Magnet Virtual Summit CTF

01 June 2020

I've really enjoyed doing the CTF run by Magnet Forensics as part of their virtual summit this year. Below you will find solutions for all but 2 of the questions. The details are quite brief, otherwise the blog would become huge, but if you'd like to see a more detailed write-up of any of these please leave a comment or tweet me.

If you also participated in this CTF and you have better, easier or just different ways of doing these questions I would love to hear about them!

The 2 questions I haven't solved yet are the NFC tag one and the malware one. My thoughts on them so far are right at the bottom. If you've done them I'd love to chat to you about them. I don't have much experience with network forensics or reverse engineering so this is an area I'd like to learn more about.

Questions are in green
Answers are in blue


I was working on a Windows 10 machine and these are the tools I used*
(*that I can remember)


------------------------------------Egg Hunt------------------------------------

For each level, please copy the NEW block of text located below the now decoded portion.

Puzzle text:
-----STARTS-----
Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY
-----ENDS-----

What is the color of the first egg? BLUE
How is the ORANGE egg encoded? Base64
What was the key used to unlock this cipher? magnet
What is the special word? Onion
What is the final message of the completed egg hunt? bean

Decoding:
Caesar shift of -1 (a ROT13 operation with the amount set to -1, equivalent to ROT25). Only letters move, so the digits in the Base64 block at the end are untouched.

Result:
You have found the BLUE egg! The next piece of the puzzle is: Lbh unir sbhaq gur TERRA rtt (frperg jbeq = Bavba)... gur arkg cvrpr bs gur chmmyr vf : JJ91VTuuqzHtMz91ozDtqTuyVR9FDH5UEFOyM2phYv4tqTuyVT5yrUDtpTyyL2Hto2LtqTuyVUO1racfMFOcplNbn2I5VQ0toJSaozI0XGbXn29uVUIyo3RtMaIbpaptMzueVTIcqlOkM20hYv4tM2k4VUcyMTptqTWkL2ftLzbtoKEyVUMbMUA4MFOiMwbXLzI5qT9gn2RuVT5foPObpUy5qlOgMabtoKuiL2ykVT9zqP4hYvOgMabtozS6rvOyoQbtpzu6pjbX

Decoding:
ROT13 (shift 13)

Result:
You have found the GREEN egg (secret word = Onion)... the next piece of the puzzle is : WW91IGhhdmUgZm91bmQgdGhlIE9SQU5HRSBlZ2cuLi4gdGhlIG5leHQgcGllY2Ugb2YgdGhlIHB1enpsZSBpcyAoa2V5ID0gbWFnbmV0KToKa29hIHVlb3EgZnVocncgZmhrIGVpdyBxZ20uLi4gZ2x4IHplZGcgdGJxY2sgYmogbXRlIHZoZHN4ZSBvZjoKYmV5dG9ta2EhIG5sbCBocHl5dyBtZnogbXhvY2lxIG9mdC4uLiBtZnogbmF6eiBlbDogcmh6cwoK

Decoding:
From Base64

Result:
You have found the ORANGE egg... the next piece of the puzzle is (key = magnet):
koa ueoq fuhrw fhk eiw qgm... glx zedg tbqck bj mte vhdsxe of:
beytomka! nll hpyyw mfz mxociq oft... mfz nazz el: rhzs

Decoding:
Vigenère decode with key = magnet. The key advances only on letters and runs on across the line break, so both lines must be decoded as a single input (the second line starts at key letter e, not m).

Result:
you have found the red egg... the next piece of the puzzle is:
xlmtizgh! blf ulfmw gsv tlowvm vtt... gsv uozt rh: yvzm

Decoding:
Atbash cipher (a↔z, b↔y, c↔x, ...)

