Magnet Weekly CTF (Week 1) - Hosts File


The good folks at Magnet Forensics are hosting a weekly CTF challenge for anyone interested. More details on registration and scoring here. It kicked off this week with a question from Jad.

Challenge 1 (OCT 5-11) - Mapping the Digits (20)

What time was the file that maps names to IP's recently accessed? (Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)

As part of the Magnet User Summit CTF from the summer, I had already come across this file so I almost instantly knew where to look. The file of interest is at the following path:


This file is home to IP addresses and hostnames useful for redirection on a mobile device.

This file is the file that tells your OS what path a given domain has. You can, for example, map to go to a specific IP address, similar to how DNS works for most domains. - The Polyglot Developer

As you can see in the screenshot below, the modified date shows the file was changed on 2020-03-05 05:50:18.

Screenshot out of Magnet AXIOM

You can now get these IP's and hostnames parsed into a nicer looking report utilizing the my new script in Alexis Brignoni's ALEAPP. I also submitted a custom artifact to ingest the ALEAPP TSV output into Magnet AXIOM.