Magnet Virtual Summit 2020 CTF (Android)



The Android image had some of the toughest questions yet in this CTF. This section gave me fits while playing live, but after giving it more time to digest and think it through, I came out with almost all the answers.

Android

Obfuscating Like a Pro (5)

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name)


Hint: https://youtu.be/wEv0zOeA2FU?t=152


Parsing the TAR file using Alexis Brignoni's ALEAPP, we can see the installed applications on the phone. The hint helps narrow down exactly what they are looking for: Jack Ryan was chatting through a game, and one of the only installed games was Chess with Friends. Since they are asking for the package name, we see it here:



com.zynga.chess.googleplay

Just another pawn (5)

What is the username for the Zynga Chess app?


I was able to find the associated login for Zynga Chess through Chrome Login in ALEAPP:



chess.master.chester

The College Lifestyle- Artic Edition (5)

Where did Chester get ramen in Norway? (Restaurant Name)


Going to the DCIM folder, we can see only one picture that fits.


/data/media/0/DCIM/Camera/IMG_20200309_172817.jpg


Pulling EXIF metadata shows coordinates of:



Plugging them into Google Maps, we can see that it was at Koie Ramen.


Blocked for security reasons! (10)

What is the name of the file that this user attached/linked and emailed to Warren?


We can do a quick keyword search on "Warren" and look at the emails sent. This narrows the scope down to two separate emails, both of which can be found parsed from the Google Takeout in AXIOM.

For some reason AXIOM didn't pull out this attachment as such, but it was the flag:


Chestnut_CV.exe

bOat-SINT (10)

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?


Once again we can look in the DCIM folder and see a large boat.

/data/media/0/DCIM/Camera/IMG_20200308_144240.jpg

EXIF data shows coordinates as follows:

This plots us right next to Vikingskipshuset, the Viking Ship Museum in Oslo, Norway. A quick Wikipedia hunt on the museum shows the famous Oseberg ship.

Fastest Thumbs in the West (10)

How many tweets did Chester tweet?


AXIOM pulled out the user info for Chester quickly:


Knowing the user ID, we can check out all tweets with 1230174369462267904 as the author:


We can see that Chester sent out 5 tweets.

It's not the heat, it's the humidity (10)

How much warmer is it going to be tomorrow in Burlington?


I stumbled upon this while looking for the answer to another question: a screen capture video that showed a silent notification from Google Weather. As seen in the screenshot below, it will be 12 degrees warmer.


New IP Who Dis? (10)

What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?


A quick keyword search for the IP shows a hit in the memory image under the netscan (Network Info) parse.


From the local IP address we see it was listening on port 54281.

The Polar Express (10)

What train station did Chester get directions to?


A quick look at the Google Maps queries shows searches with a destination of Bergen Station.

Trans-Siberian Railway (10)

What was the path that Chester's train took?


Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH


I had to snag the map key from forensic8or since I didn't save it after the CTF.


We can add the parsed Google Maps queries and Cloud Google Location History to the world map view in AXIOM to see a rough outline of the location plots.


Comparing this to the key, we can see the route was NMLJHFCA.

You Get a Database! And You Get a Database! (10)

Unbeknownst to Chester and Alan, the app found in the question "Obfuscating Like a Pro" didn't store their chat logs securely. What is the chat message ID for where the target of the hack is declared?


Since we know the Chess with Friends app was used, let's look at the app's databases folder:


Data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite


The obvious choice of table is "chat_messages", and we can see they are targeting Mallie Sae:


The message ID is 18741612351.


Chess Master Chester (25)

What was the first move made by Chester in Chester's Chess game?


Flag is in chess notation (Ex. A1-B2)


Chess board for reference, assume white starts on rows 7 and 8: https://www.dummies.com/wp-content/uploads/201843.image0.jpg


As in the previous question, we can look at the wf_database.sqlite database, except on a different table. To correlate info to Chester, we look at the "users" table:



Seeing that his user ID is 237046613, we can correlate that to specific moves in the "moves" table:


Relating the table layout to x/y coordinates was a bit tricky. With coordinates of 4-1 to 4-3, I assumed the numbering started at 0, so it would be a pawn moving first. I tried D2-D4 at first, but I guess the numbering started at the bottom right instead of the left, so it was incorrect. With a quick fix, I switched to E2-E4, which was the answer. This seemed to be good ole honest luck.

Old McDonald's Penguin Farm (25)

To show off his leet hacker skills to Alan, Chester downloaded a farm-themed package for his terminal. What is the name of the package?


Learning from the iOS dump, you really need to dig into the folders to find more app info. I Googled terminals for Android, and the second option was Termux, which the ALEAPP output shows was installed on Chester's phone.


A quick scan through the tar shows a bash history file at the following path:


MUS_Android.tar\data\data\com.termux\files\home\.bash_history


We can see a few installs, but the most obvious one given the clue was cowsay.


Root for the home team! (25)

How many NHL (National Hockey League) Mascots are shown in the video?


There is a 4-frame cached video at:

MUS_Android.tar\data\data\com.twitter.android\cache\precache\200.0.1582346614153.v3.exo

I honestly don't know what the final answer was for this, I spotted 11 different mascots.


Snapchat Deletes Your Data... Right? (25)

What did Chester set his emoji for the mutual best friend indicator in Snapchat to?


You have 1 attempt at this


 Nerd 🤓

 Vulkan Hand 🖖

 Sunglasses 😎

 Rock on 🤘


A good place to start is the main.db file for Snapchat that is located:


data\data\com.snapchat.android\databases\main.db


Here we can see a bunch of tables, but we want to focus on the Friendmoji one specifically.

The mutual best friend entry shows it should be Sunglasses.

Take the Red Pill, Chester (25)

Chester configured a moving matrix background on his phone. What did Chester set the falling speed of the characters to?


A demonstration video is located at data/media/0/AzRecorderFree.


We can look at the preferences for the wallpaper application here:


Data\data\com.gulshansingh.hackerlivewallpaper\shared_prefs\com.gulshansingh.hackerlivewallpaper_preferences.xml


Falling speed is set to 50.

Best Foot Forward (50)

What was the percentage likelihood that the Android user was walking on Fri Mar 6 2020 at 20:50:27 UTC?


I started looking at the Cloud Google Location History but didn't see my specific time parsed out properly, so I had to dig deeper into the JSON. By manually converting the millisecond timestamps using epochconverter.com, I found a match. The confidence level for walking was 95.
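The manual epochconverter.com step above can be scripted. This is an added example, not the author's code or AXIOM output: it walks a constructed JSON in the shape of a Takeout Location History export, converts each activity record's millisecond timestamp to UTC, and pulls the confidence for a given activity type at the exact second asked for. The coordinates, confidences and the second record's values are made up; only the target time and the 95 for walking come from the writeup.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the shape of a Takeout Location History.json export.
# Each location may carry an "activity" list whose entries have their own
# millisecond timestamp and a list of activity guesses with confidences.
# Values are made up for this example and are not from the CTF image.
LOCATION_HISTORY = json.loads("""
{"locations": [
  {"timestampMs": "1583527500000", "latitudeE7": 444758000, "longitudeE7": -732123000,
   "activity": [{"timestampMs": "1583527500000",
                 "activity": [{"type": "STILL", "confidence": 88},
                              {"type": "WALKING", "confidence": 7}]}]},
  {"timestampMs": "1583527827000", "latitudeE7": 444760000, "longitudeE7": -732120000,
   "activity": [{"timestampMs": "1583527827000",
                 "activity": [{"type": "WALKING", "confidence": 95},
                              {"type": "ON_FOOT", "confidence": 95},
                              {"type": "STILL", "confidence": 3}]}]}
]}
""")

# The time asked for in the question: Fri Mar 6 2020 20:50:27 UTC.
TARGET = datetime(2020, 3, 6, 20, 50, 27, tzinfo=timezone.utc)


def ms_to_utc(timestamp_ms: str) -> datetime:
    """Convert a Takeout millisecond timestamp string to an aware UTC datetime."""
    return datetime.fromtimestamp(int(timestamp_ms) / 1000, tz=timezone.utc)


def activity_confidence(history: dict, target: datetime, activity_type: str) -> Optional[int]:
    """Return the confidence for activity_type recorded at target (to the second), or None.

    The activity guesses sit in a nested list under each location, each with its
    own timestamp, so it is the inner timestamp that must match, not the outer one.
    """
    target = target.astimezone(timezone.utc).replace(microsecond=0)
    for location in history.get("locations", []):
        for record in location.get("activity", []):
            if ms_to_utc(record["timestampMs"]).replace(microsecond=0) != target:
                continue
            for guess in record.get("activity", []):
                if guess["type"] == activity_type:
                    return guess["confidence"]
    return None


if __name__ == "__main__":
    print(TARGET.strftime("%a %b %d %Y %H:%M:%S UTC"), "walking confidence:",
          activity_confidence(LOCATION_HISTORY, TARGET, "WALKING"))
```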

Smells phishy (50)

What is the effective UID for the application used to create the Phisy Phish phish document?


A search for "phish" shows that it was found in an Evernote database.

Now that we know it came from Evernote, we can look at the packages.xml file to see information about the APK installed on the phone:


\data\system\packages.xml


We can see under userId that the flag is 10239.
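Reading the UID out of packages.xml can be done without a full forensic suite. This is an added example rather than anything from the writeup or AXIOM: it parses a constructed excerpt in the shape of /data/system/packages.xml and returns the effective UID for a package name, falling back to sharedUserId for packages that join a shared UID (which is then the UID their process actually runs as). The package names and UIDs other than 10239 are sample values, and the Evernote package name is assumed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed excerpt in the shape of /data/system/packages.xml. Only the 10239
# value comes from the writeup; the other names, paths and UIDs are sample values.
PACKAGES_XML = """<packages>
  <package name="com.evernote" codePath="/data/app/com.evernote-1"
           flags="940112" userId="10239">
    <perms><item name="android.permission.INTERNET" granted="true" /></perms>
  </package>
  <package name="com.termux" codePath="/data/app/com.termux-1"
           flags="940112" userId="10241" />
  <package name="com.android.settings" codePath="/system/priv-app/Settings"
           flags="1074282" sharedUserId="1000" />
</packages>
"""


def effective_uid(packages_xml: str, package_name: str) -> Optional[int]:
    """Return the Linux UID a package runs as, or None if it is not installed.

    A <package> normally carries userId; a package that joins a shared UID
    carries sharedUserId instead, and that value is its effective UID.
    """
    root = ET.fromstring(packages_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") != package_name:
            continue
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        return int(uid) if uid is not None else None
    return None


def uid_map(packages_xml: str) -> Dict[str, int]:
    """Map every installed package name to its effective UID."""
    root = ET.fromstring(packages_xml)
    result: Dict[str, int] = {}
    for pkg in root.iter("package"):
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        if pkg.get("name") and uid is not None:
            result[pkg.get("name")] = int(uid)
    return result


if __name__ == "__main__":
    for name, uid in sorted(uid_map(PACKAGES_XML).items()):
        print(f"{uid:>6}  {name}")
    print("com.evernote ->", effective_uid(PACKAGES_XML, "com.evernote"))
```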