Tags: zfs
plaidctf forensic 400 - quick writeup - by alanh0 @ VXRL
1. use a tool like "UFS Explorer Pro" to recover "disk"
2. the first file you find is "not_the_key"; well, it's not the key, so dig deeper.
3. use the tool "UFS Explorer Pro" to recover the "disk" file; there's a folder containing "key.xor_encrypted" and "xor_key"
4. going by the self-explanatory file names, try XORing these two files
5. python code:
---------------------------
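def get_bytes_from_file(filename):
    # read the whole file as raw bytes
    with open(filename, "rb") as f:
        return f.read()

encByte = get_bytes_from_file('key.xor_encrypted')
keyByte = get_bytes_from_file('xor_key')
# XOR the key against the last len(keyByte) bytes of the encrypted file
# (Python 3: iterating over bytes yields ints, so no ord()/chr() is needed)
s = bytes(c1 ^ c2 for c1, c2 in zip(encByte[-len(keyByte):], keyByte))
print(s.decode('latin-1'))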
---------------------------
6. got the shark :)
< ZFS_daTa_1s_s4f35t_d4t4 >
the detailed writeup with screenshots / hex analysis approach will be provided soon
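
added example (not part of the original writeup): the script in step 5 assumes the key lines up with the tail of the encrypted file. This sketch goes beyond that case by sliding the key over every offset and keeping only the alignments that decode to printable ASCII; the function names and the sample key, secret and padding are constructed for illustration.

```python
import string

# bytes accepted as readable text: printable ASCII minus vertical tab / form feed
PRINTABLE = set(string.printable.encode()) - {0x0b, 0x0c}


def xor_at(data, key, offset):
    """XOR key against the len(key)-byte window of data starting at offset."""
    window = data[offset:offset + len(key)]
    return bytes(a ^ b for a, b in zip(window, key))


def printable_offsets(data, key):
    """Return [(offset, plaintext)] for each alignment that decodes to printable ASCII."""
    if not key:
        raise ValueError("empty key")
    hits = []
    # range() is empty when the key is longer than the data, so no hits are reported
    for offset in range(len(data) - len(key) + 1):
        plaintext = xor_at(data, key, offset)
        if all(c in PRINTABLE for c in plaintext):
            hits.append((offset, plaintext))
    return hits


# constructed sample data (not taken from the challenge image)
SAMPLE_KEY = bytes(range(0x80, 0x90))          # 16 constructed key bytes
SAMPLE_SECRET = b"constructed_flag"            # 16-byte constructed plaintext
SAMPLE_DATA = bytes(32) + bytes(a ^ b for a, b in zip(SAMPLE_SECRET, SAMPLE_KEY))

if __name__ == "__main__":
    for offset, plaintext in printable_offsets(SAMPLE_DATA, SAMPLE_KEY):
        print(offset, plaintext.decode("ascii"))
```

to run it on the recovered files, read "key.xor_encrypted" and "xor_key" as bytes and pass them as data and key.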