Magnet Weekly CTF Challenge Week #6

Challenge 6 (Nov. 9–16) The Elephant in the Room 25

Part One: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On the secondary nodes (not the MAIN node) your colleague recollects seeing one particular dependency failed to install correctly. Your task is to find the specific error code that led to this failed dependency installation. [Flag is numeric]

Part Two: Don’t panic about the failed dependency installation. A very closely related dependency was installed successfully at some point, which should do the trick. Where did it land? In that folder, compared to its binary neighbors nearby, this particular file seems rather an ELFant. Using the error code from your first task, search for symbols beginning with the same number (HINT: leading 0’s don’t count). There are three in particular whose name share a common word between them. What is the word?

Part 1

With any install or packaging activity, we can look in /var/log/apt/history.log to find some potential leads.

I tried that first, but it would have been too easy, so I had a go at grepping keywords over any log files on the disks.

grep -r -i --include "*.log" "failed" /mnt/ewf_mount*
grep -r -i --include "*.log" "error" /mnt/ewf_mount*

I reviewed the output and noticed Java seemed to have failed to install. During last week’s question, I had noticed Java was one of Hadoop’s main dependencies. In the log we can see a 404 error was returned when trying to install Java 7.
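As an added example (not part of the original writeup), the same triage as the greps above but narrowed to the thing that actually answers the question: the HTTP status code apt recorded for a failed fetch. It assumes the older apt term.log layout, where an `Err <url> <package>` line is followed by an indented `  404  Not Found` line; the sample text is constructed, not copied from the challenge image.

```shell
# Added example, not the writeup's own commands. Assumes the two-line apt
# "Err ..." / "  NNN  Reason" fetch-failure layout (adjust for other apt versions).
apt_fetch_errors() {
    # Reads apt log text on stdin, prints "<code> <url package version>" per failure.
    awk '
        /^Err / { err = $0; sub(/^Err /, "", err); next }
        err != "" && /^ *[45][0-9][0-9] / { print $1, err; err = ""; next }
        /^[^ ]/ { err = "" }
    '
}

# Constructed sample in the shape of an apt term.log excerpt (not real data)
SAMPLE_LOG='Log started: 2017-01-01  00:00:00
Get:1 http://archive.example.org/ubuntu xenial/main amd64 libfoo amd64 1.0
Err http://ppa.example.org/webupd8team/java/ubuntu xenial/main oracle-java7-installer all 7u80
  404  Not Found
Get:2 http://archive.example.org/ubuntu xenial/main amd64 libbar amd64 2.0
Log ended: 2017-01-01  00:01:00'

# Over a mounted image you would feed it every term.log, rotated ones included:
#   find /mnt/ewf_mount*/var/log/apt -name "term.log*" -exec zcat -f {} + | apt_fetch_errors
printf '%s\n' "$SAMPLE_LOG" | apt_fetch_errors
```

The awk keeps only the `Err` line that immediately precedes a status line, so an unrelated `4xx` number elsewhere in the log (a version string, a byte count) does not produce a false hit the way a bare `grep 404` would.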

Answer to Part 1: 404

Part 2

So to summarise what I think is being asked in the next part:

  • We are looking for the folder where the JDK 7 replacement landed.
  • There should be a file in that folder that is different from the others
  • There should be symbols that start with 404 in that file
  • There should be 3 symbols that all have a common word in their name.

Continuing to review the term.log file, there were mentions of Java 8 and Java 9 being installed in its place.

From the .bash_history, the user tried to install using apt-get but eventually removed those packages. An archive landed in /home/hadoop/temp/ and was then moved to /usr/local/jdk1.8.0_151.

This didn’t seem right, as it wasn’t a binary file, nor were there “binary neighbours” in the same folder. I also didn’t see anything referring to symbols or 404.

I did some other searches on 404 and the ASCII character for 404 as “symbols” was a key term in the question.

I researched a bit more about ELF files and the symbol tables that are contained within them but was still not sure what files to look at.

I caved in and bought a hint but wasn’t able to get a good direction out of it.

It was the last day of the challenge and I had one more go at part 2. I decided to just start looking at the symbol tables of binaries close to where I thought the installation happened, using readelf. I ran readelf -s * | grep 404 across /usr/local/jdk1.8.0_151/bin to see if I could score some last-minute luck and found that there were some hits for 404. The last 3 all had the word deflate in them, which was the answer for part 2!!

I ran it without the grep and found that this file was called unpack200. This file was the biggest in the folder, so maybe that was what the “ELFant” hint was referring to.
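The readelf -s | grep 404 approach above matches the number anywhere on the line. As an added example (not the writeup's own commands), here is the same hunt made explicit: pick the largest ELF in a directory by checking the ELF magic rather than trusting the extension, then filter readelf’s symbol table so that only entries whose zero-padded Value column, or whose name, begins with the number after leading zeros are dropped. Reading the “leading 0’s don’t count” hint as a pointer at the Value column is my assumption; the readelf output embedded below is constructed to look like a zlib-bearing binary and is not taken from the challenge image.

```shell
# Added example, not from the original writeup. readelf (binutils) is assumed
# to be installed for symbols_with_prefix; the awk filter runs on its own.

# is_elf FILE: true if FILE starts with the ELF magic 0x7f 'E' 'L' 'F'
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -c | tr -d ' ')" = "177ELF" ]
}

# largest_elf DIR: print the biggest ELF file in DIR, the "ELFant" of the hint
largest_elf() {
    best=""; best_size=-1
    for f in "$1"/*; do
        [ -f "$f" ] && is_elf "$f" || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$best_size" ]; then best="$f"; best_size=$size; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# filter_symbol_names NUMBER: reads `readelf -s` text on stdin and prints
# "<table> <value> <name>" for symbols whose Value (leading zeros stripped)
# or Name begins with NUMBER
filter_symbol_names() {
    awk -v want="$1" '
        /^Symbol table/ { table = $3; gsub(/[^A-Za-z0-9._]/, "", table); next }
        $1 ~ /^[0-9]+:$/ && NF >= 8 {
            val = $2;  sub(/^0+/, "", val)
            name = $8; sub(/^0+/, "", name)
            if (index(val, want) == 1 || index(name, want) == 1)
                print table, $2, $8
        }'
}

# symbols_with_prefix FILE NUMBER: the real thing, e.g.
#   symbols_with_prefix /usr/local/jdk1.8.0_151/bin/unpack200 404
symbols_with_prefix() {
    readelf -s "$1" | filter_symbol_names "$2"
}

# Constructed readelf -s style excerpt (not the challenge binary's real table)
SAMPLE_READELF="Symbol table '.symtab' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000403f10    32 FUNC    GLOBAL DEFAULT   13 inflateInit_
     2: 0000000000404a20   120 FUNC    GLOBAL DEFAULT   13 deflateInit_
     3: 0000000000404c00    64 FUNC    GLOBAL DEFAULT   13 deflateEnd
     4: 0000000000404e80   900 FUNC    GLOBAL DEFAULT   13 deflate"

printf '%s\n' "$SAMPLE_READELF" | filter_symbol_names 404
```

On a real image you would run `largest_elf /mnt/ewf_mount*/usr/local/jdk1.8.0_151/bin` to find the candidate, then `symbols_with_prefix` on it; printing the table name alongside each hit tells you whether a symbol came from .symtab (static symbols, stripped in many shipped binaries) or .dynsym.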

Answer: deflate