Magnet Weekly CTF, Week 11 Solution Walk Through

Challenge 11, Part 1: What is the IPv4 address that resolves to?

I was able to find this pretty quick going back to last week’s artifacts. In week 10, I used bulk_extractor to carve a PCAP out of the memory image.

Opening the same PCAP file I applied a String filter for ‘myaccount’.

Wireshark viewing PCAP carved from Memory

In the highlighted row we can see a DNS resolution for coming back as [Flag 1]

Challenge 11, Part 2: What is the canonical name (cname) associated with Part 1?

Scrolling further to the right on the same entry, we see that the CNAME for was [Flag 2]