Tengu in Colosseum Writeup — Odyssey CTF

a1l4m
Jul 23, 2023


Hi, this is Khaled Allam, also known as a1l4m, and this is a write-up for a forensics challenge from the Odyssey CTF that was enjoyable to do.

Background Image.

Okay, we get a zip file containing a forensic image of an Android device that belongs to someone who joined a human trafficking ring, and we need to investigate it.

Challenge Description

This challenge is a bit unusual for me: it consists of 10 questions, and only after you answer all 10 do you get the flag.

Let’s get into the questions.

In most forensics CTFs, if I have the time, I load the image into Autopsy and then search for common keywords to get an idea of the scenario. In this one, for example, the first question talks about someone who invited the device owner into the human trafficking community, so the names in that question are the first keywords to try.

First Question

We have some keywords to search for here: “Takumi” and “human trafficking”. With those, I got Takumi’s email, the name of Takumi’s boss, and a conversation between them on an app called Slack. Searching for the email address also turns up the Discord app and the Google account that were created with this email.

Now that we have an idea of the scenario, Let’s see the questions one by one.

1. Who invited Takumi to join the illegal Human Trafficking community?
What’s the name of the group/community?
And what’s the name of the first app used to begin the chat conversation?

So, the first question needs the app name, which is either Slack or Discord. Let’s go to the Slack files to see what is going on there.

slack artifacts

Okay, so we can see two database files here, both named after the workspace ID T03EA50JASY (Slack IDs starting with T identify a team/workspace, not a channel). Opening the first one, T03EA50JASY, with any SQLite viewer, we get nothing related to this question, but we do get some valuable data, like the list of all users on the app.

users of slack

There is also org_T03EA50JASY. You may ask how I noticed that one and not the others: simply because it was the biggest file in there.

Checking the messages table there, we get all the juicy stuff. There are a lot of messages; I wish I could show them all to you, as they are honestly fun to read.

messages of slack

So, the messages clearly say that rosse is the one who invited him. Now that we have two of the three parts of the answer (the inviter and the app), we still need the name of the group. Let’s open account_manager to see if it maps the channel IDs to channel names.

Channel name.

And yes, here it is.

So, the first answer will be like: rosse_b34stclub_slack

2. What’s Takumi's email? And what’s the boss's likely name?

We have already seen the email everywhere we looked: “takumi0zaw4@gmail.com”. As for the boss, as noted before, there are only 3 users on Slack: Takumi, Santoku, and the bot.

users of slack

So, submitting Santoku as the boss, this was the answer: takumi0zaw4@gmail.com_santokuabubasa

3. How many channels are there in the first app? Also, what’s the name of the last channel created?

Format: TotalChannels_Name

Ex: 2_this-is-home

You will find all the channels in this file org_T03EA50JASY

Slack channels

There are three public channels and three private chats. The count the question accepts is three, i.e. the public channels.

Checking the creation time of every channel, you will notice that the first one in the listing is the most recently created, which is what we are looking for.

So, the answer will be: 3_selling-muggles-for-fun-profit-not-stack

4. What’s the second application that was used to communicate?

Format: appsname (all LOWERCASE)

Ex: wechat

Well, it is obviously going to be discord, because Discord and Slack are the only chat apps on the device, and in the Slack conversation earlier they talked about moving to Discord.

5. When was the group/server in the second application created?

Format: DD/MM/YYYY_HH:MM:SS (In UTC Format)

This one took me a very long time, and I was not able to get it on my own. I searched everywhere in the Discord artifacts for any mention of the server name, and I even exported the files of my own Discord app and searched them for servers I am already a member of, to see how everything is stored. No luck :(

After that long search I also noticed that server creation logs are not stored in the local files but on the remote side.

So, I contacted the author, and he gave me a hint that this is an old version of Discord. He said exactly: “What would you call an object collection in which Discord represents the users and channels on the current device? There’s a special terminology on this one, especially for Discord itself, as stated in the developer docs”.

I searched for how the old Discord client names its object collections and opened the developer documentation.

developer docs.

You will notice that the Discord API calls a server a guild, not a server. Hmmm.

I had seen this term in the Discord artifacts, at this path.

discord artifacts

Opening this 1 KB file, we get the creation date:

2022-05-05 13:44:59, which in the requested format is 05/05/2022_13:44:59 (the stored timestamp is taken as already being UTC).

6. Who creates a registration system for the illegal Human Trafficking Community?

When I was going through the Discord artifacts, I saw a relatively big file of 6 KB named STORE_MESSAGES_CACHE_V38, so I opened it.

I got a conversation between people about human trafficking.

convo in discord.

From the first message, you will notice that Gopher is the one who built the registration system.

7. What’s the URL for the registration form website that was created by the one who creates the registration system?

The URL was also sent in the conversation, but when submitting it as http://e2d4-2001-448a-2082-27c2-99ee-296d-aa07-9aa2.ngrok.i the platform says it is wrong. Looking at the URL again, the final “o” was cut off in the message: the domain is .ngrok.io, so the URL ends in .ngrok.io.

8. How many user’s trusted domain cache key(s) in the second application?

I did not understand what was meant by “user’s trusted domain cache”, so I tried some numbers, and one of them, three, was correct. Later I found the file com.discord_preferences.xml in the shared_prefs folder, which does contain exactly what we need.

user trusted domains

9. Takumi downloaded an illegal APK that was given by the Boss. The Boss said that apk was zipped and protected with his password that was used before in the registration form website. Our DFIR acquaintance said that the source code of that form was revealed in the second application and the ‘secret code’ refers to the ‘sc’ parameter. What’s the password of the zipped APK file?

Okay, so the question wants the password of the zipped APK, which is the same password that was submitted to the registration page. No problem.

In the second application, Discord, besides the conversation we saw earlier, we also find the source code of the form:

<?php
// Leaked registration-form handler, as recovered from the Discord messages.
// Appends $length random characters from a 62-character alphabet to the key.
function generateRandomString($length = 2) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[mt_rand(0, $charactersLength - 1)];
    }
    return $randomString;
}

if (isset($_POST['submit'])) {
    if ($_POST['username'] != "") {
        $username = $_POST['username'];
    }
    if ($_POST['password'] != "") {
        $password = $_POST['password'];
    }
    if ($_POST['sc'] != "") {
        $sc = $_POST['sc'];
    }
    // RC4 "encryption" of the password, keyed by the secret code plus only two random characters.
    // openssl_encrypt() returns base64 by default, and that base64 string is what lands in the cookie.
    $enc = openssl_encrypt($password, "rc4", $sc . generateRandomString());
    setcookie('username', $username, time() + (86400 * 30), "/");
    setcookie('guid_usr', $enc, time() + (86400 * 30), "/");
    header("Location: ./success.php");
}
?>

The lines after the input handling tell us how the password is stored:

the password is encrypted with RC4 using a key made of the sc parameter followed by two random characters from a 62-character alphabet. That is only 62² = 3844 possible keys, which is trivial to brute-force. openssl_encrypt() returns the ciphertext base64-encoded, and that value is stored in a cookie named guid_usr.

We need two things now: the sc parameter and the cookie. The sc parameter is in the messages on Discord.

secret code.

The cookie is located in the web artifacts (the browser’s cookies file), or you can just search in Autopsy for guid_usr; you will find the cookie in multiple places, not just in the web artifacts.

Parameter: sc=h4y4bus40123

Cookie: guid_usr=gtxW8xfAR8Z104vQMReszigljkiKlZ5IXUr0I%2Bbd7LoT2g%3D%3D

Note that the cookie value is URL-encoded by setcookie(): %2B is “+” and %3D%3D is “==”, so the actual base64 ciphertext is gtxW8xfAR8Z104vQMReszigljkiKlZ5IXUr0I+bd7LoT2g== (48 base64 characters, i.e. 34 bytes, the length of the plaintext, since RC4 is a stream cipher with no padding).

So, all we need now is to brute-force the 2 random characters. My teammate Ossama Yasser created this script.

<?php
// Brute-force the two random characters appended to the known sc parameter.
// Only decryptions consisting of printable ASCII are reported: a wrong RC4 key
// yields random bytes, which practically never pass this check for a 34-byte plaintext.
function isPrintableAscii($string) {
    if ($string === false || $string === '') {
        return false; // openssl_decrypt() failed or returned nothing
    }
    for ($i = 0; $i < strlen($string); $i++) {
        $asciiValue = ord($string[$i]);
        if ($asciiValue < 32 || $asciiValue > 126) {
            return false; // control or non-ASCII byte
        }
    }
    return true; // all characters are printable ASCII
}

function bruteForceTwoCharacters($characters, $ciphertext, $sc) {
    foreach ($characters as $char1) {
        foreach ($characters as $char2) {
            $combination = $char1 . $char2;
            $enc = openssl_decrypt($ciphertext, "rc4", $sc . $combination);
            if (isPrintableAscii($enc)) {
                echo "key suffix $combination -> $enc\n";
            }
        }
    }
}

// rc4 lives in OpenSSL 3's legacy provider; bail out early if this PHP build cannot use it.
if (!in_array('rc4', openssl_get_cipher_methods(), true)) {
    die("rc4 is not available in this OpenSSL build (enable the legacy provider)\n");
}

// The cookie value, URL-decoded (%2B -> +, %3D%3D -> ==); openssl_decrypt() expects base64 input by default.
$ciphertext = urldecode("gtxW8xfAR8Z104vQMReszigljkiKlZ5IXUr0I%2Bbd7LoT2g%3D%3D");
$sc = "h4y4bus40123";
// The same alphabet the form used in generateRandomString().
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

bruteForceTwoCharacters(str_split($characters), $ciphertext, $sc);

which gave us this output: th!s_1z_a_v3ry_Unc3nZureD_p4$$w0rd
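As a cross-check that does not depend on OpenSSL still shipping RC4 (OpenSSL 3 moved rc4 into the legacy provider, so openssl_decrypt() returns false on many current PHP builds), here is the same attack in Python with RC4 implemented by hand. This is an added example, not code from the write-up or from my teammate. It assumes PHP's documented openssl_encrypt() behaviour of NUL-padding a passphrase shorter than the cipher's key size (16 bytes for rc4) before keying the cipher; the demo password in the self-check and the helper names are my own. The sc value and cookie are the ones recovered above.

```python
# Added example (not part of the original write-up): offline brute-force of the
# two-character key suffix used by the leaked registration form, with RC4 done
# by hand so it runs without OpenSSL's legacy provider.
import base64
import random
import string
import urllib.parse

# Same 62-character alphabet as generateRandomString() in the PHP form.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
# Assumption: EVP_rc4() has a 16-byte key and PHP NUL-pads a shorter passphrase to it.
PHP_RC4_KEY_LEN = 16


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def php_rc4_key(passphrase: str) -> bytes:
    """Mimic PHP openssl_encrypt(): NUL-pad a short passphrase to the cipher's key length."""
    return passphrase.encode().ljust(PHP_RC4_KEY_LEN, b"\x00")


def make_guid_usr_cookie(password: str, sc: str, suffix: str) -> str:
    """Server side, as in the leaked PHP: rc4(password, sc . suffix), base64, URL-encoded by setcookie()."""
    ct = rc4(php_rc4_key(sc + suffix), password.encode())
    return urllib.parse.quote(base64.b64encode(ct).decode(), safe="")


def looks_like_password(pt: bytes) -> bool:
    """Discriminator: every byte printable ASCII. Random bytes from a wrong key
    fail this with overwhelming probability once the plaintext is a few dozen bytes."""
    return all(0x20 <= b < 0x7F for b in pt)


def brute_force_guid_usr(cookie_value: str, sc: str):
    """Try all 62^2 suffixes; return (suffix, plaintext) for the first printable decryption, else None."""
    ct = base64.b64decode(urllib.parse.unquote(cookie_value))
    for a in ALPHABET:
        for b in ALPHABET:
            pt = rc4(php_rc4_key(sc + a + b), ct)
            if looks_like_password(pt):
                return a + b, pt.decode("ascii")
    return None


# Values recovered from the image (sc from the Discord messages, cookie from the browser artifacts).
SC = "h4y4bus40123"
COOKIE = "gtxW8xfAR8Z104vQMReszigljkiKlZ5IXUr0I%2Bbd7LoT2g%3D%3D"

if __name__ == "__main__":
    # Constructed self-check: encrypt a made-up password with a random suffix, then recover it.
    suffix = "".join(random.choice(ALPHABET) for _ in range(2))
    cookie = make_guid_usr_cookie("demo-p4ssw0rd_for_the_added_example", SC, suffix)
    print(brute_force_guid_usr(cookie, SC))
    # The real cookie from the image:
    print(brute_force_guid_usr(COOKIE, SC))
```

The printable-ASCII filter is stricter than the original script's “byte < 128” test, which would also accept control characters; with a 34-byte plaintext either filter leaves essentially no false positives among the 3844 candidates, but the stricter one is the better default when the plaintext is shorter. If the recovered text from the real cookie looks like garbage on your setup, compare against openssl_decrypt() on a PHP build with rc4 available: the only moving part is the key-padding assumption.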

10. The boss gave Takumi a website link containing text-based information regarding the cash-flow spending of the community and the potential next volunteers who are willing to be sold. Luckily he already read the content and ARCHIVED it. How many volunteers come from the United States (US)?

We saw the archived content earlier, in the file T03EA50JASY.

volunteers.

The answer will be two.

After submitting all of the answers, you get the flag: “flag{y0u_defeated_th3_ten9u_droid}”

Hope you like it, and if you have questions, you can contact me on LinkedIn.
