We'll cover how to mount a VMDK containing multiple partitions, taken from a NetScaler VM, to support analysis relating to CVE-2023-3519.
In a real case the VMDK would be the single disk of a compromised system. For this walkthrough we're just using the VMDK from the installer archive provided by Citrix: we've set up a test VM from that same VMDK, run through the initial setup (IP address, netmask, gateway, etc.) and the system is operational.
This also assumes you have a single flat VMDK rather than a snapshot (delta) disk. If the VM has snapshots, consolidate them first so that the merged disk is what you examine; a delta VMDK on its own does not contain the full filesystem.
$ guestfish -a NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: ‘help’ for help on commands
‘man’ to read the manual
‘quit’ to quit the shell
><fs> run
100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
><fs>
We'll first try to list the identified filesystems. libguestfs' UFS support is patchy, so it's not a given that the FreeBSD partitions will be recognised.
><fs> list-filesystems
libguestfs: error: list_filesystems: sfdisk exited with status 1: sfdisk: /dev/sda: partition 5: partition table contains only 4 partitions
The failure is not a UFS problem as such. libguestfs uses sfdisk to enumerate the MBR partition table, and the FreeBSD slice carries a BSD disklabel whose sub-partitions the appliance kernel exposes as partition 5 and upwards; sfdisk refuses a disk that has more partition nodes than MBR entries, so list-filesystems gives up before it gets as far as probing filesystem types.
This is what the same VMDK looks like in FTK Imager.
This maps to the following disk size information from the NetScaler console itself:
Regarding our VMDK, we'll be interested in the following:
/dev/md0 (the memory-backed root filesystem, /; it is built in RAM at boot, so it only exists on a running system and is not present in the VMDK)
/dev/da0s1a (mounted as /flash)
/dev/da0s1e (mounted as /var, which is where the web server and log data of interest for CVE-2023-3519 live)
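If libguestfs cannot enumerate the BSD sub-partitions, the fallback is to compute their byte offsets yourself and hand them to mount(8) or dd. The script below is an added example, not part of the original post or of any Citrix tooling. It assumes the VMDK has first been converted to a raw image (for instance with qemu-img convert -O raw), walks the MBR for FreeBSD (0xA5) slices, parses the BSD disklabel in sector 1 of each slice using the field layout of FreeBSD's struct disklabel, and prints a read-only loop mount line per UFS partition using the same da0s1a / da0s1e naming the console shows. It also handles the two offset conventions found in the wild (slice-relative offsets from modern bsdlabel, absolute offsets from older labels) the way FreeBSD's geom_bsd does. The build_sample_image helper is a constructed test image (partition tables only, no filesystem data, made-up sizes) so the script runs offline; pass a real raw image path to use it for analysis.

```python
#!/usr/bin/env python3
"""Locate UFS partitions inside a raw FreeBSD/NetScaler disk image (added example)."""
import io
import struct
import sys

SECTOR = 512
MBR_TABLE = 446                 # offset of the four 16-byte MBR entries
FREEBSD_SLICE = 0xA5            # MBR partition type for a FreeBSD slice
DISKLABEL_MAGIC = 0x82564557    # d_magic of struct disklabel
LABEL_PARTS = 148               # offset of d_partitions[] inside the label
FS_SWAP, FS_BSDFFS = 1, 7       # p_fstype values we care about


def parse_mbr(sector0):
    """Return the MBR entries as (type, first_lba, sector_count), in table order."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    entries = []
    for i in range(4):
        base = MBR_TABLE + 16 * i
        first, count = struct.unpack_from("<II", sector0, base + 8)
        entries.append((sector0[base + 4], first, count))
    return entries


def parse_disklabel(label, slice_start):
    """Return (letter, fstype, absolute_start_sector, size_sectors) for used partitions.

    geom_bsd's rule for the stored p_offset values: if any used partition starts
    before the slice, the offsets are slice-relative, otherwise they are absolute.
    """
    magic, = struct.unpack_from("<I", label, 0)
    if magic != DISKLABEL_MAGIC:
        raise ValueError("bad disklabel magic 0x%08x" % magic)
    nparts, = struct.unpack_from("<H", label, 138)          # d_npartitions
    raw = []
    for i in range(nparts):
        size, off, _fsize, fstype, _frag, _cpg = struct.unpack_from(
            "<IIIBBH", label, LABEL_PARTS + 16 * i)
        if size:
            raw.append((chr(ord("a") + i), fstype, off, size))
    rawoffset = slice_start if all(off >= slice_start for _, _, off, _ in raw) else 0
    return [(letter, fstype, slice_start + off - rawoffset, size)
            for letter, fstype, off, size in raw]


def find_bsd_partitions(fobj, disk="da0"):
    """Enumerate every partition inside every FreeBSD slice of an open raw image."""
    fobj.seek(0)
    found = []
    for n, (ptype, first, count) in enumerate(parse_mbr(fobj.read(SECTOR)), start=1):
        if ptype != FREEBSD_SLICE or count == 0:
            continue
        fobj.seek((first + 1) * SECTOR)          # the label lives in sector 1 of the slice
        for letter, fstype, start, size in parse_disklabel(fobj.read(SECTOR), first):
            if letter == "c":                    # 'c' spans the whole slice, not a filesystem
                continue
            found.append({"name": "%ss%d%s" % (disk, n, letter),
                          "fstype": {FS_BSDFFS: "ufs", FS_SWAP: "swap"}.get(fstype, "type%d" % fstype),
                          "offset": start * SECTOR, "length": size * SECTOR})
    return found


def mount_commands(parts, image, root="/mnt"):
    """Read-only loop mounts for the UFS partitions (FreeBSD UFS2 needs ufstype=ufs2 on Linux)."""
    return ["mount -t ufs -o ro,loop,ufstype=ufs2,offset=%d,sizelimit=%d %s %s/%s"
            % (p["offset"], p["length"], image, root, p["name"])
            for p in parts if p["fstype"] == "ufs"]


def build_sample_image(absolute_offsets=False):
    """Constructed test image: one 0xA5 slice at LBA 63 holding a (UFS), b (swap), c, e (UFS).
    Only the MBR and disklabel are populated; sizes are made up and there is no filesystem data."""
    slice_start, slice_size = 63, 4096
    img = bytearray(SECTOR * (slice_start + 2))
    struct.pack_into("<B3sB3sII", img, MBR_TABLE, 0x80, b"\0\0\0", FREEBSD_SLICE,
                     b"\0\0\0", slice_start, slice_size)
    img[510:512] = b"\x55\xaa"
    lab = (slice_start + 1) * SECTOR
    struct.pack_into("<I", img, lab, DISKLABEL_MAGIC)
    struct.pack_into("<H", img, lab + 138, 8)                # d_npartitions
    base = slice_start if absolute_offsets else 0
    table = {0: (1024, 16, FS_BSDFFS), 1: (512, 1040, FS_SWAP),   # a, b
             2: (slice_size, 0, 0), 4: (2048, 1552, FS_BSDFFS)}    # c, e
    for i, (size, off, fstype) in table.items():
        struct.pack_into("<IIIBBH", img, lab + LABEL_PARTS + 16 * i,
                         size, off + base, 2048, fstype, 8, 0)
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # raw image, e.g. from qemu-img convert -O raw
        with open(sys.argv[1], "rb") as f:
            parts, image = find_bsd_partitions(f), sys.argv[1]
    else:
        parts, image = find_bsd_partitions(build_sample_image()), "sample.raw"
    for p in parts:
        print("%-8s %-6s offset=%d length=%d" % (p["name"], p["fstype"], p["offset"], p["length"]))
    print("\n".join(mount_commands(parts, image)))
```

The mount lines need a Linux kernel with the ufs module (Debian and Ubuntu ship it, RHEL-family kernels do not), and Linux only supports UFS2 read-only, which is what you want for evidence anyway. If you would rather keep working in FTK Imager or guestfish, the same offset and length values can be fed to dd (bs=512, skip=offset/512, count=length/512) to carve each partition into its own image.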
Side note: If this were a live system, you could image each of these with dd and transfer them to another host over SSH, which would make life a lot easier: