Tags: ios logs forensics 

Rating:

**Description**

> Have fun digging through that one. No device needed.
>
> Note: the flag is not in flag{} format
>
> HINT: the flag is literally a hex string. Put the hex string in the flag submission box
>
> Update (09/15 11:45 AM EST) - Point of the challenge has been raised to 300
>
> Update Sun 9:09 AM: its a hex string guys

**Files provided**

- [`com.yourcompany.whyos_4.2.0-28debug_iphoneos-arm.deb`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/whyos-app.deb)
- [`console.log`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/whyos-log.zip)

**Solution**

We are given an iOS app (or part of it perhaps), and a console log from an iOS device where the flag can presumably be located. The app itself seems pretty lacking, but we can see that it adds itself into the Preferences / Settings application. Our task is then to somehow find the flag in the console log.

The flag for this challenge is not in the `flag{...}` format, so a simple `grep` would not work. We do know that it is a hexadecimal string, but this is not extremely useful, given that the log file contains thousands of hexadecimal strings.

After searching the log manually for some time without much success, I decided to make the job a bit easier by separating the log entries into different files based on which application produced them. Each message has a simple format:

...
default 19:11:39.936008 -0400 sharingd TTF: Problem flags changed: 0x0 < >, AirPlay no
default 19:11:39.944252 -0400 SpringBoard WIFI PICKER [com.apple.Preferences]: isProcessLaunch: 0, isForegroundActivation: 1, isForegroundDeactivation: 0
default 19:11:39.944405 -0400 symptomsd 36246 com.apple.Preferences: ForegroundRunning (most elevated: ForegroundRunning)
default 19:11:39.945559 -0400 SpringBoard SBLockScreenManager - Removing a wallet pre-arm disable assertion for reason: Setup
default 19:11:39.945609 -0400 SpringBoard SBLockScreenManager - Removing a wallet pre-arm disable assertion for reason: Device blocked
...

The format being `<severity level> <timestamp> <source application> <message>`.

([Full separator script here](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/scripts/WhyOS.hx))

The individual program logs were much easier to parse, since individually they contained a lot of repeating messages that would presumably not show the flag. Eventually I got to the Preferences app and found the flag among these lines:

...
default 19:11:45.660046 -0400 Preferences feedback engine <_UIFeedbackSystemSoundEngine: 0x1d42a0ea0: state=4, numberOfClients=0, prewarmCount=0, _isSuspended=0> state changed: Running -> Inactive
default 19:11:46.580029 -0400 Preferences viewDidLoad "<private>"
default 19:12:18.884704 -0400 Preferences ca3412b55940568c5b10a616fa7b855e
default 19:12:49.086306 -0400 Preferences Received device state note {uniqueID: <private>, weakSelf: 0x1d02af780}
default 19:12:49.087343 -0400 Preferences Device note {isNearby: 1, isConnected: 0, isCloudConnected: 0, _nearby: 0, _connected: 0, _cloudConnected: 0}
...

It might not be obvious why this should be the flag, but all the other messages produced by the Preferences app made sense, i.e. they had some descriptive text. This hexadecimal string did not have any indication of what it meant, so it was "clearly" the flag.

`ca3412b55940568c5b10a616fa7b855e`

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/README.md#300-forensics--whyos).