June 2020 - Stark 4N6

Monday, June 8, 2020

Magnet Virtual Summit 2020 CTF (Windows)
June 08, 20200 Comments

Previous: Egg Hunt | iOS | Memory | Android

The last part of Magnet Virtual Summit CTF once again proved that not everything can be automatically parsed by the tools, you have to dive into the artifacts a bit to pull out the proper answers.


Begin Exam Try 2 (5)

When did the windows image acquisition start?


Go to where we have the evidence stored and there is a text document for the output of FTK Imager. We can see the acquisition started on 2020-04-22 17:55:30.

Call Me Maybe? (5)

What is the user's phone number? (Format: 555-555-5555)

The first thing that came to mind when looking for a phone number was Google Autofill. We got lucky and the user Warren had it saved under his profile. His number is 802-265-5115.

Feelin' Lucky? (5)

How many people won Quarterly Drawing 31?







A quick search for “Quarterly Drawing 31” reveals a Vermond 2nd Chance Lottery ticket. If we Google the lottery, we can see from the history of the lottery draw, they had 100 winners for that drawing.

Update the Résumé  (5)

When did the user start working in their current position?

(Example: flag<July 1776>)

From Chrome Login artifacts we can see the user accessed his LinkedIn account using a Gmail account.

A quick search and a hint of location information, we can see Warren started working at Mallie Sae on July 2014.

Another day, another dollar (10)

How many times did Warren sign in to his machine?

AXIOM parses this from the SAM file, we can see Warren logged in 24 times.

Hash Crash (10)

What is the earliest created file associated with the following MD5: 3d908e1b40140c1e0167603ffca07701

Using FTK Imager I created a full file hash list for the E01 image. There were only two hits for that MD5 hash. Doing a search of each file name, AccessMUISet.msi had a created date 4 hours before 3a7a1c9.msi.

Sticky Situation (10)

How many dollars does the user CURRENTLY owe from gambling? Format 99,900

Hunting in the documents folder for the user we can see a loan sheet:

C:\Users\Warren\Documents\Loan Tracking\LoanBook4.xlsx

We can add the amount due minus the amounts paid and see that he still owes $16,080.


Money, money, money, Money! (25)

How many dollars to directly buy in to the tournament on Sunday?

A quick search for “tournament” yielded one rebuilt webpage for us to browse and see pulled from WebCache. The answer was 162 dollars.

Sorry, eh? (25)

When was the image downloaded from www.sciencenews.org viewed? Format MM/DD/YYYY HH:MM:SS (24 hour clock) ex 05/12/2020 17:45:00

A quick keyword search for www.sciencenews.org we see one image was downloaded.

Since we want to know when the file was actually viewed we can look at LNK files for the poker.jpg.

The creation of a LNK file usually indicates the file first opening/viewed, which we see was 02/18/2020 21:25:36.

Stay PAWsitive (25)

What is the name of the movie written in the text file within a PNG?

Once again, the question title gives a clue. I was able to find a folder labeled “Cats” with some pictures, only one of which was a PNG file. 

I exported it out and opened it with OpenStego, a common steganography tool.

With no need for a password, the exported text file has the answer. Godzilla.

What happens when you text and drive? (25)

Name the bug check code in the most recent Windows crash (Blue Screen)

Blue screen crash logs can be located at C:\Windows\Minidump. There are two so we can export the folder and view them in the free tool from Nirsoft, BlueScreenView and see the Bug Check code was 0x0000000a for the most recent crash.

You're GUIDing, right? (25)

What is the GUID for the application that was last used to access C:\Users\Warren\Documents?

AXIOM pulls that one out fairly quickly after searching for the folder path. We can look under MRU Folder Access to find the GUID of 4ED5B83C-7A8C-4917-B107-E9FF0864EDFB.

Poker, I don't even... (50)

How many total seconds did the user spend on the page when they searched for quick online poker? format: x.xxx

A simple keyword search in AXIOM for “quick online poker” brings up 2 Chrome web history files. 

Using Ryan Benson’s awesome tool Unfurl we can try out both searches. The answer they were looking for was found for the “quick online poker tips” search, 6.294 seconds.

Friday, June 5, 2020

Magnet Virtual Summit 2020 CTF (Android)
June 05, 20200 Comments

Previous: Egg Hunt | iOS | Memory

The Android image had some of the toughest questions yet in this CTF. This section gave me fits while playing live but giving it more time to digest and think it through, came out with almost all the answers.


Obfuscating Like a Pro (5)

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name)

Hint: https://youtu.be/wEv0zOeA2FU?t=152

Parsing the TAR file using Alexis Brignoni’s ALEAPP, we can see installed applications on the phone. The hint here helps narrow down exactly what they are looking for. Jack Ryan was chatting through a game, one of the only installed games was Chess with Friends. Since they are looking for the package name we see it here:


Just another pawn (5)

What is the username for the Zynga Chess app?

I was able to find the associated login for Zynga Chess through Chrome Login in ALEAPP:


The College Lifestyle- Artic Edition (5)

Where did Chester get ramen in Norway? (Restaurant Name)

Going to DCIM folder we can see only one picture that fits.


Pulling EXIF metadata shows coordinates of:

Plugging in Google Maps we can see that it was at Koie Ramen.

Blocked for security reasons! (10)

What is the name of the file that this user attached/linked and emailed to Warren?

We can do a quick keyword search on “Warren” and look at emails sent. This helped to narrow the scope down to two separate emails, both can be found parsed from the Google Takeout in AXIOM.

For some reason AXIOM didn’t strictly pull out this attachment for some reason but it was the flag:


bOat-SINT (10)

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?

Once again we can look at the DCIM folder and see a large boat.


EXIF data shows coordinates as follows:

This plots us right next to Vikingskipshuset or Viking Ship Museum in Oslo, Norway. A quick Wikipedia hunt on the museum shows the famous Oseberg ship.

Fastest Thumbs in the West (10)

How many tweets did Chester tweet?

AXIOM pulled out the user info for Chester quickly

Knowing the User ID we can check out all Tweets with 1230174369462267904 as the author:

We can see that Chester sent out 5 tweets.

It's not the heat, it's the humidity (10)

How much warmer is it going to be tomorrow in Burlington?

I somewhat stumbled upon this looking for another answer to a question but found a screen capture video that showed a Silent Notification of Google Weather. Seen below in the screenshot, we can see it will be 12 degrees warmer.

New IP Who Dis? (10)

What local port was Warren's computer listening on while connected to the IP during the memory dump?

A quick keyword search for the IP shows a hit on the memory image under the netscan (Network Info) parse.

From the local IP address we see it was open on port 54281.

The Polar Express (10)

What train station did Chester get directions to?

A quick look at Google Maps Queries we see searches with destinations to Bergen Station.

Trans-Siberian Railway (10)

What was the path that Chesters train took?

Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH

I had to snag the map key from forensic8or since I didn't save it after the CTF.

We can add the parsed Google Map Queries and Cloud Google Location History to the world map view in AXIOM to see a rough outline of location plots.