Hexordia CTF – Week 1

By Dr Tristan Jenkinson

Introduction

I have long extolled the virtues of CTF (Capture the Flag) type events for forensic practitioners. I personally find that they are a great way to keep your skills sharp. Not just the obvious forensic skills, but research and testing, learning new tools or using features of tools that you may not use in everyday forensic work.

Hexordia started a new CTF last week, with an interesting few tweaks! There are additional points available for writing up solutions, and developing new tools or scripts for the community which may assist in the solution. I think that the latter in particular is a great addition (although as someone who doesn’t really script it does put me at a slight disadvantage). CTFs (and even the underlying data that is not part of a particular solution) have often led to additional scripts and support in tools, as we find new artefacts to investigate and pull information from. This approach from Hexordia is a great way to encourage more tools for the forensic community, which can only be a good thing.

The CTF started last week, though sadly I didn’t get much time to play with it, due to work and personal commitments. I did manage to grab two flags late on the Saturday evening, and found myself heading down a number of cul-de-sacs with the remaining challenges at 2am!

I thought I would write up my solutions (and failures) in case others are interested.

Crewmates are Sus (iPhone)

In retrospect, this should have been far more obvious than it was, given the name of the challenge.

I had already had a flick through the browser history, and had seen some Call of Duty information, as well as some images that appeared to be potentially from online CoD games. However, I didn’t think this would likely be described as a “social” game.

My next step was to have a quick dive into the installed applications, and I noticed a couple of stand-out options… Clash of Clans and Roblox.

I did have a dig into these, and thought I would include the information here for reference…

Sidenote – Clash of Clans

Using Oxygen, I pulled the information about the application:

We are looking for the userID information. Typically this would be stored in the preferences for the application. Preference files for iOS apps are usually plist files named after the Bundle ID (com.supercell.magic here), and we can see a plist file with that name among the source files listed.

Opening this entry takes us to the file we are looking for, which is located in the Library/Preferences folder within the Container folder listed for the app (the full path is /private/var/mobile/Containers/Data/Application/E6C7079A-C3E8-43F9-A7FB-99C905BE4D72/Library/Preferences/com.supercell.magic.plist).

If we open up this plist file, it is a binary plist… containing more binary plists:

We also get a SupercellIdProfileStorage entry which looks like it is in JSON format… this seems like a likely location for userID information. In Oxygen we can double click to open this in the file viewer.

Once opened, we can immediately see information about the user profile, an extract of which is below:

So we have a username, “chadgaming”, and a separate “Identifier” which matches the Apple ID reported by Oxygen – chadwickmr95@gmail.com.

However, this isn’t the application that we are interested in…

Sidenote – Roblox

Roblox is also installed on the iPhone. Using the Applications list from Oxygen we can see the below information:

As before, we can see the preference file that we likely want is listed as a source file. We can open it directly from here, and can confirm its location is /private/var/mobile/Containers/Data/Application/D99F0FD2-0F15-4B11-969E-785B700FD0D2/Library/Preferences/com.roblox.robloxmobile.plist.

Opening this plist there is a huge amount of information… within it we can see information about the last logged in user… likely providing an indication of the relevant UserID.

As with Clash of Clans, this is not the social game that we are looking for…

Among Us!

Because of course, talking about suspicious “crewmates” is a reference to Among Us!

Looking at the application information from the Oxygen Applications section, we can see the below information.

Here we see the link to the plist file, which is located at /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2/Library/Preferences/com.innersloth.amongus.plist

If we open this plist, we see the below:

We can pull out the userID value here “001381.5ced44f175f640fb9264ce19cc43683f.2043” which is indeed the flag that we are looking for.
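As an added example (not the author's or Oxygen's code), the following Python script pulls named keys out of an iOS preference plist of the kind discussed above, descending into binary plists nested as data and into JSON stored as strings, as in the SupercellIdProfileStorage entry. The sample file it builds is constructed, not data from the CTF image.

```python
import json
import plistlib
import re

BPLIST_MAGIC = b"bplist00"

def walk(obj, path=""):
    """Yield (path, leaf) for every leaf, descending into nested binary
    plists stored as data and into JSON text stored as strings."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from walk(value, f"{path}[{idx}]")
    elif isinstance(obj, bytes) and obj.startswith(BPLIST_MAGIC):
        # a plist inside a plist, as in com.supercell.magic.plist
        yield from walk(plistlib.loads(obj), f"{path}{{bplist}}")
    elif isinstance(obj, str) and obj.lstrip().startswith(("{", "[")):
        try:  # e.g. the SupercellIdProfileStorage JSON blob
            decoded = json.loads(obj)
        except ValueError:
            yield path, obj
        else:
            yield from walk(decoded, f"{path}{{json}}")
    else:
        yield path, obj

def find_keys(plist_bytes, wanted):
    """Return {path: value} for leaves whose own key name is in `wanted`
    (case-insensitive), e.g. userID, username, identifier."""
    wanted = {w.lower() for w in wanted}
    hits = {}
    for path, value in walk(plistlib.loads(plist_bytes)):
        key = re.split(r"[\[{]", path.rsplit("/", 1)[-1])[0]
        if key.lower() in wanted:
            hits[path] = value
    return hits

def build_sample():
    """Constructed stand-in for a Supercell-style preference file (not the CTF
    image's data): an outer bplist holding a nested bplist and a JSON string."""
    inner = plistlib.dumps({"lastLaunch": 1700000000}, fmt=plistlib.FMT_BINARY)
    profile = json.dumps({"username": "example_player",
                          "identifier": "player@example.invalid"})
    outer = {"Blob": inner, "SupercellIdProfileStorage": profile,
             "userID": "000000.constructed.0000"}
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)
```

Against an exported file, call `find_keys(open(path, "rb").read(), ["userID"])`; the returned path shows whether the hit came from the top level, a nested plist or an embedded JSON string.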

Karma’s a relaxing thought (Android)

Karma and upvoting are common (and related) terms used on Reddit, which I had already noted was installed. This therefore seemed a likely place to start.

Looking again at the Applications information provided in Oxygen, we get some information:

Note that the account details refer to the email account, not necessarily the username utilised in the application. Oxygen also parses out some of the user data for Reddit, so I wanted to take a quick look at this. The high level view is shown below:

Helpfully this identifies the username which is in use – not just the account name.

Well, since we have the username, we could look up the user’s details online. Doing this I found the below from https://www.reddit.com/search/?q=narrowecho136&type=link&cId=e765afc2-006d-422e-9f67-eb96ac859ab7&iId=f9f10dfa-8243-47e7-ac0c-66d05a003d6f:

So we have a user with 1 karma – which suggests that they have a single upvote, which would match the phrasing of the question. I note that, on rerunning the search, the user appears to have been deleted from the Reddit system:

Looking into the details for the user we can find out their score:

So it looks like the user was upvoted on 26 December 2023… but we need a time for the flag. It also looks like it relates to a post that was made, so let’s take a look at the user posts…

So unfortunately it appears that isn’t an avenue available to us.

If a user has chosen to make their upvotes public, these can be easily analysed online. The information is publicly available at www.reddit.com/user/username/upvoted.

Therefore, let’s take a look at www.reddit.com/user/NarrowEcho136/upvoted.

Unfortunately, it appears that the user did not set their upvoting information to be public, and so we cannot access it. This means that an OSINT approach is unlikely to work, and, as may have been expected, we will need to get this information from the phone data itself! Thankfully, in this case, this is not particularly complex.

Looking at the information reported in the Applications section of Oxygen (displayed further above), we can see that the Container location (where much of the application data is stored) is /data/data/com.reddit.frontpage. Within this location is a databases folder – applications love to store information in databases, so this may well be a useful place to look.

Opening up the databases folder, a database with the username for our user is shown – reddit_db_NarrowEcho136. If we open up this database, there are a large number of different tables… but there is one that relates specifically to karma – the “karma_statistics” table.

Opening that, there is only a single entry (you may recall that from our OSINT work, we saw that there was only one karma point for this user). The single entry is:

So we can see that we have a single karma point and a timestamp. This looks like it is likely a Unix epoch timestamp, so, quickly using epochconverter.com, we can convert this to a human-readable date:

This matches the 26 December date that we saw in the online statistics, so this certainly fits with what we know, and indeed 2023-12-26 21:54:13 is the flag that we are seeking.
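As an added example, not the author's tooling, here is how the karma_statistics lookup and the epoch conversion could be scripted, with the seconds-versus-milliseconds check that Android databases often need. The column names karma and timestamp are assumed, and the in-memory database is constructed, not the CTF image's reddit_db_NarrowEcho136.

```python
import sqlite3
from datetime import datetime, timezone

def epoch_to_utc(value):
    """Render a Unix epoch as 'YYYY-MM-DD HH:MM:SS' in UTC. Android apps often
    store milliseconds; anything above 10**11 is treated as ms, not seconds."""
    value = int(value)
    if value > 100_000_000_000:
        value //= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def karma_events(conn):
    """Return (karma, raw_timestamp, utc_string) for each karma_statistics row.
    The column names karma and timestamp are assumed; confirm them with
    'PRAGMA table_info(karma_statistics)' against the real database."""
    rows = conn.execute(
        "SELECT karma, timestamp FROM karma_statistics ORDER BY timestamp").fetchall()
    return [(karma, ts, epoch_to_utc(ts)) for karma, ts in rows]

def open_readonly(path):
    """Open an extracted database without writing to it (no journal/WAL churn)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """Constructed in-memory stand-in for reddit_db_NarrowEcho136; the single
    row's epoch is chosen to decode to the 26 December 2023 date reported above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE karma_statistics (id INTEGER PRIMARY KEY, "
                 "karma INTEGER, timestamp INTEGER)")
    conn.execute("INSERT INTO karma_statistics (karma, timestamp) VALUES (1, 1703627653)")
    conn.commit()
    return conn

if __name__ == "__main__":
    import sys
    db = open_readonly(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for karma, raw, when in karma_events(db):
        print(f"karma={karma} raw={raw} utc={when}")
```

The output is in UTC; if the flag format expects local time, apply the device's time zone rather than the analysis machine's.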

Ending so soon?

Sadly this was all I had time for during week one. I’m hoping to do better in the coming weeks, and will post updates on my findings.

If you want to come and join in the fun, you can find the main page with links to the required downloads and the question board here – https://www.hexordia.com/spring2024-weekly-ctf-challenge.

For the challenges that I missed in week one, tkh4ck, who is also taking part in the CTF, has written up their answers from week one, covering all of the challenges! You can follow their excellent write-ups here – https://tkh4ck.github.io/ctf/2024/hexordia-weekly-ctf/.
