Magnet Weekly CTF November Recap
Month two of the #MagnetWeeklyCTF has concluded – and wow, have we learned a lot about Linux forensics from November’s challenge. I want to take a moment to thank Ali Hadi for sharing the Linux image that was used for this challenge and for stepping things up with a multi-part challenge.
It has been an amazing month full of learning about Linux forensics. I have thoroughly enjoyed each of the writeups and social media posts from each of the participants about their solves. If you want to learn a bit about how some of these problems were solved check out some of the following blogs that included solves of the Linux challenges. Thank you all for sharing your knowledge with us!
- Baker Street Forensics
- Ciofeca Forensics
- Cloud Response
- Deagler’s 4n6 Blog
- Digital Forensic Science
- Jase IT
- JR
- KL_DFIR
- NotSteph
- peter m stewart dot net
- Stark 4n6
Participants also built custom artifacts. During November, three custom artifacts created for the challenge were approved! You can download these artifacts (plus another 180!) on the Artifact Exchange.
- Android 10 External.db parser by Kevin Pagano
- HDFS Audit Log Parser by Eric Kwan
- HDFS Properties by Eric Kwan
This brings us to the winners for the month of November. As with the previous month, a prize is awarded for first place at the end of the month’s challenge, as well as to one randomly drawn CTF participant who played each week. The winner for November is Eric Kwan! The winners for Weeks 5-8 are: erickwan (Week 5), arrow64 (Week 6), cyberborne (Week 7), and lactic (Week 8). Congratulations to all of November’s Magnet Weekly CTF winners, who will each get some MagSwag! We’ll be reaching out via the email you registered with to confirm your details for shipping.
Now let us take a look back at the challenges for the month of November and highlight each question and the answers. For an in-depth solve of the challenges, check out the recap below:
Week 5
Week 5 was the first of four weeks of Linux challenges and was written by Jamie McQuaid (https://twitter.com/reccetech), Technical Forensic Consultant here at Magnet. The question was titled “Had-A-Loop Around the Block”. Jamie’s solve can be seen in the Week 7 video.
Q: What is the original filename for block 1073748125?
A: AptSource
Week 6
The Week 6 challenge was our first two-part question, where solving the first question unlocked a second question. This challenge, “The Elephant in the Room”, was written by Mike Williamson. Mike’s solve for this challenge is in the Week 8 video.
Part 1 Q: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On the secondary nodes (not the MAIN node) your colleague recollects seeing that one particular dependency failed to install correctly. Your task is to find the specific error code that led to this failed dependency installation. [Flag is numeric]
Part 1 A: 404
Part 2 Q: Don’t panic about the failed dependency installation. A very closely related dependency was installed successfully at some point, which should do the trick. Where did it land? In that folder, compared to its binary neighbors nearby, this particular file seems rather an ELFant. Using the error code from your first task, search for symbols beginning with the same number (HINT: leading 0’s don’t count). There are three in particular whose names share a common word. What is the word?
Part 2 A: deflate
Week 7
The Week 7 challenge, “Domains and Such”, upped the ante with three parts. This challenge was from Director of Solution Consultants, Craig Guymon. Tarah Melton walks through this challenge in our Week 9 video.
Part 1 Q: What is the IP address of the HDFS primary node?
Part 1 A: 192.168.2.100
Part 2 Q: Is the IP address on HDFS-Primary dynamically or statically assigned?
Part 2 A: statically or static
Part 3 Q: What is the interface name for the primary HDFS node?
Part 3 A: ens33
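The three Week 7 answers all come from the node’s network configuration. The following is an added example (not part of the original post or the challenge materials) that parses a Debian-style /etc/network/interfaces file and reports each interface’s name, address and whether it is statically or dynamically (DHCP) assigned; the file contents are constructed, and the assumption that the image uses ifupdown rather than netplan is mine.

```python
import re
from typing import Dict, List

# Constructed sample /etc/network/interfaces (ifupdown format); illustrative only,
# not taken from the challenge image.
SAMPLE_INTERFACES = """\
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet static
    address 192.168.2.100
    netmask 255.255.255.0
    gateway 192.168.2.1

allow-hotplug ens34
iface ens34 inet dhcp
"""


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Parse ifupdown stanzas into {iface: {"family": ..., "method": ..., option: value}}."""
    result: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"iface\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:  # a new "iface <name> <family> <method>" stanza begins
            name, family, method = m.groups()
            current = result.setdefault(name, {})
            current.update(family=family, method=method)
            continue
        if line.startswith(("auto ", "allow-")):
            current = None  # start-up directives end the previous stanza
            continue
        if current is not None:  # indented option inside the current stanza
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return result


def assignment(cfg: Dict[str, dict], name: str) -> str:
    """Return 'static', 'dynamic' (DHCP) or 'unknown' for one interface."""
    return {"static": "static", "dhcp": "dynamic"}.get(cfg.get(name, {}).get("method"), "unknown")


def interfaces_with_address(cfg: Dict[str, dict], address: str) -> List[str]:
    """Which interface(s) are configured with a given static address."""
    return [n for n, v in cfg.items() if v.get("address") == address]
```

On images that use netplan or NetworkManager instead, the same settings live in /etc/netplan/*.yaml or /etc/NetworkManager/system-connections/, and a DHCP lease in /var/lib/dhcp/ is another indicator of dynamic assignment.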
Week 8
The final challenge for the Linux image was brought to us by our first guest question author and the creator of the Linux image we used throughout November, Ali Hadi, Assistant Professor at Champlain College. Part 2 was our first multiple-choice question. Ali’s solve for Week 8 aired in our Week 10 video.
Part 1 Q: What package(s) were installed by the threat actor?
Part 1 A: php
Part 2 Q: Why?
- hosting a database
- serving a webpage
- to run a php webshell
- create a fake system service
Part 2 A: We accepted two answers:
- to run a php webshell
- create a fake system service
Thanks, everyone, for playing and sharing your solutions. There are some great things in store for the grand prize winner and the winners of the December challenges. We will also be holding a live Zoom session on January 4, where we will announce the overall winner of the Magnet Weekly CTF along with many of the folks who helped create the challenges. We hope everyone is enjoying closing out the year with some memory forensics challenges. If you have any questions about the Magnet Weekly CTF, don’t hesitate to reach out to Trey Amick, Jessica Hyde, or Tarah Melton, or on the Magnet Forensics Discord Server, and we will be happy to assist! Good luck, everyone!