Ordiphone0

Forensic, 42 points

Description

A new apprentice has just taken a memory capture but forgot to note the date at which it was started.

To validate this first step, you must find the date at which the process that performed the capture was launched. The flag is in the format FCSC{sha256(date)}, with the date in the format YYYY-MM-DD HH:MM in UTC.

lime.dump.7z (180M) : https://files.france-cybersecurity-challenge.fr/dl/android/lime.dump.7z

SHA256(lime.dump) = 21575c12bcb8d67e6ca269bac6c3d360847b16922f2f44b0b360790862afe46d.

Solution

At first, I noticed lime in the file name, which made me think directly of LiME, as in Linux Memory Extractor (https://github.com/504ensicsLabs/LiME). I guessed then that it was a Linux memory dump. Let's get more information about it:

$ strings lime.dump | grep -i "linux version" | uniq

Kernel: Linux version 3.18.91+ (android-build@wphr1.hot.corp.google.com) (gcc version 4.9 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jan 9 20:30:51 UTC 2018
Linux version 4.4.124+ (forensics@fcsc2021) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #3 SMP PREEMPT Sun Mar 21 19:15:33 CET 2021
Could not get linux version: %s
Kernel: Linux version 3.18.91+ (android-build@wphr1.hot.corp.google.com) (gcc version 4.9 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jan 9 20:30:51 UTC 2018
Linux version 4.4.124+ (forensics@fcsc2021) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #3 SMP PREEMPT Sun Mar 21 19:15:33 CET 2021

Even though I had no experience at all with Android memory forensics, I considered it similar to a Linux memory forensics case. According to this article https://resources.infosecinstitute.com/topic/obtaining-information-dumping-memory/ and with my digital forensics knowledge, I searched for insmod entries, since insmod is the command used to load the LiME kernel module that dumps Linux memory. I guessed the command line could be found in the lime.dump file, just as it could be recovered on a Linux case with, for instance, the linux_bash command in volatility. For this reason, I pulled out strings again:

$ strings lime.dump | grep "insmod"

insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
[...]

Our guess was right, insmod is indeed used with LiME. Let's print 5 lines before and after every match, maybe I will get something interesting:

$ strings lime.dump | grep 'insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"' -B 5 -A 5

p33larudsb0jrflbmr90l6ikdbb4lcdaym7k5s3a6u28rx8sut7kp1347h6c4v78
mkdir /sdcard/very_secret
mount /dev/mapper/secrets /sdcard/very_secret
cd /sdcard/very_secret
sh script.sh
insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
audit(1616526782.263:7186): avc:  denied  { write } for  pid=1849 comm="system_server" name="timerslack_ns" dev="proc" ino=32400 scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=file permissive=0ive=0
Using -iter or -pbkdf2 would be better.
generic_x86_64:/sdcard/very_secret # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
[...]

The first matches are quite interesting: I have the shell history, a weird string on the first line, an audit entry with a timestamp, and two matches for our grep. We assume this timestamp fits, as I only need to be accurate to the minute to flag. Moreover, it is just before or after the memory extraction and, within our grep context, there is no other audit entry, hence no other timestamp.

We might have a chance there, let's go: I go on https://www.epochconverter.com/, submit 1616526782.263 and get Tuesday 23 March 2021 19:13:02.263 (UTC), which gives 2021-03-23 19:13 as a potential date for the flag. We apply sha256 to it, add our FCSC{} wrapper, and submit our flag: FCSC{b7dc08558ee16d1acbf54db67263c1d92e9a9d9603e6a1345550c825527adc06}.

Turns out, I flagged!
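The same steps in script form, as an added example that is not part of the original writeup: it parses the kernel audit timestamp (audit(<epoch>.<ms>:<serial>)) out of the grep context shown above, formats it as the challenge requires (UTC, minute precision) and builds the FCSC{sha256(date)} flag. The SAMPLE_STRINGS input is constructed from the lines above; the function names are my own.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample: a few of the lines pulled out of lime.dump with strings/grep above
SAMPLE_STRINGS = """\
sh script.sh
insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
audit(1616526782.263:7186): avc:  denied  { write } for  pid=1849 comm="system_server" name="timerslack_ns"
Using -iter or -pbkdf2 would be better.
generic_x86_64:/sdcard/very_secret # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
"""

# Kernel audit records carry a wall-clock timestamp: audit(<epoch seconds>.<milliseconds>:<serial>)
AUDIT_RE = re.compile(r"audit\((\d+)\.(\d{3}):(\d+)\)")


def audit_timestamps(text):
    """Return (epoch_seconds, serial) for every audit record found in text, in order."""
    return [(int(sec), int(serial)) for sec, _ms, serial in AUDIT_RE.findall(text)]


def flag_date(epoch_seconds):
    """Format an epoch timestamp the way the challenge wants it: YYYY-MM-DD HH:MM in UTC."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


def make_flag(date_str):
    """Wrap sha256(date) in FCSC{...} as the challenge statement requires."""
    return "FCSC{" + hashlib.sha256(date_str.encode()).hexdigest() + "}"


def solve(text):
    """Use the audit record found in the insmod context (there is only one) to build the flag."""
    stamps = audit_timestamps(text)
    if not stamps:
        raise ValueError("no audit record found near the insmod command")
    epoch, _serial = stamps[0]
    date_str = flag_date(epoch)
    return date_str, make_flag(date_str)


if __name__ == "__main__":
    date_str, flag = solve(SAMPLE_STRINGS)
    print(date_str)
    print(flag)
```

The flag it prints should match the one submitted above; the UTC conversion matters because the kernel banner in the dump shows a CET build host, and a local-time conversion would be off by an hour.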
