Hi! This is Jessica Hyde and I am so excited to revisit the Magnet Summit 2022 Capture the Flag contests.
We had so much fun with both the in-person and virtual Capture the Flag events in April and we wanted to share some additional info. One of the best things about the CTFs this year was for us to get a chance to create BRAND NEW forensic images—which we can’t wait to share with the community!
Read on to get:
- Links to the Magnet Summit April 2022 Virtual CTF Android and Windows 11 CTF Images
- Questions from the April 2022 Virtual CTF for those who want to play (and learn)
- Links to write-ups from the community from the Magnet Summit April 2022 Virtual CTF
- A SAVE THE DATE for the virtual play of the in-person Nashville CTF—featuring forensic images new for 2022, including Linux and an iOS 15 Full File System Image!
What Are the Capture the Flag Contests?
CTFs are gamified learning opportunities to test your skills with digital forensics challenges. Forensic images of multiple pieces of evidence are made available to participants along with a variety of challenge questions based on the data sets. Participants can use any tools they like to answer a variety of questions, which range in point value depending on degree of difficulty.
These challenges are designed for all skill levels from novice to advanced and we are really looking forward to sharing new images and questions for 2022.
Magnet Summit April 2022 Virtual CTF Images
We are so excited to announce that we are working to share all the images (20 in total!) that we have created from the Magnet Summit CTFs going back to 2018. More on that to come soon, but for now, we want to first share the images from this year’s Magnet Virtual Summit in April. Feel free to use these to challenge yourself, or to look into new artifacts and research Windows 11:
- Pixel: https://storage.googleapis.com/mvs-2022/Pixel.tar – MD5: 131CF2634BD6907B53D23150D4EA24EA
- HP Image: https://storage.googleapis.com/mvs-2022/HP-Final.zip – MD5: B28EE46B0CD62165D82AE41ED852D3BF
- Takeout: https://storage.googleapis.com/mvs-2022/takeout-20220222T154448Z.zip – MD5: EDF13484D65D499844074AD3315D9F87
Questions From the April 2022 Virtual CTF
We have had multiple requests for the questions since the CTF closed to assist with self-learning, so we’re happy to be able to share the questions here. The Challenge Name often contains clues, and sometimes bad puns.
| Points | Challenge Name | Question |
|---|---|---|
| 5 | If you are looking for an image, it was probably deleted | How many emojis were used in the first snapchat received by the User |
| 5 | ooo so popular! | What snapchat account sent the User the most messages? |
| 5 | BurgLARProof | What Live Action Role Play armor was the user building? |
| 5 | Your charIoT awaits | What was the MAC address of the first IoT device connected? |
| 5 | ID Please | What was the ICCID for the SIM card used with this device? |
| 10 | Keep on Moving | When is Next Vegas Show? Format MM/DD |
| 10 | Starting over | What day was the device factory reset? Format YYYY/MM/DD |
| 10 | Water Water Everywhere | What is the zip code of the location that the image of the water was taken? |
| 10 | Snap Your Fingers | What is the username of the last friend added to the user’s Snapchat? |
| 10 | Never-ending | Podcasts can seem like they drag on forever, how long was Rafael’s longest Podcast? HH:MM:SS |
| 10 | Last 4 | What were the last four digits of the Visa used to purchase the User’s most-used video game? |
| 10 | Expired Milk | What was the earliest expiration date for the user’s guest wifi account? MM-DD-YYYY HH:MM |
| 25 | Hash it out | What hashing algorithm was used for Bumble’s email confirmation email? |
| 25 | Surviving a Snake Bite | What is the name of the YouTube channel that hosts the video that was watched at 10:30 PM EST on Feb 1st? |
| 25 | So tasking | What was the status of the Go grocery shopping list? |
| 50 | A Recent Trick (59) | What is the name of Step 5: Step 4 -? |
| 50 | Bee Sweater (36) | What famous cartoon from the mid 1900s did the user watch a snippet of? |
| 50 | Seeing Through the Trees | What was the last street that Google told the user to turn on to on the way to Sugarbush Mountain? |
| 75 | All Trail Blazer (61) | How many miles were left until Stowe Pinnacle? Format: X.X |

