TL;DR: Breakdown of our answers to Tony Mederos’s questions from the Cellebrite 2020 CTF using only free, open source tools.
Cellebrite just finished up its first Capture the Flag (CTF) event, running from October 26, 2020 through October 29, 2020. The introductory post about our team’s participation in that event can be found here; it links to many of the free, open-source tools we used and is worth a read to understand the commands you may see below. This post focuses on the questions relating to Tony Mederos and is dedicated to #WrongAnswersOnly.
By this point you’ve seen very similar approaches in our answers for Juan, Ruth, and Rene. You are probably expecting a lot of sqlite3, and maybe stat. This post, however, is written in a bit of jest, and represents ways you might find the answer more creatively than you did. If you’d prefer to read someone’s actual walkthrough using Cellebrite’s commercial tool and clicking the buttons, try this one. If you want to have a laugh and consider outside-the-box thinking, read on.
To be very explicit, this post is purely in jest; do not use these arguments for any real-world cases (other than the footnotes).
Extraction Type - 10 points
What type of extraction is this? (Acronym or Full Wording)
The right answer you find for this question is actually the wrong answer. The right answer, reading the metadata about the extraction, says the type is “FileSystem”.
Clearly the answer is “FileSystem”, but as you try other values you’ll find out the answer that is desired is “Full File System”, which is the name (not the full wording) [1].
Operating System - 10 points
What Android Version is this device running? (enter just numerical value)
Cellebrite generated the data for this event in early to mid-2020, roughly 6 months after Android 10 was released. As Cellebrite is a commercial company and image and branding matters, I would be severely saddened if they did not buy a phone that shipped with the latest OS on it. I submitted “10” as the answer, prepared to leave the question blank if it was wrong [2].
Crypto - 10 points
What is the name of the Crypto Currency application?
This might be easy if I believed that ones and zeros could be money; sadly I don’t and have no crypto currency holdings. Without a starting point for what might be a crypto application, I turned to Google, literally. With just echo, you can quite easily look up the details of any package on the Google Play store and look for keywords. This one-liner does just that, for every entry in /data/data. Forgive me, Google.
How this works is it pipes the output of ls data/data, which is the name of every package since that is how Google sanely stores things, into a while statement. That reads each line and assigns it to the variable package. Inside the while, we first curl the Google Play store, making sure not to display the progress bars (--no-progress-meter) and to only show what matches (-o). That then gets piped into grep where we look case insensitively (-i) for the word “crypto”, since that is what the question wants. We then use && to only run the next command if grep returns successfully. Finally, if grep did return, we echo the package name so we know which to look at.
If I were nice, I’d add a sleep in here. I’d solidly recommend not running this without adding a sleep. Seriously, if you run this on large datasets without adding sleep to it, you might end up on an IP ban list somewhere.
With 8 hits on the word crypto and nothing else matching, I submitted “mycelium” as the answer [3].
Security Patch - 20 points
What Security Patch Level does this device have? (Date Format: MM-DD-YYYY for example: 12-30-2025)
This question was too easy, so we opted instead to answer a better question: What was the original patch level of the device? Everyone knows system/build.prop has the current patch level, but what if you wanted to know every patch level the phone had had? Might it matter that the user skipped a particular update? We thought it might, so we dug into data/data/com.samsung.android.knox.containeragent/databases/knoxusage.db to find every patch level ever.
So, there you go, you can now tell every patch level the phone had [4], and I suppose you could also answer “05-01-2020” as the answer!
Location Location Location - 20 points
Was Tony looking for any houses, if so, in what city?
The answer has to be yes, since if he wasn’t looking for houses this would be an insane wild goose chase (tip for next year, Cellebrite). In order to figure out where he might be looking for houses, we examined his media files, since the current social media trend for any such behavior would be to post copious photos. We looked at the images tracked in /data/data/com.samsung.android.providers.media/databases/media.db and found three potential locations.
