Magnet Virtual Summit 2020 CTF (Android) - Stark 4N6

Friday, June 5, 2020

Magnet Virtual Summit 2020 CTF (Android)

Previous: Egg Hunt | iOS | Memory


The Android image had some of the toughest questions yet in this CTF. This section gave me fits while playing live but giving it more time to digest and think it through, came out with almost all the answers.

Android

Obfuscating Like a Pro (5)

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name)


Hint: https://youtu.be/wEv0zOeA2FU?t=152


Parsing the TAR file using Alexis Brignoni’s ALEAPP, we can see installed applications on the phone. The hint here helps narrow down exactly what they are looking for. Jack Ryan was chatting through a game, one of the only installed games was Chess with Friends. Since they are looking for the package name we see it here:



Com.zynga.chess.googleplay


Just another pawn (5)

What is the username for the Zynga Chess app?


I was able to find the associated login for Zynga Chess through Chrome Login in ALEAPP:



chess.master.chester


The College Lifestyle- Artic Edition (5)

Where did Chester get ramen in Norway? (Restaurant Name)


Going to DCIM folder we can see only one picture that fits.


/data/media/0/DCIM/Camera/IMG_20200309_172817.jpg


Pulling EXIF metadata shows coordinates of:



Plugging in Google Maps we can see that it was at Koie Ramen.


Blocked for security reasons! (10)

What is the name of the file that this user attached/linked and emailed to Warren?


We can do a quick keyword search on “Warren” and look at emails sent. This helped to narrow the scope down to two separate emails, both can be found parsed from the Google Takeout in AXIOM.

For some reason AXIOM didn’t strictly pull out this attachment for some reason but it was the flag:


Chestnut_CV.exe

bOat-SINT (10)

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?


Once again we can look at the DCIM folder and see a large boat.

/data/media/0/DCIM/Camera/IMG_20200308_144240.jpg

EXIF data shows coordinates as follows:

This plots us right next to Vikingskipshuset or Viking Ship Museum in Oslo, Norway. A quick Wikipedia hunt on the museum shows the famous Oseberg ship.

Fastest Thumbs in the West (10)

How many tweets did Chester tweet?


AXIOM pulled out the user info for Chester quickly


Knowing the User ID we can check out all Tweets with 1230174369462267904 as the author:


We can see that Chester sent out 5 tweets.

It's not the heat, it's the humidity (10)

How much warmer is it going to be tomorrow in Burlington?


I somewhat stumbled upon this looking for another answer to a question but found a screen capture video that showed a Silent Notification of Google Weather. Seen below in the screenshot, we can see it will be 12 degrees warmer.


New IP Who Dis? (10)

What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?


A quick keyword search for the IP shows a hit on the memory image under the netscan (Network Info) parse.


From the local IP address we see it was open on port 54281.

The Polar Express (10)

What train station did Chester get directions to?


A quick look at Google Maps Queries we see searches with destinations to Bergen Station.

Trans-Siberian Railway (10)

What was the path that Chesters train took?


Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH


I had to snag the map key from forensic8or since I didn't save it after the CTF.


We can add the parsed Google Map Queries and Cloud Google Location History to the world map view in AXIOM to see a rough outline of location plots.