![grub4dos boot vmdk grub4dos boot vmdk](https://rmprepusb.com/rmprep/how-to-boot-from-usb-under-vmware-server/5b7946ddf39595b0ab5d025952b7b548.jpg)
#GRUB4DOS BOOT VMDK WINDOWS 10#
They gave me a Windows 10 and a Kali vmware virtual machines. Under /dev/mapper, we now have the whole disk and two LVM volumes virtual–rpi–vg-root and the associated swap.I have to work with VMWare images often, so I would like them to be run in Qubes.
#GRUB4DOS BOOT VMDK PASSWORD#
Otherwise we manually run cryptsetup to decrypt it with the password we already have: cryptsetup open /dev/loop0 challdisk In Gnome we get an automatic prompt asking for the password. We mount it as a loop device: losetup /dev/loop0 disk.raw -o $((501760 * 512)) Its start offset is 501760 and we take into account that the sector size is of 512 bytes. We suppose that the root partition is the last one. It worked, however the technique explained previously is more straightforward. So we decided to replace its hash in the grub.cfg by one we generated for a known password. We start the VM, type the encryption password and directly obtain a root shell:Īctually, during the challenge, we took another path: we tried to add the init parameter in the Grub prompt (by typing ‘e’ when selecting the OS to boot), however Grub was protected by a password. Now, in VirtualBox, we just have to change the VMDK in the VM settings under the Storage menu: remove the “connected_missile-disk1.vmdk” disk, add a new disk from existing file and select the new “disk.vmdk” file. VBoxManage convertfromraw -format vmdk disk.raw disk.vmdk We unmount the partition and convert back the raw image to a VMDK file: umount ~/disk.raw We analyze the grub configuration in /grub/grub.cfg and change it to add “init=/bin/bash” at the end of the kernel line (“linux /vmlinuz-3.16.0-4-586…”).
![grub4dos boot vmdk grub4dos boot vmdk](https://i2.wp.com/itremont.info/images/VirtualBox/Virtual-Machine-USB-Boot/Screenshot_15.png)
The /boot partition is not encrypted so we can directly browse it and confirm that we have indeed the /boot partition. We mount it with this command: mount -o loop,offset=$((2048*512)) disk.raw /media It starts at offset 2048 and we see that the sector size is of 512 bytes, so its start is at 2048*512 bytes. The first partition is small so we suppose it is the /boot partition. There is a well-known technique to elevate our privileges on Linux by changing the boot options to add a parameter to the kernel to replace the init program by a shell (e.g. Sector size (logical/physical): 512 bytes / 512 bytes Then we use fdisk to see how the drive is partitioned: # fdisk -l disk.rawĭisk disk.raw: 4 GiB, 4294967296 bytes, 8388608 sectors We convert the VMDK to the raw format (same format as for disk images obtained with the dd command) with the VBoxManage command (from VirtualBox): VBoxManage clonehd -format RAW connected_missile-disk1.vmdk disk.raw vmdk files (hard-drive image): tar -xvf connected_missile.ova The disk is encrypted but we know the password, so we can try to extract it and mount it, or we can simply try to obtain a root shell through a well-known trick.įirst, we can simply extract the OVA with the following command to obtain an. Nuit du Hack 2017 – CTF Challenge Writeup – Part 2.Nuit du Hack 2017 – CTF Challenge Writeup – Part 1.We encourage you to read the author’s writeup to discover the proper way to solve this whole challenge: We know that the flags are certainly stored in the VM so we decide to directly attack its drive instead of trying to use the webapp as the challenge author envisioned. Once started, we cannot login because we do not have any credential, however a webapp and the SSH service are exported and usable. We can boot the VM: the drive is encrypted but the password is given.
#GRUB4DOS BOOT VMDK DOWNLOAD#
We thank them for this interesting challenge and for the wonderful prize: a 3D-printer that is already sitting in our office!įor the last step of the challenge, we download an OVA file which is an exported virtual machine that can be imported, e.g. This technique is not new nor very clever, but it was still a fun bypass that interested many people so here are our explanations.ĭuring the Nuit du Hack XV conference, we participated and won the challenge organized by Wavestone: our booth neighbours. Tl dr: we bypassed several steps of a challenge, based on a virtual machine, by directly extracting, decrypting and mounting its disk instead of abusing its network services.