Ordiphone 0
Resolution
The start time can be found in the audit log by looking for the loading of the kernel module, grepping the dump for insmod:
strings lime.dump | grep -i "audit" | grep -i "insmod"
type=1400 audit(1616526815.693:11968): avc: denied { module_load } for pid=4752 comm="insmod" path="/storage/emulated/0/lime.ko" dev="sdcardfs" ino=57349 scontext=u:r:su:s0 tcontext=u:object_r:sdcardfs:s0 tclass=system permissive=1
We convert the epoch timestamp 1616526815 to a human-readable date with epochconverter: 2021-03-23 19:13
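The same extraction and conversion as a script, added here as an example and not part of the original write-up: it parses AVC audit records from strings output, keeps the module_load events for insmod, drops the duplicates a memory dump usually contains, and converts the epoch to UTC. SAMPLE is constructed from the record quoted above plus made-up noise lines; the function and field names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the record quoted in the write-up (twice, as duplicates
# are common in memory dumps) plus two made-up noise lines.
RECORD = ('type=1400 audit(1616526815.693:11968): avc: denied { module_load } '
          'for pid=4752 comm="insmod" path="/storage/emulated/0/lime.ko" '
          'dev="sdcardfs" ino=57349 scontext=u:r:su:s0 '
          'tcontext=u:object_r:sdcardfs:s0 tclass=system permissive=1')
SAMPLE = "\n".join([
    RECORD,
    "\x01junk" + RECORD,  # same record with leading garbage
    'type=1400 audit(1616526700.120:11890): avc: denied { read } for pid=4601 '
    'comm="ls" path="/data" tclass=dir permissive=1',
    "insmod /storage/emulated/0/lime.ko",
])

# audit(<seconds>.<milliseconds>:<serial>): avc: <verdict> { <perms> } <fields>
AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\): avc:\s+\w+\s+\{([^}]*)\}(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def module_loads(text, comm="insmod"):
    """Return unique module_load AVC records issued by `comm`, oldest first."""
    seen, events = set(), []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)  # search(): tolerate junk before the record
        if not m:
            continue
        secs, millis, serial, perms, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        if "module_load" not in perms.split() or fields.get("comm") != comm:
            continue
        if (secs, millis, serial) in seen:  # identical copy elsewhere in the dump
            continue
        seen.add((secs, millis, serial))
        events.append({
            "utc": datetime.fromtimestamp(int(secs), tz=timezone.utc),
            "serial": int(serial),
            "pid": fields.get("pid"),
            "path": fields.get("path"),
        })
    return sorted(events, key=lambda e: e["utc"])

if __name__ == "__main__":
    for e in module_loads(SAMPLE):
        print(e["utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), e["pid"], e["path"])
```

On a real dump, feed it the output of strings lime.dump instead of SAMPLE.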
Flag
FCSC{b7dc08558ee16d1acbf54db67263c1d92e9a9d9603e6a1345550c825527adc06}