Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only:

Android - Total Freedom (10 marks)

What URL was opened after pasting language from ONeal's gist?

After reading the question, we would most likely be looking for web browsing history on the Android image, since we were after a particular opened URL. At the same time, the term "gist" used here immediately reminded me of GitHub Gists.

In case you have not heard of GitHub Gists before, the research article "What is the Gist?: understanding the use of public Gists on GitHub", available on the ACM Digital Library, describes them as follows: 'Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others."'

After running a quick search for the term "gist" in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gist related pages, and all hits pointed to this URL: "https://gist.github.com/coolaj86/6f4f7b30129b0251f61fa7baaa881516".



The GitHub Gist URL pointed to a 'Chat GPT "DAN" (and other "Jailbreaks")' page created by user "coolaj86". The word "DAN" in the page title also mirrored the "DAN" term used in a later question (What was the response to the DAN prompt?).



On a closer look, the name of user "coolaj86" was AJ ONeal, which echoed the "ONeal" raised in the question (What URL was opened after pasting language from ONeal's gist?).

Having located ONeal's gist, we would return to the original GitHub Gist URL to look for the "pasted language". This page contained a section called '"Jailbreak" Prompts', which included a lengthy paragraph known as "The Jailbreak Prompt".


Taking a further look into the Android Chrome Web Visits, the ChatGPT web application was visited and successfully logged into with a Google account after ONeal's gist page was visited. A ChatGPT URL "https://chat.openai.com/c/64b10712-a14a-43a0-90f6-f7c0fc4753e8" was visited after the ChatGPT main page (https://chat.openai.com).

We could also tell that "https://chat.openai.com/c/64b10712-a14a-43a0-90f6-f7c0fc4753e8" had a page title "DAN Unleashed: Chat Freedom".



There was a way to view what was entered on "https://chat.openai.com/c/64b10712-a14a-43a0-90f6-f7c0fc4753e8". In ALEAPP, the "Chrome - Offline Pages report" showed that an offline page version of "https://chat.openai.com/c/64b10712-a14a-43a0-90f6-f7c0fc4753e8" existed at:
/data/user/0/com.android.chrome/cache/Offline Pages/archives/35997fdb-f62c-4a1a-9ec7-1f0cda335612.mhtml


After extracting the Chrome app package from the image, the "35997fdb-f62c-4a1a-9ec7-1f0cda335612.mhtml" file could be opened with a web browser. It could be seen that "The Jailbreak Prompt" from ONeal's gist page was entered as the first message in this ChatGPT conversation.



To sum up, "https://chat.openai.com/c/64b10712-a14a-43a0-90f6-f7c0fc4753e8" would be the flag to this challenge and it was accepted.
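The offline page can also be read without rendering it in a browser, since an MHTML archive is a MIME multipart message. The following is an added example, not part of the original writeup: the sample bytes are constructed in the shape Chrome writes, the `Snapshot-Content-Location` header and the `chat.example` URL are assumptions about the input, and `parse_offline_page` is a hypothetical helper name.

```python
import email
from html.parser import HTMLParser

# Constructed miniature MHTML archive; not data from the CTF image.
SAMPLE_MHTML = (
    b"From: <Saved by Blink>\r\n"
    b"Snapshot-Content-Location: https://chat.example/c/00000000-constructed\r\n"
    b"Subject: Constructed Title\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; type="text/html"; boundary="----B----"\r\n'
    b"\r\n"
    b"------B----\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"Content-Location: https://chat.example/c/00000000-constructed\r\n"
    b"\r\n"
    b"<html><head><style>p{color:red}</style></head><body>"
    b"<p>first =\r\nmessage caf=C3=A9</p><script>x=3D1</script>"
    b"<p>second message</p></body></html>\r\n"
    b"------B------\r\n"
)

class _Text(HTMLParser):
    """Collect visible text, skipping script and style bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(" ".join(data.split()))

def parse_offline_page(raw):
    """Return the snapshot URL, title and visible text of an MHTML archive."""
    msg = email.message_from_bytes(raw)
    html_part = next(p for p in msg.walk() if p.get_content_type() == "text/html")
    # Fall back to the HTML part's own location if the snapshot header is absent.
    url = msg["Snapshot-Content-Location"] or html_part["Content-Location"]
    parser = _Text()
    # get_payload(decode=True) undoes the quoted-printable transfer encoding.
    parser.feed(html_part.get_payload(decode=True).decode("utf-8", errors="replace"))
    return {"url": url, "title": msg["Subject"], "text": parser.chunks}
```

Matching the returned URL against the browser history entry ties the archived conversation text to the visited page.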

Android - Say What? (15 marks)

What question received the response "I can't assist with that."

Since we have already got a ChatGPT question (Total Freedom) and a potential follow-up ChatGPT question (Status symbol), and the top Google search results for "I can't assist with that." were associated with ChatGPT, it is reasonable to hypothesize that this question is also related to "ChatGPT" or a similar service.



From Magnet AXIOM Examine, there was a ChatGPT-like application "com.smartwidgetlabs.chatgpt" installed on the Android device.


We would take a further look into the databases related to the "com.smartwidgetlabs.chatgpt" application, as there was a chance the in-app conversations were captured inside them. Inside the "/data/data/com.smartwidgetlabs.chatgpt/databases" folder, there was a "chat_gpt_database" SQLite database that stood out from the crowd of databases.


Within the "chat_gpt_database" SQLite database, there was a "conversations" table that recorded in-app conversations. There was exactly one entry of "I can't assist with that." in the "answerText" column, which came with the corresponding question "Can you provide tips on how to sell drugs?" in the "yourText" column.

Therefore, "Can you provide tips on how to sell drugs?" would be the flag of this question.




Android - Status symbol (15 marks)

What was the response to the DAN prompt?

There was a DAN prompt issued in the "com.smartwidgetlabs.chatgpt" app, as reflected in the app screenshot from Magnet AXIOM Examine. The screenshot showed that sending the DAN prompt had failed and that it had to be retried.


In the "chat_gpt_database" SQLite database explored earlier, there was also an entry related to the DAN prompt that could not be sent. It did not have any "answerText" value but it still had a "statusMessage" of "timeout_error", where "timeout_error" is the flag to this challenge.
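The two lookups in "Say What?" and "Status symbol" can be reproduced with plain SQL against a working copy of the database. This is an added example, not part of the original writeup: only the table name and the `yourText`, `answerText` and `statusMessage` columns come from the text above, while the `id` column, the sample rows and the function names are assumptions made for the demonstration.

```python
import sqlite3
from pathlib import Path

def build_sample_db(path):
    """Write a constructed stand-in for chat_gpt_database (rows are not evidence)."""
    con = sqlite3.connect(path)
    # Table and column names yourText/answerText/statusMessage are from the
    # writeup; the id column and the first row are assumptions for the demo.
    con.execute("CREATE TABLE conversations (id INTEGER PRIMARY KEY, "
                "yourText TEXT, answerText TEXT, statusMessage TEXT)")
    con.executemany(
        "INSERT INTO conversations (yourText, answerText, statusMessage) "
        "VALUES (?, ?, ?)",
        [("What is the capital of France?", "Paris.", None),
         ("Can you provide tips on how to sell drugs?",
          "I can't assist with that.", None),
         ("[constructed placeholder for the DAN prompt]", None, "timeout_error")])
    con.commit()
    con.close()

def open_readonly(path):
    """Open the working copy read-only so a query cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def questions_for_answer(con, answer):
    """Prompts whose stored answer matches exactly (the 'Say What?' lookup)."""
    rows = con.execute("SELECT yourText FROM conversations "
                       "WHERE answerText = ? ORDER BY id", (answer,))
    return [r[0] for r in rows]

def failed_prompts(con):
    """(prompt, statusMessage) for rows with no answer (the 'Status symbol' lookup)."""
    rows = con.execute("SELECT yourText, statusMessage FROM conversations "
                       "WHERE answerText IS NULL OR TRIM(answerText) = '' "
                       "ORDER BY id")
    return [tuple(r) for r in rows]
```

On a real extraction, query a copy of the database with any `-wal` and `-shm` files kept beside it, since recent rows may still sit in the write-ahead log.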








