CTF

Magnet CTF Week 7: /etc/network/interfaces

 · 3 mins read

TL;DR: Week 7 of the #MagnetWeeklyCTF tests your knowledge of the presence of a single file on a Linux machine.

Review

Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.

Get the first challenge

The weekly challenge for week 6 was split into three, short parts. The first was:

What is the IP address of the HDFS primary node?

If you had access to the system itself, this would be quickly answered with ifconfig or the more modern ip addr. Without access to the running system, the answer is just as simple if you know where that information is kept.

Open the target file(s)

On Debian-based distributions1, you can find the information you would normally expect from ip addr in /etc/network/interfaces/. The analysis here is going to be really straight forward, we’re going to cat the file and read.

[notta@cuppa network]$ cat interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet static
  address 192.168.2.100
  netmask 255.255.255.0
  #gateway 192.168.2.1
  dns-nameservers 192.168.2.1 8.8.8.8
  network 192.168.2.0
  broadcast 192.168.2.255

auto ens36
iface ens36 inet dhcp

#auto ens33
#iface ens33 inet dhcp

There are three potential interfaces listed, lo, ens33, and ens36 with ens33 having a commented out entry for a dynamic IP and a static entry that is active. The only entry that has an IP address is the static entry for ens33, which happens to match the IP address we see in the Hadoop logs. Based on that, “192.168.2.100” is the right answer.

Get the Second Challenge

The second weekly challenge was:

Is the IP address on HDFS-Primary dynamically or statically assigned?

Based on the same file and the same entry we got the IP address from, the answer must be “static”.

Get the Third Challenge

The third weekly challenge was:

What is the interface name name for the primary HDFS node?

Based on the same file and the same entry we got the IP address from, the answer must be “ens33”.

Alternatives

I honestly couldn’t come up with an easier way to answer the question. But in the interests of having a tweet, I came up with a more complicated way of reading the file.

[notta@cuppa case2_master]$ cat etc/network/interfaces \
| grep 'iface\|address'

iface lo inet loopback
iface ens33 inet static
  address 192.168.2.100
iface ens36 inet dhcp
#iface ens33 inet dhcp

Conclusion

This week trended towards the “too easy” end, with one file answering all three parts of the question. There is still no need for tools other than the command line, and I can’t imagine any commercial tool could do this without taking a few hundred times as long to load and let you display the answer. On the off chance this becomes a competition, here are the stats to beat using the complicated method:

[notta@cuppa case2_master]$ time cat etc/network/interfaces | grep 'iface\|address'
iface lo inet loopback
iface ens33 inet static
  address 192.168.2.100
iface ens36 inet dhcp
#iface ens33 inet dhcp

real  0m0.006s
user  0m0.003s
sys 0m0.005s

Footnotes

  1. See Debian’s Wiki for more information.