Magnet Virtual Summit 2021 CTF - Mac

Previous: Chromebook | Hunt! | iPhone

I will say that the Mac image was by far the most difficult for me. I have very little experience other than SANS DFIR NetWars in looking at Macs forensically. I'm thankful to have AXIOM by my side for this one to help ease my pain, as well as Yogesh Katri's mac_apt tool (it's free!).

Question 1 - Call me by your name (5 points)

What is the Local Host Name of this device?

 Heading on over  to the OS info we can see the local host name is "Elis-Mac-mini".

Figure 1: Local host name of the Mac

Question 2 - I love it when you call me big sur (5 points)

What is the Product Build Version?

From the last screenshot we can get the build number as well. It was 20D74.

Question 3 - Whose got your back(up)? (5 points)

What is the IMEI of the iOS device that is backed up?

Under the iOS Backups section in Additional Sources, we can see that the IMEI for Eli's iPhone was 356759080486567.

Figure 2: iPhone backup details

Question 4 - Bottoms up, and the devil laughs (10 points)

What is Eli's preferred energy drink brand?

 Looking at Safari web history we see some entries for Amazon and energy drinks. 


Browsing to the link shows Eli's drink of choice is Bang.

Figure 3: Bang energy from Amazon

In Safari web history, there was also Google searches for "bang energy buy".

Question 5 - LaxBro (10 points)

Which college lacrosse team schedule did Eli often look at?

A quick keyword search for "lacrosse" reveals multiple hits in Safari History and Bookmarks for schedules and articles for University of Albany.

Figure 4: Safari History for Albany lacrosse

Question 6 - Stop playing with me (10 points)

How many websites have permissions to autoplay?

This one gave me fits, because it seemed like it would be easy but nothing from the obvious web related artifacts showed results. Navigating to the Safari folder in the file system showed what was needed in a plist (of course!).

stu-21-155-171-184-20210406-134216-files.zip\Users\eliflatt\Library\Safari\SitesAllowedToAutoplay.plist

This file has a list of each website that have permissions to autoplay with entries starting at 0 and going up to 164 for a total of 165 webpages.

Figure 5: Autoplay allowed list

Question 7 - Finder's Keepers (25 points)

What Source Version is the Finder app on this device?

Under Installed Applications, we get some information on versioning for Finder (com.apple.finder). It has a Display Version and an Internal Version listed. I interpreted Source to me the Internal so I tried 1350.2.10, which was correct.

Figure 6: Finder details

Question 8 - it's raining it's pouring (25 points)

What is the size in bytes of the application found within Eli's trash?

In the Trash Items under Operating System there were only three different items, one folder, one .DS_Store file and the file we are looking for, the DMG file for installing checkra1n. It was 9,389,392 bytes in size.

Figure 7: Trash Item

Question 9 - Oh Sheet! (25 points)

What is the name of the spreadsheet Eli often navigated to?

I originally looked for most recently used files but didn't see anything but the key here was the word "navigated". Looking through Safari web history there were plenty of visits to Google Docs spreadsheets with the titled being "To-Purchase", the answer. There were also a few recently closed tabs for the same webpage.

Figure 8: Google Docs spreadsheet Safari History

Question 10 - Remind me Later (25 points)

What time and date in EST did Eli add a notification permission on Safari? Answer in MM/DD/YYYY HH:MM:SS

Similar to the "SsitesAllowedToAutoplay" question we can head back to the Safari folder for Eli and check out the "UserNotificationPermission.plist". There was only one permission set.

Figure 9: Notification permission

Be aware that the date/time shown is UTC but the question is asking for EST. So we can set this back 5 hours and we get the answer of 02/21/2021 23:14:06.

Question 11 - Secrets Secrets are no fun (50 points)

What is Eli's system password hint?

I was expecting this to be much more difficult for the point amount. Under Recovery Account Information for Operating System, we can see Eli's password hint was set to "Fix something!".

Figure 10: Password hint

Question 12 - There are no penguins at the North Pole (50 points)

What is the SHA1 hash of Eli's profile picture on the device?

I knew from the previous question that his image was set to a penguin (obviously from the question wording too) but I wasn't too sure where that image was stored. The penguin is actually a sample image found in the Pictures folder for which I found and tried the hash value of but it didn't like it.

Looking again at the recovery info path, I opened up the CryptoUserInfo.plist file:

stu-21-155-171-184-20210406-134216-files.zip\System\Volumes\Preboot\943CAEE3-8306-426A-A65E-4E0F4B52EBDB\var\db\CryptoUserInfo.plist

AXIOM gives you the option to save out the file bytes for PictureData (score).

Figure 11: CryptoUserInfo.plist

Saving the bytes, adding a JPG extension, and then dropping it into Hasher, shows that the SHA1 was 3CC4E757872A7A9C534AD42BFFAA9F8170A99553.

Figure 12: penguin profile pic hash

Question 13 - WallStreetBet You Can't Get This One (50 points)

Eli searched for 4 stock quotes (not a web search). What was the second stock he searched for? answer in ticker form ex: $MVS

I can understand why this one took so long to figure out. There was no way I would know where to look instantly for this. After hunting for a while literally clicking through anything remotely in folders named Stocks I came across the following path for a specific user:

stu-21-155-171-184-20210406-134216-files.zip\Users\eliflatt\Library\Containers\com.apple.stocks

There aren't any specific parser for this yet (custom perhaps?!) but buried further down in the Caches folder is a sqlite database call (so originally) "cache-database". On the "quote_details" table there are some info with stock tickets and last updated timestamps. Since we only care about the second searched stock quote, the answer is $SPCE.

Figure 13: Stock quotes

Question 14 - Where are my keys!? (50 points)

What is the encryption-key for Eli's iCloud (SHA256)?

The keychain database file for Eli lives at the following path:

Users\eliflatt\Library\Keychains\622523FF-A9E8-5BFC-9142-B14980A33465\keychain-2.db

The database houses a lot of different tables and fields inside. The hint here is to look for something related to SHA256 which is easy to see once navigating to the "ckdevicestate" table. Under the "octagonpeerid" column we can see a few different keys. My assumption was since we were looking at the Mac that we should filter down  the "osversion" column to macOS. Using what was provided gave us the correct answer of "fUpf9J+cLRI3OCJ/KdFpZoaZXgfj2DC3ZrQnW7XT9Os=".

Figure 14: key from keychain-2.db

Comments