CTF

Magnet CTF Week 1: No Tools Required

 · 4 mins read

TL;DR: No need for tools on the first week of the #MagnetWeeklyCTF, just access to the command line.

Get the data

The sample file is hosted on Google Drive here. It ends up being a TAR file called MUS_Android.tar.

Get the challenge

The weekly challenge for week 1 was:

What time was the file that maps names to IPs recently accessed? (Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)

The file used to map domain names to IPs on *nix-based operating systems is generally /etc/hosts, so we want to find that file and the time it was accessed.

Find the target file

We don’t need to go digging through 8GB of data to answer this question; we just need to extract the desired file from the TAR archive. In case you’re uncertain exactly what to look for in that 8GB file, here we use the tar command to list (-t) all the files inside the specified archive (-f) and then pipe that output to grep to find any that look like /etc/hosts.

[notta@cuppa 2020_magnet]$ tar -tf MUS_Android.tar | grep /etc/hosts
data/adb/modules/hosts/system/etc/hosts

Extract the target file

While that wasn’t the exact path we were expecting, it was the only hit, so the copy inside that module looks like the ticket! Now we use the tar command to extract (-x) the file we want from the specified archive (-f). I’ve also included an ls command after the tar command completes to make sure we have the file we were expecting, using the long listing format (-l) to get an idea of what the answer might be.

[notta@cuppa 2020_magnet]$ tar -xf MUS_Android.tar data/adb/modules/hosts/system/etc/hosts
[notta@cuppa 2020_magnet]$ ls -l data/adb/modules/hosts/system/etc/hosts
-rw-r--r-- 1 notta notta 85 Mar  5  2020 data/adb/modules/hosts/system/etc/hosts

Check the target file’s stats

Finally, we use the stat command to see the relevant times for the target file.

[notta@cuppa 2020_magnet]$ stat data/adb/modules/hosts/system/etc/hosts
  File: data/adb/modules/hosts/system/etc/hosts
  Size: 85          Blocks: 8          IO Block: 4096   regular file
Device: fe00h/65024d  Inode: 34867480    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/  notta)   Gid: ( 1000/  notta)
Access: 2020-10-10 22:56:15.652145193 -0400
Modify: 2020-03-05 00:50:18.000000000 -0500
Change: 2020-10-10 22:56:15.652145193 -0400
 Birth: 2020-10-10 22:56:15.652145193 -0400

Looking at the modify timestamp, we have the answer once we convert from -0500 to UTC and put it in the required format: 03/05/2020 05:50:18

An aside about file times and permissions

I am using the modify timestamp because the access and birth dates are set for the local files created by extracting the file from the TAR archive. If you think about what happened when you extracted that TAR archive, a new file (and a slew of directories) was created on your local disk. That new file has its own creation date, not the creation date of the file that was on the phone. It also can’t have the ownership of the original file, since that user likely does not exist on your computer; instead it has your user as the owner and group. You see this behavior any time files move between different file systems, such as copying an image from your phone onto an SD card and then onto your local computer. That’s technically three separate files, even if you’re “copying” the original.

As you look at files which move between different file systems, be sure you understand the difference between what was created for that system and what was part of the original file. What will follow the original file is any file metadata, such as EXIF information, or the modify time stamp, etc. What won’t follow the file (unless explicitly changed) are the things which the new file system will need to interact with it, such as the creation time and ownership.
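To make the point above concrete, here is an added Python example (not part of the original write-up): it reads the TAR member headers directly, so the modify time and owner ids come from the archive itself and no extracted copy with local access/birth times or ownership is ever created. The archive it reads is a small constructed stand-in for MUS_Android.tar built in memory, with the hosts path and modify time from this write-up; it also converts a stat Modify line like the one above into the challenge’s UTC format.

```python
import io
import tarfile
from datetime import datetime, timezone

# Path the write-up found inside MUS_Android.tar, and the modify time the TAR
# header carries for it (2020-03-05 00:50:18 -0500 == 05:50:18 UTC).
HOSTS_PATH = "data/adb/modules/hosts/system/etc/hosts"
HOSTS_MTIME_UTC = datetime(2020, 3, 5, 5, 50, 18, tzinfo=timezone.utc)

def build_sample_archive() -> bytes:
    """Constructed stand-in for the 8GB archive: the hosts file plus one decoy."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"127.0.0.1 localhost\n"
        info = tarfile.TarInfo(HOSTS_PATH)
        info.size = len(payload)
        info.mtime = int(HOSTS_MTIME_UTC.timestamp())
        info.uid = info.gid = 0           # owner ids as recorded on the phone (assumed)
        info.mode = 0o644
        tar.addfile(info, io.BytesIO(payload))
        decoy = tarfile.TarInfo("data/misc/wifi/notes.txt")
        decoy.mtime = info.mtime + 86400  # different day, so a wrong match would show
        tar.addfile(decoy, io.BytesIO(b""))
    return buf.getvalue()

def find_hosts_entries(archive_bytes: bytes, suffix: str = "/etc/hosts"):
    """Walk member headers only (no extraction); return (path, mtime in UTC, uid, gid)."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(suffix):
                mtime = datetime.fromtimestamp(member.mtime, tz=timezone.utc)
                hits.append((member.name, mtime, member.uid, member.gid))
    return hits

def stat_modify_to_utc(line: str) -> datetime:
    """Parse a GNU stat 'Modify:' line (nanoseconds + numeric offset) into UTC."""
    _, value = line.split(":", 1)
    stamp, rest = value.strip().split(".", 1)   # drop the nanosecond field
    offset = rest.split()[-1]                     # e.g. "-0500"
    local = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc)

def ctf_format(dt: datetime) -> str:
    """Render in the challenge's required UTC format: mm/dd/yyyy HH:MM:SS."""
    return dt.astimezone(timezone.utc).strftime("%m/%d/%Y %H:%M:%S")
```

Point find_hosts_entries at the real archive's bytes (or swap the BytesIO for tarfile.open on the path) and the same header walk answers the question without touching your local disk.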

Alternatives

If you want the version that fits in a tweet:

[notta@cuppa 2020_magnet]$ tar -xf MUS_Android.tar data/adb/modules/hosts/system/etc/hosts \
 && stat data/adb/modules/hosts/system/etc/hosts \
 | grep Modify
Modify: 2020-03-05 00:50:18.000000000 -0500

If you would prefer to use one of those “modern tools”, 7-Zip (7z) will give you the time right in its file listing (l); note that it prints the time in your local time zone, so pay attention to the offset when converting to UTC:

[notta@cuppa 2020_magnet]$ 7z l MUS_Android.tar | grep /etc/hosts
2020-03-05 01:50:18 .....           85          512  data/adb/modules/hosts/system/etc/host

Conclusion

By using just the command line, this week’s answer should take less time to solve than starting any tools, let alone actually having them process an 8GB file. If you have to process the entire TAR archive, this will take far longer, so stick to the simple solutions when you can!