Magnet CTF 2022 iOS Writeup

Hunjison · April 4, 2023

Digital Forensics


Overview

  • CTF published by Magnet in 2022
  • Analysis questions on an iOS 15 image
  • Provided image: extraction produced with a GrayShift tool
  • Question list
    • How many items were on Patrick’s shopping list?
    • What was the last position of the phone? Format: XX.XXXX, -XX.XXXX
    • When was the last reboot performed? Format: YYYY-MM-DD hh:mm:ss (KST)
    • Which application was uninstalled?
    • What was the content of the message in the last notification received from Reddit?
    • What is the hex code of the color assigned to work events?
    • How many promotion emails were left unread?
    • What is the name of the GIF which was sent to Patrick in a message on Bumble? Answer is three words
    • Which application had the most amount of screentime?
    • What time did Patrick first search for a website that would reveal his IP address? YYYY-MM-DD hh:mm:ss (KST)

Setup

iLEAPP

  • requirements.txt (the platform-specific python-magic-bin pins are replaced with a single python-magic pin)
    # Before
    python-magic==0.4.24; platform_system == "Linux"
    python-magic-bin==0.4.14; platform_system == "Windows"
    python-magic-bin==0.4.14; platform_system == "Darwin"
    
    # After
    python-magic==0.4.24
  • Python version: pyenv → Python 3.9
  • The GUI did not work, so iLEAPP was run from the command line
  • Command
    • python3 ileapp.py -t zip -o /Users/hunjison/Downloads/iLEAPP_output -i /Users/hunjison/Downloads/Jess_CTF_iPhone8/fb028ddefa8af7df5b12d3e729f075d150637a31_files_full.zip
  • Output
    • Report generated correctly (index.html)

Solutions

  1. How many items were on Patrick’s shopping list?

    • Assumed that shopping means a browser or some shopping app was used
      • Searched Safari browser history for keywords such as shopping cart / list, but nothing turned up
      • Tried to identify a relevant app
        • com.alltrails.AllTrails AllTrails: Hike, Bike & Run (X)
        • Nothing in the app snapshots either
      • Maybe I missed something in Safari
      • Found it in Notes
        • Energy drinks, Bread, Hand soup, Birthday card → 4 items
  2. What was the last position of the phone? Format: XX.XXXX, -XX.XXXX

    • fb02...a31.pdf (the extraction report) → the extraction was started 2022-02-14 18:21:48 (UTC) in BFU mode
    • The last position should therefore date from around this time
    • AP.db
      • Looked through com.apple.Maps.GeneralMapsWidget but found nothing useful
    • Looked up location artifacts on the SANS poster
      • /private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
      • Time: 2022-02-14 18:26:03
      • Answer: 38.84412765, -77.28686523 (38.8441, -77.2869 in the requested format)
  3. When was the last reboot performed? Format: YYYY-MM-DD hh:mm:ss (KST)

    • Stumbled on it while browsing the report (Mobile Installation Logs, Apps - Historical)
      • Last reboot: 2022-02-14 11:44:13 (UTC) → 2022-02-14 20:44:13 (UTC+9)
  4. Which application was uninstalled?

    • Found while going through the report menu (Mobile Installation Logs, Apps - Uninstalled)
      • Five package names are listed; a Google search shows they all belong to WeChat
  5. What was the content of the message in the last notification received from Reddit?

    • iOS Notifications, Notifications Duet
      • Kornbread and Jorgeous are still Making Fun of Cynthia's Car Crash…
  6. What is the hex code of the color assigned to work events?

    • Calendar, List
      • #CC73E1FF
  7. How many promotion emails were left unread?

    • Located the mail DB file
    • In label_counts, the smartlabel_promo label has unread_count 23
      • Answer: 23
  8. What is the name of the GIF which was sent to Patrick in a message on Bumble? Answer is three words

    • Bumble - Messages report
      • Thirsty Steve Martin
  9. Which application had the most amount of screentime?

    • Keyboard Application Usage
      • com.apple.springboard, com.hammerandchisel.discord (com.apple.springboard is the home screen itself, so the application is Discord)
  10. What time did Patrick first search for a website that would reveal his IP address? YYYY-MM-DD hh:mm:ss (KST)

    • The IP address has to be revealed by the website that was visited
      • Focused on Safari Browser - History
    • Found history entries for whatismyip.com
      • First search time 2022-01-21 20:42:23 (UTC) → 2022-01-22 05:42:23 (UTC+9), or so I thought...
    • Running that URL through unfurl gives a different result
      • Final answer: 2022-01-16 23:01:22 (UTC+9)
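Two things recur in Q2, Q3 and Q10 above: the timestamps in iOS SQLite artifacts (routined Cache.sqlite, Safari History.db) are Core Data timestamps, seconds since 2001-01-01 UTC rather than Unix epoch, and every answer has to be converted to KST. The added example below (not code from the original writeup, from iLEAPP or from unfurl) does both against constructed in-memory sample rows, pulls the newest location fix and the earliest matching Safari visit, and decodes a timestamp embedded in a URL the way unfurl reports it. The writeup does not show the URL that unfurl was run on; the example assumes a Google search result URL, whose `ei` parameter carries a little-endian Unix timestamp in its first four base64url-decoded bytes. Table and column names follow the real schemas, but only the columns used are created, and all rows, coordinates and the `ei` value are constructed.

```python
"""Core Data timestamps in iOS SQLite artifacts, plus a URL-embedded timestamp.

Added example for this writeup; not code from the original post, iLEAPP or
unfurl.  Every database row and URL below is constructed sample data, not data
from the CTF image.  Table/column names follow com.apple.routined/Cache.sqlite
(ZRTCLLOCATIONMO) and Safari's History.db (history_items / history_visits), but
only the columns used here are created.
"""
from __future__ import annotations

import base64
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Core Data / Cocoa dates are seconds since 2001-01-01 00:00:00 UTC,
# i.e. Unix epoch + 978307200.
COCOA_EPOCH_OFFSET = 978_307_200
KST = timezone(timedelta(hours=9))


def cocoa_to_utc(ts: float) -> datetime:
    """Core Data timestamp -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=timezone.utc)


def fmt_kst(dt: datetime) -> str:
    """Render an aware datetime in the challenge's 'YYYY-MM-DD hh:mm:ss' KST form."""
    return dt.astimezone(KST).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db() -> sqlite3.Connection:
    """Constructed rows mimicking both artifacts, with raw Core Data timestamps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZRTCLLOCATIONMO (
            ZTIMESTAMP REAL, ZLATITUDE REAL, ZLONGITUDE REAL, ZHORIZONTALACCURACY REAL);
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (
            id INTEGER PRIMARY KEY, history_item INTEGER, visit_time REAL, title TEXT);
    """)
    conn.executemany("INSERT INTO ZRTCLLOCATIONMO VALUES (?, ?, ?, ?)", [
        (666555000.0, 38.8430, -77.2900, 65.0),          # 2022-02-14 18:10:00 UTC
        (666555963.0, 38.84412765, -77.28686523, 35.0),  # 2022-02-14 18:26:03 UTC
    ])
    conn.executemany("INSERT INTO history_items VALUES (?, ?)", [
        (1, "https://www.whatismyip.com/"),
        (2, "https://www.reddit.com/"),
    ])
    conn.executemany("INSERT INTO history_visits VALUES (?, ?, ?, ?)", [
        (1, 1, 664490543.0, "What Is My IP?"),  # 2022-01-21 20:42:23 UTC
        (2, 1, 665402400.0, "What Is My IP?"),  # 2022-02-01 10:00:00 UTC, a later revisit
        (3, 2, 665400000.0, "reddit"),
    ])
    return conn


def last_position(conn: sqlite3.Connection) -> tuple[str, str]:
    """Newest routined fix -> ('XX.XXXX, -XX.XXXX', KST time), as the challenge asks."""
    ts, lat, lon = conn.execute(
        "SELECT ZTIMESTAMP, ZLATITUDE, ZLONGITUDE FROM ZRTCLLOCATIONMO "
        "ORDER BY ZTIMESTAMP DESC LIMIT 1"
    ).fetchone()
    return f"{lat:.4f}, {lon:.4f}", fmt_kst(cocoa_to_utc(ts))


def first_visit_matching(conn: sqlite3.Connection, needle: str) -> tuple[str, str] | None:
    """Earliest Safari visit whose URL contains `needle` (MIN, because the question asks 'first')."""
    url, ts = conn.execute(
        "SELECT i.url, MIN(v.visit_time) FROM history_visits v "
        "JOIN history_items i ON v.history_item = i.id WHERE i.url LIKE ?",
        (f"%{needle}%",),
    ).fetchone()
    if ts is None:
        return None
    return url, fmt_kst(cocoa_to_utc(ts))


def decode_google_ei(url: str) -> datetime | None:
    """Timestamp embedded in a Google search URL's `ei` parameter (what unfurl surfaces).

    `ei` is unpadded base64url; its first four bytes are a little-endian Unix
    timestamp of when the results page was generated, which can predate the
    Safari visit record that points at the same URL.
    """
    ei = parse_qs(urlparse(url).query).get("ei")
    if not ei:
        return None
    raw = base64.urlsafe_b64decode(ei[0] + "=" * (-len(ei[0]) % 4))
    return datetime.fromtimestamp(int.from_bytes(raw[:4], "little"), tz=timezone.utc)


# Constructed URL (assumption: a Google search URL); its ei encodes 2022-01-16 14:01:22 UTC.
SAMPLE_SEARCH_URL = "https://www.google.com/search?q=whatismyip&ei=MiXkYZqPCwA"

if __name__ == "__main__":
    db = build_sample_db()
    print("last position:", last_position(db))
    print("first whatismyip visit:", first_visit_matching(db, "whatismyip"))
    print("ei timestamp (KST):", fmt_kst(decode_google_ei(SAMPLE_SEARCH_URL)))
```

Against a real extraction, point `sqlite3.connect` at the copied Cache.sqlite / History.db instead of the constructed tables; the queries and conversions are unchanged. The `ei` decode only applies if the URL in the history record really is a Google search URL, which is why that part is an assumption here.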