CyberDefenders - Jailbreak CTF | Netscylla’s Blog

Magnify logo

Before we begin

This challenge was made easier with the help of Apollo a small python program for extracting and processing forensic artefacts from mobile devices, or extracted mobile device logs.

We suggest reading the webpage and downloading the tool, before commencing this challenge.

Walkthrough

1) What is the version of IOS

Hint:

/private/var/logs/AppleSupport/General

Answer:

9.3.5

2) Who is using the iPad? Include their first and last name

Hint:

strings .//private/var/mobile/Library/Calendar/Calendar.sqlitedb

Answer:

 Tim Apple

3) When was the last time this device was 100% charged? Format: 01/01/2000 01:01:01 PM

Hint:

sqlite3 ./private/var/containers/Shared/SystemGroup/*/Library/BatteryLife/CurrentPowerlog.PLSQL
./private/var/containers/Shared/SystemGroup/4212B332-3DD8-449B-81B8-DBB62BCD3423/Library/BatteryLife/Archives/

Answer:

04/15/2020 06:40:31 PM

4) What is the title of the webpage that was viewed the most? (Three words)

Hint:

use apollo *cat apollo.csv|grep -i “Safari Browsing”|grep -i “visit count”|cut -f 9-10 -d “:”|sort

Answer:

 kirby with legs

5) What is the title of the first podcast that was downloaded? Hint:

cat ./private/var/mobile/Media/Podcasts/1174163024052164360

Answer:

 WHERE ARE WE?

6) What is the name of the WiFi network this device connected to? (Two words)

Hint:

cat apollo.csv grep -i “network identifier”
[NETWORK IDENTIFIER: black lab-5a:7d:7f:3b:c7:d2]

Answer:

  blacklab

7) What is the name of the skin/color scheme used for the game emulator? This should be a filename.

Hint:

ls ./Applications/GBA4iOS.app

Answer:

 Default.gbaskin

8) How long did the News App run in the background

Hint:

/private/var/containers/Shared/SystemGroup/4212B332-3DD8-449B-81B8-DBB62BCD3423/Library/BatteryLife/CurrentPowerlog.PLSQL
PLAppTimeService_Aggregate_AppRunTime

Answer:

 197.810275

9) What was the first app download from AppStore? (Two words)

Hint:

https://github.com/abrignoni/iLEAPP Answer:
```
 Cookie Run
```

10) What app was used to jailbreak this device?

Hint:

cat apollo.csv grep -i “jailbreak”
https://nguyenthanh1995.github.io/jailbreak-tool/ (wayback machine)
./private/var/installd/Library/Logs/MobileInstallation/mobile_installation.log.0

Answer:

 phoenix

11) How many applications were installed from the app store?

Answer:

12) How many save states were made for the emulator game that was most recently obtained?

Hint:

/private/var/mobile/Documents

Answer:

13) What language is the user trying to learn?

Hint:

cat private/var/mobile/Containers/Data/Application/3DB96BE0-20EC-4460-9413-370259138580/Documents/PodcastsDB.plist
Duolingo Spanish

Answer:

  Spanish

14) The user was reading a book in real life but used their IPad to record the page that they had left off on. What number was it?

Hint:

./private/var/mobile/Media/DCIM/100APPLE/IMG_0008.MOV

Answer:

15) If you found me, what should I buy?

Hint:

./private/var/mobile/Containers/Shared/AppGroup/4466A521-8AF9-4E09-800B-C3203BB70E0E/NoteStore.sqlite

Answer:

 Crash Bandicoot Nitro-Fueled Racing

16) There was an SMS app on this device’s dock. Provide the name in bundle format: com.provider.appname

Hint:

ls ./Applications

Answer:

  com.apple.MobileSMS

17) A reminder was made to get something, what was it?

Hint:

strings .//private/var/mobile/Library/Calendar/Calendar.sqlitedb

Answer:

 milk

References

Share on: