TL;DR: Week 11 of the #MagnetWeeklyCTF was a chance to check out
rekall, mainly because I was completely fail-whaling on getting the relevant Volatility plugin to work.
Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.
Get the first challenge
The weekly challenge for week 11 was only two parts. The first was:
What is the IPv4 address that myaccount.google.com resolves to?
This continues last week's theme of using the memory image to dig into network traffic. This week, however, I moved out of Volatility and into Rekall, as I wanted to use its dns_cache() plugin and not bother trying to get Volatility's to work. Because rekall was a fork of Volatility, the syntax is basically the same, but you're dropped into a shell immediately, instead of having to run
The dns_cache() plugin dumped the DNS cache from the image, telling us what the machine thought each name resolved to at the moment it was imaged. The entry for myaccount.google.com is a CNAME record pointing to www3.l.google.com. The entry for that name is a straight-up A record pointing to IP address 126.96.36.199, which is our answer.
Get the second challenge
The second challenge was:
What is the canonical name (cname) associated with Part 1?
We ended up answering the second question on the way to solving the first: myaccount.google.com is a CNAME, so the answer is www3.l.google.com.
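Both parts of this week's challenge come down to the same operation: take the dumped cache, start at the queried name, follow CNAME records until you hit an A record, and report the CNAME hop(s) and the final IPv4 address. The script below is an added example, not code from the write-up and not part of Rekall; it works on constructed rows shaped like a DNS cache dump (name, record type, data) rather than on a memory image, and the `CacheRecord`, `build_index` and `resolve_chain` names are my own. The two google.com entries and the IP are the values quoted above; the loop and dangling entries are constructed to show the failure modes a real cache can contain.

```python
"""Follow a CNAME chain through a dumped DNS cache.

Added example, not from the original write-up or from Rekall/Volatility.
SAMPLE_CACHE is constructed to mimic the shape of a dns_cache-style dump
(name, record type, data); the google.com rows and the IP are the ones
quoted in the write-up, the *.example rows are made up to exercise edge cases.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheRecord:
    name: str    # owner name as the cache stored it
    rtype: str   # "A", "AAAA" or "CNAME"
    data: str    # IP address for A/AAAA, target name for CNAME


# Constructed sample of what a memory-resident DNS cache might hold.
SAMPLE_CACHE = [
    CacheRecord("myaccount.google.com", "CNAME", "www3.l.google.com"),
    CacheRecord("www3.l.google.com", "A", "126.96.36.199"),
    CacheRecord("loop-a.example", "CNAME", "loop-b.example"),   # constructed loop
    CacheRecord("loop-b.example", "CNAME", "loop-a.example"),
    CacheRecord("dangling.example", "CNAME", "nowhere.example"),  # target not cached
]


def _norm(name):
    """DNS names are case-insensitive; strip a trailing dot and lower-case."""
    return name.rstrip(".").lower()


def build_index(records):
    """Group cache rows by normalised owner name."""
    index = {}
    for rec in records:
        index.setdefault(_norm(rec.name), []).append(rec)
    return index


def resolve_chain(name, index, max_hops=8):
    """Return (cname_targets, ipv4_addresses) for `name`.

    cname_targets lists every CNAME hop in order; ipv4_addresses are the A
    records found at the end of the chain.  Raises ValueError on a CNAME
    loop or when max_hops is exceeded, LookupError when a name in the
    chain is not in the cache or has neither A nor CNAME data.
    """
    chain = []
    seen = set()
    current = _norm(name)
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop detected at {current}")
        seen.add(current)
        recs = index.get(current)
        if not recs:
            raise LookupError(f"{current} is not in the cache")
        a_records = [r.data for r in recs if r.rtype == "A"]
        if a_records:
            return chain, a_records
        cnames = [r for r in recs if r.rtype == "CNAME"]
        if not cnames:
            raise LookupError(f"{current} has no A or CNAME record")
        chain.append(cnames[0].data)
        current = _norm(cnames[0].data)
    raise ValueError(f"gave up after {max_hops} hops from {name}")


if __name__ == "__main__":
    idx = build_index(SAMPLE_CACHE)
    hops, ips = resolve_chain("myaccount.google.com", idx)
    print("CNAME chain:", " -> ".join(hops))   # part 2 of the challenge
    print("IPv4:", ", ".join(ips))             # part 1 of the challenge
```

Resolving through the cache, rather than re-querying DNS, matters for forensics: the point is what the machine believed at imaging time, and a live lookup today may give a different answer. The loop and hop limit are there because a poisoned or simply stale cache is not guaranteed to be well-formed.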
This week was really too quick to get much out of, unless you are unfamiliar with DNS. In that case, there might be some interesting discovery in the different things a DNS record can point to: a CNAME hands you another name to look up, while an A record finally gives you the address.