Magnet Weekly CTF Challenge Week 2 Writeup

Magnet recently rolled out the very first Magnet Weekly CTF Challenge. From Oct 5, 2020, a new challenge would be provided for the CTF participants to solve on every Monday at 11 AM ET until the end of 2020. 

In fact, I only found out this CTF event on week 2, therefore missed week 1's challenge. To be honest, it is a bit of pity for me. Regardless, I still found fulfilment from cracking the new challenges and learning from other people's write-ups😀. If you were still reading this blog entry in Oct 2020, I suppose it would not be too late to join the CTF and have fun from it.

For all challenges on Oct 2020, an Android image would be used for analysis.

And the challenge of week 2 looked like this:


Seeing the "What domain was most recently viewed via an app" part made me wonder if I needed to look into web browsing history on the Android image first. Just in case you don't know about the "picture-in-picture" (PIP) capability from Android, Android Developers documentation gave a short, comprehensive explanation: "Android 8.0 (API level 26) allows activities to launch in picture-in-picture (PIP) mode. PIP is a special type of multi-window mode mostly used for video playback. It lets the user watch a video in a small window pinned to a corner of the screen while navigating between apps or browsing content on the main screen."

From the screenshot below, you could see a music video of Rick Astley's "Never Gonna Give You Up" playing in PIP mode.

It is noteworthy that the mainstream web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge and Opera) all offered PIP support:


Back on the Android image, the only web browser appeared to be Google Chrome. Thus, it would be necessary to locate the Chrome History SQLite Database (which can be located at "/data/data/com.android.chrome/app_chrome/Default/History".



Afterwards, a SQLite Database Viewer (I used DB Browser for SQLite here) could be used to examine its contents. Our answer should be inside the "urls" table and a descending sort could be done on the "last_visit_time" column to locate the most recent visited domain:


Now the most recent visited URL was "http://malliesae.com/investor-page/". However, the challenge only asked of the domain. Therefore, "malliesae.com" is the correct answer for this challenge.

I hope you enjoyed reading my write-up of Magnet Weekly CTF Challenge week 2 challenge. Stay tuned and I will keep presenting new write-ups every week!

Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi
Read more