CyberDefenders - Jailbreak CTF
Before we begin
This challenge was made easier with the help of Apollo, a small Python program for extracting and processing forensic artefacts from mobile devices or from extracted mobile device logs.
We suggest reading the webpage and downloading the tool before commencing this challenge.
Walkthrough
1) What is the version of iOS?
Hint:
- /private/var/logs/AppleSupport/General
Answer:
9.3.5
2) Who is using the iPad? Include their first and last name
Hint:
- strings ./private/var/mobile/Library/Calendar/Calendar.sqlitedb
Answer:
Tim Apple
3) When was the last time this device was 100% charged? Format: 01/01/2000 01:01:01 PM
Hint:
- sqlite3 ./private/var/containers/Shared/SystemGroup/*/Library/BatteryLife/CurrentPowerlog.PLSQL
- ./private/var/containers/Shared/SystemGroup/4212B332-3DD8-449B-81B8-DBB62BCD3423/Library/BatteryLife/Archives/
Answer:
04/15/2020 06:40:31 PM
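The same lookup as a small Python script, added here as an example and not part of the original writeup: it queries a powerlog-style SQLite table for the latest reading at 100% and prints it in the challenge's answer format. The table and column names (PLBatteryAgent_EventBackward_Battery, timestamp, Level) are assumptions modelled on the iOS powerlog schema, and the rows are constructed sample data, not values from the challenge image.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema (hypothetical, modelled on the iOS powerlog battery table):
# PLBatteryAgent_EventBackward_Battery(timestamp REAL unix epoch, Level REAL percent)
LAST_FULL_CHARGE_SQL = """
SELECT MAX(timestamp) FROM PLBatteryAgent_EventBackward_Battery
WHERE Level >= 100
"""


def last_full_charge(conn):
    """Return the most recent unix timestamp at which the battery read 100%, or None."""
    row = conn.execute(LAST_FULL_CHARGE_SQL).fetchone()
    return row[0] if row and row[0] is not None else None


def format_ctf(ts):
    """Format as the challenge wants: MM/DD/YYYY HH:MM:SS AM/PM.

    Powerlog timestamps are unix epoch (UTC). If the answer key is in the
    device's local zone, convert with that zone instead of timezone.utc.
    """
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%Y %I:%M:%S %p")


def last_full_charge_report(conn):
    """Formatted last-100% time, or None when the log never reached 100%."""
    ts = last_full_charge(conn)
    return None if ts is None else format_ctf(ts)


# Constructed sample rows (timestamp, Level); not from the challenge image.
SAMPLE_ROWS = [
    (1586980000.0, 98.0),   # charging
    (1586980600.0, 100.0),  # reached full
    (1586981200.0, 100.0),  # still full: this is the latest 100% reading
    (1586981800.0, 97.0),   # discharging again
]


def build_sample_db(rows=SAMPLE_ROWS):
    """Build an in-memory stand-in for CurrentPowerlog.PLSQL with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PLBatteryAgent_EventBackward_Battery (timestamp REAL, Level REAL)")
    conn.executemany("INSERT INTO PLBatteryAgent_EventBackward_Battery VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    print(last_full_charge_report(build_sample_db()))  # 04/15/2020 08:06:40 PM
```

Against the real image, replace build_sample_db() with sqlite3.connect() on the CurrentPowerlog.PLSQL path from the hint, and remember that the archives directory may hold older logs with earlier full-charge events.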
4) What is the title of the webpage that was viewed the most? (Three words)
Hint:
- use Apollo: cat apollo.csv | grep -i "Safari Browsing" | grep -i "visit count" | cut -f 9-10 -d ":" | sort
Answer:
kirby with legs
5) What is the title of the first podcast that was downloaded?
Hint:
- cat ./private/var/mobile/Media/Podcasts/1174163024052164360
Answer:
WHERE ARE WE?
6) What is the name of the WiFi network this device connected to? (Two words)
Hint:
- cat apollo.csv | grep -i "network identifier"
- [NETWORK IDENTIFIER: black lab-5a:7d:7f:3b:c7:d2]
Answer:
blacklab
7) What is the name of the skin/color scheme used for the game emulator? This should be a filename.
Hint:
- ls ./Applications/GBA4iOS.app
Answer:
Default.gbaskin
8) How long did the News App run in the background?
Hint:
- /private/var/containers/Shared/SystemGroup/4212B332-3DD8-449B-81B8-DBB62BCD3423/Library/BatteryLife/CurrentPowerlog.PLSQL
- PLAppTimeService_Aggregate_AppRunTime
Answer:
197.810275
9) What was the first app downloaded from the App Store? (Two words)
Hint:
- https://github.com/abrignoni/iLEAPP
Answer:
Cookie Run
10) What app was used to jailbreak this device?
Hint:
- cat apollo.csv | grep -i "jailbreak"
- https://nguyenthanh1995.github.io/jailbreak-tool/ (Wayback Machine)
- ./private/var/installd/Library/Logs/MobileInstallation/mobile_installation.log.0
Answer:
phoenix
11) How many applications were installed from the app store?
Answer:
2
12) How many save states were made for the emulator game that was most recently obtained?
Hint:
- /private/var/mobile/Documents
Answer:
1
13) What language is the user trying to learn?
Hint:
- cat private/var/mobile/Containers/Data/Application/3DB96BE0-20EC-4460-9413-370259138580/Documents/PodcastsDB.plist
- Duolingo Spanish
Answer:
Spanish
14) The user was reading a book in real life but used their iPad to record the page they had left off on. What number was it?
Hint:
- ./private/var/mobile/Media/DCIM/100APPLE/IMG_0008.MOV
Answer:
85
15) If you found me, what should I buy?
Hint:
- ./private/var/mobile/Containers/Shared/AppGroup/4466A521-8AF9-4E09-800B-C3203BB70E0E/NoteStore.sqlite
Answer:
Crash Bandicoot Nitro-Fueled Racing
16) There was an SMS app on this device’s dock. Provide the name in bundle format: com.provider.appname
Hint:
- ls ./Applications
Answer:
com.apple.MobileSMS
17) A reminder was made to get something, what was it?
Hint:
- strings ./private/var/mobile/Library/Calendar/Calendar.sqlitedb
Answer:
milk