_int = int(publicExponent, 16)
privateExponent_int = int(privateExponent, 16)

# RSA.construct recovers p and q from (n, e, d) and checks the triple is consistent
private_key = RSA.construct((modulus_int, publicExponent_int, privateExponent_int))

pem_key = private_key.export_key('PEM')
print(pem_key.decode())
```

It kindly outputs a private key:

```
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
```

I try to decrypt the file with the recovered key:

```
onosh@kali:/home/onosh/FCSC/FORENSIC/rsakeyfind-master# openssl rsautl -decrypt -inkey THEKEY.txt -in flag.txt.enc -out flag.txt && cat flag.txt
FCSC{ac5cad66114d4866a4b55e43cb8896cc4947855241b5af8d2f8a123c36083d98}
```
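To show what the reconstruction step above actually does without relying on a crypto library, here is an added example (not the author's script) that parses rsakeyfind-style output, checks that the (n, e, d) triple is consistent by recovering p and q from it, and writes a PKCS#1 PEM that OpenSSL can read. The function names (`parse_rsakeyfind`, `check_and_complete`, `to_pem`) and the toy key in `SAMPLE_DUMP` are constructed for this example; the field layout of `SAMPLE_DUMP` mirrors the rsakeyfind output shown above, so real output can be fed to the same parser.

```python
import base64
import re
import textwrap
from math import gcd
from random import randrange

# Constructed rsakeyfind-style output for a toy key (p=53, q=61, n=3233, e=17, d=2753).
# Real rsakeyfind output uses the same field layout with 2048-bit values.
SAMPLE_DUMP = """FOUND PRIVATE KEY AT 1234abcd
version =
00
modulus =
0c a1
publicExponent =
00 00 11
privateExponent =
0a c1
prime1 =
00
"""


def parse_rsakeyfind(text):
    """Return a list of (offset, {field: int}); hex bytes under each 'name =' line are joined."""
    keys = []
    for block in re.split(r"^FOUND PRIVATE KEY AT ", text, flags=re.M)[1:]:
        lines = block.splitlines()
        offset = int(lines[0].strip(), 16)
        fields, current = {}, None
        for line in lines[1:]:
            m = re.match(r"^\s*(\w+)\s*=\s*$", line)
            if m:
                current = m.group(1)
                fields[current] = []
            elif current and line.strip():
                fields[current].extend(line.split())
        keys.append((offset, {k: int("".join(v), 16) if v else 0 for k, v in fields.items()}))
    return keys


def factor_from_private_exponent(n, e, d, tries=100):
    """Recover (p, q) from (n, e, d): write e*d-1 = 2^s * t and look for a
    non-trivial square root of 1 among g^t, g^2t, ... ; None if nothing is found."""
    k = e * d - 1
    if k <= 0 or k % 2:
        return None
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(tries):
        g = randrange(2, n - 1)
        if gcd(g, n) != 1:                      # g already shares a factor with n
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                          # x*x == 1 with x != +-1 splits n
                if x != n - 1:
                    p = gcd(x - 1, n)
                    return tuple(sorted((p, n // p)))
                break
            x = y
    return None


def check_and_complete(n, e, d):
    """Return the full key dict (with CRT parameters) or None if (n, e, d) is inconsistent."""
    pq = factor_from_private_exponent(n, e, d)
    if pq is None or pq[0] * pq[1] != n:
        return None
    p, q = pq
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d - 1) % lam:                       # d must be e's inverse mod lambda(n)
        return None
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def roundtrip_ok(key, m=42):
    """Sanity check: encrypt with e, decrypt with d, expect the same message."""
    return pow(pow(m, key["e"], key["n"]), key["d"], key["n"]) == m


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                             # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def to_pem(key):
    """Encode as PKCS#1 RSAPrivateKey (version 0) in PEM with 64-character base64 lines."""
    fields = (0, key["n"], key["e"], key["d"], key["p"], key["q"], key["dp"], key["dq"], key["qinv"])
    body = b"".join(_der_int(v) for v in fields)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    for offset, f in parse_rsakeyfind(SAMPLE_DUMP):
        key = check_and_complete(f["modulus"], f["publicExponent"], f["privateExponent"])
        print(f"key at {offset:#x}:", "inconsistent (n, e, d)" if key is None else to_pem(key))
```

Replace `SAMPLE_DUMP` with the text rsakeyfind printed and the same flow applies: a candidate whose `(n, e, d)` does not pass `check_and_complete` is a false positive or a damaged page, which is exactly the kind of candidate to discard before trying `openssl rsautl -decrypt`. The page's own script gets the same consistency check for free, since `RSA.construct` recovers p and q internally and refuses an inconsistent triple.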


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.onosh.ovh/ctf/france-cybersecurity-challenge/academie-de-linvestigation-administration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
