Magnet Weekly CTF Challenge Week 3 Writeup

The following is the week 3 writeup for the Magnet Weekly CTF Challenge and this week's challenge looked like this:


Seeing the words "Which exit did the device user pass by" and "Cargo" made me wonder if I should look for a sign that has an exit ID on it. Despite that, none of the Photos found from the Android image showed nothing like a sign:


Magnet Forensic Staff normally would give some hints on this week's challenge on their YouTube channel on Monday 11ET and so did they last week

I had to say Jessica Hyde's hint was instrumental for me to crack this challenge quickly. With some Google searches, the webminar mentioned by Jessica could be found. This webminar was delivered by Jessica Hyde and Christopher Vance and the topic was about the comparison of artifacts between Android and iOS.

The highlighted part from the above screenshot immediately caught my attention and I suddenly realized I had to look at the Motion Photos on the Android image. "Motion Photo" is  a function offered by Google on Pixel phones starting from Pixel 2, which could be toggled on/off from the Google Camera interface shown below:


The Motion Photo files should have their file names started with "MVIMG" prefixes. Therefore, the first order of business would be exporting all image files that had :MVIMG" prefixes in their file names for analysis.


After that, there were at least two possible ways to solve this challenge:

The Quick Fix

By default, Windows could only view the exported Motion Photo files as static JPEG files. As I have had experience using the Motion Photo feature before, I know the Google Photos mobile app could view the Motion Photo properly. Therefore, I imported all found Motion Photo files into my own Pixel 3 and used the Google Photos app to view them. Most motion photos did not contain the information needed, until I came across MVIMG_20200307_130326.jpg.


Clicking on the top-right encircled play button would start playing the motion photo, which would look like this:

From the captured GIF, you might very well saw a traffic sign was passed by in the blink of an eye. In reality, the clip was played in an higher speed than this GIF did. So a way had to be found in order to spot the text on the sign. Google Photos has a handy function that allowed users to see the motion photo in a frame-to-frame manner, such that they got to choose the best shot from the motion photo. This function indeed helped a lot in spotting the best shot where the text on sign was actually readable.

From the screenshot above, the texts "Sør-Gardermoen", "Cargo", "Gardermoen vest", "Kulturpark" and an exit ID look-alike "F16" could be identified from the sign. Thus, I submitted the answer of this challenge as "F16".

However, this isn't the end of this writeup.

The Geolocation data showed that the photo was taken near the Oslo airport. Is it possible to find the actual sign?


As seen in the GIF above, a series of orange-colored structure could be seen from the Android device owner's viewpoint. They are part of the Approach Lighting System (ALS) used in airports to allow the aircraft pilots to visually identify the runway environment and align the aircraft with the runway upon arriving at a prescribed point on an approach. Moreover, ALS is usually installed on the approach end of an airport runway. 

By using Google Maps in satellite view and searching around the Oslo airport runways, a match could be found:

Google Street View was then used to verify if the sign shown on the satellite view was indeed the sign seen in the motion photo.

Clearly, the sign should be the one observed in the motion photo. However, the actual exit ID was not "F16", instead it should be "E16". 😂

The Conventional Way

The structure of the motion photo was rather simple. Fernando García Álvarez has written a detailed write-up about the structure of the motion photo. In short, the motion photo is basically an MP4 file appended to the end of a JPEG file. GitHub contributor Keith Turner had written a shell script to extract the MP4 file from the motion photo. This script could be used to obtain all the MP4 files from the motion photos. By inspecting all MP4 files, the same highway sign could be found in this way.


So this marks the actual end of the week 3 write-up of the Magnet Weekly CTF Challenge. I hope you enjoyed this week's write-up and see you next week!


Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa
Read more

An Android Casting (Device) Story: "cast.db"

Image
  This article will briefly document a SQLite database (" cast.db ") found from Android devices, which would store the information of detected casting devices on the Wi-Fi network. The said " cast.db " can be recovered at " /data/com.google.android.gms/databases/cast.db ".  Using Joshua Hickman's Android 10 image as an example, " DeviceInfo " table from  " cast.db "  would store the casting device ID (SSDP UDN), device friendly name, device model name, device IP address and port number, hotspot BSSID , etc. Apart from the basic information of the casting devices, some interesting Epoch timestamps in milliseconds like " last_published_timestamp_millis ", " last_discovered_timestamp_millis " and " last_discovered_by_ble_timestamp_millis " could be discovered as well.  There were some other intriguing tables such as " NetworkInfo ", which probably records the last connected time to a Wi-Fi networ
Read more