Magnet Weekly CTF — Week 3

JR
Oct 28, 2020

Trying my hand at this blogging thing. I’ve enjoyed the weekly CTFs that Magnet has been putting on. I found this week pretty interesting and I don’t think I would have figured it out had it not been for the hint dropped in the weekly webcast.

Cargo Hold

The question asked “Which exit did the device user pass by that could have been taken for Cargo?”

I originally spent a bit of time looking around the Google Maps application databases with little luck.

Eventually, and based on the webinar hint, I was led to look for images that were named MVIMG###.jpg. So I found a few in the /data/media/0/DCIM/Camera folder:

So in the webinar, it was mentioned that these image files have embedded MP4 videos in them. So I busted out my typical carving program Foremost. Nothing. Photorec? Neither. Did some online searching and found “Karver”, still no luck. Ok, time to break out xxd + dd.

OK, so it’s definitely there. Why aren’t my carving tools working?

I tried the below process on a few of the images, but ended up getting the answer using the following image:

MVIMG_20200307_130326.jpg

I hate doing manual calculations, so I used grep to give me the answer I needed:

> grep --byte-offset -a -o ftyp MVIMG_20200307_130326.jpg
1427339:ftyp

The MP4 header is 4 bytes before the “ftyp” string, so I used that to just carve until the end of the file:

dd if=MVIMG_20200307_130326.jpg bs=1427335 skip=1 of=326.mp4

At this point, the video should have played, but for some reason it was giving me issues on my local machine. So I ended up having to convert it using ffmpeg:

ffmpeg -i 326.mp4 326_fixed.mp4

This gave a less than 2 second video in which you could capture the following frame:

Question Ambiguity

I felt the question in this case was a little ambiguous because from the frame above the answer could be:

  • Sor-Gardemoen
  • Gardemoen Vest
  • Kulturpark
  • E16

After talking with one of the admins, they said they were looking for the exit number. However, E16 is a highway name, near the Oslo airport. Exif data confirmed this as the coordinates pointed to the airport terminal. So I tried the string E16 anyways, and that was the accepted answer.

Next Level

This was slightly manual, so I automated a bit of it:

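for f in MVIMG*; do
  # byte offset of the first "ftyp" string in the file
  offset=$(grep --byte-offset -a -o ftyp "$f" | head -n 1 | cut -d':' -f1)
  [ -n "$offset" ] || continue   # no "ftyp" found, nothing to carve
  # the MP4 header starts 4 bytes before "ftyp"
  of=$((offset - 4)); base=$(basename "$f")
  dd if="$f" bs="$of" skip=1 of="/tmp/$base.mp4"
done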
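
An added example (not part of the original post): a Python version of the grep + dd carve above that checks each `ftyp` hit by walking the MP4 box chain to the end of the file, so a stray `ftyp` byte sequence inside the JPEG data is skipped. It assumes, like the dd command, that the video runs to the end of the file; the function names and the sample bytes are constructed for illustration.

```python
import struct, sys
from pathlib import Path

def walk_boxes(data, start):
    """True if MP4 boxes (4-byte size + 4-byte type) chain from start to EOF."""
    pos, end = start, len(data)
    while pos < end:
        if end - pos < 8:
            return False
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        if not all(0x20 <= b < 0x7F for b in btype):
            return False                   # box types are printable ASCII
        if size == 0:                      # size 0: box runs to end of file
            return True
        if size == 1:                      # size 1: 64-bit size follows the type
            if end - pos < 16:
                return False
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            if size < 16:
                return False
        elif size < 8:
            return False
        pos += size
    return pos == end

def find_mp4_offset(data):
    """Offset of the first 'ftyp' box whose box chain reaches EOF, else None."""
    hit = data.find(b"ftyp")
    while hit != -1:
        start = hit - 4                    # box header starts 4 bytes before 'ftyp'
        if start >= 0 and walk_boxes(data, start):
            return start
        hit = data.find(b"ftyp", hit + 1)
    return None

# Constructed sample: fake JPEG bytes with decoy "ftyp" strings, then a tiny MP4.
def _box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

SAMPLE_MP4 = _box(b"ftyp", b"isom\x00\x00\x02\x00isommp42") + _box(b"mdat", b"\x00" * 32)
SAMPLE = b"\xff\xd8\xff\xe1" + b"xxftypxx" * 3 + b"\xff\xd9" + SAMPLE_MP4

if __name__ == "__main__":
    for path in sys.argv[1:]:              # e.g. MVIMG_*.jpg
        data = Path(path).read_bytes()
        off = find_mp4_offset(data)
        if off is not None:
            Path(path + ".mp4").write_bytes(data[off:])
        print(path, "MP4 offset:", off)
```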
