Description
As a result of the previously reported intrusion, Antarctic Vault initiated a procedure to clean up the attacker’s tracks.
We suspect that this was not sufficient and that the attacker became angry. Indeed, we have lost access to the node. Unfortunately, we do not have a team on site (unlike the attacker), and the next boat will take about two months to reach the node. We absolutely need to get our hands on this safe.
During the previous attack, we dumped the filesystem, removing sensitive data (logs, secrets, etc.). Besides, while looking at the network traces captured by our Wi-Fi access point, we noticed some unusual frames. We think that the memory image from the first part, the partial filesystem and this capture will allow you to give us back control of our equipment, all without travelling.
We count on you!
Notes:
- A generous anonymous benefactor has provided a profile for Volatility2. The patch applied to the profile generator is included; it has been adapted to match the Linux version in use.
- Since Volatility2 does not work on the most recent Linux kernels, additional patches to the profile generator will be needed.
This challenge has been split into two parts:
Files
- out.lime.xz (36.71 MiB) – 70c4afc26a1f18ee89132b7c16ff9203a5c82e36a02c21844fe661e83a10283b
- capture2.pcap (848 B) – bbf3afc9a1db9d9fb464aa0192f469d97ea4bd09d8e414c8ad249d587fe12ca8
- out.tar.xz (252.06 MiB) – 753b6d772983944715abd3d7b24ae5483e2b1e2fe4f4fdd034827868fce1ff3e
- RPiOSFCSC2022.zip (959.89 KiB) – f259eeae0c298ed073dbacc8ce03e8ddcc99444fea349ea0f135204fee208092
- volatility2.patch (6.51 KiB) – b4bdf41d91a7effd4354c2a9ed932af16375c6539c97cf5aa59d457b99ec04cc