Magnet Virtual Summit CTF
01 June 2020
I've really enjoyed doing the CTF run by Magnet Forensics as part of their virtual summit this year. Below you will find solutions for all but 2 of the questions. The details are quite brief, otherwise the blog would become huge, but if you'd like to see a more detailed write-up of any of these please leave a comment or tweet me.
If you also participated in this CTF and you have better, easier or just different ways of doing these questions I would love to hear about them!
The 2 questions I haven't solved yet are the NFC tag one and the malware one. My thoughts on them so far are right at the bottom; if you've done them I'd love to chat to you about them. I don't have much experience with network forensics or reverse engineering, so this is an area I'd like to learn more about.
Questions are in green
Answers are in blue
I was working on a Windows 10 machine and these are the tools I used*
(*that I can remember)
- AXIOM 4
- iLEAPP & ALEAPP
- APOLLO
- RegRipper
- Google Reverse Image Search
- DB Browser
- PListExplorer
- PEStudio
- Volatility (I used the executable that came bundled with AXIOM but you can also get it from the Volatility Foundation)
- Bulk Extractor
- CyberChef
- OpenStego
- Unfurl
- Windows built-in Event Viewer
- FTK Imager
- VirtualBox
------------------------------------Egg Hunt------------------------------------
For each level, please copy the NEW block of text located below the now decoded portion.
Puzzle text:
-----STARTS-----
Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY
-----ENDS-----
What is the color of the first egg? BLUE
How is the ORANGE egg encoded? Base64
What was the key used to unlock this cipher? magnet
What is the special word? Onion
What is the final message of the completed egg hunt? bean
Decoding:
ROT13 amount -1
Result:
You have found the BLUE egg! The next piece of the puzzle is: Lbh unir sbhaq gur TERRA rtt (frperg jbeq = Bavba)... gur arkg cvrpr bs gur chmmyr vf : JJ91VTuuqzHtMz91ozDtqTuyVR9FDH5UEFOyM2phYv4tqTuyVT5yrUDtpTyyL2Hto2LtqTuyVUO1racfMFOcplNbn2I5VQ0toJSaozI0XGbXn29uVUIyo3RtMaIbpaptMzueVTIcqlOkM20hYv4tM2k4VUcyMTptqTWkL2ftLzbtoKEyVUMbMUA4MFOiMwbXLzI5qT9gn2RuVT5foPObpUy5qlOgMabtoKuiL2ykVT9zqP4hYvOgMabtozS6rvOyoQbtpzu6pjbX
Decoding:
ROT13 amount 13
Result:
You have found the GREEN egg (secret word = Onion)... the next piece of the puzzle is : WW91IGhhdmUgZm91bmQgdGhlIE9SQU5HRSBlZ2cuLi4gdGhlIG5leHQgcGllY2Ugb2YgdGhlIHB1enpsZSBpcyAoa2V5ID0gbWFnbmV0KToKa29hIHVlb3EgZnVocncgZmhrIGVpdyBxZ20uLi4gZ2x4IHplZGcgdGJxY2sgYmogbXRlIHZoZHN4ZSBvZjoKYmV5dG9ta2EhIG5sbCBocHl5dyBtZnogbXhvY2lxIG9mdC4uLiBtZnogbmF6eiBlbDogcmh6cwoK
Decoding:
From Base64
Result:
You have found the ORANGE egg... the next piece of the puzzle is (key = magnet):
koa ueoq fuhrw fhk eiw qgm... glx zedg tbqck bj mte vhdsxe of:
beytomka! nll hpyyw mfz mxociq oft... mfz nazz el: rhzs
Decoding:
Vigenere Decode with key = magnet
Result:
you have found the red egg... the next piece of the puzzle is:
xlmtizgh! blf ulfmw gsv tlowvm vtt... gsv uozt rh: yvzm
Decoding:
Atbash Cipher
Result:
congrats! you found the golden egg... the flag is: bean
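The whole egg hunt chained together, as an added Python example that is not part of the original write-up: it walks the five levels (shift by -1, ROT13, Base64, Vigenère with key "magnet", Atbash) over the puzzle text quoted above and pulls out the flag. It assumes the CyberChef convention that the Vigenère key only advances on letters, and that each level's payload follows the fixed phrase shown in the results above.

```python
import base64
import string

# Constructed copy of the puzzle text quoted above on this page.
PUZZLE = "Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY"

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def alphabet_of(ch):
    """Return the alphabet a character belongs to, or None for digits/punctuation."""
    return LOWER if ch in LOWER else UPPER if ch in UPPER else None


def caesar(text, shift):
    """Shift letters by `shift` positions (ROT13 is shift 13, CyberChef's 'amount -1' is shift -1)."""
    out = []
    for ch in text:
        alpha = alphabet_of(ch)
        out.append(alpha[(alpha.index(ch) + shift) % 26] if alpha else ch)
    return "".join(out)


def vigenere_decrypt(text, key):
    """Subtract the repeating key from letters only; non-letters pass through and do not consume key."""
    out, i = [], 0
    for ch in text:
        alpha = alphabet_of(ch)
        if alpha is None:
            out.append(ch)
            continue
        k = LOWER.index(key[i % len(key)].lower())
        out.append(alpha[(alpha.index(ch) - k) % 26])
        i += 1
    return "".join(out)


def atbash(text):
    """Mirror the alphabet (a<->z, b<->y, ...); Atbash is its own inverse."""
    return text.translate(str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1]))


def after(text, marker):
    """Return the payload that follows a fixed phrase in a decoded level."""
    return text.split(marker, 1)[1]


def solve(puzzle):
    """Decode each egg in turn and return every level's plaintext plus the final flag."""
    blue = caesar(puzzle, -1)                                            # level 1
    green = caesar(after(blue, "puzzle is: "), 13)                       # level 2: ROT13
    orange = base64.b64decode(after(green, "puzzle is : ")).decode()     # level 3: Base64
    red = vigenere_decrypt(after(orange, "magnet):\n").strip(), "magnet")  # level 4
    golden = atbash(after(red, "puzzle is:\n"))                          # level 5: Atbash
    return {"blue": blue, "green": green, "orange": orange, "red": red,
            "golden": golden, "flag": after(golden, "flag is: ").strip()}
```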
------------------------------------Android & Google Takeout ------------------------------------
Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name) [Hint: https://youtu.be/wEv0zOeA2FU?t=152]
The clue is a clip from Jack Ryan in which they communicate with someone via a game. This suggests the “covert” app we are looking for is a game which leads us to: com.zynga.chess.googleplay
What is the username for the Zynga Chess app?
Looking in the users table of the app's database:
data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite
Local user = chess.master.chester
Where did Chester get ramen in Norway? (Restaurant Name) Koie
Image of noodles with embedded geo found in Google Takeout:
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-09\IMG_20200309_172817.jpg


What is the name of the file that this user attached/linked and emailed to Warren? Chestnut_CV.exe
Gmail data from Google Takeout shows a thread with Warren:

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?
Chester’s photo from Google Takeout(left):
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-08\IMG_20200308_144240.jpg
