Magnet Virtual Summit 2024 CTF - iOS

Cipher | Android

Part two is upon us, here I'll be going through the iOS section.

Evidence: 00008110-000925383620A01E_files_full.zip

Why are your messages green?

On what date did Rocco and Chadwick first meet in person according to their conversations? YYYY-MM-DD format

Via iLEAPP we can check out the SMS messages. We see messages about meeting at city hall, followed by a message after the meeting confirming it, on 2023-12-17.

Figure 1: SMS via iLEAPP

Where /r u going on safari?

What subreddit was visited in a browser?

Hit the Safari browser history in iLEAPP and we can see that the Twitch subreddit was visited.

Figure 2: Safari History via iLEAPP

Don't ghost me

At what time did Chadwick get annoyed at MYAI? YYYY-MM-DD HH:MM:SS UTC

I did a quick search for "myai" in AXIOM and found some Snapchat messages between Chadwick and the AI. We can see towards the bottom of the conversation he gets a bit angry with MYAI.

Figure 3: Snapchat conversation via AXIOM

We can see his message was sent on 2023-12-26 23:27:45 once the timestamp is converted to the requested format. We could also go to the source in the arroyo.db and find the answer in the "conversation_message" table.

00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\9A0EF110-47F4-45D4-B96D-C3EF301F18FC\Documents\user_scoped\29312c28c183c406b035a7b3d40e2c6921a13c1a99a71dca20d0062085989beb\arroyo\arroyo.db

IMAGEine living in pain

Chad seemed to be searching for pain relief medicine in a store, how much did it cost?

The hint here is IMAGE. From the Photos parsed in iLEAPP we can browse through to see a picture of Arnicare Gel for $10.99.

Figure 4: Photos via iLEAPP

You can also find the image from the folder path at:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Media\DCIM\100APPLE\IMG_0017.HEIC

Your keyboard is salt-y

How many words were typed on the device? 

I originally thought this was looking for something based on the user dictionary, but that only shows unique words typed. Some research from Salt4n6 a few years ago dives into a database that isn't parsed by any tool that I know of.

00008110-000925383620A01E_files_full.zip\private\var\mobile\Library\Keyboard\user_model_database.sqlite

In the "usermodeldurablerecords" table, we get some interesting statistics on the usage of the keyboard including the total amount of words typed, which was 1797.

Figure 5: user_model_database.sqlite > usermodeldurablerecords table

This is now parsed in the latest iLEAPP build as I made the parser after the CTF competition ended.

Build me up, buttercup

What is the current build version?

You can get the build version from the Device Details in iLEAPP or via the path:

00008110-000925383620A01E_files_full.zip\private\var\installd\Library\MobileInstallation\LastBuildInfo.plist

We see that the build version was 20F75.

Figure 6: Build Version via Device Details in iLEAPP

Answer the call

What is the guild ID of the discord server Chad was in?

Cached items for Discord live at the path:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\FE27BB5E-D91E-4417-8669-C68FD6C67A97\Library\Caches\com.hammerandchisel.discord\Cache.db

If you do a filter on "guild" in DB Browser for SQLite we see two different possibilities. The one on the bottom appears to be a profile so I tried the other and it worked, the answer was 136986169563938816.

Figure 7: Discord Cache in DB Browser for SQLite

Warning Signs

How many days did it take Chad to be warned about his Data Usage?

There are two locations that came to mind instantly, notifications or SMS. When I saw SMS earlier I noticed a welcome message from Boost Mobile on 2023-11-29. 

Figure 8: SMS via iLEAPP

On 2023-12-17 there was a warning which would be 18 days later.

Figure 9: Warning in SMS via iLEAPP

Watching streams to stay current

What is the name of Chad's streaming channel?

Since we knew Chadwick was on Discord from the previous question, I looked through the chats there and came across a YouTube link which led to Chadwick's channel. It was named ChadwickGames, which was also his Discord name, and that was the answer.

Figure 10: Chadwick's YouTube channel

One is The Loneliest Number

What question did Chadwick ask to AI?

We knew he previously had conversations with AI in Snapchat, but nothing there stood out as an answer. Via the Installed Apps in iLEAPP I noticed that OpenAI was installed.

Figure 11: Installed Apps via iLEAPP

ChatGPT is one of the most popular AI tools out so far. The app folder location lives at:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\6BFA5EA3-61CB-4652-A60A-2A955B651E05

Inside one of the subfolders is a folder named "conversations-b5c12911-e3c0-4961-bbe7-aec0a3ec3dd6" which gives a clue about the contents. Inside that are 3 different JSON files, one of which had the answer.

Figure 12: B00981C1-4A49-4F45-B4D8-59DFF84412CA.json

We can see he asked How to make online friends.

Watch me sUAVely win this game

How many kills did Chad have on his CoD Mobile winning game?

Having already found the video on Chadwick's YouTube channel, we can watch it to the 1:14 mark to see that he had 7 kills.

Figure 13: Chadwick's YouTube video

For when I cant Find My gear

What outdoor activity store did Chadwick Visit?

The hint here in the title is Find My, so we can look at the parsed locations in AXIOM under the Connected Devices section. One entry is for an iPhone device, with coordinates of 39.9840710007878, -105.249781880352 which if put into Google Maps plants us near Neptune Mountaineering.

Figure 14: Google Maps coordinates from Find My

Just a couple steps away

How many steps did Chad take on 12/3/2023?

Apple Health tracks steps so we just have to filter down to the day. This can be done in iLEAPP or AXIOM as both parse it.

Figure 15: Apple Health steps from iLEAPP TSV output

If we total up the 4 entries we get a grand sum of 968 steps.

Another regularly scheduled program

What Tattoo shop was visited on 12/27/2023?

In AXIOM we can apply a date filter to check locations. The Find My location used previously was recorded during that day as well. If we do a nearby search with Google Maps we get a hit for Auspicious Tattoo, which as an educated guess was in fact the answer.

Figure 16: Google Maps results

I hear Stanley cups are all the rage

What was the final score of the hockey game Chad went to? (home - away)

Having looked through Chadwick's Snapchat messages prior I had seen he sent some pictures of a hockey game to MYAI. 

Figure 17: Snapchat picture

We see that the Avalanche are home for this game. In one of the messages after the picture he comments on the final score of 6-4, which was the answer.

Figure 18: Snapchat message

Devil is in the details

Whose bitmoji is dressed like a devil?

In my opinion this was one of the harder questions in the whole CTF. A keyword search for bitmoji in AXIOM didn't reveal any quick results, so I went over to iLEAPP to see if anything hit, and there were a few results in iOS Notifications. If we copy the one JSON dump out to a better viewer we can see a URL linking to a bitmoji image from Sofiakhan.

Figure 19: Embedded JSON in iOS Notifications

If we navigate to the URL we see this user was the devil.


Figure 20: Devil dressed bitmoji

Excuse Moi?  What did you say?

What is the content of the 2nd message that Chad deleted on Dec 18, 2023

For this one you had to dive into the sms.db from the filesystem. You can find it at the path:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Library\SMS\sms.db

The table of interest is the "message" table. I didn't see any direct flag showing that a message was deleted, so I looked for outliers. There were two messages with NULL text for that day, so I chose the later one.

Figure 21: SMS.db in DB Browser for SQLite

We can see the message of the text in the hex contents.

Figure 22: SMS.db blob

The answer was "Excuse me?! That's quite a bold statement considering I'm the one who walked away with a black eye and spent $30 last night on products to avoid one!"
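The query and blob decoding behind the last two figures, as an added Python example (mine, not from the original post or from any tool mentioned here). It builds a constructed in-memory stand-in for sms.db with only the columns the query touches, converts the requested day to the nanoseconds-since-2001 range that the message.date column uses, pulls the rows whose text column is NULL, and extracts the string from each attributedBody blob. The blob layout it relies on (the bytes following NSString, then a one-, three- or five-byte length prefix) is an assumption about the typedstream archives seen in the wild, not a full typedstream parser. On a real sms.db, substitute sqlite3.connect on a working copy of the database for build_demo_db().

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and Apple's Cocoa epoch (2001-01-01).
APPLE_EPOCH_OFFSET = 978307200


def apple_ns_to_utc(ns):
    """Convert an sms.db 'date' value (nanoseconds since 2001-01-01 UTC) to a UTC string."""
    secs = ns // 10**9 + APPLE_EPOCH_OFFSET
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def utc_day_to_apple_ns(day):
    """Return the [start, end) 'date' range covering one UTC calendar day ('YYYY-MM-DD')."""
    d0 = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    start = int(d0.timestamp()) - APPLE_EPOCH_OFFSET
    return start * 10**9, (start + 86400) * 10**9


def decode_attributed_body(blob):
    """Pull the plain string out of a message.attributedBody typedstream blob.

    Assumed layout (enough for this purpose, not a full typedstream parser):
    ... b'NSString' 01 94 84 01 2b <len> <utf-8 bytes> ...
    where <len> is one byte below 0x80, or 0x81 + uint16 LE, or 0x82 + uint32 LE.
    """
    if not blob:
        return None
    i = blob.find(b"NSString")
    if i < 0:
        return None
    p = i + len(b"NSString") + 5          # skip the five marker bytes after the class name
    tag = blob[p]
    if tag == 0x81:
        n, p = int.from_bytes(blob[p + 1:p + 3], "little"), p + 3
    elif tag == 0x82:
        n, p = int.from_bytes(blob[p + 1:p + 5], "little"), p + 5
    else:
        n, p = tag, p + 1
    return blob[p:p + n].decode("utf-8", errors="replace")


def make_attributed_body(text):
    """Constructed minimal blob in the layout decode_attributed_body() expects (real blobs carry more)."""
    data = text.encode("utf-8")
    n = len(data)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x10000:
        ln = b"\x81" + n.to_bytes(2, "little")
    else:
        ln = b"\x82" + n.to_bytes(4, "little")
    header = (b"\x04\x0bstreamtyped\x81\xe8\x03\x84\x01@\x84\x84\x84\x12NSAttributedString\x00"
              b"\x84\x84\x08NSObject\x00\x85\x92\x84\x84\x84\x08NSString\x01\x94\x84\x01+")
    return header + ln + data + b"\x86"


def null_text_messages(con, day):
    """Rows in 'message' with NULL text on the given UTC day, with attributedBody decoded."""
    start, end = utc_day_to_apple_ns(day)
    sql = ("SELECT ROWID, date, is_from_me, attributedBody FROM message "
           "WHERE text IS NULL AND date >= ? AND date < ? ORDER BY date")
    return [
        {"rowid": r[0], "utc": apple_ns_to_utc(r[1]), "is_from_me": r[2],
         "text": decode_attributed_body(r[3])}
        for r in con.execute(sql, (start, end))
    ]


# The message recovered above, reused here as constructed sample content (149 bytes, so the
# three-byte length prefix path is exercised).
DELETED_TEXT = ("Excuse me?! That's quite a bold statement considering I'm the one who walked "
                "away with a black eye and spent $30 last night on products to avoid one!")


def build_demo_db():
    """Constructed in-memory stand-in for sms.db with just the columns the query touches."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER, "
                "is_from_me INTEGER, attributedBody BLOB)")
    base, _ = utc_day_to_apple_ns("2023-12-18")
    h = 3600 * 10**9
    con.executemany("INSERT INTO message VALUES (?,?,?,?,?)", [
        (1, "Morning", base + 8 * h, 1, None),                           # text column populated
        (2, None, base + 9 * h, 1, make_attributed_body("first one")),   # body only in the blob
        (3, None, base + 14 * h + 15 * 60 * 10**9, 1, make_attributed_body(DELETED_TEXT)),
        (4, None, base + 30 * h, 1, make_attributed_body("next day")),   # outside the window
    ])
    con.commit()
    return con


if __name__ == "__main__":
    for row in null_text_messages(build_demo_db(), "2023-12-18"):
        print(row["rowid"], row["utc"], row["text"])
```

A NULL text column on its own is not evidence of deletion: the same rows carry the content in attributedBody, so decode that blob for every candidate row before deciding which one is the outlier. Also note that the day filter is a UTC window, so a message sent late in the evening local time may fall on the next UTC day.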

Boost this server

What is the 16 character carrier code?

This question was fairly vague so I didn't exactly know where to begin. I started looking at SIM related artifacts on the SANS poster and I thought I found a possible answer at the path:

private\var\wireless\Library\Preferences\com.apple.commcenter.plist

There was a 16 character reference here which worked. The answer was 310240_GID1-6432.

Figure 23: com.apple.commcenter.plist

The easy way or the hard way

What is the timestamp of the message Chad sent to Rocco but was never received? YYYY-MM-DD HH:MM:SS UTC

A nice feature in AXIOM is being able to have multiple evidence items inside one case. We can select both the Android SMS and iOS SMS and compare the results in one view pane. While hunting, there was one message that Chad appeared to send to Rocco but which was not present in Rocco's Android dump. It was sent on 2023-12-21 06:29:36.

Figure 24: SMS via AXIOM

I couldn't find a specific flag in the iOS sms.db that would indicate it was never received, but I guess the delivery flags are more geared toward conversations between devices on the same OS (the blue bubble/green bubble conversation).

It's been a long time

When did Chad last login to Facebook? YYYY-MM-DD HH:MM:SS UTC

We were given a dump of a Facebook Return but I found out quickly that this return was for Rocco and not Chad based off the last login report.

Figure 25: Facebook Return

Since we didn't have a return for Chad, it was back to the iOS extraction. Per the historical app report in iLEAPP, the Facebook app lived at the path:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\BF2FEA88-C397-405D-90EE-A56B2720896C

A recursive search of the folder and its subfolders led me to two different SQLite databases whose names started with "time_in_app_".

Figure 26: time_in_app files for Facebook

Given we are looking for the last login, I went with the newest file. Of note, you will need to apply the -wal for the most recent results (see the modified dates). In the "metadata" table was an entry for "last_logging_timestamp", a Unix epoch timestamp. Converting it led to the answer of 2023-12-27 21:34:55.

Figure 27: Last login for Facebook
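The -wal point above is worth showing, so here is an added Python example (mine, not the post's and not Facebook's code) that reads last_logging_timestamp from the metadata table and converts the Unix epoch value to the requested UTC format. The table is assumed to be a two-column key/value store with columns named key and value, and the database name is constructed. The demo builds a WAL-mode database in a temporary directory, leaves the newest value un-checkpointed, and reads two copies: one with only the main file, one with the -wal sidecar alongside it.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone


def epoch_to_utc(ts):
    """Unix epoch seconds (number or numeric string) -> 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.fromtimestamp(int(float(ts)), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def read_last_login(db_path):
    """Read last_logging_timestamp from the 'metadata' table of a time_in_app_* database.

    Assumption: the table is a key/value store with columns named key and value.
    SQLite replays a -wal sidecar automatically on open, but only when that file
    sits next to the main file, so copy both out of the extraction together.
    """
    con = sqlite3.connect(db_path)
    try:
        row = con.execute(
            "SELECT value FROM metadata WHERE key = 'last_logging_timestamp'").fetchone()
    finally:
        con.close()
    return epoch_to_utc(row[0]) if row else None


def copy_db(src, dst_dir, with_wal):
    """Copy a database into dst_dir, optionally with its -wal sidecar.

    The -shm index file is deliberately not copied; SQLite rebuilds it from the WAL.
    """
    os.makedirs(dst_dir, exist_ok=True)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copy(src, dst)
    if with_wal and os.path.exists(src + "-wal"):
        shutil.copy(src + "-wal", dst + "-wal")
    return dst


def demo():
    """Constructed stand-in: a WAL-mode database whose newest value has not been checkpointed."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "time_in_app_demo.sqlite")   # constructed name
        writer = sqlite3.connect(src)
        writer.execute("PRAGMA journal_mode=WAL")
        writer.execute("CREATE TABLE metadata (key TEXT PRIMARY KEY, value TEXT)")
        writer.execute("INSERT INTO metadata VALUES ('last_logging_timestamp', '1703548800')")
        writer.commit()
        writer.execute("PRAGMA wal_checkpoint(TRUNCATE)")   # older value now lives in the main file
        writer.execute("UPDATE metadata SET value = '1703712895' "
                       "WHERE key = 'last_logging_timestamp'")
        writer.commit()                                     # newer value lives only in the -wal
        try:
            stale = read_last_login(copy_db(src, os.path.join(work, "main_only"), with_wal=False))
            current = read_last_login(copy_db(src, os.path.join(work, "with_wal"), with_wal=True))
        finally:
            writer.close()   # closing the last connection checkpoints and removes the -wal
    return stale, current


if __name__ == "__main__":
    stale, current = demo()
    print("main file only:", stale)
    print("with -wal     :", current)
```

Exporting the .sqlite alone from the extraction silently gives you the older value; the same applies to any WAL-mode database on the device, not just this one. The constructed timestamps were chosen so the with-WAL read reproduces the 2023-12-27 21:34:55 answer above.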

Can anyone Kelp?

What game was Chad asking to know the strategy to?

I just did a keyword search for "strategy"; the results were slim but produced the answer. A screenshot of application activity from Rocco's phone showed a Facebook status update from Chadwick.

Figure 28: Facebook update from Android app activity

He was looking for help with Terrarium. Sometimes it's helpful to search across all of your evidence and not just one specific to the question category.

Chat GPT is my PREFERENCE for AI

What is the ChatGPT userID associated with chawickmr95@gmail.com?

From one of the previous questions, we knew the OpenAI app folder was located at:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\6BFA5EA3-61CB-4652-A60A-2A955B651E05

Usually preferences are saved in plists on iOS so I filtered on subfolders for just plists to start. There were a few in the Preferences folder with one leading to the answer. The file was com.openai.chat.StatsigService.plist and the answer was user-xurgQ0xumvrujH5ESG17Yhcw.

Figure 29: com.openai.chat.StatsigService.plist file

You can see the email address there as well.

Read my mind

What message was sent to Rocco in a video game?

Based on the apps installed, there were only a handful of games: Call of Duty, Clash of Clans, and Subway Surf. Having not played any of them on mobile, I did a quick search to see if they even support in-game messaging, and Call of Duty does, so I started with that. Based on the iLEAPP report, the folder was at:

00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\3690AAA8-713A-482B-92F1-3F7D3BCC73E6

Just browsing the subfolders, there was an almost too obvious folder titled ChatCache. The extensionless file 2023-12-20 contains JSON-formatted content with the chat.

Figure 30: Call of Duty ChatCache

The answer was "I know youre reading my messages".

Season's Greetings

What was the first emoji that was sent to Susan?

I previously saw messages to and from Susan in the sms.db. There was a message that AXIOM parsed where the emoji failed to render, sent on 2023-12-25 at 19:06:24.

Figure 31: Missing emoji SMS.db

I just copied and pasted the character into Google, which quickly interpreted it and showed that it was supposed to be the Potted Plant.

Figure 32: Potted Plant Google Search
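An added Python example (mine, not from the original post) for the failed-render case: it lists every non-ASCII character in a message body with its code point and Unicode name, and repairs the common mojibake produced when UTF-8 bytes are read as cp1252 or latin-1. The sample body is constructed; the emoji is Potted Plant, U+1FAB4, which arrived in Unicode 13, so a tool or font built against an older table shows a placeholder instead.

```python
import unicodedata

# Constructed sample standing in for a decoded SMS body; the emoji is Potted Plant (U+1FAB4).
SAMPLE = "Merry Christmas 🪴"


def describe_chars(text):
    """Every non-ASCII character in text with its code point and Unicode name.

    name is None when this Python's Unicode table (unicodedata.unidata_version)
    predates the character, which is the same reason an older forensic tool shows
    a blank box or a replacement glyph instead of the emoji.
    """
    out = []
    for ch in text:
        if ord(ch) < 0x80:
            continue
        try:
            name = unicodedata.name(ch)
        except ValueError:
            name = None
        out.append({"char": ch, "codepoint": f"U+{ord(ch):04X}", "name": name})
    return out


def repair_mojibake(s):
    """Undo UTF-8 bytes that were decoded as a single-byte code page (cp1252, then latin-1).

    Leaves s unchanged when it is not mojibake: correctly decoded emoji cannot be
    re-encoded in either code page, and plain accented text does not decode as UTF-8.
    """
    for enc in ("cp1252", "latin-1"):
        try:
            return s.encode(enc).decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
    return s


if __name__ == "__main__":
    print("Unicode table:", unicodedata.unidata_version)
    for item in describe_chars(SAMPLE):
        print(item)
    garbled = SAMPLE.encode("utf-8").decode("cp1252")   # what a cp1252 viewer would display
    print(repr(garbled), "->", repr(repair_mojibake(garbled)))
```

If name comes back None, check unicodedata.unidata_version; identifying the character by code point still works, and that code point pasted into a search engine is the quick route used above.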

Follow the Breadcrumbs

How many times did Chad's keyboard become visible within the Amazon app on 12/24/2023?

iLEAPP has a quick and dirty parser for text input sessions via Biomes. We can filter for Amazon and for the timestamp to see the keyboard was used 2 times that day.

Figure 33: Biome Text Input Sessions via iLEAPP

It's much easier to go this route than the manual breadcrumb approach of sifting through embedded JSON.

And that wraps the iOS evidence questions!