-

 

MAGNET WEEKLY CTF #5

This is the first question that refers to 
a Linux image shared by Ali Hadi,
Assistant Professor at Vermont's Champlain College .
 

 The question refers to the original filename of a block ID.

The relationship between filenames and block ID's in Linux was not readily apparent to me, even after a Google search which led me to a SANS presentation by Kevvie Fowler which involved using hdfs terminal commands (only viable after loading Hadoop tools on Linux) and perfoming a "checkpoint" to ensure accurate results...maybe there's an easier way.

My next stop after loading the file HDFS-MASTER.E01 into Autopsy was to check 

/home/hadoop/.bash_history  to see if a file had been copied and enter

the original filename as the flag.


mapred-site.xml.template was not the answer, however.

 

Fortunately, I had multiple tries at the answer this week.

A keyword search in Autopsy for the block ID:



Turned up this related file:


Which was not the answer, either.


It could be time to spend 20 points on the hint.

It was a link to the same Kevvie SANS presentation that I had already viewed.

Maybe I should watch it again, more closely.

Along with the technical Hadoop info,

he mentioned an Edit Log:


It looks like the required information is there,

but where is the Edit Log? Could I find it without mounting the image in Hadoop?

Stack overflow showed the possible location in the file system:

 


but there was no hadoop folder in the HDFS image /var/lib.


So, where are the logs?

An Autopsy keyword search for log led me to an

enormous list which I scrolled down looking for hadoop-0.20.

I stumbled upon another log named

hadoop-hadoop-namenode-master.log

Master name log looked promising.

When I opened it in Notepad...


...and searched for block ID 1073741825, I found this:


 

which was the flag, but it was too late to try it.

Lesson learned: look to the LOGS!

I'm looking forward to the other writeups so that I can gain more familiarity with Hadoop and maybe even try installing an instance so that I may try out the hdfs command line tools.


Comments

Post a Comment

Popular posts from this blog

-
Image
MAGNET WEEKLY CTF #9     This week begins our forensic analysis of information resident in the RAM of a Windows host when the memory was captured. The acquisition software created a .mem file that I  examined using Volatility as well as MemProcFS. MemProcFS allows the investigator to view the memory dump files in a virtual file system, allowing the files to be viewed using Windows Explorer. Part 1involves a conversation:       My first step was to look at the image with Volatility, so I needed to get the image info... ...then use pslist , to get an idea of which processes were running. Of the many options, two stood out to me as potentially containing text – slack and WINWORD:       I dumped the suspect processes to files...     ...ran strings | grep "password" on all of them, and discovered this:       Success!     On to Part 2:       At first, despite my suspicions at the solution was as simple as creating an MD5 hash of my 3180.dmp file, I tried it because, after all, th
Read more
-
Image
  MAGNET WEEKLY CTF #4 This is the final question that refers to the Android image.   Thanks to the elephant-sized hint, I'll be narrowing my search to:   and search for a GUID, which will be in this format:   (according to Kalid Azad )   Following the philosophy of @CiofecaForensic and team NoToolsJustRight, I'm still using only open-source tools.   (Primarily because I believe that the best way to get the most complete answer is to know what is going on under the hood, but also because I'm a student without LEO or corporate access to the commercial toys.)   Starting with the awesome (especially in dark mode) ALEAPP from @AlexisBrignoni, I discovered this phishy item under recent activity : That looks like the answer, but is Effective_UID the same as the GUID?   I'm assuming it's related somehow, but the format is wrong. 10239 is not the enormous 128-bit number I'm looking for.   There's probably some way to view the GUID in ALEAPP, but it will require fu
Read more