Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges:

iOS - Crewmates are Sus (15 marks)

What is Chad's user ID for the multiplayer social game?

The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us"

From iLEAPP "Application State report" page, Among Us (com.innersloth.amongus) was installed and the sandbox path for Among Us can be found at 

/private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2



Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID:

Using plistEditor Pro, the plist files could be opened and one of them (com.innersloth.amongus.plist) has a userid key with value

001381.5ced44f175f640fb9264ce19cc43683f.2043

which was the flag for this challenge.




iOS - Apocalist Now (25 marks)

What is the timestamp of the last crossed out entry?
FORMAT: YYYY-MM-DD HH:MM:SS

The term "last crossed out entry" suggested we could be possibly looking for a checklist/notepad application

Using Magnet AXIOM, an app with package name "com.ztnstudio.notepad" had some application history and had an app snapshot that contains crossed out checklist entries:


A bit of further digging will reveal this is a notes and to-do list app available on Google Play Store:

Then it comes down to the question of locating the database that contained the checklist/notepad data. I have extracted the app directory and have used grep on WSL to look for the term "Preppy" by issuing the command:

grep -r "Preppy" *

The reason for using the term "Preppy" is the app snapshot reveals a potential list named "Preppy practice". Turned out there is only an exact hit of "Preppy" for a binary file "/data/data/com.ztnstudio.notepad/files/default.realm":


So it would appear that this app utilized Realm database technology. This "default.realm" could be opened with Realm Studio. Upon opening "default.realm" in Realm Studio, a class named "ChecklistItem" caught my attention.

On further inspection, it would appear that "id" column seemingly corresponded to an Epoch timestamp in milliseconds and "checkItemCrossedOut" column indicated whether an item has been crossed out as implied by its name. After sorting "id" in descending order, the first item with "checkItemCrossedOut" with a value of "true" is "Learn to can". It is noteworthy that this "Learn to can" item was also present and crossed out in the app screenshot.


The "id" value of "Learn to can" was "1703720188280" and it could be converted into the timestamp value of 2023-12-27 23:36:28, which was also the flag to this question.


Android - Karma's a relaxing thought (25 marks)

When was the user upvoted?
(Format: YYYY-MM-DD HH:MM:SS)

The terms "Karma" and "upvoted" suggested we should be looking for Reddit. In case you haven't used or heard of Reddit, here is a quick primer to break into this subject by Reddit user u/jgoga:


We would then start by looking at Reddit app databases, they could be found at "/data/data/com/reddit/frontpage" directory. There were a couple of files that had my attention, namely "reddit_db_anonymous" and "reddit_db_NarrowEcho136". On the surface of it, "NarrowEcho136" seemingly looks like a Reddit user ID.



If a search was performed for "NarrowEcho136" on Reddit, we could see such a user still exists on Reddit and this user had a Cake Day of "Dec 26, 2023" and 1 Post Karma.


Because of this, we would take a deeper look into "reddit_db_NarrowEcho136". There was one table that named "karma_statistics" and inside that table it contained a karma entry with an Epoch timestamp of "1703627653479".

The Epoch timestamp of "1703627653479" could be converted into the timestamp value of 2023-12-26 21:54:13, which was the flag to this question.


Android - Cleanup Aisle #13 (15 marks)

What is the average rating of the item Rocco was recently viewing?

Using Magnet AXIOM with OCR enabled, it would be easy to locate a few screenshots by searching the word "Aisle". The screenshot was taken with an item "30kg Ready-to-Use Concrete Mix" by Quikrete inside a shopping app.


Even though there was no immediate clue from the paths of these screenshots that could be directly traced back to the original source app, a Home logo with "The Home Depot" could be found at the bottom left corner of the screenshot shown above, which pointed us towards an app that related to "The Home Depot".


So the focus was changed to Home Depot mobile app, ALEAPP showed that a "Home Depot" app with package name "com.thehomedepotca":

This time we would also start by looing at the app-related databases of "com.thehomedepotca".


The SQLite database "HD_DATA_BASE" would be examined first, as the others were seemingly less related to the Home Depot app itself from their names. Inside "HD_DATA_BASE", there was a "recently_viewed_items" table that contained exactly an item of "30kg Ready-to-Use Concrete Mix" by Quikrete. This entry corresponded to the earlier discovered screenshot. 

More importantly, it also contained an "average_rating" value of 4.63450002670288, which was also the flag to this question.



Conclusion

So this concluded my writeup for the week 1 of Hexordia Weekly CTF Challenge 2024. My week 2 writeup will also follow soon. 

If anyone is interested in taking part in this challenge, you can still sign up at https://hex2024weekly.ctfd.io/

Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was ...
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi...
Read more