Magnet Weekly CTF – Week 7 – Domains and Such

The Magnet Forensics Weekly CTF has been running since October and sets one question each week using an image that changes each month. The October questions were based on an Android filesystem dump. November’s image is Linux, more specifically a Hadoop cluster comprising of three E01 files. The images were created by Ali Hadi as part of his OSDFCon 2019 Linux Forensics workshop; the November CTF questions are based on Case 2, which can be downloaded here.

This week was another multi-part challenge – three questions related to the network configuration of the primary node. You can find my other Magnet Weekly CTF write-ups here.

Part 1 (15 points)

What is the IP address of the HDFS primary node?

We start, as usual, by mounting the E01 image for the primary node (HDFS-Master.E01). Based on the Week 5 challenge we know that the sector offset for the beginning of the primary partition is 2048, and the sector size is 512 bytes.

# ewfmount /mnt/hgfs/Shared/mwctf/linux/HDFS-Master.E01 /mnt/ewf
# losetup --read-only --offset $((2048*512)) /dev/loop20 /mnt/ewf/ewf1
# mount -o ro,noload,noexec /dev/loop20 /mnt/ewf_mount/

Compared to the previous Linux challenges this one is pretty straightforward. The location that immediately comes to mind when dealing with network configuration is the interfaces file.

cat /mnt/ewf_mount/etc/network/interfaces

This file is used to configure the network interfaces available on the host, and contains all the information we need to complete this week’s challenge.

First, the IP address is listed as 192.168.2.100

Flag (Part 1)

192.168.2.100

Part 2 (5 points)

Is the IP address on HDFS-Primary dynamically or statically assigned?

The interface is statically assigned, rather than using DHCP.

Flag (Part 2)

statically

Part 3 (5 points)

What is the interface name for the primary HDFS node? (2 attempts)

The host has two network interfaces configured. Given that the first two parts have referred to the statically configured one, ens33 is a safe bet.

Flag (Part 3)

ens33

Digging into DHCP

That completes the Week 7 challenge but I started thinking about the DHCP configuration of the other interface, and where I might find more details. After some searching I found the following files, one for each interface:

/var/lib/dhcp/dhclient.enp0s3.leases
/var/lib/dhcp/dhclient.ens36.leases

These files contain the DHCP lease details for each interface, and while they were not relevant in this challenge, might be a good source for future investigations.

sansforensics@siftworkstation: ~
$ cat /mnt/ewf_mount/var/lib/dhcp/dhclient.enp0s3.leases 
lease {
interface "enp0s3";
fixed-address 192.168.2.100;
option subnet-mask 255.255.255.0;
option routers 192.168.2.222;
option dhcp-lease-time 86400;
option dhcp-message-type 5;
option domain-name-servers 192.168.2.222,192.168.88.1;
option dhcp-server-identifier 192.168.2.222;
option broadcast-address 192.168.2.255;
option domain-name "w1re";
renew 4 2017/11/09 00:14:43;
rebind 4 2017/11/09 00:14:43;
expire 4 2017/11/09 00:14:43;
}
sansforensics@siftworkstation: ~
$

 

sansforensics@siftworkstation: ~
$ cat /mnt/ewf_mount/var/lib/dhcp/dhclient.ens36.leases 
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 21:20:30;
rebind 0 2019/10/06 21:20:30;
expire 0 2019/10/06 21:20:30;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 21:35:23;
rebind 0 2019/10/06 21:49:23;
expire 0 2019/10/06 21:53:08;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 21:48:26;
rebind 0 2019/10/06 22:01:38;
expire 0 2019/10/06 22:05:23;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 22:02:30;
rebind 0 2019/10/06 22:14:41;
expire 0 2019/10/06 22:18:26;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 22:16:55;
rebind 0 2019/10/06 22:28:45;
expire 0 2019/10/06 22:32:30;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 22:31:54;
rebind 0 2019/10/06 22:43:10;
expire 0 2019/10/06 22:46:55;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 22:45:49;
rebind 0 2019/10/06 22:58:09;
expire 0 2019/10/06 23:01:54;
}
lease {
interface "ens36";
fixed-address 172.16.64.137;
option subnet-mask 255.255.255.0;
option routers 172.16.64.2;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 172.16.64.2;
option dhcp-server-identifier 172.16.64.254;
option broadcast-address 172.16.64.255;
option netbios-name-servers 172.16.64.2;
option domain-name "localdomain";
renew 0 2019/10/06 22:59:47;
rebind 0 2019/10/06 23:12:04;
expire 0 2019/10/06 23:15:49;
}
sansforensics@siftworkstation: ~
$

One thought on “Magnet Weekly CTF – Week 7 – Domains and Such

Leave a Reply

Your email address will not be published.