Previous: Egg Hunt | iOS | Memory
Android
Obfuscating Like a Pro (5)
Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name)
Hint: https://youtu.be/wEv0zOeA2FU?t=152
Parsing the TAR file using Alexis Brignoni’s ALEAPP, we can see installed applications on the phone. The hint here helps narrow down exactly what they are looking for. Jack Ryan was chatting through a game, one of the only installed games was Chess with Friends. Since they are looking for the package name we see it here:
Com.zynga.chess.googleplay
Just another pawn (5)
What is the username for the Zynga Chess app?
I was able to find the associated login for Zynga Chess through Chrome Login in ALEAPP:
chess.master.chester
The College Lifestyle- Artic Edition (5)
Where did Chester get ramen in Norway? (Restaurant Name)
Going to DCIM folder we can see only one picture that fits.
/data/media/0/DCIM/Camera/IMG_20200309_172817.jpg
Pulling EXIF metadata shows coordinates of:
Plugging in Google Maps we can see that it was at Koie Ramen.
Blocked for security reasons! (10)
What is the name of the file that this user attached/linked and emailed to Warren?
We can do a quick keyword search on “Warren” and look at emails sent. This helped to narrow the scope down to two separate emails, both can be found parsed from the Google Takeout in AXIOM.
For some reason AXIOM didn’t strictly pull out this attachment for some reason but it was the flag:
Chestnut_CV.exe
bOat-SINT (10)
While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?
Once again we can look at the DCIM folder and see a large boat.
/data/media/0/DCIM/Camera/IMG_20200308_144240.jpg
EXIF data shows coordinates as follows:
This plots us right next to Vikingskipshuset or Viking Ship Museum in Oslo, Norway. A quick Wikipedia hunt on the museum shows the famous Oseberg ship.
Fastest Thumbs in the West (10)
How many tweets did Chester tweet?
AXIOM pulled out the user info for Chester quickly
Knowing the User ID we can check out all Tweets with 1230174369462267904 as the author:
We can see that Chester sent out 5 tweets.
It's not the heat, it's the humidity (10)
How much warmer is it going to be tomorrow in Burlington?
I somewhat stumbled upon this looking for another answer to a question but found a screen capture video that showed a Silent Notification of Google Weather. Seen below in the screenshot, we can see it will be 12 degrees warmer.
New IP Who Dis? (10)
What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?
A quick keyword search for the IP shows a hit on the memory image under the netscan (Network Info) parse.
From the local IP address we see it was open on port 54281.
The Polar Express (10)
What train station did Chester get directions to?
A quick look at Google Maps Queries we see searches with destinations to Bergen Station.
Trans-Siberian Railway (10)
What was the path that Chesters train took?
Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH