Magnet CTF Week 2: We Don't Need No Stinking Tools

TL;DR: Still no need for tools on the second week of the #MagnetWeeklyCTF, just access to the command line.

Review

Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.

Get the challenge

The weekly challenge for week 2 was:

What domain was most recently viewed via an app that has picture-in-picture capability?

The file which is used to map domain names to IPs on *nix-based operating systems is still /etc/hosts, so we can likely use the hosts file we identified in week 1 to find this answer (data/adb/modules/hosts/system/etc/hosts).

Open the target file

To view the file we looked at last week, we will use cat to display the contents.

[notta@cuppa 2020_magnet]$ cat data/adb/modules/hosts/system/etc/hosts
127.0.0.1       localhost
::1             ip6-localhost
184.171.152.175 malliesae.com

“Analysis”

There is only one non-localhost domain listed in the file (malliesae.com) and this being a CTF, we might as well try that for the answer. Turns out, that is the answer!

An aside about domains

This answer is very CTF-y, since I didn’t bother trying to identify which application was in use, and I wouldn’t expect someone to be editing their hosts file directly (although, as you’ll notice later on, the device has been rooted, which makes this story more interesting). In a real-world investigation, you would likely start with information from the actual application to determine which domains it might point to, but in a CTF, odds are good that if it looks like a duck and quacks like a duck, it is the answer, and you would waste time trying to validate it as thoroughly as you would in real life.

Why this was still an insightful guess

One of my favorite scenes for explaining analysis is early in Men In Black, as the prospective candidates are being tested in the shoot house. Will Smith’s character is asked why he shot the little girl. His answer was that she was the only one who seemed dangerous: the incongruity of a child out after dark with quantum physics books, surrounded by monsters, was an indication she was up to no good. Knowing what looks right well enough to know what doesn’t is incredibly important for good analysis¹.

In this case, knowing that most people aren’t editing their hosts file², even on a real computer let alone a phone, meant that seeing a domain in there was going to be my first choice, regardless of which applications were used. Odds are, it was up to no good.

Alternatives

If you want the version that fits in a tweet, this prints the hosts file with cat, pipes the output into grep to drop every line mentioning localhost (-v localhost), and pipes that into cut to split each remaining line on spaces (-d " ") and keep only the second field (-f 2), which is just the domain name:

[notta@cuppa 2020_magnet]$ cat data/adb/modules/hosts/system/etc/hosts \
| grep -v localhost \
| cut -d " " -f 2

malliesae.com
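The one-liner above depends on exactly one space sitting between the IP and the name; real hosts files are often tab-separated or column-aligned with runs of spaces, carry comments, and list several aliases per line, all of which `cut -d " " -f 2` handles badly. The following is an added example, not part of the original post, that does the same extraction with awk over a constructed sample hosts file (the `malliesae.com` line mirrors the challenge file; the other entries are made up to exercise tabs, aliases and comments):

```shell
#!/bin/sh
# Print every non-localhost hostname in a hosts file, one per line.
# awk splits on any run of blanks or tabs, so column alignment does not
# matter; trailing comments are stripped and every alias (field 2 onward)
# is emitted, not only the second column.
hosts_domains() {
    awk '
        { sub(/#.*/, "") }          # drop trailing and whole-line comments
        NF < 2 { next }             # blank line, or an IP with no names
        {
            for (i = 2; i <= NF; i++)
                if ($i !~ /localhost/) print $i
        }
    ' "$1"
}

# Write a constructed sample hosts file to a temp file and echo its path.
# %b expands the \t escapes so the last entry is really tab-separated.
make_sample_hosts() {
    f="$(mktemp)"
    printf '%b\n' \
        '127.0.0.1       localhost' \
        '::1             ip6-localhost' \
        '# block list added by a module (constructed comment line)' \
        '184.171.152.175 malliesae.com' \
        '0.0.0.0\tads.example.test\ttracker.example.test  # constructed' \
        > "$f"
    printf '%s\n' "$f"
}

sample="$(make_sample_hosts)"
hosts_domains "$sample"
rm -f "$sample"
```

Run against the challenge file the output is still just `malliesae.com`; against the constructed sample it also lists the two tab-separated aliases that the cut version would have missed.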

Conclusion

By using just the command line, this week’s answer again takes less time to solve than starting any tools, or even watching the intro video. Don’t make things harder than they have to be (but if you’re answering this for real on an investigation, please consider looking into the actual application, not just checking the hosts file).

Footnotes

  1. If you don’t like the MiB reference, I’ll also happily go with “My favorite game is Sesame Street’s ‘One of these things is not like the other’.”

  2. Yes, I’ll grant that most readers of this blog likely have edited their hosts file at least once in some environment. However, the vast vast majority of the Internet’s users don’t know this file exists, let alone how or why they would edit it. Change my mind.