| Points | Challenge Name | Question |
|---|---|---|
| 5 | Never Gonna Give You Up | How many times did Patrick get rick rolled? |
| 5 | r/hobbies | What subreddit did Patrick frequent the most? Format: r/subredditName |
| 5 | Version aversion | What was the version number of ZeroTier that was installed on the system? |
| 10 | Insider Preview | What is the Build Number of the Windows Install? |
| 10 | Nil Layer | What was the ZeroTier Network name? |
| 10 | Crater of Diamonds | When did n30forever “Mine” diamonds? YYYY-MM-DD HH:MM UTC |
| 10 | Punching Wood | How many wood blocks has n30forever mined? |
| kin | Default Skin | What is the SID of the account that was used to create the extra user? |
| 25 | Groundhog Day | Where did n30forever spawn on the most recent logon? Format: x,y,z |
| 50 | Real 2020 Moment | Patrick reports seeing a couple of notifications saying malicious files were found and quarantined. What was the file name of the malicious file that was spawned with the process name starting with the letter S? |
| 50 | 1T5 H4CK1N6 T1M3 | Patrick reports a suspicious console open on his screen. Can you find the full path to the script that caused this? |
| 50 | Philatelists Club | Patrick put a sign outside of his house in his offline survival minecraft world. What did it say? (Combine all lines of sign into 1 flag) |
| 75 | Time 2 Block 0.0.0.0/0 | What is the full address that the backdoor was downloaded into the system from? xxx.xxx.xxx.xxx:xxx/directory/backdoor.extension |
| 75 | Obfuscation Occasion | Locate and extract the file identified in the above question. What is the first function name in the malware? **Caution sample is REAL MALWARE** |
| 100 | Oh Boy Its Time to DCode | It looks like the vba file contains another encoded file. Decode this and provide the time/date stamp located inside the COFF header in UTC. yyyy/mm/dd:HH:MM:SS **Caution sample is REAL MALWARE** |

Egg Hunt (No image necessary!)
| Points | Challenge Name | Question |
|---|---|---|
| 25 | Skip to My Lou | What is the flag found in the message below: |
| 25 | Boxed Crazy Bread | What is the flag found in the message below: |
| 25 | More bits please! | Using the keyword MAGNETVUS, what is the flag found in the message below: |
| 25 | Look in the mirror neo | .y1f07318438d1u0h5338474h7y4w0n51323h7n0c4851941f3h7n01741v4f05w41nw0nk114079n1d20cc4 |
| 25 | OMG They Killed Me | What is the flag found in the image |

One of my favorite parts of the CTF each year is learning how others have solved the challenges. And this year is no exception.
I wanted to share some of the write-ups from the Magnet April 2022 Virtual CTF that we have seen so far. If you are playing these challenges and have write-ups, please share them with us! We can’t wait to see how you solved these and it helps others learn as well.
- Kevin Pagano: https://www.stark4n6.com/2022/05/magnet-virtual-summit-2022-ctf-android.html
- Variable Bytes: https://variablebytes.blogspot.com/2022/05/magnet-summit-2022-virtual-ctf-android.html
- Variable Bytes: https://variablebytes.blogspot.com/2022/05/magnet-summit-2022-virtual-ctf-windows.html
- Blue Monkey 4n6: https://youtu.be/iukmP4PwmJI
- Kevin Pagano: https://www.stark4n6.com/2022/05/magnet-virtual-summit-2022-ctf-egg-hunt.html
- Variable Bytes: https://variablebytes.blogspot.com/2022/05/magnet-summit-2022-virtual-ctf-egg-hunt.html
Winners Of the Magnet Summit CTFs
The CTF competitions were definitely an exciting display of talent! In case you missed the results, here’s who won the in-person competition in Nashville:
- First: Kevin Pagano, @stark4n6, US
- Second: Holly Kennedy, @hollykennedy4n6, US
- Third: Kathryn Hedley, @4enzikat0r, UK
And here’s who won the virtual component:
- First: Mohamad Ridzuan (HTX) from Singapore
- Second: Nikolaos Papadoudis (nickos.pap) from Greece
- Third: Kenny Eu (unstoppable) from Singapore
- First to Finish: Yestine Goh (foundmissing) from Singapore
Save the Date for a Newly Available CTF
And now for the big announcement! We wanted to give EVERYONE the opportunity to play the CTF that was played in Nashville, so we are opening the Nashville CTF for a virtual contest on June 15 from 3:00-6:00PM ET!
This is open to anyone who did not play live in Nashville. And yes, this does mean another round of prizes along with two new images: an iOS 15 Full File System image and a Linux image. I promise this CTF is super fun, so please register here to join in!
I wanted to take a moment to give a great big shout out to the incredible folks from the Champlain Digital Forensics Association: Jordan Kimball, Dylan Navarro, Hayley Froio, and Alayna Cash who I had the distinct privilege to spend time working with to build these CTFs. It was a blast, and they are absolutely incredible folks. Congrats Jordan and Hayley on graduating as part of the Class of 2022!
Good luck, everyone!