Posts

Showing posts from November, 2020
MAGNET WEEKLY CTF #7 This is the third week of analysis of a Linux image shared by Ali Hadi, Assistant Professor at Vermont's Champlain College. Examining the image in Autopsy, the IP address of the primary node is shown in the /etc/hosts file: Success! On to part two: Also in the /etc folder, the network/interfaces file shows that the address is static: Success! On to part three: The /etc/network/interfaces file also holds the answer to the final question: That's it for this week's challenge!
MAGNET WEEKLY CTF #5 This is the first question that refers to a Linux image shared by Ali Hadi, Assistant Professor at Vermont's Champlain College. The question refers to the original filename of a block ID. The relationship between filenames and block IDs in Linux was not readily apparent to me, even after a Google search which led me to a SANS presentation by Kevvie Fowler which involved using hdfs terminal commands (only viable after loading Hadoop tools on Linux) and performing a "checkpoint" to ensure accurate results...maybe there's an easier way. My next stop after loading the file HDFS-MASTER.E01 into Autopsy was to check /home/hadoop/.bash_history to see if a file had been copied and enter the original filename as the flag. mapred-site.xml.template was not the answer, however. Fortunately, I had multiple tries at the answer this week. A keyword search in Autopsy for the block ID: Turned up this related file: Which was not the answer, eit
MAGNET WEEKLY CTF #4 This is the final question that refers to the Android image. Thanks to the elephant-sized hint, I'll be narrowing my search to: and search for a GUID, which will be in this format: (according to Kalid Azad) Following the philosophy of @CiofecaForensic and team NoToolsJustRight, I'm still using only open-source tools. (Primarily because I believe that the best way to get the most complete answer is to know what is going on under the hood, but also because I'm a student without LEO or corporate access to the commercial toys.) Starting with the awesome (especially in dark mode) ALEAPP from @AlexisBrignoni, I discovered this phishy item under recent activity: That looks like the answer, but is Effective_UID the same as the GUID? I'm assuming it's related somehow, but the format is wrong. 10239 is not the enormous 128-bit number I'm looking for. There's probably some way to view the GUID in ALEAPP, but it will require fu