Hi all, this is Jessica Hyde from Magnet Forensics. As you may know, we ran a weekly Capture the Flag (CTF) contest from October through December of 2020. Each month featured a different image, with new questions each week. We recognize that CTFs serve a great purpose for learning, and that the images are useful for testing and even tool validation. So we wanted to share this post, which has links to all of the images as well as the questions, including the ones that required the previous question to be answered before they were unlocked. The contest used an Android image, a Linux image, and a memory image. If you are looking for the answers, please check out the writeups participants did; at the end of this post is a listing of some of those blogs.
Android Image and Challenges
This image came from the Magnet Virtual Summit 2020 CTF. Thanks to the great students from Champlain College, Jack Farley, Jordan Kimball, and Garrett Mahoney who created this image.
Challenge 1: Mapping the Digits – What time was the file that maps names to IPs most recently accessed? (Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)
Challenge 2: PIP Install – What domain was most recently viewed via an app that has picture-in-picture capability?
Challenge 3: Cargo Hold – Which exit did the device user pass by that could have been taken for Cargo?
Challenge 4: Animals That Never Forget – Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?
Linux Image and Challenges
Challenge 5: Had-A-Loop Around the Block – What is the original filename for block 1073741825?
Challenge 6 Part 1: The Elephant in the Room – Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On the secondary nodes (not the MAIN node), your colleague recollects seeing that one particular dependency failed to install correctly. Your task is to find the specific error code that led to this failed dependency installation. [Flag is numeric]
Challenge 6 Part 2: Don’t panic about the failed dependency installation. A very closely related dependency was installed successfully at some point, which should do the trick. Where did it land? In that folder, compared to its binary neighbors nearby, this particular file seems rather an ELFant. Using the error code from your first task, search for symbols beginning with the same number (HINT: leading 0’s don’t count). There are three in particular whose names share a common word between them. What is the word?
Challenge 7 Part 1: Domains and Such – What is the IP address of the HDFS primary node?
Challenge 7 Part 2: Is the IP address on HDFS-Primary dynamically or statically assigned?
Challenge 7 Part 3: What is the interface name for the primary HDFS node?
Challenge 8 Part 1: What package(s) were installed by the threat actor? *Select the most correct answer!*
Challenge 8 Part 2: Why? *Select the most correct answer!*
* () hosting a database
* () serving a webpage
* () to run a php webshell
* () create a fake systemd service
Challenge 9 Part 1: The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string.
Challenge 9 Part 2: What is the md5 hash of the file which you recovered the password from?
Challenge 9 Part 3: What is the birth object ID for the file which contained the password?
Challenge 9 Part 4: What is the name of the user and their unique identifier which you can attribute the creation of the file document to? Format: #### (Name)
Challenge 9 Part 5: What is the version of software used to create the file containing the password? Format ## (Whole version number, don’t worry about decimals)
Challenge 9 Part 6: What is the virtual memory address offset where the password string is located in the memory image? Format: 0x########
Challenge 9 Part 7: What is the physical memory address offset where the password string is located in the memory image? Format: 0x#######
Challenge 10 Part 1: At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
Challenge 10 Part 2: What was the Local IP address and port number? *same format as part 1*
Challenge 10 Part 3: What was the URL?
Challenge 10 Part 4: What user was responsible for this activity based on the profile?
Challenge 10 Part 5: How long was this user looking at this browser with this version of Chrome? *Format: X:XX:XX.XXXXX* *Hint: down to the last second*
Challenge 11 Part 1: What is the IPv4 address that myaccount.google.com resolves to?
Challenge 11 Part 2: What is the canonical name (cname) associated with Part 1?
Challenge 12 Part 1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed!
Challenge 12 Part 2: What is the product version of the application from Part 1? Format: XX.XX.XXXX.XXXXX
This post intentionally does not contain answers, so folks can find solutions on their own. However, if you are stuck, want to check your answers, or want to see how others solved the challenges, check out some of these blogs from awesome participants that cover how to solve each problem.
- Baker Street Forensics
- Ciofeca Forensics
- Cloud Response
- Deagler’s 4n6 Blog
- Digital Forensic Science
- Jase IT
- peter m stewart dot net
- Stark 4n6