TL;DR: Breakdown of our answers to Tony Mederos’s questions from the Cellebrite 2020 CTF using only free, open source tools.

Background

Cellebrite just finished up its first Capture the Flag (CTF) event, running from October 26, 2020 through October 29, 2020. The introductory information about our team’s participation in that event can be found here, specifically it links to many of the free, open-source tools we used, which is worth a read to understand the commands you may see below. This post focuses on the questions relating to Tony Mederos and is dedicated to #WrongAnswersOnly.

Warning

By this point you’ve seen very similar approaches in our answers for for Juan, Ruth, and Rene. You probably are expecting a lot of grep, sqlite3, and maybe stat. This post, however, is written in a bit of jest, and represents ways you might find the answer more creatively than you did. If you’d prefer to read someone’s actual walkthrough using Cellebrite’s commercial tool and clicking the buttons, try this one. If you want to have a laugh and consider outside the box thinking, read on.

To be very explicit, this post is purely in jest, do not use these arguments for any real-world cases (other than the footnotes).

Extraction Type - 10 points

What type of extraction is this? (Acronym or Full Wording)

The right answer you find this question is actually the wrong answer. The right answer, when reading the metadata about the extraction says the type is “FileSystem”.

[notta@cuppa Samsung_Galaxy_A10e_Tony_Mederos]$ cat \
Universal_Android\ Access\ Tony\ Mederos.ufd \
| grep ExtractionType

ExtractionType=FileSystem

Clearly the answer is “FileSystem” but as you try other values you’ll find out the answer that is desired is “Full File System”, which is the name (not full wording)¹.

Operating System - 10 points

What Android Version is this device running? (enter just numerical value)

Cellebrite generated the data for this event in early to mid-2020, roughly 6 months after Android 10 was released. As Cellebrite is a commercial company and image and branding matters, I would be severely saddened if they did not buy a phone that shipped with the latest OS on it. I submitted “10” as the answer, prepared to leave the question blank if it was wrong².

Crypto - 10 points

What is the name of the Crypto Currency application?

This might be easy if I believed that ones and zeros could be money, sadly I don’t and have no crypto currency holdings. Without a starting point for what might be a crypto application, I turned to Google, literally. With just ls, curl, grep, and echo, you can quite easily look up the details of any package on the Google Play store and look for keywords. This one-liner does just that, for every entry in /data/data. Forgive me, Google.

How this works is it pipes the output of ls data/data, which is the name of every package since that is how Google sanely stores things, into a while statement. That while statement reads each line and assigns it to the variable package. Inside the while, we first curl the Google Play store, making sure not to display the progress bars (--no-progress-meter) and to only show what match es (-o). That then gets piped into grep where we look case insensitively (-i) for the word “crypto”, since that is what the question wants. We then use && to only run the next command if grep returns successfully. Finally, if grep did return, we echo the package name so we know which to look at.

If I were nice, I’d add a sleep in here. I’d solidly recommend not running this without adding a sleep in here. Seriously, if you run this on large datasets without adding sleep to it, you might end up on an IP ban list somewhere.

[notta@cuppa Dump]$ ls data/data \
| while read package; do \
curl --no-progress-meter https://play.google.com/store/apps/details?id=$package \
| grep -i crypto -o \
&& echo $package; \
done

Crypto
Crypto
Crypto
Crypto
Crypto
Crypto
Crypto
crypto
com.mycelium.wallet

With 8 hits on the word crypto and nothing else matching, I submitted “mycelium” as the answer³.

Security Patch - 20 points

What Security Patch Level does this device have? (Date Format: MM-DD-YYYY for example: 12-30-2025)

This question was too easy, so we opted instead to answer a better question: What was the original patch level of the device? Everyone knows system/build.prop has the current patch level, but what if you wanted to know every patch level the phone had had? Might it matter that the user skipped a particular update? We thought it might, so we dug into data/data/com.samsung.android.knox.containeragent/databases/knoxusage.db to find every patch level ever.

SELECT knox_version, os_version, se_patch 
FROM device_data

So, there you go, you can now tell every patch level the phone had⁴ and I suppose you could also answer “05-01-2020” as the answer!

Location Location Location - 20 points

Was Tony looking for any houses, if so, in what city?

The answer has to be yes, since if he wasn’t looking for houses this would be an insane wild goose chase (tip for next year, Cellebrite). In order to figure out where he might be looking for houses, we examined his media files, since the current social media trend for any such behavior would be to post copious photos. We looked at the images tracked in /data/data/com.samsung.android.providers.media/databases/media.db and found three potential locations.

