Magnet Forensics has recently launched a weekly capture-the-flag (CTF) challenge that will run through the last quarter of 2020! Head on over to their blog for more details on the challenge and how to sign up.
For challenge one, we are provided with an Android image which is a tar file containing what appears to be a filesystem extraction of an Android phone. The challenge question was:
What time was the file that maps names to IP's recently accessed?
(Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)
I had to first figure out which is the file that maps names to IP addresses on Android. According to this answer on StackOverflow, it is no different than on a standard Linux system - i.e. the /etc/hosts file. However I could not find an /etc/hosts file in the given Android tar image.
Running a search for an "etc/hosts" file in the tarball points me to data/adb/modules/hosts/system/etc/hosts.
$ tar -tvf MUS_Android.tar | grep "etc/hosts"
-rw-r--r-- 0/0 85 2020-03-05 05:50 data/adb/modules/hosts/system/etc/hosts
A quick check of the contents of the file after extracting confirms it to be the one we are after.
$ cat data/adb/modules/hosts/system/etc/hosts
127.0.0.1 localhost
::1 ip6-localhost
184.171.152.175 malliesae.com
Based on the above output, the file was last modified on 5th March 2020 at 05:50 UTC but we also need the seconds for the answer. A quick search on the internet indicates that the --full-time option is available for both the ls and tar commands, giving us timestamp information in ISO format.
So listing the specific file in our tarball with the --full-time option gives us:
$ tar --full-time -tvf MUS_Android.tar 'data/adb/modules/hosts/system/etc/hosts'
-rw-r--r-- 0/0 85 2020-03-05 05:50:18 data/adb/modules/hosts/system/etc/hosts
While the challenge technically asked for recently accessed (i.e. last accessed) instead of last modified, I could not find any other timestamp. Checking with 7zip also revealed only a single modified timestamp.
Answer: 03/05/2020 05:50:18
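The single-timestamp observation above can be checked directly against the archive headers. The following is an added example, not code from the original post: it reads a member's timestamps with Python's tarfile module and prints them in UTC in the challenge's answer format. A classic tar header stores only mtime, while a PAX extended header can also carry atime or ctime. The archives are constructed in memory as sample input, and the function names and the atime value are assumptions for illustration.

```python
import io
import tarfile
from datetime import datetime, timezone

FMT = "%m/%d/%Y %H:%M:%S"  # the challenge's answer format

def to_utc(epoch):
    """Render epoch seconds as a UTC string, independent of the local time zone."""
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime(FMT)

def member_times(tar_bytes, name):
    """Return every timestamp the archive records for one member.

    mtime is always present in the header; atime/ctime appear only when the
    archive was written with PAX extended headers that include them.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        member = tf.getmember(name)
        times = {"mtime": to_utc(member.mtime)}
        for key in ("atime", "ctime"):
            if key in member.pax_headers:
                times[key] = to_utc(member.pax_headers[key])
        return times

def build_sample(fmt, pax=None):
    """Constructed sample archive with one hosts file (not the challenge image)."""
    data = b"127.0.0.1 localhost\n"
    info = tarfile.TarInfo("system/etc/hosts")
    info.size = len(data)
    info.mtime = 1583387418  # constructed value: 2020-03-05 05:50:18 UTC
    if pax:
        info.pax_headers = dict(pax)  # extra PAX records, e.g. atime
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tf:
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    plain = build_sample(tarfile.USTAR_FORMAT)
    rich = build_sample(tarfile.PAX_FORMAT, {"atime": "1583400000.5"})
    print(member_times(plain, "system/etc/hosts"))  # mtime only
    print(member_times(rich, "system/etc/hosts"))   # mtime and atime
```

If a member's result contains only mtime, the archive never recorded an access time for it, and the modified time is the only timestamp the tar file can provide.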