Posts

Hexordia Weekly CTF Challenge 2024 - Week 4 Writeup

Image
  Android - TEaM U prep (15 points) What item that Rocco was shopping for came back in stock?  From the capitalized letters in the challenge "  TE a M U prep", it suggested that we probably should look into the direction of Temu, a Chinese online marketplace app. The Temu app was also installed on the Android device: The item that Rocco was shopping was likely browsed by Rocco in app or even added into shopping cart at some point. Following this direction, the Temu app SQLite databases from /data/data/com.einnovation.temu/databases  directory have been checked one by one. One of the SQLite databases " ChatDB_BCM6G5ASA5K73AN2N7S3TQYUS2MOBTVG2RFRUULJ_msgbox_2.db " contained some in-app messages that were pushed to Rocco. There was a summary text of " Almost sold out " from summary column where  id  = " 10000010 ''. The relevant info column appeared to have contained a JSON object: If this JSON object was sorted and beautified in NotePad++, it
Post a Comment
Read more

Hexordia Weekly CTF Challenge 2024 - Week 3 Writeup

Image
iOS - Those are Rookie Numbers (25 points) What percentage of players were beat by PlanterPapp? To solve this challenge, we are likely looking for something related to a game app and " PlanterPapp " is probably a gamer nickname. In Magnet AXIOM Examine, 2 hits for search term " PlanterPapp " could be found from the OCR text and both of them were identical screenshots of the same app: Both screenshots have the created time of 2023/12/17 00:20:15. When we look at what application was in focus around that time, the " com.activition.callofduty.shooter " app was in focus. A further Google search of "call of duty mobile chat" showed a similar chat screenshot in Reddit subreddit ( r/CallOfDutyMobile ). The application data of " com.activition.callofduty.shooter " could be found at " /private/var/mobile/Containers/Data/Application/3690AAA8-713A-482B-92F1-3F7D3BCC73E6 ". Under " /private/var/mobile/Containers/Data/Application/3690
Post a Comment
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi
Post a Comment
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa
Post a Comment
Read more