Magnet Virtual Summit 2022 CTF - Android

Previous: Egg Hunt!

Round 2 of the Magnet Virtual Summit CTF was an Android phone, more specifically a Google Pixel 3. We are also provided a small but useful Google Takeout dump of the account. Let's dive in!

If you are looking for an image, it was probably deleted

How many emojis were used in the first snapchat received by the User?

I thought for sure we had a parser in ALEAPP for Snapchat, but alas it doesn't handle the newer arroyo.db, so off to AXIOM I go for ease of answering. In Snapchat Chat Messages we can sort by message date and see that a welcome message was received first. Inside it we can see that 9 emojis were used.

Figure 1: Snapchat emojis

ooo so popular!

What snapchat account sent the User the most messages?

We can see that there was only one sender for all the messages, which was "teamsnapchat".

Figure 2: Snapchat chat messages

Manually, you could check the arroyo.db database in the "conversation_message" table at the "sender_id" column to see the same thing.

Pixel.tar\data\data\com.snapchat.android\databases\arroyo.db

Figure 3: Arroyo.db file for Snapchat

With this sender ID you can correlate with the main.db database in the "Friend" table at the "userId" and "username" columns and see that the ID matches up with the username.

Pixel.tar\data\data\com.snapchat.android\databases\main.db

Figure 4: main.db file for Snapchat
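The two manual checks above (count messages per sender_id in arroyo.db, then resolve each sender_id against Friend.userId in main.db) can be done in one query by attaching the second database. The script below is an added example, not code from the post, ALEAPP or AXIOM. It builds two small sample databases with constructed rows; the column names sender_id, Friend.userId and Friend.username come from the post, while the remaining column names and the millisecond epoch timestamps are assumptions about the schema. In the real arroyo.db the message body is a binary blob rather than plain text, which is why the emoji count in the post comes from AXIOM rather than from a SELECT.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed sample rows (not from the CTF image). conversation_message.sender_id
# and Friend.userId / Friend.username are the columns named in the post; the other
# column names and the millisecond epoch timestamps are assumptions about the schema.
SAMPLE_MESSAGES = [
    # (client_conversation_id, sender_id, creation_timestamp, message_content)
    ("conv-1", "uid-team", 1644000000000, "Welcome to Snapchat!"),
    ("conv-1", "uid-team", 1644000100000, "Tip of the day"),
    ("conv-1", "uid-team", 1644000200000, "Another tip"),
    ("conv-2", "uid-angie", 1644100000000, "hey"),
    ("conv-2", "uid-owner", 1644100100000, "hi"),
    ("conv-3", "uid-gone", 1644200000000, "from a contact with no Friend row"),
]
SAMPLE_FRIENDS = [
    ("uid-owner", "ctf_user"),
    ("uid-team", "teamsnapchat"),
    ("uid-angie", "angie_frank07"),
]


def build_sample_dbs(workdir):
    """Write arroyo.db and main.db with the constructed rows; returns both paths."""
    arroyo = os.path.join(workdir, "arroyo.db")
    main_db = os.path.join(workdir, "main.db")
    con = sqlite3.connect(arroyo)
    con.execute("CREATE TABLE conversation_message (client_conversation_id TEXT, "
                "sender_id TEXT, creation_timestamp INTEGER, message_content TEXT)")
    con.executemany("INSERT INTO conversation_message VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.close()
    con = sqlite3.connect(main_db)
    con.execute("CREATE TABLE Friend (userId TEXT, username TEXT)")
    con.executemany("INSERT INTO Friend VALUES (?, ?)", SAMPLE_FRIENDS)
    con.commit()
    con.close()
    return arroyo, main_db


def senders_by_message_count(arroyo_path, main_path):
    """[(sender_id, username, count)] busiest first. The LEFT JOIN keeps senders that
    have no Friend row (removed or never-added contacts) instead of dropping them.
    Work on copies of the evidence files, never on the originals."""
    con = sqlite3.connect(arroyo_path)
    try:
        con.execute("ATTACH DATABASE ? AS snapmain", (main_path,))
        return con.execute(
            "SELECT m.sender_id, COALESCE(f.username, '<no Friend row>') AS username, "
            "COUNT(*) AS n FROM conversation_message AS m "
            "LEFT JOIN snapmain.Friend AS f ON f.userId = m.sender_id "
            "GROUP BY m.sender_id, username ORDER BY n DESC, m.sender_id"
        ).fetchall()
    finally:
        con.close()


def first_received(arroyo_path, main_path, owner_id):
    """Earliest message not sent by the account owner: (utc_iso, username, content)."""
    con = sqlite3.connect(arroyo_path)
    try:
        con.execute("ATTACH DATABASE ? AS snapmain", (main_path,))
        row = con.execute(
            "SELECT m.creation_timestamp, COALESCE(f.username, '<no Friend row>'), "
            "m.message_content FROM conversation_message AS m "
            "LEFT JOIN snapmain.Friend AS f ON f.userId = m.sender_id "
            "WHERE m.sender_id != ? ORDER BY m.creation_timestamp LIMIT 1", (owner_id,)
        ).fetchone()
    finally:
        con.close()
    if row is None:
        return None
    when = datetime.fromtimestamp(row[0] / 1000, tz=timezone.utc).isoformat()
    return (when, row[1], row[2])


def demo():
    """Build the sample databases in a temp directory and run both queries."""
    workdir = tempfile.mkdtemp()
    arroyo, main_db = build_sample_dbs(workdir)
    return {"ranking": senders_by_message_count(arroyo, main_db),
            "first_received": first_received(arroyo, main_db, "uid-owner")}


if __name__ == "__main__":
    result = demo()
    for line in result["ranking"]:
        print(line)
    print(result["first_received"])
```

The COALESCE matters in practice: a sender whose Friend row has been removed still counts toward "most messages", and reporting it as unresolved is better than letting the join silently drop it.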

BurgLARProof

What Live Action Role Play armor was the user building?

You can use either ALEAPP or AXIOM to get to this quickly. Under the Chrome web history visits we see some hits on LARP shield DIYs.

Figure 5: Chrome history in ALEAPP

You could always go to the direct source to find it too in the History file:

Pixel.tar\data\data\com.android.chrome\app_chrome\Default\History

Your charIoT awaits

What was the MAC address of the first IoT device connected? Format: XX:XX:XX:XX:XX:XX

Device connections are common over bluetooth so we can head on over to the bt_config.conf file.

Pixel.tar\data\misc\bluedroid\bt_config.conf

My understanding is that the items get listed in the order they were connected, with the timestamp indicating the last seen date and time. It is odd that our first entry doesn't have one, but we can see that the first entry is for a "Moto 360 DF00" watch with a MAC address of D0:5F:B8:33:DF:00.

Figure 6: bt_config.conf

ID Please

What was the ICCID for the SIM card used with this device?

There are multiple locations where you can potentially find this answer. I will give two different options. The first is the Checkin.xml file.

Pixel.tar\data\data\com.google.android.gms\shared_prefs\Checkin.xml

In the "CheckinService_lastSim" key you get two values, the ICCID alongside the IMSI.

Figure 7: Checkin.xml

We can see the ICCID was "89148000007077222152". A second option to find this is the telephony.db found at:

Pixel.tar\data\user_de\0\com.android.providers.telephony\databases\telephony.db

If you look at the "siminfo" table you can see the "icc_id" column has the same number.

Figure 8: telephony.db
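Both sources above can be pulled and cross-checked with a few lines, and since an ICCID carries a Luhn check digit you can also confirm you grabbed a complete, uncorrupted number rather than a fragment. The script below is an added example, not code from the post, ALEAPP or AXIOM. The Checkin.xml sample is constructed in Android's shared_prefs layout; how the ICCID and IMSI are packed into CheckinService_lastSim is an assumption (the post only says both are there), so the extractor does not depend on any particular separator. The sample telephony.db uses the siminfo.icc_id column from the post; its carrier_name column is assumed, and the IMSI value is a made-up test-network number.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Constructed shared_prefs file in Android's <map> layout. The ICCID is the one from the
# post; the IMSI is a made-up test-network value and the second key is a placeholder.
SAMPLE_CHECKIN_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="CheckinService_lastSim">89148000007077222152,001010123456789</string>
    <long name="example_placeholder_key" value="1644000000000" />
</map>
"""

ICCID_RE = re.compile(r"(?<!\d)89\d{17,18}(?!\d)")  # 19-20 digits, MII 89 = telecom
IMSI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")        # MCC + MNC + MSIN, 15 digits


def shared_prefs_to_dict(xml_bytes):
    """Flatten a shared_prefs XML file: <string> keeps its text, the scalar tags
    (<int>, <long>, <boolean>, <float>) keep their value attribute."""
    out = {}
    for el in ET.fromstring(xml_bytes):
        name = el.get("name")
        if name is None:
            continue
        out[name] = (el.text or "") if el.tag == "string" else el.get("value")
    return out


def luhn_valid(digits):
    """Luhn check digit used by ICCIDs (and payment cards): a truncated or corrupted
    candidate fails here instead of being reported as the answer."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_sim_ids(value):
    """Pull every Luhn-valid ICCID and every 15-digit IMSI out of a free-form value."""
    return {
        "iccid": [m.group() for m in ICCID_RE.finditer(value) if luhn_valid(m.group())],
        "imsi": [m.group() for m in IMSI_RE.finditer(value)],
    }


def build_sample_telephony_db(path):
    """Constructed telephony.db with just the siminfo columns this example needs."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE siminfo (_id INTEGER PRIMARY KEY, icc_id TEXT, carrier_name TEXT)")
    con.execute("INSERT INTO siminfo (icc_id, carrier_name) VALUES (?, ?)",
                ("89148000007077222152", "Constructed Carrier"))
    con.commit()
    con.close()


def siminfo_iccids(telephony_db_path):
    """Second source from the post: the icc_id column of the siminfo table."""
    con = sqlite3.connect(telephony_db_path)
    try:
        return [row[0] for row in con.execute("SELECT icc_id FROM siminfo")]
    finally:
        con.close()


def demo():
    """Parse the sample Checkin.xml, query the sample telephony.db, and compare."""
    prefs = shared_prefs_to_dict(SAMPLE_CHECKIN_XML.encode("utf-8"))
    from_checkin = extract_sim_ids(prefs["CheckinService_lastSim"])
    db_path = os.path.join(tempfile.mkdtemp(), "telephony.db")
    build_sample_telephony_db(db_path)
    from_telephony = siminfo_iccids(db_path)
    return {"checkin": from_checkin, "telephony": from_telephony,
            "agree": set(from_checkin["iccid"]) == set(from_telephony)}


if __name__ == "__main__":
    print(demo())
```

Two independent artifacts agreeing on the same Luhn-valid ICCID is a much stronger finding than one string lifted from one XML key.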

Never-ending

Podcasts can seem like they drag on forever, how long was Rafael's longest Podcast? HH:MM:SS

My first thought was to look at any databases or settings related to podcast type applications installed. The only two I saw were Google Podcasts and Spotify. I wasn't able to find any additional info that would show any episode length so I had to dig a bit further to find the answer.

In desperation I ended up doing a search for "podcast" across my AXIOM case, which had a few hits in Pictures and Videos that I thought might show a screenshot or something. There ended up being two different podcast episodes in the Videos category that were downloaded to the path:

Pixel.tar\data\media\0\Android\data\com.google.android.googlequicksearchbox\files\Podcasts\Downloads\

The longer one (1644732498240_dcd660b73c8070f8ef7d846c3caf4c20.m4a) had a media duration of 12923.17 seconds. Using a calculator to get the proper format, the answer was 03:35:23. I'm really curious how these files get placed here and what further evidence can be found in this location, more research to be done.

Last 4

What were the last four digits of the Visa used to purchase the User's most-used video game?

A quick search for "Visa" led to the answer pretty quickly. Inside the parsed Gmail emails was a message from Mojang Studios. We see the last 4 digits of the credit card were "1815".

Figure 9: Email receipt

Expired Milk

What was the earliest expiration date for the user's guest wifi account? MM-DD-YYYY HH:MM

I had a very similar question on another recent CTF (the in-person one in Nashville) so I knew exactly where to go. In the Gmail Emails category in AXIOM there were multiple emails from Champlain College for guest wifi, but we can look at the timestamps to see which had the earliest expiration. The email in question showed an expiration of "Friday, January 28, 2022 17:01" which in the proper format equated to 01-28-2022 17:01.

Figure 10: Email for guest wifi

Water Water Everywhere

What is the zip code of the location that the image of the water was taken?

When I think of images and location data, I know to go straight for the EXIF info on photos in the DCIM folder. 

Pixel.tar\data\media\0\DCIM\Camera

There were only three pictures, and only one that showed an icy lake, MVIMG_20220212_164314.jpg. 

Figure 11: MVIMG_20220212_164314.jpg

Running the file through exiftool, we can pull out the GPS coordinates.

Figure 12: GPS info for the photo

When putting the latitude and longitude into Google Maps with the proper directional references we see the water picture was taken in Burlington, which has a zip code of 05401.

Figure 13: Google Maps coordinates

Keep on Moving

When is Next Vegas Show? Format MM/DD

The title gives you the hint to look at Google Keep. From ALEAPP we can find the note quickly and see that the Next Vegas Show was on February 17th. In the proper format the flag was 02/17.

Figure 14: Google Keep notes

Snap Your Fingers

What is the username of the last friend added to the user's Snapchat?

There was only one real friend that was added to Snapchat. The user name was "angie_frank07".

Figure 15: Snapchat friends

You can verify from the main.db file in the "Friend" table.

Pixel.tar\data\data\com.snapchat.android\databases\main.db

Starting over

What day was the device factory reset? Format YYYY/MM/DD

If you haven't read Josh Hickman's wipeout post, do it. One thing we came across and added to ALEAPP was the "factory_reset" file. It's an empty flag file, but its timestamp is indicative of the reset of the phone.

Pixel.tar\data\misc\bootstat\factory_reset

Figure 16: Factory Reset from ALEAPP

You can see the timestamp and flag in proper format was 2022/01/14.

Hash it out

What hashing algorithm was used for Bumble's email confirmation email?

A quick search for Bumble in the emails gives only 3 hits. What I failed to remember is that I still had the Google Takeout to look at. Inside we have access to the full .mbox file:

takeout-20220222T154448Z.zip\takeout-20220222T154448Z\Takeout\Mail\All mail Including Spam and Trash.mbox

A quick and dirty portable viewer I found called 4n6 MBOX Viewer easily opened the mailbox for filtering. In the DKIM header you can see the hash algorithm used was SHA256.

Figure 17: Bumble email header
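If you would rather not hunt through the .mbox in a viewer, the standard library's mailbox module will walk it and the DKIM-Signature tag list is trivial to split. The script below is an added example, not code from the post or from 4n6 MBOX Viewer. It writes a constructed two-message mbox (one with a DKIM-Signature, one without) and reports the hash named in the a= tag per message; the b= and bh= values are placeholders, so this is header parsing only and does not verify the signature, which would need the signer's public key from DNS.

```python
import mailbox
import os
import tempfile

# Constructed two-message mbox (not the Takeout file). The DKIM-Signature b= and bh=
# values are placeholders, so this example parses the header; it does not verify it.
SAMPLE_MBOX = (
    "From noreply@example.com Tue Feb  1 12:00:00 2022\n"
    "From: Bumble <noreply@example.com>\n"
    "To: user@example.com\n"
    "Subject: Confirm your email\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=sel1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "Date: Tue, 1 Feb 2022 12:00:00 +0000\n"
    "\n"
    "Please confirm your email.\n"
    "\n"
    "From other@example.com Wed Feb  2 09:00:00 2022\n"
    "From: Other Sender <other@example.com>\n"
    "To: user@example.com\n"
    "Subject: Unrelated\n"
    "Date: Wed, 2 Feb 2022 09:00:00 +0000\n"
    "\n"
    "No DKIM header on this one.\n"
)


def dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs, tolerating header folding."""
    tags = {}
    flat = header_value.replace("\r", "").replace("\n", "")
    for part in flat.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def hash_from_a_tag(a_tag):
    """a=rsa-sha256 names the key algorithm and the hash; return just the hash part."""
    if a_tag and "-" in a_tag:
        return a_tag.split("-", 1)[1]
    return None


def dkim_summary(mbox_path, from_filter=None):
    """[(from, subject, [hash per DKIM-Signature header])] for each message whose From
    contains from_filter (case-insensitive). An empty list means no DKIM header at all,
    which is itself worth noticing for a message that claims to be from a large sender."""
    results = []
    for msg in mailbox.mbox(mbox_path):
        sender = msg.get("From", "")
        if from_filter and from_filter.lower() not in sender.lower():
            continue
        sigs = msg.get_all("DKIM-Signature") or []
        hashes = [hash_from_a_tag(dkim_tags(str(sig)).get("a")) for sig in sigs]
        results.append((sender, msg.get("Subject", ""), hashes))
    return results


def demo():
    """Write the constructed mbox to a temp file and summarise it two ways."""
    path = os.path.join(tempfile.mkdtemp(), "sample.mbox")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MBOX)
    return {"bumble": dkim_summary(path, "bumble"), "all": dkim_summary(path)}


if __name__ == "__main__":
    for row in demo()["all"]:
        print(row)
```

Filtering on the From header is fine for a CTF, but on real mail remember that From is attacker-controlled and only the d= domain in a verified signature says who actually signed.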

So Tasking

What is the status of the Go grocery shopping list?

At the time of playing I had to find this answer the hard way by going into the Google Takeout, although it isn't that difficult. We can go to the Tasks.json file:

takeout-20220222T154448Z.zip\takeout-20220222T154448Z\Takeout\Tasks\Tasks.json

Only one task is found and you can see that the "Go grocery shopping" list had a status of "needsAction".

Figure 18: Tasks.json file

To make life easier, I made an RLEAPP parser for it shortly after the CTF so now you can parse Tasks much easier and quicker.

Figure 19: Google Tasks in RLEAPP

Surviving a Snake Bite

What is the name of the YouTube channel that hosts the video that was watched at 10:30 PM EST on Feb 1st?

Back to the Takeout we go. We can look at the YouTube watch history file at the path:

takeout-20220222T154448Z.zip\takeout-20220222T154448Z\Takeout\YouTube and YouTube Music\history\watch-history.html

Finding the approximate time we see the entry and the channel name.

Figure 20: YouTube watch history from Takeout

The channel name was "PythonMC".
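The watch-history.html file is just repeated "content-cell" divs, each holding the video link, the channel link and a wall-clock timestamp, so the time-based lookup above can be scripted instead of scrolled. The script below is an added example, not code from the post or from Google; the layout it assumes (div class, link order, timestamp format) is what Takeout produces as far as I know, and the sample fragment is constructed, with invented titles and URLs and only the PythonMC channel name taken from the post.

```python
import re
from datetime import datetime, timedelta
from html.parser import HTMLParser

# Constructed fragment in the layout Takeout uses for watch-history.html. Titles, URLs
# and the second entry are invented; PythonMC is the channel name the post found.
SAMPLE_WATCH_HISTORY = (
    '<html><body>'
    '<div class="content-cell mdl-cell mdl-cell--6-col mdl-typography--body-1">'
    'Watched&nbsp;<a href="https://www.youtube.com/watch?v=EXAMPLE1">Constructed title</a><br>'
    '<a href="https://www.youtube.com/channel/UCEXAMPLE1">PythonMC</a><br>'
    'Feb 1, 2022, 10:30:12 PM EST</div>'
    '<div class="content-cell mdl-cell mdl-cell--6-col mdl-typography--body-1">'
    'Watched&nbsp;<a href="https://www.youtube.com/watch?v=EXAMPLE2">Another title</a><br>'
    '<a href="https://www.youtube.com/channel/UCEXAMPLE2">Other Channel</a><br>'
    'Feb 2, 2022, 8:05:00 AM EST</div>'
    '</body></html>'
)

TIMESTAMP_RE = re.compile(
    r"^(?P<dt>[A-Z][a-z]{2} \d{1,2}, \d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) (?P<tz>[A-Z]{2,5})$")


def _build_entry(links, text):
    """Turn the collected links and loose text of one cell into a dict."""
    pieces = [t.strip() for t in text if t.strip()]  # strip() also drops the &nbsp;
    entry = {"action": pieces[0] if pieces else None, "title": None, "url": None,
             "channel": None, "channel_url": None, "time": None, "tz": None}
    if links:
        entry["url"], entry["title"] = links[0]
    if len(links) > 1:
        entry["channel_url"], entry["channel"] = links[1]
    m = TIMESTAMP_RE.match(pieces[-1]) if pieces else None
    if m:
        entry["time"] = datetime.strptime(m.group("dt"), "%b %d, %Y, %I:%M:%S %p")
        entry["tz"] = m.group("tz")  # kept as a label; the datetime stays naive
    return entry


class WatchHistoryParser(HTMLParser):
    """Collect (links, loose text) per content-cell div; Takeout puts no divs inside it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.entries = []
        self._in_cell = False
        self._in_link = False
        self._links = []
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and "content-cell" in (attrs.get("class") or ""):
            self._in_cell, self._links, self._text = True, [], []
        elif tag == "a" and self._in_cell:
            self._in_link = True
            self._links.append([attrs.get("href"), ""])

    def handle_endtag(self, tag):
        if tag == "a" and self._in_cell:
            self._in_link = False
        elif tag == "div" and self._in_cell:
            self._in_cell = False
            self.entries.append(_build_entry(self._links, self._text))

    def handle_data(self, data):
        if not self._in_cell:
            return
        if self._in_link:
            self._links[-1][1] += data
        else:
            self._text.append(data)


def parse_watch_history(html_text):
    parser = WatchHistoryParser()
    parser.feed(html_text)
    parser.close()
    return parser.entries


def watched_near(html_text, when, tolerance_minutes=5):
    """Entries within tolerance of `when` (a datetime or 'YYYY-MM-DD HH:MM'). Both sides
    are naive wall-clock values in the zone the file labels (EST here), which is the
    account's configured zone, not UTC; convert the question's time accordingly."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    window = timedelta(minutes=tolerance_minutes)
    return [e for e in parse_watch_history(html_text)
            if e["time"] is not None and abs(e["time"] - when) <= window]


if __name__ == "__main__":
    for hit in watched_near(SAMPLE_WATCH_HISTORY, "2022-02-01 22:30"):
        print(hit["time"], hit["tz"], hit["channel"], hit["title"])
```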

Bee Sweater

What famous cartoon from the mid 1900s did the user watch a snippet of?

I took the hint that I should wander back to the Bumble directories to hunt for the file in question. I scoured databases for clues of chat history or things shared but didn't find anything that had a link.

If all else fails try a Bumble keyword search and hope for the best right?! It narrowed the results down to 17 videos, 13 of which can be found in a cache folder at:

Pixel.tar\data\data\com.bumble.app\cache\files_cache\

After a short manual review of screencap previews only one fit the bill of what we were looking for:

Figure 21: cached Bumble video

The short clip was of the Peanuts cartoon, though this one was actually from the newer 2015 movie.

A Recent Trick

What is the name of Step 5: Step 4 -?

This question was definitely an odd one as the wording was very specific. Two things came to mind: either it was in a picture, or it was hidden somewhere in a file. A quick search for "trick" and "Step 5" led me nowhere. As always, read the titles, because that gave the biggest clue.

In ALEAPP there is a category called "Recent Activity" that parses recent tasks and recent application snapshot images. Lo and behold, one of the four entries found included a snapshot from Chrome that showed the answer:

Figure 22: Chrome recent snapshot

We see that the answer was "CA-CHUNK!". I would have thought AXIOM would have pulled snapshots out into their own category, but I guess I was wrong. Sifting through 40k images isn't the best method, so FOSS tools for the win on this one.

You can view the image natively at the path:

Pixel.tar\data\system_ce\0\snapshots\119.jpg

All Trail Blazer

How many miles were left until Stowe Pinnacle? Format: X.X

I spent a number of hours prepping parsers for AllTrails because I assumed some question's answer would be found nestled in the databases somewhere (ALEAPP parser still coming for this). When it came to this one, nothing apparent was found, even when looking for Stowe.

When all else fails, keyword searching for "alltrails" will help narrow down what artifacts were pulled from the app's path. I had a feeling it would be in a cached image or video, so manual review was necessary. Luckily the data set was only ~300 results, so I found the image nested in the following location:

Pixel.tar\data\data\com.alltrails.alltrails\cache\image_manager_disk_cache\99d1b2a262de7eebbbc66541fde9228b55e8d8b6d7dbe0f85e6f3f26fe57017a.0

It shows a wooden trail sign with the Stowe Pinnacle being 3.6 miles away. I don't think even OCR would have caught this.

Figure 23: AllTrails cached image

Seeing Through the Trees

What was the last street that Google told the user to turn on to on the way to Sugarbush Mountain?

This was a wild guess, but I knew ALEAPP had some audio guidance for Google Maps, so I went to the parser and checked out the very last timestamped entry. The audio clip sounds like this:

The answer was Forest Drive. The original audio clip can be found at the path:

Pixel.tar\data\data\com.google.android.apps.maps\app_tts-cache\-1160035261_1643549893503