Magnet Virtual Summit 2025 CTF - Chromebook
Evidence: image4.tgz
Plugging away - 5 points
Question: What was the most recent battery level recorded by the Chromebook?
Sometimes doing a keyword search across the evidence directly can lead you quickly to the answer. If you look for “battery level” you’ll find a bunch of files with the title “fwupd” in them. The latest log shouldn’t have a number appended and should have the latest modified timestamp.
Figure 1: fwupd.log
These are found in the \var\log folder. If you open up the latest file you can see that the battery level was 86.
Figure 2: fwupd.log contents
Verified by professionals - 5 points
Question: What is the vendor ID for the touchpad?
This is another one you can reach by keyword search. If you search for “touchpad” near “vendor”, there is a file at the following path:
\var\cache\hardware_verifier.result
Inside you can see the vendor ID here is 1267.
Figure 3: Vendor ID for touchpad in hardware_verifier.result
Feeling: Connected - 5 points
Question: What was the IP address of the Chromebook?
There are multiple files found at the path that could include network information:
\var\log\net.*log
In net.1.log we can see multiple IPv4 address leases for IP 172.19.70.25.
Figure 4: IP info in net.1.log
You used to call me on my cell phone - 5 points
Question: What number is stored in contacts? Format: +X (XXX) XXX-XXXX
Similar to Android, there is a contacts2.db that contains contact information for the device. It lives at path:
\home\root\2bf8ce8f9e4afef8b6f08991553f783299bf8747\android-data\data\data\com.android.providers.contacts\databases\contacts2.db
In AXIOM we can see that only one number was stored. It was for Mary, and it was +1 (802) 829-2741.
Figure 5: Contacts2.db contact
Just five more minutes - 10 points
Question: How was the device most commonly woken up?
CLEAPP parses this information via the Chrome OS Event log report. If you filter notice by “Wake Source” you can see that the Power Button had the slight edge in being the more common way the device was woken over RTC Alarm.
Figure 6: Wake Source from eventlog.txt report from CLEAPP grouped in Timeline Explorer
Figure 7: CLEAPP Chrome OS Event Log report
They'll hire anyone these days - 10 points
Question: How many months was Mary employed with her company?
A quick search for “resume” leads you to Mary’s resume at the path:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\MyFiles\Downloads\marysresume.pdf
If you do the math, she has been at her current job for 21 or 22 months, depending on whether you counted the first month. We accepted both answers.
Figure 8: Mary’s resume PDF
A dip in website traffic - 10 points
Question: When did the user first interact with a fanfiction website? (UTC) Format: YYYY-MM-DD HH:MM:SS
The hint here was “dip”, which stands for DIPS (Detect Incidental Party State), a database file that is part of the Chrome folder. We can find the file at path:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\DIPS
If we open it with DB Browser for SQLite and go to the “bounces” table we see an entry for fanfiction.net.
Figure 9: fanfiction.net entry in DIPS
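To turn the raw value in the “bounces” row into the UTC format the question asks for, here is an added example (not part of the original write-up). It assumes the table uses Chromium's first_user_interaction_time and last_user_interaction_time columns and stores times as microseconds since 1601-01-01 UTC; the sample rows are constructed, not taken from the evidence.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: DIPS times are microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Return 'YYYY-MM-DD HH:MM:SS' in UTC, or None when the field is unset."""
    if not value:  # NULL or 0 means the event was never recorded
        return None
    moment = WEBKIT_EPOCH + timedelta(microseconds=int(value))
    return moment.strftime("%Y-%m-%d %H:%M:%S")

def first_interaction(conn, site):
    """Look up one site in the bounces table and decode its interaction times."""
    row = conn.execute(
        "SELECT first_user_interaction_time, last_user_interaction_time "
        "FROM bounces WHERE site = ?", (site,)).fetchone()
    if row is None:
        return None  # the site has no row at all
    return {"first": webkit_to_utc(row[0]), "last": webkit_to_utc(row[1])}

def build_sample():
    """Constructed stand-in for the DIPS file; values are not from the evidence."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bounces (site TEXT PRIMARY KEY, "
                 "first_user_interaction_time INTEGER, "
                 "last_user_interaction_time INTEGER)")
    conn.executemany("INSERT INTO bounces VALUES (?, ?, ?)", [
        ("example.test", 13350000000000000, 13350000090500000),
        ("tracker.test", None, None),  # bounced through, never interacted with
    ])
    return conn

if __name__ == "__main__":
    print(first_interaction(build_sample(), "example.test"))
```

A row with empty interaction columns means the site only appeared as a bounce or storage access, which is not the same as the user interacting with it.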
I got logged out - 10 points
Question: What string was autofilled the most?
Just like Android, this also has autofill information in the Web Data file located at:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\Web Data
Opening in DB Browser for SQLite we can see that “ruthonthego98@gmail.com” was used the most.
Figure 10: Web Data autofill table in DB Browser for SQLite
I definitely need new shoes - 10 points
Question: What is the size of Ruth's advertisement in bytes?
If you do a keyword search for “advertisement” there is a hit on Ruth’s download folder for an image of a comfort shoe.
Figure 11: Flopper ad in downloads
The image was 373,228 bytes. The source path was:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\MyFiles\Downloads\New Marketing Folder\Flopper Advertisement.jpeg
A for Anonymous - 10 points
Question: What TV show does Ruth have an interest in?
Web history can be found in the History file at:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\History
There were multiple entries of URL visits looking for Pretty Little Liars related things.
Figure 12: History file URLs in DB Browser for SQLite
How'd your mic get so crispy? - 10 points
Question: What is the version of the noise suppression software?
If you do a Google search for “noise suppression software” you see a top hit for Krisp.
Figure 13: Google search for “noise suppression software”
Nestled deep in the folder structure is an asset pack folder for Krisp which has some more subfolders leading you to a properties.dat file at path:
\home\root\2bf8ce8f9e4afef8b6f08991553f783299bf8747\android-data\data\data\com.discord\files\assetpacks\krisp\253018\253018\_metadata\properties.dat
Here we can see that the version was tagged as 253018.
Figure 14: properties.dat for Krisp
The start of an addiction - 25 points
Question: What date was the game installed on the system? YYYY-MM-DD
There was only one game app installed on the device and that was Clash Royale. Using CLEAPP on the ARC App List report we can see it was installed on 2024-11-16.
Figure 15: ARC App List report via CLEAPP
This is pulled from:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\Preferences
You're so predictable - 25 points
Question: What is the ID of the URL with the most number of hits?
Chrome has a database that tracks and tries to predict what you are searching for by character, collecting info on hits and misses. I wrote a blog about it some time ago.
The file can be found at:
\home\user\2bf8ce8f9e4afef8b6f08991553f783299bf8747\Network Action Predictor
Opening in DB Browser for SQLite and navigating to the “network_action_predictor” table, we can sort the “number_of_hits” column. There was only one entry that had 2 hits, takeout.google.com, and its ID was 472a3434-8989-4133-b94a-5151333e6743.
Figure 16: Network Action Predictor in DB Browser for SQLite
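The “sort by the counter column” step used for both the Web Data autofill table and the Network Action Predictor table can be scripted so that ties are not missed and the exported file is never written to. This is an added example, not part of the original write-up; the autofill column names (value, count) are assumed from Chrome's schema, and the sample rows are constructed.

```python
import os
import sqlite3
from pathlib import Path

# Table -> (label column, counter column) in the two Chrome databases.
RANKED = {
    "autofill": ("value", "count"),                        # Web Data (assumed columns)
    "network_action_predictor": ("id", "number_of_hits"),  # Network Action Predictor
}

def open_evidence(path):
    """Open read-only and immutable so SQLite cannot write to the exported copy."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)

def most_used(conn, table):
    """Return every (label, counter) row tied for the highest counter."""
    label, counter = RANKED[table]  # fixed identifiers, never user input
    return conn.execute(
        f'SELECT "{label}", "{counter}" FROM "{table}" '
        f'WHERE "{counter}" = (SELECT MAX("{counter}") FROM "{table}") '
        f'ORDER BY "{label}"').fetchall()

def build_sample(directory):
    """Constructed stand-in; both tables share one file only to keep this short."""
    path = os.path.join(directory, "Web Data")  # space in name is handled by as_uri()
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE autofill (name TEXT, value TEXT, count INTEGER)")
    conn.executemany("INSERT INTO autofill VALUES (?, ?, ?)", [
        ("email", "user@example.test", 7),
        ("email", "other@example.test", 7),  # deliberate tie
        ("q", "comfort shoes", 2),
    ])
    conn.execute("CREATE TABLE network_action_predictor "
                 "(id TEXT, user_text TEXT, url TEXT, number_of_hits INTEGER)")
    conn.executemany("INSERT INTO network_action_predictor VALUES (?, ?, ?, ?)", [
        ("id-0001", "exa", "https://example.test/", 2),
        ("id-0002", "oth", "https://other.test/", 0),
    ])
    conn.commit()
    conn.close()
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        conn = open_evidence(build_sample(tmp))
        for table in RANKED:
            print(table, most_used(conn, table))
        conn.close()
```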
IOC approved - 50 points
Question: What is the name of the current champion of the sport Ruth was trying to learn?
Back to Chrome history, we see some activity on URLs related to speed walking.
Figure 17: Speed walking related URLs from Chrome History
If you do a Google search for “speed walking champion” we can see that Jiayu Yang is currently the women’s champion.
Figure 18: Women’s champion in speed walking
The Devils are pretty good this year - 50 points
Question: What region had the lowest latency for Discord?
Inside the Discord app folder if you do a keyword search for “latency” you will hit on a handful of files. The one of interest is called “discord-webrtc_0” found at path:
\home\root\2bf8ce8f9e4afef8b6f08991553f783299bf8747\android-data\data\data\com.discord\files\discord-webrtc_0
If you scroll to the bottom of the file we get latency speeds for different regions, with Newark having the lowest. The clue was “Devils”, as the New Jersey Devils are in Newark.
Figure 19: discord-webrtc_0 file
All of my work is gone! - 75 points
Question: How many shirts are in the ad?
Can we get any more vague for a high point question? Probably not but here we are. We know previously that there was an image advertisement in the Downloads folder but also there was an encrypted 7zip folder called “Marketing Advertisements”. Viewing metadata we see there are two files inside, one called “TypeShirt_Ad.jpeg”, guess that’s our file.
Figure 20: Inside of Marketing Advertisements.7z
The password actually came from the “DAdataTA” question from Windows. If you solved the steghide you had to reuse the answer as the password here, which was “marywuzhere”. After doing so you could view the image and see there were 8 shirts in this wonderful AI advertisement.
Figure 21: TypeShirt_Ad.jpeg