Magnet CTF Week 11: I Can't Rekall How To Install Plugins

TL;DR: Week 11 of the #MagnetWeeklyCTF was a chance to check out rekall, mainly because I was completely fail-whaling on getting the relevant Volatility plugin to work.

Review

Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.

Get the first challenge

The weekly challenge for week 11 was only two parts. The first was:

What is the IPv4 address that myaccount.google.com resolves to?

This continues last week's theme of using the memory image to dig into network activity. This week, however, I moved out of Volatility and into Rekall, because I wanted to use its dns_cache() plugin rather than keep fighting to get Volatility's equivalent to work. Because Rekall began as a fork of Volatility, the syntax is essentially the same, but you are dropped into an interactive shell immediately instead of having to launch volshell.

[notta@cuppa case3]$ rekal -f memdump.mem --profile=Win7SP1x64

>>> dns_cache()
                    Name                          record           type       data
----------------------------------- -------------- ---------------- ----
  zkjvdaxa                               0x58b1b50 HTABLE               00=0x7fef96a38fb (\x90)
. zkjvdaxa                                0xb962f0 UNKNOWN (255)
  clients4.google.com                    0x58b1c60 HTABLE
. clients4.google.com                     0xb75750 CNAME            clients.l.google.com
...
. ns2.google.com                          0xb735d0 AAAA
  myaccount.google.com                   0x58b1ef0 HTABLE
. myaccount.google.com                    0xb74950 CNAME            www3.l.google.com
. www3.l.google.com                       0xb74a10 A                172.217.10.238

Running the dns_cache() plugin dumped the DNS cache from the image, telling us what the machine believed each name resolved to at the moment it was imaged. The entry for myaccount.google.com is a CNAME record pointing to www3.l.google.com, and the entry for that name is a plain A record pointing to 172.217.10.238, which is our answer.
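The same lookup done programmatically, as an added example (my code, not the author's and not part of Rekall): a small parser for the dns_cache() table layout above that follows the CNAME chain to an A record the way the write-up does by eye, and stops on dead ends and loops instead of spinning. The sample table is a constructed transcription of the output shown in the post, and the column layout is an assumption taken from it.

```python
import re

# Constructed sample: my transcription of the rekall dns_cache() table shown
# above (same names and addresses as the post); the parser assumes this layout.
SAMPLE = r"""
                    Name                          record           type       data
----------------------------------- -------------- ---------------- ----
  zkjvdaxa                               0x58b1b50 HTABLE               00=0x7fef96a38fb (\x90)
. zkjvdaxa                                0xb962f0 UNKNOWN (255)
. clients4.google.com                     0xb75750 CNAME            clients.l.google.com
. ns2.google.com                          0xb735d0 AAAA
  myaccount.google.com                   0x58b1ef0 HTABLE
. myaccount.google.com                    0xb74950 CNAME            www3.l.google.com
. www3.l.google.com                       0xb74a10 A                172.217.10.238
"""

# Record rows start with ". "; longest type names first so "A" cannot eat part of "AAAA".
ROW = re.compile(r"^\.\s+(\S+)\s+0x[0-9a-fA-F]+\s+(AAAA|CNAME|A|UNKNOWN(?: \(\d+\))?)(?:\s+(\S+))?\s*$")

def parse_dns_cache(text):
    """Map lower-cased name -> [(type, data), ...]; HTABLE header rows are skipped."""
    records = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, rtype, data = m.groups()
            records.setdefault(name.lower(), []).append((rtype, data))
    return records

def resolve(records, name, max_hops=8):
    """Follow CNAMEs from name to an A record. Returns (chain, ipv4) or (chain, None)."""
    chain = [name.lower()]
    for _ in range(max_hops):
        rrs = records.get(chain[-1], [])
        a_data = [d for t, d in rrs if t == "A" and d]
        if a_data:
            return chain, a_data[0]
        cnames = [d for t, d in rrs if t == "CNAME" and d]
        if not cnames:
            return chain, None      # dead end: no A and no CNAME cached for this name
        target = cnames[0].lower()
        if target in chain:
            return chain, None      # CNAME loop in the cache; stop instead of spinning
        chain.append(target)
    return chain, None              # chain longer than max_hops

if __name__ == "__main__":
    recs = parse_dns_cache(SAMPLE)
    print(resolve(recs, "myaccount.google.com"))
```

Running it against a real dump means piping the dns_cache() output into parse_dns_cache(); the chain it returns answers both challenge parts at once.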

Get the second challenge

The second challenge was:

What is the canonical name (cname) associated with Part 1?

We ended up answering the second question on the way to solving the first question. The answer is www3.l.google.com.

Conclusion

This week was really too quick to get much out of, unless you are unfamiliar with DNS. In that case, there may be something worth discovering in the different things a DNS record can point to.