Magnet Weekly CTF Challenge Week 6 Writeup

Here comes the week 6 challenge of the Magnet Weekly CTF challenge. For the first time, the challenge was divided into a two-parter. Participants would need to solve the 1st part of the challenge in order to view and solve the 2nd. The 1st part was relatively easy, as a gentle warm-up to the 2nd part.

Part I

The 1st part of the challenge asked the following:


Because the flag was a numerical error code attributed to a failed Hadoop dependency installation, the first thing to check had to be the Linux package manager logs. Since "apt" package manager was used on all nodes, the directory "/var/log/apt" on both HDFS secondary nodes should be inspected carefully:

From the contents of "history.log" file, there were errors occurred during the installation of Oracle Java 7 and 8 packages and the "dpkg" subprocess returned a "1" error code.  So the answer to part 1 challenge should be "1" and sadly it was not the correct answer. Since there was also a "term.log" file under the "/var/log/apt" directory,  the "term.log" file was inspected as well:
Judging from the contents, the "term.log" file was a log file for the "apt" package manager terminal output. The lines highlighted in yellow from the above screenshot showed a previously unseen factor (Oracle Java 7 installer download failed due to not found JDK7 tar.gz file on Oracle servers) contributing to the failed installation of Oracle Java 7 package. Therefore, the HTTP error code "404" was the answer to the 1st part of the challenge.

Part II

The 2nd part of the challenge asked the following:


The way I approached this question was to break it down into smaller sub-questions and tackle all the sub-questions one by one. With the benefit of hindsight, it is of utmost importance to have a grip on the keywords and their contexts:

1. "Don't panic about the failed dependency installation."

 From Part I, it was clear the "failed dependency installation" refers to Oracle Java 7.

2. "A very closely related dependency was installed successfully at some point, which should do the trick. Where did it land?"

Contrary to the "history.log" file, the "term.log" file also recorded the successful installation of Oracle Java 8 and 9. The installed Oracle Java 8 could be found at "/usr/local/jdk1.8.0_151", somewhere next to the Hadoop directory ("/usr/local/hadoop").

3. "In that folder, compared to its binary neighbors nearby, this particular file seems rather an ELFant."

Things got interesting from here. This sub-question suggested to look for a possibly gigantic binary ELF file from the dependency folder specified from sub-question 2. However, there was no binary ELF file immediately available from "/usr/local/jdk1.8.0_151". As the Java 8 binary ELF file should be inside "/usr/local/jdk1.8.0_151/bin" directory, the "bin" directory should be checked and it turned out that the "unpack200" was the largest binary ELF file (227 KB) under that directory.


4. "Using the error code from your first task, search for symbols beginning with the same number (HINT: leading 0's don't count)."

The next step to take would be searching for symbols beginning with "404". Linux built-in tool "readelf" could accomplish that easily and by using "readelf -s unpack200 | grep 404", the following result could be obtained:

 The second column shown in the screenshot above was symbol value, it was clear that there were exactly 3 symbol values began with "404", which led to the ultimate answer of the part 2 challenge.

5. "There are three in particular whose name share a common word between them. What is the word? "

The word "deflate" could be found from the three symbol names and thus could be concluded as the ultimate correct answer.

Extra - The Wrong Turn

Before arriving at the correct answer, I took a wrong turn at sub-question 3 and it quickly evolved into a sticky situation.

My first thought was to look for ALL binary ELF files under "/usr/local/jdk1.8.0_151" and its sub-directories. Then choose a binary ELF file with the largest file size. With that in mind, a gigantic "libjfxwebkit.so" shared library file (74,363 KB) was found.

When the "readelf" tool was used on "libjfxwebkit.so", it did not give the distinctive and clear results as the one of "unpack200" and I did get lost in search of a non-existent answer in the wild. For some reason, I had a funny feeling that this happened to a lot of the participants.
Eventually I decided to take a step back and look at the bigger picture and it was the necessary push for me to get back into the right track.



Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was ...
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa...
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi...
Read more