Magnet Weekly CTF Challenge Week #1: hosts

svch0st
Oct 12, 2020

--

Challenge 1 (OCT 5–11) — Mapping the Digits 20

What time was the file that maps names to IP’s recently accessed?

(Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)

So the key for this one was afile that maps names to IP. This immediately jumps out as a DNS related artefact, specifically, thehosts file.

A hosts file is a local file that your computer will check when resolving domain names before it reaches out to a DNS server. It is a list of FQDNs that map to IPs. For example, if I added an entry like below, it would mean that when I type magnetforensics.com into my browser, it will resolve to whatever I'm hosting on my loopback address (127.0.0.1).

127.0.0.1  magnetforensics.com

Here are the locations of file on the major OSs.

  • Windows: C:\Windows\System32\drivers\etc\hosts
  • Linux: /etc/hosts
  • MacOS: /private/etc/hosts
  • iOS: /etc/hosts (requires root access)
  • Android: /system/etc/hosts

In MUS_Android.tar, there are 2 hosts files but the one the system would have been using is /data/adb/modules/hosts/system/etc/hosts.

There is also a copy of this file in the downloads folder? Maybe the hosts file in the system was replaced by one that was downloaded?

We can see that the file was modified on ‎Thursday, ‎5 ‎March ‎2020, ‏‎4:50:18 PM (My time zone).

But the UTC timezone is 05/03/2020 05:50:18 or 03/05/2020 05:50:18 in American format.

FTK Imager

If we peek inside, we see an unusual entry which could be covered in the next challenges…

Answer: 03/05/2020 05:50:18

--

--