Magnet Weekly CTF (Week 5) - Hadoop Logs


Linux month is upon us and I must admit, it's probably my least comfortable operating system in terms of knowledge of structure and artifacts. So I tried to keep an open mind when looking at this week's question.

Challenge 5 (Nov. 2-9) Had-A-Loop Around the Block (75)

What is the original filename for block 1073741825?

Doing a little research, knowing these were Ali Hadi's training images, gave me a little more background on what we were looking at. The question wording gives a hint that we are looking at a Hadoop server configuration that was compromised (oh look, another elephant!!!). Without knowing much about block storage, I decided to run a keyword search on "1073741825" to see if anything popped up.

As the screenshot below from X-Ways shows, we get some hits in some namenode and datanode log files.

Note: This search could probably be performed with any tool (grep, for example); X-Ways just seemed to be the quickest for what I had available in my toolkit.



Let's take a look at the keyword hit inside the log at the following path:

\usr\local\hadoop\logs\hadoop-hadoop-namenode-master.log

The entry timestamped 2017-11-08 20:46:33,602 shows some commit information for the specific block we are looking for:

2017-11-08 20:46:33,602 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: BLOCK* blk_1073741825_1001 is COMMITTED but not COMPLETE(numNodes= 0 <  minimum = 1) in file /text/AptSource._COPYING_

The mentioned commit is to the file "AptSource._COPYING_", which, as a first educated guess, ended up being the correct answer. I'm looking forward to learning more about Linux and Hadoop in the coming weeks.
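The keyword search above can also be scripted. The following is an added example, not part of the original write-up: it parses namenode log entries in the layout of the quoted line and matches the block ID exactly, so a longer ID that merely contains "1073741825" is not reported. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Constructed sample: line 1 is the entry quoted in the post; lines 2-3 are
# made-up entries in the same layout (a look-alike block ID and another block).
SAMPLE_LOG = """\
2017-11-08 20:46:33,602 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: BLOCK* blk_1073741825_1001 is COMMITTED but not COMPLETE(numNodes= 0 <  minimum = 1) in file /text/AptSource._COPYING_
2017-11-08 20:47:01,115 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: BLOCK* blk_10737418250_1003 is COMMITTED but not COMPLETE(numNodes= 0 <  minimum = 1) in file /text/lookalike.bin._COPYING_
2017-11-08 20:47:09,430 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: BLOCK* blk_1073741826_1002 is COMMITTED but not COMPLETE(numNodes= 0 <  minimum = 1) in file /text/example2.txt._COPYING_
"""

# Log header as seen in the quoted entry: timestamp, level, logger, message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
                     r"[A-Z]+ \S+: (?P<msg>.*)$")
BLOCK_RE = re.compile(r"\bblk_(?P<id>\d+)(?:_(?P<genstamp>\d+))?")
FILE_RE = re.compile(r"\bin file (?P<path>/.+?)\s*$")
COPY_SUFFIX = "._COPYING_"  # temporary name the HDFS shell uses during an upload


def files_for_block(log_text, block_id):
    """Return (timestamp, generation stamp, path) for entries naming exactly block_id."""
    hits = []
    for line in log_text.splitlines():
        header = LINE_RE.match(line)
        if not header:
            continue  # continuation lines (e.g. stack traces) have no header
        path = FILE_RE.search(header["msg"])
        if not path:
            continue  # block mentioned, but no file path in this entry
        for blk in BLOCK_RE.finditer(header["msg"]):
            # Compare the parsed number, not a substring of the line.
            if int(blk["id"]) == block_id:
                hits.append((header["ts"], blk["genstamp"], path["path"]))
    return hits


def logged_name(path):
    """Return (file name as logged, file name without the upload suffix)."""
    name = path.rsplit("/", 1)[-1]
    bare = name[:-len(COPY_SUFFIX)] if name.endswith(COPY_SUFFIX) else name
    return name, bare


if __name__ == "__main__":
    for ts, gen, path in files_for_block(SAMPLE_LOG, 1073741825):
        print(ts, gen, path, logged_name(path))
```
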