Hexordia Weekly CTF Challenge 2024 - Week 3 Writeup

iOS - Those are Rookie Numbers (25 points)

What percentage of players were beat by PlanterPapp?

To solve this challenge, we are likely looking for something related to a game app and "PlanterPapp" is probably a gamer nickname.

In Magnet AXIOM Examine, 2 hits for search term "PlanterPapp" could be found from the OCR text and both of them were identical screenshots of the same app:




Both screenshots have the created time of 2023/12/17 00:20:15. When we look at what application was in focus around that time, the "com.activition.callofduty.shooter" app was in focus. A further Google search of "call of duty mobile chat" showed a similar chat screenshot in Reddit subreddit (r/CallOfDutyMobile).



The application data of "com.activition.callofduty.shooter" could be found at "/private/var/mobile/Containers/Data/Application/3690AAA8-713A-482B-92F1-3F7D3BCC73E6".

Under "/private/var/mobile/Containers/Data/Application/3690AAA8-713A-482B-92F1-3F7D3BCC73E6" app data directory, there was a "screenshot.jpg" under the "Documents" subdirectory. There was one line of "You beat 19.9% players in ranked. from "screenshot.jpg", where 19.9 was the correct answer.



iOS - That's a lot of Hiking (15 points)

What's the total elevation? 

For this challenge, I happened to stumble across the answer from a photo while searching for photos on the device:


This photo could be found from "00008110-000925383620A01E_files_full.zip\private\var\mobile\Media\PhotoData\Thumbnails\V2\DCIM\100APPLE\IMG_0028.HEIC\5005.JPG", the photo captured a sign with a number of names from different places and different values of  ELEV. (which should be abbreviation of elevation).

The last step would involve adding all ELEV. numbers and the sum of these numbers (71159) would be the intended answer.




iOS - Take Control (15 points)

What item was disabled in position 3?

This is a slightly vague question, but I thought this could be related to iOS Control Center given the emphasis of Control in the question name "Take Control".

In iLEAPP, there were iOS Control Center plugins to show list of active or disabled controls. From "Control Center - Disabled Controls" results page, there were 4 items and an app bundle name "com.apple.mobiletimer.controlcenter.timer" could be found in position 3, in which "com.apple.mobiletimer.controlcenter.timer" was the correct answer.





 





Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi
Read more