Previous: Egg Hunt
If anything the iOS section of the Magnet CTF proved to me, you really need to deep dive into the database files to pull out all the information. I think it was fantastic how they made you go outside the box to find flags in this section.
Account Scout (5)What's the Apple ID email associated with this device
Flag should look like: flag<firstname.lastname@example.org> (Don't include flag<>)
Parsing through using iLEAPP we can see
What's in the toolbox? (5)What tool was used to perform the acquisition on this device? Note: You only have 1 attempt
There was a MEAT.log in the evidence folder so naturally Jack Farley used his own tool for the acquisition!
Mobile Evidence Acquisition Toolkit
I would walk 3,264 miles just to hack you tonight (10)
What is the name of this user's favorite city in Apple Maps?
There weren’t many Apple Maps coordinates that were parsed out outside of the Burlington, Vermont
area and outside of the normal dates. Because of the hint in the title, we see one entry for London.
The name stuck out to me as something the creator would highlight, and it worked. Loserville
Not a HIPAA Violation (10)
Medical information is stored as part of the Health app on an iPhone at the following path:
The file is a plist which can be parsed.
Who am I? (10)
This can be pulled from:
iLEAPP parses it quickly, “Alan's Fantastical iPhone”
Ye ole 9 to 5 (10)
AXIOM parses this out quickly from Contact Info. We can see Chester is associated with APT802.
Back in my day we weren't glued to our phones (25)
Only enter the number
We can calculate a sum of screen time application usage and filtering on Safari. Once we add up the
seconds column, we get a total time of 1039 seconds.
Creeper aw man (25)
I did a quick keyword search on “Creeper” which brought back some text files which appear to be text splash sayings:
I went to the location and up a few folders to find the “players” folder which had a JSON file inside:
Near the bottom we can see the flag, the username Thad_Castle_
What is the first IP address that this user targeted via a popular hacking tool?
As I assumed the iPhone was jailbroken from other questions, I found remnants of information related to the Metasploit framework. In traversing the iOS filesystem, we can see a bash history file at the following path:
Inside the plaintext file shows two different IP addresses that were targeted, but the first was 22.214.171.124.
Near Flag Communication (25)
I assume this temp storage stored some connection info at one time, I'm not sure if there is an easier way to find this answer elsewhere.
Check out my Spotify (50)
This user's Spotify playlist is looking a bit suspicious..?
A quick keyword search for “playlist” shows Chester and Alan exchanged Twitter DM’s. The playlist can be found at https://t.co/0Qc9pWfe5x
The flag is Destroy Education Debt.
Plug it in plug it innnn (50)
What is the name of the computer that was used to sync with this device?
Good ole iLEAPP pulls this out right from the Data Ark:
On the main page of the report we can see it connected to DESKTOP-A108NFK:
SNAP.. That's going int my cringe compilation (50)
How many applications have iOS Snapshots?
Application Usage info can be pulled from the database at the following path:
In the kvs_debug table we can filter the key down to XBApplicationSnapshotManifest resulting in 88 apps, the flag.
How many guests were registered in the trip to Disney?
Warning: You only have 3 attempts at this
To start, let’s look at the installed applications:
We see multiple Disney applications but MyDisneyExperience is what we want to deep dive into. From the mobile_installation log we can see the following path contains app information:
Sifting through files, we can see an Itinerary DB file in the Library folder of the application path above.
Opening the database with DB Browser for SQLite, there is 4 tables with one of importance:
Exporting the BLOB to a plist, we can open that in an editor and see the answer for the question, 6 adults.
Thank you to evandrix for some hints post CTF on a few of these.