Magnet Virtual Summit CTF

01 June 2020

I've really enjoyed doing the CTF run by Magnet Forensics as part of their virtual summit this year. Below you will find solutions for all but 2 of the questions. The details are quite brief, otherwise the blog would become huge, but if you'd like to see a more detailed write-up of any of these, please leave a comment or tweet me.

If you also participated in this CTF and you have better, easier or just different ways of doing these questions I would love to hear about them!

The 2 questions I haven't solved yet are the NFC tag one and the malware one. My thoughts on them so far are right at the bottom; if you've done them I'd love to chat to you about them. I don't have much experience with network forensics or reverse engineering so this is an area I'd like to learn more about.

Questions are in green
Answers are in blue


I was working on a Windows 10 machine and these are the tools I used*
(*that I can remember)


------------------------------------Egg Hunt------------------------------------

For each level, please copy the NEW block of text located below the now decoded portion.

Puzzle text:
-----STARTS-----
Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY
-----ENDS-----

What is the color of the first egg? BLUE
How is the ORANGE egg encoded? Base64
What was the key used to unlock this cipher? magnet
What is the special word? Onion
What is the final message of the completed egg hunt? bean

Decoding:
ROT13 amount -1

Result:
You have found the BLUE egg! The next piece of the puzzle is: Lbh unir sbhaq gur TERRA rtt (frperg jbeq = Bavba)... gur arkg cvrpr bs gur chmmyr vf : JJ91VTuuqzHtMz91ozDtqTuyVR9FDH5UEFOyM2phYv4tqTuyVT5yrUDtpTyyL2Hto2LtqTuyVUO1racfMFOcplNbn2I5VQ0toJSaozI0XGbXn29uVUIyo3RtMaIbpaptMzueVTIcqlOkM20hYv4tM2k4VUcyMTptqTWkL2ftLzbtoKEyVUMbMUA4MFOiMwbXLzI5qT9gn2RuVT5foPObpUy5qlOgMabtoKuiL2ykVT9zqP4hYvOgMabtozS6rvOyoQbtpzu6pjbX

Decoding:
ROT13 amount 13

Result:
You have found the GREEN egg (secret word = Onion)... the next piece of the puzzle is : WW91IGhhdmUgZm91bmQgdGhlIE9SQU5HRSBlZ2cuLi4gdGhlIG5leHQgcGllY2Ugb2YgdGhlIHB1enpsZSBpcyAoa2V5ID0gbWFnbmV0KToKa29hIHVlb3EgZnVocncgZmhrIGVpdyBxZ20uLi4gZ2x4IHplZGcgdGJxY2sgYmogbXRlIHZoZHN4ZSBvZjoKYmV5dG9ta2EhIG5sbCBocHl5dyBtZnogbXhvY2lxIG9mdC4uLiBtZnogbmF6eiBlbDogcmh6cwoK

Decoding:
From Base64

Result:
You have found the ORANGE egg... the next piece of the puzzle is (key = magnet):
koa ueoq fuhrw fhk eiw qgm... glx zedg tbqck bj mte vhdsxe of:
beytomka! nll hpyyw mfz mxociq oft... mfz nazz el: rhzs

Decoding:
Vigenere Decode with key = magnet

Result:
you have found the red egg... the next piece of the puzzle is:
xlmtizgh! blf ulfmw gsv tlowvm vtt... gsv uozt rh: yvzm

Decoding:
Atbash Cipher

Result:
congrats! you found the golden egg... the flag is: bean
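
The five decoding steps above chained in Python, as an added example that is not part of the original write-up. The function names and the way each layer is split on "is: ", "is : " and "):" are assumptions of this example; PUZZLE is the puzzle text from this page.

```python
import base64
import string

LETTERS = string.ascii_lowercase
ATBASH = str.maketrans(LETTERS + LETTERS.upper(),
                       LETTERS[::-1] + LETTERS.upper()[::-1])

def shift(ch, n):
    """Rotate one ASCII letter by n places, preserving case."""
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + n) % 26 + base)

def rot(text, n):
    """ROT layer: digits, spaces and punctuation pass through unchanged."""
    return "".join(shift(c, n) if c in string.ascii_letters else c for c in text)

def vigenere_decrypt(text, key):
    """Vigenere layer: the key position advances only on letters."""
    out, i = [], 0
    for c in text:
        if c in string.ascii_letters:
            out.append(shift(c, -LETTERS.index(key[i % len(key)].lower())))
            i += 1
        else:
            out.append(c)
    return "".join(out)

# Puzzle text copied from the page (between -----STARTS----- and -----ENDS-----).
PUZZLE = (
    "Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: "
    "Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : "
    "KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2Mu"
    "rUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJd"
    "rmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2Sv"
    "WU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY")

def solve(puzzle):
    """Peel the layers in the order used above; return each egg's decoded text."""
    blue = rot(puzzle, -1)                                   # ROT13 amount -1
    green = rot(blue.partition("is: ")[2], 13)               # ROT13 amount 13
    orange = base64.b64decode(green.partition("is : ")[2]).decode("ascii")
    key = orange.partition("key = ")[2].partition(")")[0]    # key is in the text
    red = vigenere_decrypt(orange.partition("):\n")[2], key)
    gold = red.partition(":\n")[2].translate(ATBASH).strip()
    return [blue, green, orange, red, gold]

if __name__ == "__main__":
    for layer in solve(PUZZLE):
        print(layer[:70].replace("\n", " "))
```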


------------------------------------Android & Google Takeout------------------------------------

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name) [Hint: https://youtu.be/wEv0zOeA2FU?t=152]
The clue is a clip from Jack Ryan in which they communicate with someone via a game. This suggests the “covert” app we are looking for is a game, which leads us to: com.zynga.chess.googleplay

What is the username for the Zynga Chess app? 
Looking in the users tables of the app's database:
data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite
Local user = chess.master.chester

Where did Chester get ramen in Norway? (Restaurant Name) Koie
Image of noodles with embedded geo found in Google Takeout:
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-09\IMG_20200309_172817.jpg


What is the name of the file that this user attached/linked and emailed to Warren? Chestnut_CV.exe
Gmail data from Google Takeout shows a thread with Warren:


While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?
Chester’s photo from Google Takeout (left):
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-08\IMG_20200308_144240.jpg