VUCyberthon23 CTF Writeups

# VUCyberthon23 CTF Writeups **Phone model and version:** `Flag (model): VU{samsung}` `Flag (vendor): VU{SM-G530FZ}` Writeup: Found the phone details in "system/build.prop" ![](https://i.imgur.com/TKVZ6uO.png) **Whatsapp user and russian contact:** `Flag: VU{Marcus}` `Flag: VU{+3751548766197}` Writeup: Found all contact information in "Contacts". For the russian contact, I searched up the country code, that was +74, and found the phone number. ![](https://i.imgur.com/w0EBh2I.png) ![](https://i.imgur.com/kKqtv3v.png) **ICCID:** `Flag: VU{89370038009021791031}` Writeup: Exported images found on the phone, and one of then had the simcard ICCID on the back ![](https://i.imgur.com/4KjoWTL.jpg) **Bluetooth Mac:** `Flag: VU{E0:99:71:8E:05:D0}` Writeup: Found the MAC adress in efs/bluetooth/bt_addr ![](https://i.imgur.com/pBkbAsP.png) **Android email and user name:** `Flag: VU{Joohnnycash7@gmail.com}` `Flag: VU{John}` Writeup: The email was in the db at data/com.android.email, and the name was found by reading the messages (ref "Hello John, ") ![](https://i.imgur.com/4JTZsST.png) **Tanks video:** `Flag{tanks.mp4}` Writeup: The correct video was in media/downloaded ![](https://i.imgur.com/FkzuePp.png) **Meeting point GPS:** `Flag: VU{54.537718, 25.680509}` Writeup: Got GPS coordinates from finding the image below ![](https://i.imgur.com/iKOvt5i.jpg) **Telegram user:** `Flag: VU{5719323092}` Writeup: The account number was stored in system/sync/accounts.xml ![](https://i.imgur.com/7iH66aZ.png) **Firewall** `Flag: VU{cyberthon23}` Writeup: Looked through the firewall.txt file. Had to format it by removing the NULL bytes, spaces etc. The found a rule with a weird Destination: ``` vk&p{7B3B9D23-2EC9-4C09-8270-06C33618656C}@v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1579|Name=Unit|Desc=Y3liZXJ0aG9uMjM=|mhbin@v2.24|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neu ``` The destinaton name was a base64 string `Desc=Y3liZXJ0aG9uMjM=`, when decoded it gave us the flag `cyberthon23` **Mem dump** I didn't have time to go through the whole memory dump, but i found this on the machine: ![](https://i.imgur.com/FmiGPiA.png) Both the `password.txt` and `VU2023CYBER` files looked interesting. So the flag might have been there, maybe:)) **Plain sight:** `Flag: VU{993440293a8be}` Writeup: Found this image on the deans facebook account ![](https://i.imgur.com/iXAP0GT.png) This looked like the symbol fonts cipher ![](https://i.imgur.com/0JOc5ET.png) Decoded it manually and then decoded from base64 using cyberchef: ![](https://i.imgur.com/gLQaiSj.png)