Tablet 1

Description

Red has been acting very sus lately... so I took a backup of their tablet to see if they are hiding something!

It looks like Red has been exfiltrating sensitive data bound for Mira HQ to their own private server. We need to access that server and contain the leak.

NOTE: Both Tablet challenges use the same tablet.tar.gz file.

MD5: f629eec128551cfd69a906e7a29dc162

author: WhiteHoodHacker

Solution

We are provided with a backup of the tablet, tablet.tar.gz.

Overview of the files provided

To make things easier, I used the tool iLEAPP to get an overview of the system.

iLEAPP is an iOS Logs, Events, And Plists Parser. At the time of writing it supports iOS/iPadOS 11, 12, 13 and 14, and it can parse directly from a compressed .tar/.zip file, a decompressed directory, or an iTunes/Finder backup folder.

More details can be found in the iLEAPP repository at https://github.com/abrignoni/iLEAPP.

After running iLEAPP, I am presented with an overview of the tablet's state at the time of the backup.

While browsing the file system, the challenge description gave me some ideas on where to start.

"It looks like Red has been exfiltrating sensitive data bound for Mira HQ to their own private server. We need to access that server and contain the leak."

Red could be using an app to talk to an external server, so I started with the mobile installation logs to see what the user has installed on the system.

Bingo! The user has installed webssh, an SSH client app that lets the user connect to a server over SSH.

Now we have to find the folder that contains the app's data.

After a few Google searches, I learned that we first need the app's bundle ID in order to locate its data container.

The database /private/var/mobile/Library/FrontBoard/applicationState.db keeps track of the installed app bundle IDs together with each app's bundle path and the long alphanumeric (UUID) data container folder where the app keeps its data.

We could have found it manually and opened applicationState.db in a DB browser, but since we are already using iLEAPP, we continue with that.

From this, we can see that the application's data container is located at /private/var/mobile/Containers/Data/Application/AA7DB282-D12B-4FB1-8DD2-F5FEF3E3198B. With that information, we can explore further.

We are now presented with the app's contents and can dig in.
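To make the applicationState.db lookup concrete, here is an added Python example (it is not part of the original writeup and not iLEAPP's code). It builds an in-memory stand-in for the database using the three tables the real file has (application_identifier_tab, key_tab and kvs) and a constructed NSKeyedArchiver-style compatibilityInfo plist whose root object carries bundleIdentifier, bundlePath and sandboxPath. The bundle id com.example.webssh, the bundle path and the archived class name are hypothetical; the sandbox path is the container found above. Run it with a file path (and optionally a bundle id) to query a real applicationState.db instead of the sample.

```python
import plistlib
import sqlite3
import sys

# Constructed sample values: bundle id and bundle path are hypothetical,
# the sandbox path is the one found on this page.
SAMPLE_BUNDLE_ID = "com.example.webssh"
SAMPLE_BUNDLE_PATH = ("/private/var/containers/Bundle/Application/"
                      "11111111-2222-3333-4444-555555555555/WebSSH.app")
SAMPLE_SANDBOX_PATH = ("/private/var/mobile/Containers/Data/Application/"
                       "AA7DB282-D12B-4FB1-8DD2-F5FEF3E3198B")


def keyed_archive(bundle_id, bundle_path, sandbox_path):
    """Build a minimal NSKeyedArchiver-style binary plist, the shape FrontBoard
    stores under the 'compatibilityInfo' key: a flat $objects array in which
    the root object refers to its string fields by UID. The class name below
    is a placeholder, not the real one."""
    archive = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": plistlib.UID(1)},
        "$objects": [
            "$null",
            {"$class": plistlib.UID(5),
             "bundleIdentifier": plistlib.UID(2),
             "bundlePath": plistlib.UID(3),
             "sandboxPath": plistlib.UID(4)},
            bundle_id,
            bundle_path,
            sandbox_path,
            {"$classname": "ExampleCompatibilityInfo",
             "$classes": ["ExampleCompatibilityInfo", "NSObject"]},
        ],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def build_sample_db():
    """In-memory stand-in for applicationState.db with its three real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table application_identifier_tab (id integer primary key, application_identifier text);
        create table key_tab (id integer primary key, key text);
        create table kvs (application_identifier integer, key integer, value blob);
    """)
    conn.execute("insert into application_identifier_tab values (1, ?)", (SAMPLE_BUNDLE_ID,))
    conn.execute("insert into application_identifier_tab values (2, 'com.apple.mobilesafari')")
    conn.execute("insert into key_tab values (1, 'compatibilityInfo')")
    conn.execute("insert into key_tab values (2, 'XBApplicationSnapshotManifest')")
    conn.execute("insert into kvs values (1, 1, ?)",
                 (keyed_archive(SAMPLE_BUNDLE_ID, SAMPLE_BUNDLE_PATH, SAMPLE_SANDBOX_PATH),))
    conn.execute("insert into kvs values (1, 2, ?)", (b"\x00",))  # unrelated key, must be ignored
    conn.commit()
    return conn


def _unarchive(objects, value):
    """Resolve UID references of a keyed archive into plain Python values
    (the compatibilityInfo object is a small acyclic tree, so no cycle check)."""
    if isinstance(value, plistlib.UID):
        return _unarchive(objects, objects[value.data])
    if isinstance(value, dict):
        return {k: _unarchive(objects, v) for k, v in value.items() if k != "$class"}
    if isinstance(value, list):
        return [_unarchive(objects, v) for v in value]
    return value


_QUERY = """select ait.application_identifier, kvs.value from kvs
            join application_identifier_tab ait on ait.id = kvs.application_identifier
            join key_tab kt on kt.id = kvs.key
            where kt.key = 'compatibilityInfo'"""


def compatibility_info(conn, bundle_id):
    """Decoded compatibilityInfo dict for one bundle id, or None if absent."""
    row = conn.execute(_QUERY + " and ait.application_identifier = ?", (bundle_id,)).fetchone()
    if row is None:
        return None
    archive = plistlib.loads(row[1])
    return _unarchive(archive["$objects"], archive["$top"]["root"])


def list_apps(conn):
    """Map every bundle id that has compatibilityInfo to its data container path."""
    result = {}
    for bundle_id, blob in conn.execute(_QUERY):
        archive = plistlib.loads(blob)
        result[bundle_id] = _unarchive(archive["$objects"], archive["$top"]["root"]).get("sandboxPath")
    return result


if __name__ == "__main__":
    # python3 appstate.py [/path/to/applicationState.db] [bundle.id]
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    wanted = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_BUNDLE_ID
    for bid, path in sorted(list_apps(conn).items()):
        print(f"{bid:40} {path}")
    print(compatibility_info(conn, wanted))
```

The join deliberately filters on the key name rather than on a hard-coded key id, because the numeric ids in key_tab are assigned per device and differ between backups.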

After a few minutes of exploring the contents, only one file stood out to me: webssh.db.

Let's open and explore what it contains.

Wow! This looks very useful. At a glance you can tell that the user has connected to red.chal.uiuc.tf over SSH.
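Since the page does not show the schema of webssh.db, here is an added example (mine, not the author's and not the WebSSH app's code) of the generic triage I run on an unknown app database: open it read-only, count rows per table, and flag columns and cell values whose names suggest hosts, users or keys. The connections and settings tables and their rows are constructed stand-ins; the host and username match the page, the private key value is a placeholder.

```python
import sqlite3
import sys
from pathlib import Path


def build_sample_webssh_db():
    """Constructed stand-in for webssh.db (the real schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table connections (id integer primary key, host text, port integer,
                                  username text, private_key text);
        create table settings (name text, value text);
    """)
    conn.execute(
        "insert into connections values (1, 'red.chal.uiuc.tf', 42069, 'red', ?)",
        ("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
         "-----END OPENSSH PRIVATE KEY-----",),
    )
    conn.execute("insert into settings values ('theme', 'dark')")
    conn.commit()
    return conn


def open_readonly(path):
    """Open an evidence database without modifying it. Copy the .db together
    with any -wal and -shm sidecar files first: rows committed since the last
    checkpoint live only in the WAL and are invisible without it."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def _ident(name):
    """Quote a table name taken from sqlite_master as an identifier."""
    return '"' + name.replace('"', '""') + '"'


def table_names(conn):
    return [r[0] for r in conn.execute(
        "select name from sqlite_master where type = 'table' and name not like 'sqlite_%'")]


def row_counts(conn):
    return {t: conn.execute(f"select count(*) from {_ident(t)}").fetchone()[0]
            for t in table_names(conn)}


def find_interesting(conn, needles=("host", "user", "key", "pass", "ssh", "server")):
    """Return (table, column, value) for every cell whose column name or text
    contains one of the needles. BLOBs are decoded leniently so binary keys
    still show their ASCII armour."""
    hits = []
    for table in table_names(conn):
        columns = [c[1] for c in conn.execute(f"pragma table_info({_ident(table)})")]
        for row in conn.execute(f"select * from {_ident(table)}"):
            for col, val in zip(columns, row):
                text = val.decode("utf-8", "replace") if isinstance(val, bytes) else str(val)
                if any(n in col.lower() or n in text.lower() for n in needles):
                    hits.append((table, col, text))
    return hits


if __name__ == "__main__":
    # python3 triage.py [/path/to/webssh.db]
    conn = open_readonly(sys.argv[1]) if len(sys.argv) > 1 else build_sample_webssh_db()
    print(row_counts(conn))
    for table, col, text in find_interesting(conn):
        print(f"{table}.{col}: {text[:60]!r}")
```

On a real container, point it at webssh.db after copying the file and its -wal/-shm neighbours out of the backup, so the most recent connection entries are not missed.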

With that information, I SSHed to the server with the private key I found there:

ssh red@red.chal.uiuc.tf -p 42069 -i /Users/sebastianyii/Desktop/private-key.txt

The server refused an interactive session:

This service allows sftp connections only. Connection to red.chal.uiuc.tf closed.

Since only SFTP is allowed, I used Cyberduck to connect over SFTP instead.

After getting in, I was presented with what looked like an empty /home/red.

I explored further but found nothing interesting, so I suspected Red had hidden some files. Cyberduck does not show dotfiles by default, so I downloaded the folder and ran ls -la locally to check whether any hidden files were really there.

Well, it turns out they were.

I then checked what they contained.

One of the commands in there looked very suspicious to me, so I went back to Cyberduck to look at the /srv/ folder again. Nothing was shown there either, so I downloaded it as well.

Aha! The files in /srv/ were hidden the same way, with a leading dot. I opened them and found the important data.

It turns out to be the flag!

There you go!

flag: uiuctf{upload_task_only_takes_9_seconds_0bf79b}
