Magnet Virtual Summit CTF 2024 - Android Writeup
Info
Problem: There’s an Android logical image to analyze and a series of questions to answer.
1. Press x to Respawn
Prompt: On what platform did Rocco share his Call of Duty Username?
The Call of Duty folder is in /data/data/com.activision.callofduty.shooter. Under shared_prefs, there’s an XML file __hs_lite_sdk_store.xml that identifies Rocco’s username as OkClick5789.
A quick keyword search in Autopsy gives a hit in /data/data/com.twitter.android/databases/1719897971716685824-dm.db-wal; Rocco shared his username in a Twitter DM.
Answer: Twitter
2. Warm Up
Prompt: What Southern state’s sports team did Rocco search up?
In Autopsy, under Data Artifacts -> Web History, Chrome history reveals Rocco searched up the Louisiana Ragin’ Cajuns.
Answer: Louisiana Ragin’ Cajuns
3. Can you Handle this
Prompt: What was Rocco’s Twitter account name?
Back in the Twitter databases (/data/data/com.twitter.android/databases), I found Rocco’s username in the users table of the 1719897971716685824-66.db database: RoccoSachs96775.
Answer: RoccoSachs96775
4. Need to reach those heights
Prompt: What is the SIM operator name?
SIM information can be found in the telephony.db database, which I found in the device encrypted storage at /data/user_de/0/com.android.providers.telephony/databases. The siminfo table contains three entries with two carriers: T-Mobile and Boost Mobile. Considering that Boost Mobile has the data_roaming column set to 1 and the iso_country column set to ‘us’, that’s probably the primary SIM operator.
Answer: Boost Mobile
5. Not to be basic but…
Prompt: What is the default Internet Browser?
According to the Autopsy Data Artifacts -> Web History findings, it seems that Chrome is the most prevalent browser that was used.
New artifact alert! It seems you can find out default applications from the roles.xml file, which can be found on this phone at /data/misc_de/0/apexdata/com.android.permission. This file lists Chrome as the default browser application.
Answer: Chrome
6. Survival Mode Activated
Prompt: What conference did Rocco show interest in?
In Autopsy, under Data Artifacts -> Web History, Chrome history indicates Rocco was interested in Preppercon.
Answer: Preppercon
7. Sign me up!
Prompt: What email is associated with the device?
Android account information can be found in /system_ce/0/accounts_ce.db or /system_de/0/accounts_de.db. In both of these databases, there’s a table accounts, and both contain the email address roccotsachs@gmail.com.
Answer: roccotsachs@gmail.com
8. Not so popular
Prompt: How many messages were sent from Rocco in Twitter Direct Messages?
In the Twitter database (/data/data/com.twitter.android/databases/1719897971716685824-66.db), there’s a table conversation_entries that contains direct messages and user ids. From the filename, and from the users table from task 3, Rocco’s user id seems to be 1719897971716685824.
In the conversation_entries table, it’s just a matter of summing up the DMs corresponding to that ID, which comes out to be 8.
Answer: 8
9. No two cents about them
Prompt: According to exCHANGEs in discord with Chad, what did Chad want back from Rocco?
Combing through the Discord folders, I stumble on a database at /data/data/com.discord/files/kv-storage/@account.1185636389107273799/a that contains Discord messages in the table messages0. In this table, there are records between Chad and Rocco that indicate Chad wanted money back from Rocco after he scammed him.
Answer: money
10. You can never be too ready
Prompt: How many additional survival tips were provided in the $9 book Rocco was looking into?
In Autopsy, under Data Artifacts -> Web History, there are a couple of Amazon entries.
Following the URLs takes me to a page for a ~9 dollar book: How to Fight a Bear…and Win: And 72 Other Real Survival Tips We Hope You’ll Never Need.
Rocco also took a photo of the book with a $9 sticker on it; it’s located in /data/media/0/DCIM/Camera/PXL_20231215_202654750.jpg.
Answer: 72
11. Tag you’re it!
Prompt: What city was the user in when they identified an AirTag on them?
In the Discord chat messages, there’s one message from Rocco that was sent on 2023-12-27 indicating they had become aware of the AirTag.
Luckily, there are some photos that were taken on 2023-12-27 with GPS metadata, which I used exiftool to extract (exiftool PXL_20231227_163049844.jpg | grep GPS).
Plugging these coordinates into Google Maps reveals Rocco was in Windsor, ON.
Answer: Windsor, ON
12. A game of Cat and Mouse
Prompt: What game did two beloved cartoon characters promote in an Ad?
This one is a ridiculous challenge, and I ended up consulting Kevin Pagaro’s writeup for this one. The “ad” is actually part of a tutorial located in the Android tips directory at /data/data/com.google.android.apps.tips/files/download/asset/83c4649ef9ea3b1825f2ee682accc363a31a0e5d. Autopsy doesn’t display it, so I extracted it and tacked on a .mp4 to the filename. 3/4 of the way through, the game Tom and Jerry: Chase is shown.