Locality           | Place
Gatineau           | 195 Rue Bellehumeur, Gatineau, QC J8T 8H3, Canada
Gatineau           | Masson-Angers, Gatineau, QC, Canada
Mulgrave-et-Derry  | Mulgrave-et-Derry, QC J8L 0C7, Canada
Vancouver          | Aquatic Centre Ferry Dock, Vancouver, BC, Canada
A quick Google search shows that the middle two are towns, but anyone looking in a new area would be more specific in what they take a picture of, as they attempt to be a “regular”. The top is a pub, which speaks more to a work trip than a house-hunting trip. The bottom, however, is a ferry dock! Anyone searching for a house in a new area would certainly take an excited picture of the place they arrived from. Given that, it is clear Tony was looking for a house in Vancouver, which we correctly submitted as our answer [5].
Job Search - 20 points
What possible new job was Tony looking at?
To be honest, I struggled to find a way to answer this wrongly. Browser searches are such an integral and important part of any case that there’s really no way to even accidentally solve this the wrong way [6]. Just submit “Ship Captain” and be done with it.
Wallet ID - 20 points
What’s the Crypto Wallet ID?
Never, ever, ignore a device’s clipboard; it contains rich information. Don’t believe me? Open a new tweet and paste whatever is in your clipboard right now. Uncomfortable, right?
So how does one make use of the Android clipboard? The easiest method I’d found [7] is to use adb to copy the files to my forensic Android and do a “long press” on any text input to see what was on their clipboard.
Once you’ve used adb to push the data, open any app that has text input and “long press” on the text input field. Click on the ‘Clipboard’ text that pops up and you will see not just your clipboard entries, but also the entries from Tony’s phone. You will see he had a clipboard screenshot of the Mycelium screen, and two clipboard entries containing the wallet ID. At this point, you can paste the wallet ID (33wnUqRbPT49Z6c7Mkc3PojBHAJEZuacao) into an email and email it to yourself for entry into the CTF [8].
Name - 20 points
What is Scurvy’s real name? (Given name only)
Auto Join WiFi - 50 points
Was Auto Join enabled on CSIS? (Please note you only get one attempt)
Who connects to a network and disables Android’s hope of automatically connecting? No one. Therefore, we guessed the answer was “yes” and were correct [10].
WiFi Password - 100 points
What was the password for the Network of CSIS Mesh?
Again, I will heavily caution that this answer is in jest. You will face rate limiting, or simply hit the maximum number of wrong answers for the flag, if you try to brute force this answer. My answer is fairly intentionally not quite complete to prevent anyone from accidentally doing it.
The easiest way to answer this question is using the CTFd API. When you log into the CTFd control panel, click on “Settings” in the upper right and then “Access Tokens”. This lets you generate an API token; set the expiry to something way in the future and generate the code. With that access key, we can use curl to identify the challenge ID of the question and then curl again to try a “few” submissions.
While the above answer didn’t work, it is now incredibly scriptable, so we just find our favorite WiFi password list, use the same while loop as before, and let it rip!
Clearly, “abcdef1234” is the answer [11]!
Seriously, I cannot stress enough that the above is a fictitious methodology; do not do this.
This post is just meant for a little fun, but it was an interesting thought process to find ways to answer the questions which are outside of the norms. For some answers, it was way too hard to do, showing how important specific artifacts, especially browser behavior, can be. For others, looking at more files in the extraction gave us clues we would have otherwise ignored, such as the Ferry Dock picture. As a final reminder, everything above this block was bad methodology, although the answers are all correct. If you want to see the actual methodology, see the footnotes below.
[1] Universal_Android\ Access\ Tony\ Mederos.ufd | grep Extraction and guess at the right value.
[2] cat vendor/build.prop | grep -i ro.vendor.build.version.release
[3] The application has “wallet” in the name; this should be obvious when looking at ls /data/data.
[4] cat system/build.prop | grep -r ro.build.version.security_patch
[5] sqlite3 data/data/com.sec.android.app.sbrowser/app_sbrowser/Default/History 'SELECT * FROM android_urls'.
[6] See above.
[7] This is a complete fib, do not do this.
[8] Maybe look at data/data/com.android.providers.telephony/databases/mmssms.db and see if anything jumps out.
[10] Alternately, check out cat data/misc/wifi_share_profile/backup.conf | grep autojoin.
[11] You could try cat data/misc/wifi_share_profile/backup.conf | grep psk