TL;DR: Week 10 of the #MagnetWeeklyCTF was a healthy dose of humility towards the end of the questions.
Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.
Get the first challenge
The weekly challenge for week 10 was split into five parts, down from an all-time high of seven last week! The first was:
At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
Similar to last week, this week is all about remembering Volatility plugins. In the case of network connections for a Windows 7 image, the relevant plugin is
Looking through the results, the IP address which matched the format given in the question and still established was
Get the second challenge
The second challenge was:
What was the Local IP address and port number? same format as part 1
From the same output as the first question, the “Local Address” for the row which had the first answer is
Get the third challenge
The third challenge was:
What was the URL?
I solved this question outside of Volatility, by looking at Chrome’s History file, whose most recent entry is
https://www.google.com/. That is the right answer, you just have to make sure you dump the files first using Volatility’s
dumpfiles plugin on Chrome’s process ID (
Get the fourth challenge
The fourth challenge was:
What user was responsible for this activity based on the profile?
Similar to last week’s investigation into the user’s unique ID, we can use Volatility’s
getsids plugin to see who was actually using the browser.
In this case, we see the browser user was the same as the Word user from last week:
Get the fifth challenge
The fifth challenge was:
How long was this user looking at this browser with this version of Chrome? format: X:XX:XX.XXXXX Hint: down to the last second
I’ll admit up front, I went way down the wrong hole on this question. I spent a lot of time trying to make the Chrome History file’s
visit_duration work, which was not what they were looking for. I knew there was something about “looking at” that Chrome’s History file couldn’t actually answer, but the nagging feeling in the back of my mind didn’t stop me from trying almost 30 wrong answers.
Eventually, I bought the hint, since I would rather pay some points and get the right answer than die on a hill of pride. The hint was “Solving this challenge takes some FOCUS & time :slight_smile:”. This immediately brought to mind that Windows tracks user focus (that nagging feeling in the back of my head for the rest of the week). In this case, Volatility’s
userassist plugin will give you the answer.
From this output, we can see that the user was focused on the window for
3:36:47.301000. Now, there is a bit of discomfort with the fact that this doesn’t match the format that was asked, but it is easy enough to put it in the right format.
I really enjoyed this week (save the maddening chase of question 5 due to my own forgetfulness) as it did a lot to renew my comfort with Volatility.