I think this would take a while to find, but a way to find it would be to look through Autopsy’s files through File Views -> File Types -> By MIME Type -> video.
Answer: Tom and Jerry: Chase
13. Always achieving new heights
Prompt: What was the new score achieved on the video game Rocco watched on Youtube?
There’s a statuses table in the Twitter database (/data/data/com.twitter.android/databases/1719897971716685824-66.db) that contains tweets that Rocco viewed, posted, and retweeted. One of these tweets links a YouTube video of a new Subway Surfers high score.
The high score achieved in the video is 5187.
Answer: 5187
14. LIVE your life
Prompt: What two sports did Rocco capture in a photo?
In the photos directory (/data/media/0/DCIM/Camera) there’s a live photo PXL_20231218_020011968.jpg where I can just barely make out golfing and skiing.
Answer: golfing and skiing
15. Remember your floaties
Prompt: What fun outdoor activity location was searched for?
In Autopsy, under Data Artifacts -> Web History, there’s an entry from Chrome history for Big Water Campgrounds in Timmins, Ontario.
Answer: Big Water Campgrounds, Timmins, Ontario
16. R-E-J-E-C-T-E-D Rejected
Prompt: When was the last shutdown that was initiated by Rocco? (YYYY-MM-DD HH:MM:SS) UTC 24 hour time.
There’s an interesting folder /data/system/shutdown-checkpoints that contains files with information about shutdowns, including those requested by the user. One file, checkpoints-1703807249418, contains the latest timestamp for a user-requested shutdown at 2023-12-28 23:47:29 UTC.
Answer: 2023-12-28 23:47:29 UTC
17. Out of Stock
Prompt: What is the most recent score in Subway Surfer?
It sure is a hit to the confidence to have to consult Kevin’s writeup again, but I need to keep reminding myself that I’m still learning. And now I know a little more about Android than I did before!
Android keeps track of recent activity in /data/system_ce/0/recent_tasks. In here, there’s a file 256_task.xml that references a Subway Surfer session and a snapshot.
One directory up, there’s a folder named snapshots. In here, there’s a file 256.jpg that is seemingly linked to the 256_task.xml file, and reveals the score achieved in the latest session: 1899.
Answer: 1899
18. So Salty!
Prompt: What is the handle of the person who is talking about how upset they are with Rocco?
I recall seeing in the Discord messages with Chad an exchange about a Twitter account that was causing Rocco grief.
I find a few screenshots of the tweets in /data/media/0/Pictures/Screenshots that give the handle: @larissajenna9.
Answer: @larissajenna9
19. Don’t let them see you down
Prompt: What was added using Photoshop?
In /data/media/0/Pictures there’s a folder Photoshop Express with four screenshots of a Connections game. It seems Rocco might have removed the “Next Time!” text.
It doesn’t seem like Connections would say “Next Time!” when he assumedly won the game. I navigate to the Screenshots folder in /data/media/0/Pictures and find the original screenshot, without the Success sticker and “Good Job!” text, which he added.
Answer: Success
20. It’s the eye of the tiger
Prompt: When is Rocco’s Bday? (YYYY-MM-DD)
I know Facebook keeps track of birthdays, and luckily, we have a Facebook archive. I find Rocco’s birthday in /facebook-61554919820462-2024-01-06-49fzodcA/personal_information/profile_information/profile_information.html; his birthday is 1974-09-29.
Answer: 1974-09-29
21. Secrets Secrets are no Fun
Prompt: What did Rocco search in the App Store to download the app used to hide photos?
Google Play data can be found in /data/data/com.android.vending. Under databases, I find a database suggestions.db that contains “queries”. One of these is calculator vault, which is an app that is used to hide photos.
Answer: calculator vault
22. Stalker Alert
Prompt: Shortly after logging into Facebook with IP address 72.38.231.98, a photo was taken. Where was this photo taken?
The Facebook archive stores information about logins/logouts at /facebook-61554919820462-2024-01-06-49fzodcA/security_and_login_information/logins_and_logouts.html. The login from 72.38.231.98 took place on 2023-12-27 16:16:01 UTC.
In Rocco’s photos (/data/media/0/DCIM/Camera) the photo with the closest timestamp is PXL_20231227_163049844.jpg. Running a grep for GPS on the EXIF data (exiftool PXL_20231227_163049844.jpg | grep GPS) gives the coordinates.
Plugging these coordinates into Google Maps shows the photo was taken at Devonshire Mall, 3100 Howard Ave Unit B7, Windsor, ON N8X 3Y8, Canada.
Answer: Devonshire Mall, 3100 Howard Ave Unit B7, Windsor, ON N8X 3Y8, Canada
Debrief
It was nice to get back into Android for a change. There’s a lot more to the OS than I figured, and I learned a few new artifacts that I think will come extremely in handy for future challenges. I hope to participate live at next year’s summit, and see if I can hold my own alongside the DF greats.