Magnet Virtual Summit CTF
01 June 2020
I've really enjoyed doing the CTF run by Magnet Forensics as part of their virtual summit this year. Below you will find solutions for all but 2 of the questions. The details are quite brief, otherwise the blog would become huge, but if you'd like to see a more detailed write-up of any of these please leave a comment or tweet me.
If you also participated in this CTF and you have better, easier or just different ways of doing these questions I would love to hear about them!
The 2 questions I haven't solved yet are the NFC tag one and the malware one. My thoughts on them so far are right at the bottom; if you've done them I'd love to chat to you about them. I don't have much experience with network forensics or reverse engineering so this is an area I'd like to learn more about.
Questions are in green
Answers are in blue
I was working on a Windows 10 machine and these are the tools I used*
(*that I can remember)
- AXIOM 4
- iLEAPP & ALEAPP
- APOLLO
- RegRipper
- Google Reverse Image Search
- DB Browser
- PListExplorer
- PEStudio
- Volatility (I used the executable that came bundled with AXIOM but you can also get it from the Volatility Foundation)
- Bulk Extractor
- CyberChef
- OpenStego
- Unfurl
- Windows built-in Event Viewer
- FTK Imager
- VirtualBox
------------------------------------Egg Hunt------------------------------------
For each level, please copy the NEW block of text located below the now decoded portion.
Puzzle text:
-----STARTS-----
Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY
-----ENDS-----
What is the color of the first egg? BLUE
How is the ORANGE egg encoded? Base64
What was the key used to unlock this cipher? magnet
What is the special word? Onion
What is the final message of the completed egg hunt? bean
Decoding:
ROT13 (CyberChef) with amount -1, i.e. every letter shifted back one place
Result:
You have found the BLUE egg! The next piece of the puzzle is: Lbh unir sbhaq gur TERRA rtt (frperg jbeq = Bavba)... gur arkg cvrpr bs gur chmmyr vf : JJ91VTuuqzHtMz91ozDtqTuyVR9FDH5UEFOyM2phYv4tqTuyVT5yrUDtpTyyL2Hto2LtqTuyVUO1racfMFOcplNbn2I5VQ0toJSaozI0XGbXn29uVUIyo3RtMaIbpaptMzueVTIcqlOkM20hYv4tM2k4VUcyMTptqTWkL2ftLzbtoKEyVUMbMUA4MFOiMwbXLzI5qT9gn2RuVT5foPObpUy5qlOgMabtoKuiL2ykVT9zqP4hYvOgMabtozS6rvOyoQbtpzu6pjbX
Decoding:
ROT13 amount 13
Result:
You have found the GREEN egg (secret word = Onion)... the next piece of the puzzle is : WW91IGhhdmUgZm91bmQgdGhlIE9SQU5HRSBlZ2cuLi4gdGhlIG5leHQgcGllY2Ugb2YgdGhlIHB1enpsZSBpcyAoa2V5ID0gbWFnbmV0KToKa29hIHVlb3EgZnVocncgZmhrIGVpdyBxZ20uLi4gZ2x4IHplZGcgdGJxY2sgYmogbXRlIHZoZHN4ZSBvZjoKYmV5dG9ta2EhIG5sbCBocHl5dyBtZnogbXhvY2lxIG9mdC4uLiBtZnogbmF6eiBlbDogcmh6cwoK
Decoding:
From Base64
Result:
You have found the ORANGE egg... the next piece of the puzzle is (key = magnet):
koa ueoq fuhrw fhk eiw qgm... glx zedg tbqck bj mte vhdsxe of:
beytomka! nll hpyyw mfz mxociq oft... mfz nazz el: rhzs
Decoding:
Vigenere Decode with key = magnet
Result:
you have found the red egg... the next piece of the puzzle is:
xlmtizgh! blf ulfmw gsv tlowvm vtt... gsv uozt rh: yvzm
Decoding:
Atbash Cipher
Result:
congrats! you found the golden egg... the flag is: bean
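The whole chain above, run end to end in Python as an added example (not part of the original write-up): each stage is the operation named in the steps, with the puzzle string copied verbatim from the prompt. The stage boundaries (the Base64 blob sits after the last ": ", the Vigenère key is read from the ORANGE text, and the Vigenère and Atbash inputs are the lines below each header line) are assumptions about this particular puzzle's layout.

```python
import base64
import re
from string import ascii_lowercase as LOW, ascii_uppercase as UP
# Puzzle text copied verbatim from the egg hunt prompt above.
PUZZLE = (
    "Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: "
    "Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... "
    "hvs bslh dwsqs ct hvs dinnzs wg : "
    "KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qi"
    "Zw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdg"
    "NGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3Su"
    "NbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqu"
    "rUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9h"
    "o2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4i"
    "ZwPhNbcupaT6swPzpRcuqav6qkcY"
)

def caesar(text, shift):
    """Shift ASCII letters by `shift` places (ROT13 is shift 13); other characters pass through."""
    shift %= 26
    tbl = str.maketrans(LOW + UP, LOW[shift:] + LOW[:shift] + UP[shift:] + UP[:shift])
    return text.translate(tbl)

def atbash(text):
    """Mirror the alphabet (a<->z, b<->y, ...), the last step of the hunt."""
    return text.translate(str.maketrans(LOW + UP, LOW[::-1] + UP[::-1]))
def vigenere_decrypt(text, key):
    """Subtract the repeating key; non-letters pass through without consuming a key letter (CyberChef behaviour)."""
    out, i = [], 0
    for ch in text:
        if ch in LOW or ch in UP:
            alpha = LOW if ch in LOW else UP
            k = LOW.index(key[i % len(key)].lower())
            out.append(alpha[(alpha.index(ch) - k) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def solve_egg_hunt(puzzle=PUZZLE):
    """Run the five stages in order and return every intermediate plaintext plus the flag."""
    blue = caesar(puzzle, -1)                                     # 1: Caesar shift -1
    green = caesar(blue, 13)                                      # 2: ROT13
    orange = base64.b64decode(green.rsplit(": ", 1)[1]).decode()  # 3: Base64 blob after the last ': '
    key = re.search(r"\(key = (\w+)\)", orange).group(1)          # key is stated in the ORANGE text
    red = vigenere_decrypt(orange.split("\n", 1)[1], key)         # 4: Vigenere on the lines below it
    golden = atbash(red.split("\n", 1)[1]).strip()                # 5: Atbash on the lines below it
    return {"key": key, "flag": golden.rsplit(": ", 1)[1],
            "stages": [blue, green, orange, red, golden]}
```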
------------------------------------Android & Google Takeout ------------------------------------
Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name) [Hint: https://youtu.be/wEv0zOeA2FU?t=152]
The clue is a clip from Jack Ryan in which they communicate with someone via a game. This suggests the “covert” app we are looking for is a game, which leads us to: com.zynga.chess.googleplay
What is the username for the Zynga Chess app?
Looking in the users table of the app's database:
data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite
Local user = chess.master.chester
Where did Chester get ramen in Norway? (Restaurant Name) Koie
Image of noodles with embedded geo found in Google Takeout:
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-09\IMG_20200309_172817.jpg


What is the name of the file that this user attached/linked and emailed to Warren? Chestnut_CV.exe
Gmail data from Google Takeout shows a thread with Warren:

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?
Chester’s photo from Google Takeout (left):
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-08\IMG_20200308_144240.jpg


Reverse image search led to a match with Wikipedia (right): Oseberg Ship
How many tweets did Chester tweet?
Identify local user ID via file naming convention of Twitter app:
MUS_Android.tar\data\data\com.twitter.android\shared_prefs\profile1230174369462267904.xml (so Local user id = 1230174369462267904)
Support that this is linked to Chester via MUS_Android.tar\data\data\com.twitter.android\shared_prefs\1230174369462267904.xml:
Filter for this author ID in AXIOM (Artifact view > Social Media > Twitter Tweets)

5 tweets have this author id
How much warmer is it going to be tomorrow in Burlington? 12
Visible at the end of a video shared via snapchat. (This video was initially of interest because it shows the matrix background mentioned in a separate question.)
Screenshot from the very end of this video:
What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?
I used the computer’s RAM dump. Filter on “remote IP Address” within the netscan artifacts in AXIOM: port = 54281
What train station did Chester get directions to? Bergen
Google takeout “cloud google activity” where action = “directions”:
What was the path that Chester's train took? Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH
Reference map:
Google Takeout geo viewed via AXIOM’s world map display:
The location of these points gives us the route and looking at points in each location gives timestamps from which to infer the direction of travel:
- 10/03 07:24 Oslo (N)
- 10/03 08:02 Drammen (M)
- 10/03 08:30 Åmot (L)
- 10/03 08:57 Hønefoss (J)
- 10/03 10:19 Gol (H)
- 10/03 11:34 Finse (F)
- 10/03 12:42 Vossevangen (C)
- 10/03 13:55 Bergen (A)
Unbeknownst to Chester and Alan, the app found in the question "Obfuscating Like a Pro" didn't store their chat logs securely. What is the chat message ID for where the target of the hack is declared?
In the app’s database (wf_database.db) the following message has chat_message_id = 18741612351
What was the first move made by Chester in Chester's Chess game?
- Flag is in chess notation (Ex. A1-B2)
- Chess board for reference, assume white starts on rows 7 and 8:
From wf_database users table: Chester’s user_id = 237046613
In the “moves” table the earliest move associated with this user has “createdAt” 2020-02-19T17:25:26Z. This is the second move listed in the table, so Chester must have gone second and therefore played black.
Chester’s move details:
- Starting point: X1 = 4, Y1 = 1
- Ending point: X2 = 4, Y2 = 3
The details in the “data” column also provide a useful visualisation of the board before the current move, which we can make more intuitive with some line breaks and spaces:
At the start of the first move:
At the start of Chester’s move (indicates what the previous move was and therefore that white is represented by capitals):
At the start of the move after Chester’s (indicates what Chester’s move was):
Transposing Chester’s move onto the board provided gives E2-E4.
To show off his leet hacker skills to Alan, Chester downloaded a farm-themed package for his terminal. What is the name of the package? Cowsay
From MUS_Android.tar\data\data\com.termux\files\home\.bash_history
3rd time lucky!

What does the cow say? hello alan
data\data\com.google.android.apps.messaging\cache\image_manager_disk_cache\06358f4841ae28d5135cc11dd8b1cee079c63b9eb882aa266b5eccfae70cc627.0

How many NHL (National Hockey League) Mascots are shown in the video? 12
- Video: MUS_Android.tar\data\data\com.twitter.android\cache\precache\200.0.1582346614153.v3.exo
- I also found a GIF online which has a clearer view.
- And reference images of what the mascots look like.
Screenshots from video: