Home Magnet Weekly CTF 11 - More Memory Analysis, More Addresses

Magnet Weekly CTF 11 - More Memory Analysis, More Addresses

Challenge 11 Part 1 – 20pts

What is the IPv4 address that myaccount.google.com resolves to?

This challenge asks us to get the IP address that myaccount.google.com resolved to for the user of this machine. Searching the internet for ways to do this results in a plugin for recovering the Windows DNS cache. However, it hasn’t been updated in four years and wasn’t wanting to cooperate with my Python installation. Searching through the forensics and memory forensics tools on the Kali tools page takes me to the page for bulk_extractor. The tool can be found on GitHub and easily installed. The tool has a lot of options, including exporting the network activity to a packet capture.

To use it and make it quicker, we want to disable all unnecessary scanners and enable the one scanner we need that will create our output packet capture. We can do this with bulk_extractor -x all -e net -o output_pcap memdump.mem. The -x all disables all scanners, then -e net enables the one scanner network scanner. -o output_pcap is used to name the output directory and file. After running this command, we now have our packet capture found at output_pcap/output_pcap.pcap. Opening this up in Wireshark, we can search for the address and filter for DNS packets. This results in a match.


We can see the DNS answer with the IP address. The solution to this challenge is

Challenge 11 Part 2 – 20pts

What is the canonical name (cname) associated with Part 1?

Well, this is easy. It is found in the exact same spot and can be seen in the image above. Although not titled cname or canonical name the solution to this question is www3.l.google.com.

Overall, probably the easiest challenges this month.

This post is licensed under CC BY 4.0 by the author.