SELECT locality, address_text 
FROM location

A quick google search shows that the middle two are towns, but anyone looking in a new area would be more specific in what they take a picture of, as they attempt to be a “regular”. The top is a pub, which speaks more to a work trip than a house-hunting trip. The bottom, however, is a ferry dock! Anyone searching for a house in a new area would certainly take an excited picture of the place they arrived from. Given that, it is clear Tony was looking for a house in Vancouver, which we correctly submitted as our answer⁵.

Job Search - 20 points

What possible new job was Tony looking at?

To be honest, I struggled to find a way to answer this wrongly. Browser searches are such an integral and important part of any case that there’s really no way to even accidentally solve this the wrong way⁶. Just submit “Ship Captain” and be done with it.

Wallet ID - 20 points

Whats the Crypto Wallet ID?

Never, ever, ignore a device’s clipboard, it contains rich information. Don’t believe me? Open a new tweet and paste whatever is in your clipboard right now. Uncomfortable, right?

So how does one make use of the Android clipboard? The easiest method I’d found⁷ is to use adb to copy the files to my forensic Android and do a “long press” on any text input to see what was on their clipboard.

[notta@cuppa Dump]$ adb push data/clipboard/ /data/clipboard/

Once you’ve used adb to push the data, open any app that has text input and “long press” on the text input field. Click on the ‘Clipboard’ text that pops up and you will see not just your clipboard entries, but also the entries from Tony’s phone. You will see he had a clipboard screenshot of the Mycelium screen, and two clipboard entries containing the wallet ID. At this point, you can paste the wallet ID (33wnUqRbPT49Z6c7Mkc3PojBHAJEZuacao) into an email and email it to yourself for entry into the CTF⁸.

Name - 20 points

What is Scurvy’s real name? (Given name only)

Seriously? Anyone that is participating in this CTF who didn’t immediately try Paul did not check out the Twitter announcements enough ⁹.

Auto Join WiFi - 50 points

Was Auto Join enabled on CSIS? (Please note you only get one attempt)

Who connects to a network and disables Android’s hope of automatically connecting? No one. Therefore, we guessed the answer was “yes” and were correct¹⁰.

WiFi Password - 100 points

What was the password for the Network of CSIS Mesh?

Again, I will heavily caution this answer is in jest. You will face rate limiting or simple flag maximum wrong answers if you try to brute force this answer. My answer is fairly intentionally not quite complete to prevent anyone from accidentally doing it.

The easiest way to answer this question is using the ctfd API. When you log into the CTFd control panel, click on “Settings” in the upper right and then “Access Tokens”. This lets you generate an API token, set the time to something way in the future and generate the code. With that access key, we can use curl to identify the challenge ID of the question and then curl again to try a “few” submissions.

[notta@cuppa Dump]$ curl -X GET https://cellebrite.ctfd.io/api/v1/challenges

{
  "success": true,
  "data": [
    ... [snip]
    {
      "id": 11,
      "type": "standard",
      "name": "WiFi Password",
      "value": 100,
      "category": "Tony Mederos",
      "tags": [],
      "template": "/plugins/challenges/assets/view.html",
      "script": "/plugins/challenges/assets/view.js"
    }
  ]
}

[notta@cuppa Dump]$ curl -X POST https://cellebrite.ctfd.io/api/v1/challenges/attempt \
--data "{'challenge_id': 11, 'submission': 'P@ssword'}" -H "accept: application/json"

404 Error

While the above answer didn’t work, it is now incredibly scriptable, so we just find our favorite WiFi password list, use the same while loop as before, and let it rip!

[notta@cuppa Dump]$ cat /usr/share/wordlists/rockyou.txt \
| while read password; do \
curl -X POST https://cellebrite.ctfd.io/api/v1/challenges/attempt \
--data "{'challenge_id': 11, 'submission': '$password'}" -H "accept: application/json" \
&& echo $password; \
done

abcdef1234

Clearly, “abcdef1234” is the answer¹¹!

Seriously, I cannot stress enough that the above is a fictious methodology, do not do this

Conclusion

This post is just meant for a little fun, but it was an interesting thought process to find ways to answer the questions which are outside of the norms. For some answers, it was way too hard to do, showing how important specific artifacts, especially browser behavior, can be. For others, looking at more files in the extraction gave us clues we would have otherwise ignored, such as the Ferry Dock picture. As a final reminder, everything above this block was bad methodology, although the answers are all correct. If you want to see the actual methodology, see the footnotes below.

Footnotes