I have never tried anything related to iOS hacking so this was a completely new territory for me. Since I have had some spare hours on a Friday evening I decided to download the zip file and see where Google-fu would take me.
The very first problem was to find the right tool. The backup is password protected but the password was 'password'. There are many tools that are able to handle encrypted backups but almost all of them allow only view access without paying for the full version.
For example Reincubate iPhone Backup Extractor is able to show the contents but lets the user extract only 4 files without paying. Fair enough, we get started with that.
I used DB Browser for SQLite to open these files. Endomondo.db has an interesting trackpoints table.
Earlier we saw reference to the https://gpspointplotter.com/. Let's see what happens if we place these locations on the map. A simple SQL query and then an export to CSV will do the trick.
select lat, lng from trackpoints where lat is not null and lng is not null;
Plotting these values on the map creates some promising results.
Clearly we are on the right track, ha. This is the end of the flag. Let's see what else we are able to pull out from this backup.
There are seven databases for WhatsApp. But this tool allows max 4. By switching to the expert mode you can choose ChatStorage.sqlite.
Again, this is SQLite 3.x database. From ZWAMEDIAITEM table we find ZLATITUDE and ZLONGITUTE. Let's extract those and add them on the map.
Alright, we have the beginning and the end of the flag. But clearly we aren't there yet, a good amount of plots are missing. They must come from the images but with this tool we cannot extract files or their exif data.
Accidentally, I found a way to decrypt the backup file without any purchase. I was checking some other iOS back up tools and tried another alternative. iMyFone D-Back looks somewhat sketchy and asks permissions (I didn't give any). Also, it should not be able to recover any data based on the feature list.
Anyways, let's try "Recover from iTunes Backup". Enter password, select all and hit scan. We see all the photos but we cannot recover them.
Too bad but not really. Because at this point I noticed the iPhone Backup Extractor tool started to show two backups instead of one. And the new one doesn't show the lock icon...
When I started this flag hunt I took a look at the files inside the backup. Basically bunch of folders with two character names like e9 etc and then the file names inside the folder start with those two characters. Basically a single level file nesting. After starting the scan on iMyFone D-Back it created an 'imyfone' folder with the same files inside it. Except decrypted.
Well, that was kind. But how to find all those image files. Time to forget GUI and write some script.
First I flattened the file tree:
Then copied the image files to a separate folder with a little bash script:
Extracted geolocation from the image exif using Python:
The Python script provides a list of latitude and longitude values. Let's add those to the map as well.
The very first problem was to find the right tool. The backup is password protected but the password was 'password'. There are many tools that are able to handle encrypted backups but almost all of them allow only view access without paying for the full version.
For example Reincubate iPhone Backup Extractor is able to show the contents but lets the user extract only 4 files without paying. Fair enough, we get started with that.
So, we can see there is all kinds of data available. Photos, WhatsApp messages and Location data. With this tool we can see the WhatsApp chat log.
There is a reference to https://gpspointplotter.com/ tool, we come back to that later. Scrolling through the chat we are able to see Sports Tracker and Endomondo as well. At this point I had a hunch that the goal is to figure out something based on geolocations. The chat is full of images and locations. Unfortunately, with this tool I cannot extract photos. But I can extract two database files from Endomondo.
$ file endomondo.db
endomondo.db: SQLite 3.x database, last written using SQLite version 3028000
Earlier we saw reference to the https://gpspointplotter.com/. Let's see what happens if we place these locations on the map. A simple SQL query and then an export to CSV will do the trick.
select lat, lng from trackpoints where lat is not null and lng is not null;
Plotting these values on the map creates some promising results.
Clearly we are on the right track, ha. This is the end of the flag. Let's see what else we are able to pull out from this backup.
There are seven databases for WhatsApp. But this tool allows max 4. By switching to the expert mode you can choose ChatStorage.sqlite.
Again, this is SQLite 3.x database. From ZWAMEDIAITEM table we find ZLATITUDE and ZLONGITUTE. Let's extract those and add them on the map.
Alright, we have the beginning and the end of the flag. But clearly we aren't there yet, a good amount of plots are missing. They must come from the images but with this tool we cannot extract files or their exif data.
Accidentally, I found a way to decrypt the backup file without any purchase. I was checking some other iOS back up tools and tried another alternative. iMyFone D-Back looks somewhat sketchy and asks permissions (I didn't give any). Also, it should not be able to recover any data based on the feature list.
Anyways, let's try "Recover from iTunes Backup". Enter password, select all and hit scan. We see all the photos but we cannot recover them.
Too bad but not really. Because at this point I noticed the iPhone Backup Extractor tool started to show two backups instead of one. And the new one doesn't show the lock icon...
When I started this flag hunt I took a look at the files inside the backup. Basically bunch of folders with two character names like e9 etc and then the file names inside the folder start with those two characters. Basically a single level file nesting. After starting the scan on iMyFone D-Back it created an 'imyfone' folder with the same files inside it. Except decrypted.
$ file 0a/0ae68f47be7465c95f6ccd9cb0f66346a30db0f1
0a/0ae68f47be7465c95f6ccd9cb0f66346a30db0f1: data
$ file imyfone/0a/0ae68f47be7465c95f6ccd9cb0f66346a30db0f1
imyfone/0a/0ae68f47be7465c95f6ccd9cb0f66346a30db0f1: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 100x100, frames 3
Well, that was kind. But how to find all those image files. Time to forget GUI and write some script.
First I flattened the file tree:
$ find */** > flatfiles.txt
#!/bin/bash
cat flatfiles.txt | while read line
cat flatfiles.txt | while read line
do
if file $line | grep -q 'image'; then
cp $line /junkyard/images/
fi
done
Extracted geolocation from the image exif using Python:
import sys
import os
from GPSPhoto import gpsphoto
def main():
# This function was taken from EXIF.py to directly handle
# command line arguments.
for filename in os.listdir('/junkyard/images'):
try:
data = gpsphoto.getGPSData('/junkyard/images'+filename)
print(str(data['Latitude'])+","+str(data['Longitude']))
except:
pass
if __name__ == '__main__':
main()
Damn, still missing a bit. Hmm, there must be still some location data somewhere in the database. This com.luongbeta.CompassMap has database.
But instead of using the tool to extract maybe we could do it the hard way. Let's try to find the file ourselves. The manifest.db contains mapping between the fileid and the relative file path. By filtering with the domain we are able to see all the files of the com.luongbeta.CompassMap.
Opening aca1907744109ed0d7776ee4a28ea487e3dfba0c in the DB browser reveals some nice looking locations. Dump and add on the map.
Finally the flag is complete. N1XU{Y0U_F0UND_M3_5H3RL0CK}