Magnet Forensics Weekly CTF #11

Challenge 11 (Dec 14-21) – 20pts

What is the IPv4 address that resolves to?

To solve this question, I decided to try using bulk_extractor. I haven’t used this tool before but just learned about it from BakerStreetForensics’ Week 10 writeup. This is a powerful tool that can extract tons of information from an image. In this case I was interested in the generated PCAP file, in order to find DNS queries. For more information on bulk_extractor see the Kali Tools page.

In the OUT directory specified above, we can find the generated PCAP. We can open the PCAP in Wireshark and search for the domain in question, where we will see DNS queries like the one below. In this DNS response we can see the IP returned was

Challenge 11 (Dec 14-21) Part 2 – 5pts

What is the canonical name (cname) associated with Part 1?

In the query above, we can also see the CNAME under the answers section:
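The same two answers (the A record from Part 1 and the CNAME from Part 2) can also be pulled straight out of the DNS message bytes without Wireshark. The following is an added Python example, not part of this writeup: it walks the answer section of a raw DNS response, following RFC 1035 name compression pointers. The message, names and address below are constructed placeholders, not the challenge's values.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers.
    Returns (dotted name, offset just past the name as written at `off`)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            if not jumped:                     # the wire name ends after the first pointer
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                        # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg):
    """Return [(owner, type, value)] for the A and CNAME records in a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                   # skip the fixed 12-byte header
    for _ in range(qdcount):                   # skip the question section
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: 4-byte IPv4 address
            answers.append((owner, "A", ".".join(str(b) for b in msg[off:off + 4])))
        elif rtype == 5:                       # CNAME: rdata is a (possibly compressed) name
            answers.append((owner, "CNAME", read_name(msg, off)[0]))
        off += rdlen
    return answers

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample response (placeholder names and TEST-NET address, not the challenge's):
# id=0x1234, flags=0x8180 (standard response), 1 question, 2 answers, 0 authority, 0 additional
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    + encode_name("www.example.test") + b"\x00\x01\x00\x01"                     # Q: A www.example.test
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 7) + b"\x04host\xc0\x10"     # CNAME -> host.example.test
    + b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])  # A 192.0.2.10
)
```

Running `parse_answers(SAMPLE)` lists the CNAME first and then the A record that the CNAME target resolves to, which is the same pair of answers Wireshark shows under the Answers section.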
