Magnet Virtual Summit 2020 CTF (iOS)

Previous: Egg Hunt

If anything the iOS section of the Magnet CTF proved to me, you really need to deep dive into the database files to pull out all the information. I think it was fantastic how they made you go outside the box to find flags in this section.


iOS Device

Account Scout (5)

What's the Apple ID email associated with this device
Flag should look like: flag<sally@mail.com> (Don't include flag<>)

Parsing through using iLEAPP we can see
abrunswick8675309@gmail.com was the address associated with the Apple ID.


What's in the toolbox? (5)

What tool was used to perform the acquisition on this device? Note: You only have 1 attempt 

There was a MEAT.log in the evidence folder so naturally Jack Farley used his own tool for the acquisition!


Mobile Evidence Acquisition Toolkit

I would walk 3,264 miles just to hack you tonight (10)

What is the name of this user's favorite city in Apple Maps?

There weren’t many Apple Maps coordinates that were parsed out outside of the Burlington, Vermont

area and outside of the normal dates. Because of the hint in the title, we see one entry for London.

 

The name stuck out to me as something the creator would highlight, and it worked. Loserville


Not a HIPAA Violation (10)

What medication is this user currently on?

Medical information is stored as part of the Health app on an iPhone at the following path: 

/iOS_Filesystem/private/var/mobile/Library/MedicalID/MedicalIDData.archive 

The file is a plist which can be parsed. 

 
We we the user has some medication listed, Lysergic acid diethylamide.

Who am I? (10) 

What's the name of this device?

This can be pulled from:

/iOS_Filesystem/private/var/root/Library/Lockdown/data_ark.plist 

iLEAPP parses it quickly, “Alan's Fantastical iPhone” 

 

Ye ole 9 to 5 (10) 

What is the company associated with the contact "Chester Russell"?

AXIOM parses this out quickly from Contact Info. We can see Chester is associated with APT802

 

Back in my day we weren't glued to our phones (25)

How many seconds did the user have Safari open between the hours of 12:00:00 and 20:00:00 on March 23rd, 2020?

Only enter the number

We can calculate a sum of screen time application usage and filtering on Safari. Once we add up the 
seconds column, we get a total time of 1039 seconds. 


Creeper aw man (25) 

Looks like a MineCraft server was hosted on this device?? Find the username of a player who has joined 

I did a quick keyword search on “Creeper” which brought back some text files which appear to be text splash sayings: 

\usr\dev\cuberite.tar.gz\cuberite\Server\Plugins\NetworkTest\splashes.txt 

I went to the location and up a few folders to find the “players” folder which had a JSON file inside: 

\usr\dev\cuberite\Server\players\67\451c08-f6c8-436a-ba16-7eee924e3bd0.json 

Near the bottom we can see the flag, the username Thad_Castle_ 

 

Hackerman (25) 

What is the first IP address that this user targeted via a popular hacking tool?

As I assumed the iPhone was jailbroken from other questions, I found remnants of information related to the Metasploit framework. In traversing the iOS filesystem, we can see a bash history file at the following path: 

iOS_Filesystem/private/var/mobile/.msf4/history 

Inside the plaintext file shows two different IP addresses that were targeted, but the first was 184.171.152.175


Near Flag Communication (25) 

What is the Tag ID of the scanned NFC tag? Remember MC questions have a 1 attempt limit
  • 377EE22E104347
  • AD2A7A3E3C63F7
  • 96C8E50757329E
  • E5DB5FE6A6984D
  • 041146220F5E80
  • 2D52E5017D690E
  • 64DCD00FD51BFB
  • 64DCD00FD51B03
  • 925F65AC9786B6
I first checked any bluetooth connections to see if anything popped out but nothing so I ended up indexing the full dump and keyword searching brute force style. The flag 041146220F5E80 popped up in a syslog file found at:

/iOS_Filesystem/private/var/tmp/syslog



I assume this temp storage stored some connection info at one time, I'm not sure if there is an easier way to find this answer elsewhere.

Check out my Spotify (50)

This user's Spotify playlist is looking a bit suspicious..?

A quick keyword search for “playlist” shows Chester and Alan exchanged Twitter DM’s. The playlist can be found at https://t.co/0Qc9pWfe5x



The flag is Destroy Education Debt.

Plug it in plug it innnn (50)

What is the name of the computer that was used to sync with this device?

Good ole iLEAPP pulls this out right from the Data Ark:

/iOS_Filesystem/private/var/root/Library/Lockdown/data_ark.plist

On the main page of the report we can see it connected to DESKTOP-A108NFK:



SNAP.. That's going int my cringe compilation (50)

How many applications have iOS Snapshots?

Application Usage info can be pulled from the database at the following path:

/iOS_Filesystem/private/var/mobile/Library/FrontBoard/applicationstate.db

In the kvs_debug table we can filter the key down to XBApplicationSnapshotManifest resulting in 88 apps, the flag.


Spraaang Breaaaak (50)

How many guests were registered in the trip to Disney?

Warning: You only have 3 attempts at this


To start, let’s look at the installed applications:



We see multiple Disney applications but MyDisneyExperience is what we want to deep dive into. From the mobile_installation log we can see the following path contains app information:



Sifting through files, we can see an Itinerary DB file in the Library folder of the application path above.

Opening the database with DB Browser for SQLite, there is 4 tables with one of importance:


Exporting the BLOB to a plist, we can open that in an editor and see the answer for the question, 6 adults.


Thank you to evandrix for some hints post CTF on a few of these.