Magnet CTF Week 11 - DNS Cache Analysis… sort of

Updated: 2 minute read

Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!

CTF Posts

Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 Week 8 Week 9 Week 10

Getting Started

New image for December! It can be found here. This is a memory image, and this week has multiple questions. Note: I may jump between Volatility 2.6 and 3 as I’m playing around.

Q1: What is the IPv4 address that myaccount.google.com resolves to?

First I pinged myaccount.google.com. I was pretty sure the same resolution would not be it, but it was worth a try. Next, I looked for active connections. I found a few owned by Google, but no indication that they belong to “myaccount”.

I looked for a way to extact the DNS cache, but could not find any tool or tip that worked for me. After a long while running down some research leads, I decided to try a search for any Google IP addresses around “myaccount.google.com”. Hopefuly this would get me the DNS cache, even if I don’t know the structure.

$ strings memdump-001.0.mem | grep -B 5 -A 5  myaccount | grep 172\.
172.217.12.131
172.217.10.238le.com0

In the command above I am using strings on the memory image, and returning 5 rows before and after the hit for “myaccount”. Then I search for 172, which is what I guess is the first octet of a Google IP address.

Tried 131, but failed. Trying 172.217.10.238 and BING! Success.

Really looking forward to the writeup for this question!

Q2: What is the canonical name (cname) associated with Part 1?

I’m not sure if I did this one as intended, but I queried the current state of Google DNS.

$ dig myaccount.google.com

;; DiG 9.16.1-Ubuntu myaccount.google.com
;; global options: +cmd
;; Got answer:
;; HEADER opcode: QUERY, status: NOERROR, id: 16677
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[SNIP]
ANSWER SECTION:
myaccount.google.com.	2674	IN	CNAME	www3.l.google.com.
www3.l.google.com.	283	IN	A	172.217.31.174
[SNIP]

Trying www3.l.google.com and BING! Success.

Lessons Learned

I spent a lot of time looking for DNS cache in memory and didn’t find anything. I tried to look a bit at the structure that was returned during search. This is something I really want to look into more in the future. I’m excited to see what everyone came up with, and maybe there is an easy solution I didn’t find.