TL;DR: No need for tools on the first week of the #MagnetWeeklyCTF, just access to the command line.
Get the data
The sample file is hosted on Google Drive here. It ends up being a TAR file called
Get the challenge
The weekly challenge for week 1 was:
What time was the file that maps names to IP’s recently accessed? (Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)
The file which is used to map domain names to IPs on *nix-based operating systems is generally /etc/hosts, so we want to find that file and the time that was accessed.
Find the target file
We don’t need to go digging through 8GB of data to answer this question, we just need to extract the desired file from the TAR archive. In case you’re uncertain exactly what to look for in that 8GB file, here we will use the
tar command to list (
-t) out all the files inside the specified archive (
-f) and then pipe that output to
grep to find any that look like /etc/hosts.
Extract the target file
While that wasn’t the exact file we were expecting, since there was only one hit, the module output seems to be the ticket! Now we need to use the
tar command to extract (
-x) the file we want from the specified archive (
-f). I’ve also included an
ls command after the
tar command completes to make sure we have the file we were expecting and used the long listing format (
-l) to get an idea of what the answer might be.
Check the target file’s stats
Finally, we use the
stat command to see the relevant times for the target file.
And looking in the modify timestamp we have the answer, once we change to UTC and put in the required format:
An aside about file times and permissions
I am using the modify timestamp because the access and birth dates are set for the local files created from extracting the file from the TAR archive. If you think about what happened when you extracted that TAR archive, a new file (and a slew of directories) was created on your local disk. That new file would have its own creation date, not the creation date of the file which was on the phone. It also can’t have the ownership of the original file, since it is likely that user would not exist on your computer, instead it has your user as the owner and group. You see this behavior any time you see files move between different file systems, such as copying an image from your phone onto the SD Card and then onto your local computer. That’s technically three separate files, even if you’re “copying” the original.
As you look at files which move between different file systems, be sure you understand the difference between what was created for that system and what was part of the original file. What will follow the original file is any file metadata, such as EXIF information, or the modify time stamp, etc. What won’t follow the file (unless explicitly changed) are the things which the new file system will need to interact with it, such as the creation time and ownership.
If you want the version that fits in a tweet:
If you would prefer to use one of those “modern tools”, 7-Zip (
7z) will give you the time right in its file listing (
l, pay attention to your time zone):
By using just the command line, this week’s answer should take less time to solve than starting any tools, let alone actually having them process an 8GB file. If you have to process the entire TAR archive, this will take far longer, so stick to the simple solutions when you can!