Result:
congrats! you found the golden egg... the flag is: bean


------------------------------------Android & Google Takeout ------------------------------------

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name) [Hint: https://youtu.be/wEv0zOeA2FU?t=152]
The clue is a clip from Jack Ryan in which they communicate with someone via a game. This suggests the “covert” app we are looking for is a game which leads us to: com.zynga.chess.googleplay

What is the username for the Zynga Chess app? 
Looking in the users table of the app's database:
data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite
Local user = chess.master.chester

Where did Chester get ramen in Norway? (Restaurant Name) Koie
Image of noodles with embedded geo found in Google Takeout:
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-09\IMG_20200309_172817.jpg


What is the name of the file that this user attached/linked and emailed to Warren? Chestnut_CV.exe
Gmail data from Google Takeout shows a thread with Warren.

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?
Chester's photo from Google Takeout:
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-08\IMG_20200308_144240.jpg

A reverse image search led to a match with Wikipedia: Oseberg Ship

How many tweets did Chester tweet?
Identify the local user ID via the file-naming convention of the Twitter app:

MUS_Android.tar\data\data\com.twitter.android\shared_prefs\profile1230174369462267904.xml (so local user ID = 1230174369462267904)

This account is linked to Chester via MUS_Android.tar\data\data\com.twitter.android\shared_prefs\1230174369462267904.xml.

Filter for this author ID in AXIOM (Artifact view > Social Media > Twitter Tweets): 5 tweets have this author ID.

How much warmer is it going to be tomorrow in Burlington?
12
Visible at the end of a video shared via Snapchat (this video was initially of interest because it shows the Matrix background mentioned in a separate question); the answer is read from a screenshot of the video's final frame.

What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?
I used the computer's RAM dump. Filtering on "remote IP Address" within the netscan artifacts in AXIOM: port = 54281

What train station did Chester get directions to? Bergen
Google Takeout "cloud google activity" where action = "directions".
 
What was the path that Chester's train took? Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH
Reference map, and the Google Takeout geolocation points viewed on AXIOM's world map display.

The location of these points gives us the route, and the timestamps of the points at each location give the direction of travel:
  •     10/03 07:24 Oslo (N)
  •     10/03 08:02 Drammen (M)
  •     10/03 08:30 Åmot (L)
  •     10/03 08:57 Hønefoss (J)
  •     10/03 10:19 Gol (H)
  •     10/03 11:34 Finse (F)
  •     10/03 12:42 Vossevangen (C)
  •     10/03 13:55 Bergen (A)
Route = NMLJHFCA

Unbeknownst to Chester and Alan, the app found in the question "Obfuscating Like a Pro" didn't store their chat logs securely. What is the chat message ID for where the target of the hack is declared?
In the app's database (wf_database.db) the message declaring the target has chat_message_id = 18741612351.

What was the first move made by Chester in Chester's Chess game?
  •     Flag is in chess notation (Ex. A1-B2)
  •     Chess board for reference, assume white starts on rows 7 and 8

From the wf_database users table: Chester's user_id = 237046613

In the "moves" table the earliest move associated with this user has createdAt 2020-02-19T17:25:26Z. This is the second move listed in the table, so Chester must have gone second, hence played black.

Chester’s move details:
  •     Starting point: X1 = 4, Y1 = 1
  •     Ending point: X2 = 4, Y2 = 3 

The "data" column also stores the board state before each move; with some line breaks and spaces inserted it becomes a readable board. Three snapshots are useful: the board at the start of the first move; the board at the start of Chester's move (which shows what the previous move was, and therefore that white is represented by capitals); and the board at the start of the move after Chester's (which shows what Chester's move was).

Transposing Chester’s move onto the board provided gives E2-E4.

To show off his leet hacker skills to Alan, Chester downloaded a farm-themed package for his terminal. What is the name of the package? cowsay
From MUS_Android.tar\data\data\com.termux\files\home\.bash_history
3rd time lucky!


What does the cow say? hello alan
data\data\com.google.android.apps.messaging\cache\image_manager_disk_cache\06358f4841ae28d5135cc11dd8b1cee079c63b9eb882aa266b5eccfae70cc627.0


How many NHL (National Hockey League) Mascots are shown in the video?
12
Counted from screenshots of the video.