
Inaccessible Backup


🧠 Challenge Text

Hi, emergency troubleshooter,

One of our servers couldn’t withstand the surge of pure energy and burst into bright flames. It is backed up, but no one knows where and how the backups are stored. We only have a memory dump from an earlier investigation available. Find our backups as quickly as possible.

Stay grounded!

🔍 Hints Text

1. Hint: The server was running on Debian 12 Bookworm.

🎨 Solution

Check the type of the dump file:

$ file ~/inaccessible_backup.dump 

~/inaccessible_backup.dump: QEMU suspend to disk image

Next, identify the underlying OS distribution using tools such as strings, together with the hint. The findings:

  1. https://packages.debian.org/bookworm/amd64/linux-image-6.1.0-38-amd64/download (Debian image)
  2. https://packages.debian.org/bookworm/amd64/linux-image-6.1.0-38-amd64-dbg/download (Debian image with symbols)
  3. The backup is sent to bkp@backup.powergrid.tcc via rsync
  4. The bkp user uses the SSH key /root/.ssh/backup_key

Extract the deb package into the ~/vmlinux-38 folder:

dpkg-deb -x linux-image-6.1.0-38-amd64-dbg_6.1.147-1_amd64.deb ~/vmlinux-38

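We can use the volatility3 tool to restore the file system, using the OS image with symbols. First build dwarf2json and convert the debug kernel image into a symbol file for volatility3: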

sudo apt-get install -y golang git
git clone https://github.com/volatilityfoundation/dwarf2json
cd dwarf2json && go build -o dwarf2json

~/dwarf2json/dwarf2json linux --elf ~/vmlinux-38/usr/lib/debug/boot/vmlinux-6.1.0-38-amd64 > ~/linux-image-6.1.0-38-amd64-dbg.json

mkdir -p ~/symbols/linux
cp ~/linux-image-6.1.0-38-amd64-dbg.json ~/symbols/linux/linux-image-6.1.0-38-amd64-dbg.json

Check the files in the page cache:

vol -f ~/inaccessible_backup.dump -s ~/symbols/ linux.pagecache.Files > pagecache_files

0x8c0c1cba4000  /       8:1     135262  0x8c0c029ca1c0  REG     1       1       -rw-------      2025-09-03 12:39:01.164000 UTC      2025-09-03 12:22:11.770582 UTC  2025-09-03 12:37:04.122393 UTC  /root/.ssh/backup_key   419

SuperblockAddr  MountPoint  Device  InodeNum    InodeAddr   FileType    InodePages  CachedPages FileMode    AccessTime  ModificationTime    ChangeTime  FilePath    InodeSize   Recovered FileSize

0x8c0c1cba4000  /   8:1 135262  0x8c0c029ca1c0  REG 1   1   -rw-------  2025-09-03 12:39:01.164000 UTC  2025-09-03 12:22:11.770582 UTC  2025-09-03 12:37:04.122393 UTC  /root/.ssh/backup_key   419 419
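
To triage the listing saved in pagecache_files, the following added example (not part of the original write-up) filters it for credential-like regular files and marks those whose pages are all resident in the page cache. It assumes volatility3's default tab-separated text output; `triage`, `SENSITIVE` and the sample rows other than backup_key are constructed here, and reading CachedPages >= InodePages as "fully recoverable" is an assumption.

```python
import re

# Column order as printed in the header row on this page.
COLUMNS = ["SuperblockAddr", "MountPoint", "Device", "InodeNum", "InodeAddr",
           "FileType", "InodePages", "CachedPages", "FileMode", "AccessTime",
           "ModificationTime", "ChangeTime", "FilePath", "InodeSize"]

# Assumption: path patterns to triage first; adjust for the case at hand.
SENSITIVE = re.compile(r"/\.ssh(/|$)|/etc/shadow$|\.(pem|key)$|/\.bash_history$")

def triage(listing):
    """Return sensitive regular files from a tab-separated Files listing."""
    hits = []
    for line in listing.splitlines():
        row = [c.strip() for c in line.split("\t")]
        # Banner, progress and header lines do not start with an address.
        if len(row) < len(COLUMNS) or not row[0].startswith("0x"):
            continue
        rec = dict(zip(COLUMNS, row))
        if rec["FileType"] != "REG" or not SENSITIVE.search(rec["FilePath"]):
            continue
        total, cached = int(rec["InodePages"]), int(rec["CachedPages"])
        hits.append({
            "path": rec["FilePath"],
            "mode": rec["FileMode"],
            "size": int(rec["InodeSize"]),
            # All pages resident: the whole file can be rebuilt from the dump.
            "complete": total > 0 and cached >= total,
        })
    return hits

# Constructed sample: first data row is from this page, the other two are invented.
T = "2025-09-03 12:00:00.000000 UTC"
ROWS = [
    COLUMNS,
    ["0x8c0c1cba4000", "/", "8:1", "135262", "0x8c0c029ca1c0", "REG", "1", "1",
     "-rw-------", "2025-09-03 12:39:01.164000 UTC",
     "2025-09-03 12:22:11.770582 UTC", "2025-09-03 12:37:04.122393 UTC",
     "/root/.ssh/backup_key", "419"],
    ["0x8c0c1cba4000", "/", "8:1", "135260", "0x8c0c029c0000", "DIR", "1", "0",
     "drwx------", T, T, T, "/root/.ssh", "4096"],
    ["0x8c0c1cba4000", "/", "8:1", "2001", "0x8c0c029c1000", "REG", "3", "1",
     "-rw-------", T, T, T, "/root/.bash_history", "9100"],
]
SAMPLE = "\n".join("\t".join(r) for r in ROWS)

if __name__ == "__main__":
    for h in triage(SAMPLE):
        print(h["path"], h["mode"], h["size"], "complete" if h["complete"] else "partial")
```

For the real listing, pass the contents of pagecache_files to `triage` instead of `SAMPLE`.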

We can recover the file system using the symbols and volatility3 to retrieve backup_key:

SYM=~/symbols
IMG=~/inaccessible_backup.dump
OUTDIR=~/output
mkdir -p "$OUTDIR"

vol -f "$IMG" -s "$SYM" -o "$OUTDIR" linux.pagecache.RecoverFs

Log in to the backup server as the bkp user with the recovered SSH key backup_key:

$ ssh -i ~/output/recovered_fs/recovered_fs/42fbcf78-cbbe-4966-a7ef-9a982001a7e0/root/.ssh/backup_key bkp@backup.powergrid.tcc
FLAG{VDg1-MfVg-LsJI-NOS4}