Writeup by naacbin for Ordiphone 2

forensics memory android

November 7, 2023

Ordiphone 2

Resolution

After unzipping sdcard.zip we find a file named secrets, which `file` identifies as a LUKS encrypted volume:

secrets: LUKS encrypted file, ver 2 [, , sha256] UUID: 26040e95-2800-4129-be0f-4879b4579f22

We also have a memory dump, so if the volume was still open when the dump was taken, its AES master key should be present in RAM and can be recovered with a tool like findaes, which scans memory for expanded AES key schedules. Running it yields 6 different 256-bit keys, so we try to open the LUKS volume with each of them:

echo "d59cd96303c84041e11f083c5eaefd737eda32362853762ff314380297fdb779" | xxd -r -p > key1
echo "4c23303dc0cf28229979e25b08aab22550f463c94281f3c19ff5914ef54b5ec6" | xxd -r -p > key2
echo "d004723b9319dd084ca8bb8b9619b067b27ca802cc201b1723c357142d003d82" | xxd -r -p > key3
echo "9a6429e9045226def1be293dbe8d385fea08f1636ef0e5a1dc3178e884b2be2f" | xxd -r -p > key4
echo "8f51b80fc7d58913a342ddda460c6f6e951b79bc18524aa8ba101326624fdc3d" | xxd -r -p > key5
echo "fd0090fe95927256ee94bd26adb2a3beaf0f0a7e492a215ef1f35c0fc83cf846" | xxd -r -p > key6
cryptsetup luksOpen secrets secret --master-key-file key3
mount /dev/mapper/secret /mnt/mountpoint

The third key turns out to be the correct one, and we mount the LUKS volume. It contains a flag.enc file and the following script.sh, which shows how flag.enc was produced:

aleatoire=$(cat /dev/urandom | head | xxd -p -l 30 | tr -d " ")
echo $aleatoire > /dev/kmsg
aleatoirebis="$aleatoire$(pidof adbd | tr -d ' ')$(pidof vold | tr -d ' ')$(pidof logd | tr -d ' ')"
echo $aleatoirebis | /data/data/com.termux/files/usr/bin/openssl aes-256-cbc -in flag -out flag.enc -pass stdin
/data/data/com.termux/files/usr/bin/shred flag
rm flag#

The script echoes its random value to /dev/kmsg and then appends the PIDs of adbd, vold and logd to build the OpenSSL passphrase, so both pieces should be recoverable from the memory dump. We use the linux_dmesg Volatility plugin to read the kernel log and linux_pslist to get the PIDs of the three processes (PIDs are only meaningful within one boot, so this works only if the dump comes from the same session in which the script ran).

$ volatility --profile=LinuxGolfishx64 -f ./lime.dump linux_dmesg
[63788233965.63] 387e8985bd75be1b922eddaadde934e70465424ab4b0c3da98763c094432

$ volatility --profile=LinuxGolfishx64 -f ./lime.dump linux_pslist
0xffff8800481192c0 logd                 1529            1               1036            1036   0x00000000482fb000 0
0xffff880047c4a580 vold                 1539            1               0               0      0x00000000483f8000 0
0xffff8800480e0000 adbd                 1581            1               2000            2000   0x0000000048223000 0

Concatenating the output of both Volatility plugins, the 60-character hex value followed by the PIDs of adbd, vold and logd in the order the script uses, gives the passphrase, and we can decrypt the flag:

$ openssl aes-256-cbc -d -in flag.enc -pass pass:"387e8985bd75be1b922eddaadde934e70465424ab4b0c3da98763c094432158115391529" -out flag.png 2>/dev/null
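
The passphrase reconstruction above can be automated so that the ordering of the PIDs (which must follow script.sh, not the pslist order) is not done by hand. The following Python script is an added example and not part of the original writeup: it parses the two Volatility outputs quoted above (embedded here as constructed sample strings copied from the writeup), extracts the 30-byte hex token written to /dev/kmsg, picks the PIDs of adbd, vold and logd from the linux_pslist rows, and assembles the passphrase in the script's order. The final openssl command is only built as an argument list, not executed, so the script runs without the dump or flag.enc.

```python
import re

# Constructed sample inputs: the linux_dmesg and linux_pslist output quoted in the writeup.
DMESG_OUTPUT = "[63788233965.63] 387e8985bd75be1b922eddaadde934e70465424ab4b0c3da98763c094432\n"

PSLIST_OUTPUT = """\
0xffff8800481192c0 logd                 1529            1               1036            1036   0x00000000482fb000 0
0xffff880047c4a580 vold                 1539            1               0               0      0x00000000483f8000 0
0xffff8800480e0000 adbd                 1581            1               2000            2000   0x0000000048223000 0
"""

# Order in which script.sh appends the PIDs to the random token.
PID_ORDER = ("adbd", "vold", "logd")


def extract_random_token(dmesg: str) -> str:
    """Return the value script.sh echoed to /dev/kmsg.

    `xxd -p -l 30` prints 30 bytes as exactly 60 lowercase hex characters,
    so we look for a 60-char hex run at the end of a kernel log line.
    """
    for line in dmesg.splitlines():
        m = re.search(r"\]\s*([0-9a-f]{60})\s*$", line)
        if m:
            return m.group(1)
    raise ValueError("no 30-byte hex token found in dmesg output")


def parse_pids(pslist: str) -> dict:
    """Map process name -> PID from linux_pslist rows (offset, name, pid, ppid, ...)."""
    pids = {}
    for line in pslist.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("0x"):
            continue  # skip headers or unrelated lines
        name, pid = fields[1], fields[2]
        if pid.isdigit():
            pids[name] = pid
    return pids


def build_passphrase(dmesg: str, pslist: str) -> str:
    """Rebuild $aleatoirebis: random token + pid(adbd) + pid(vold) + pid(logd)."""
    token = extract_random_token(dmesg)
    pids = parse_pids(pslist)
    missing = [name for name in PID_ORDER if name not in pids]
    if missing:
        raise KeyError(f"processes not found in pslist output: {missing}")
    return token + "".join(pids[name] for name in PID_ORDER)


def openssl_decrypt_command(passphrase: str, enc="flag.enc", out="flag.png") -> list:
    """Argument list for the decryption step (built, not executed, in this example)."""
    return ["openssl", "aes-256-cbc", "-d", "-in", enc,
            "-pass", f"pass:{passphrase}", "-out", out]


if __name__ == "__main__":
    pw = build_passphrase(DMESG_OUTPUT, PSLIST_OUTPUT)
    print(pw)
    print(" ".join(openssl_decrypt_command(pw)))
```

The script deliberately indexes the PIDs by name rather than trusting the row order of linux_pslist, because pslist lists processes by task offset (here logd, vold, adbd) while script.sh concatenates them as adbd, vold, logd; mixing the two orders produces a wrong passphrase with no error from openssl other than a garbage output file.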

Flag

FCSC{ba5dc3f62c971c212133bb45b76084732c86936b76a026dc89c7b34fd3df29ae}