2026 MSAB CTF: iOS Questions
Boss makes a dollar, I make a dime (5 Points)
What hourly rate was communicated to Blaise in USD? (Format: nonlabeled integer)
Check Blaise’s emails to find info on a pay stub. The pay rate is mentioned directly in the email.
FLAG
25 OR $25
Is that even legal? (5 Points)
What is the minimum age requirement (in years) for the new job offering?
Check Blaise’s texts to find a message from “Layla from the Glassdoor hiring team”. The end of the message says that the person must be 22 years old.
FLAG
22
Put your elbow into it (5 Points)
What baking action is the first step in making Rainbow Funnel Cakes?
Look through Blaise’s Signal messages to find a recipe he sent to Emily. After the Ingredients section, the first step involves whisking some of the ingredients together.
We accept pretty much any answer that involves “whisk”.
FLAG
whisk OR whisking
Every step you take (5 Points)
During the step sample with the highest step count, what was the duration of that sample in seconds (rounded to the nearest whole second)?
Use iLEAPP to open the Health Steps report and sort by steps to get the Duration.
Round to the nearest whole number.
FLAG
582
National Geod-Graphic (10 Points)
What music entertainment location appears in the final cached map tile entry on the device?
Use iLEAPP to sift through the Map Tile Cache, and find the final one.
The one location here that could be considered “Music Entertainment” is the Boston Bel Canto Opera.
FLAG
Boston Bel Canto Opera
Attachment Artist (10 Points)
What are the pixel dimensions (format: 123x456) of the Rainbow funnel cake mock-up that was sent?
Look through Blaise’s Signal chats until you see a message with an attachment referred to as a mock-up.
Click on the attached image in related artifacts.
Use the resolution from the metadata at the bottom.
FLAG
1170x1463 OR 1463x1170
Metadata (10 Points)
What is the chronologically first confirmation code in an email that was "read" by Blaise?
Search for “code” and filter for emails. In Apple Mail in XAMN there is a “Status” field that shows as “Read” for read emails.
FLAG
45792
Peer Review (10 Points)
What serial number is Blaise's Macbook?
This can be found in iLEAPP’s Trusted Peers Report.
FLAG
P6DY23L4R0
Splash Zone (10 Points)
What is Blaise's favorite coffee shop?
This may take some searching, but the easiest place to find this is in app snapshots. Filter the file name for the pattern */SplashBoard/Snapshots/* to get only these. Scroll until you find what looks like a review for a coffee shop.
Then click on the expand image button for the entry and look at the review text.
FLAG
Blue Bottle Coffee
Coffee and dysentery (10 Points)
What historical event does the picture of the banana relate to?
The first step here is to locate the picture of the banana(s). Luckily, they show up on top after sorting by time.
Looking at the picture itself, nothing really stands out. However, one thing you may notice is that the GPS time seems much more sensible than the other timestamps, which are in 2038 or 1841. This often happens when the timestamp for photos is manipulated in the Apple Photos app. As this is a question about a historical event, the May 1841 date should stand out.
Additionally, there is an address that points to Salem, Oregon.
After doing research and connecting with the challenge name, Coffee and Dysentery, you will see that this connects to the time the Bidwell-Bartleson party left Missouri to be one of the first groups to travel the Oregon Trail.
FLAG
Oregon Trail OR The Oregon Trail
Bilingual (actually) (10 Points)
What languages does Blaise reference when he apologizes to Dorian? (Format: _ and _)
XAMN has a section for displaying identified languages in the main case window. As you search through you will find some false positives, but only one has an actual apology sent to Dorian.
Once you identify this message, you can select the text for the artifact, and if you have the language packs installed, translate inside XAMN. In this message, it references French and Spanish.
FLAG
French and Spanish OR Spanish and French
Dial-A-Song (25 Points)
What band plays as a result of Blaise's second-longest phone call?
XAMN has a category for Calls artifacts; click it and scroll through. The second-longest phone call is 1:55 and is to (844) 387-6962.
You can either call this number yourself and use a service like Shazam to identify the song, or look up the number itself to find information about it.
FLAG
They Might Be Giants
Sneaky, sneaky (25 Points)
What is the address of the fashion event Blaise researched? (Format: local address, city, state, zip)
Use XAMN to filter for Safari and History, and scroll through the results. You should see one that talks about a sneaker convention.
Take a look at the website to find the address:
FLAG
29 Trefoil Drive, Trumbull, Connecticut, 06611
Memory of a Goldfish (25 Points)
On what date was Blaise's version of Fishbrain released? (Format: YYYY-MM-DD)
Look up Fishbrain in the text filter, and filter for only Application Install artifacts. This should yield a result that states the version of Fishbrain.
If you visit the App Store on a computer, you can find the release date of a specific version by clicking on “What’s new”.
FLAG
2025-11-24
Don't record me (25 Points)
Validate a user's recorded complaint about grocery prices by identifying the per-item cost mentioned in the relevant artifact (in USD)
Searching around with normal tools for this question can really throw you for a loop, as the event referred to in the question is not written down anywhere. The hint in the question name is “recorded”, indicating that there is some sort of audio or video recording of the complaint. XAMN displays the transcription of each Apple Voice Memo, so search through those.
There is one that mentions that bananas are $8.21 each where they are.
FLAG
$8.21 OR 8.21
Paint a Scene (25 Points)
Which composer is shown in "Doc 1"?
Doc 1 can be quickly pinned down by searching for “Doc 1” and selecting the documents category. Save this document and open it in an external program.
Save the image as a picture and reverse image search to identify the person.
FLAG
Claude Debussy
Toasty phone (50 Points)
What was the next battery temperature reading after the end of Blaise's first call to Dorian in degrees Fahrenheit? (round to nearest whole number)
Looking at the calls, we can see three go through Apple’s default dialer app and two go through the Wire app.
Find the timestamp for the first call:
Now, find the log that tracks battery temperature. The one for this timespan is /private/var/db/Battery/BDC/BDC_SBC_version2.9_2025-12-01_16:47:01.csv. From here, it’s easiest to open the file in a tool like DB Browser for SQLite and import the CSV.
Make sure to check “Column names in first line”
Then, change the table so that Temperature is of “REAL” type so decimals can be preserved in the next step.
Then, in the browse data section, edit the display format for Temperature to convert it to Fahrenheit.
Then, scroll to the closest timestamp after the call.
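The same lookup can be scripted so it is repeatable. This is an added example, not part of the original write-up: the rows are constructed, and the "TimeStamp" column name, the Celsius units and the assumption that the call end time and the log use the same time zone are all assumptions to check against the real CSV header.

```python
import csv
import io
import math
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows. Only the "Temperature" column is named in the
# write-up; the "TimeStamp" column name and Celsius units are assumptions.
SAMPLE_CSV = """TimeStamp,Temperature
2025-12-01 17:00:05,29.5
2025-12-01 17:00:25,29.8
2025-12-01 17:00:45,30.0
not-a-timestamp,
2025-12-01 17:01:05,30.4
"""

def next_temp_after(csv_text, call_end, ts_col="TimeStamp", temp_col="Temperature"):
    """Return (timestamp, whole degrees F) of the first reading strictly after call_end."""
    end = datetime.strptime(call_end, FMT)
    best = None
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ts = datetime.strptime(row[ts_col], FMT)
            celsius = float(row[temp_col])
        except (KeyError, TypeError, ValueError):
            continue  # skip truncated or malformed rows instead of aborting
        # Do not rely on row order: keep the earliest timestamp past the call end.
        if ts > end and (best is None or ts < best[0]):
            best = (ts, celsius)
    if best is None:
        return None
    fahrenheit = best[1] * 9 / 5 + 32
    return best[0].strftime(FMT), math.floor(fahrenheit + 0.5)  # round half up

if __name__ == "__main__":
    print(next_temp_after(SAMPLE_CSV, "2025-12-01 17:00:30"))
```
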
FLAG
73
Hear no evil, see no evil (50 Points)
At what time UTC did Blaise first provide an alternative communication app from the one that was denied both visual and audio input? (Format YYYY-MM-DD HH:MM:SS)
There is a database at /private/var/mobile/Library/TCC/TCC.db that holds the permission states for each service. It can be viewed in iLEAPP:
As Instagram is the app with Camera and Microphone permissions set to “Not Allowed”, we can refine our search in XAMN to look for the instance where an alternative app is suggested, filtering for artifacts only in that app.
You can see that there is a message to Emily with the link to the Signal app on the Play Store.
The DB containing these messages can be found at: /private/var/mobile/Containers/Data/Application/93DFCB37-23A8-46FE-96CB-51C169040E4C/Library/Application Support/DirectSQLiteDatabase/78563694174.db
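The TCC.db check can also be done with a direct query. This is an added example, not from the original write-up: it builds a constructed in-memory copy of the `access` table with placeholder bundle IDs, and assumes the iOS 14 and later schema, where `auth_value` 0 means denied and 2 means allowed.

```python
import sqlite3

DENIED = 0  # auth_value in the iOS 14+ schema: 0 = denied, 2 = allowed

def build_sample_db():
    """Constructed stand-in for TCC.db; bundle IDs are placeholders."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    con.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceCamera", "com.example.photoshare", 0, 1764600000),
            ("kTCCServiceMicrophone", "com.example.photoshare", 0, 1764600005),
            ("kTCCServiceCamera", "com.example.messenger", 2, 1764600100),
            ("kTCCServiceMicrophone", "com.example.messenger", 0, 1764600105),
            ("kTCCServicePhotos", "com.example.notes", 0, 1764600200),
        ],
    )
    return con

def apps_denied_camera_and_mic(con):
    """Return clients where BOTH camera and microphone access are denied."""
    sql = """
        SELECT client
        FROM access
        WHERE service IN ('kTCCServiceCamera', 'kTCCServiceMicrophone')
          AND auth_value = ?
        GROUP BY client
        HAVING COUNT(DISTINCT service) = 2
        ORDER BY client
    """
    return [row[0] for row in con.execute(sql, (DENIED,))]

if __name__ == "__main__":
    # For an extracted file, query a working copy opened read-only:
    # sqlite3.connect("file:TCC.db?mode=ro", uri=True)
    print(apps_denied_camera_and_mic(build_sample_db()))
```
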
FLAG
2025-12-01 19:36:12
Moving on! (50 Points)
How much time elapsed between the creation of the user’s first Notion note and the first recorded use of Obsidian? (Format: HH:MM:SS)
Identify the timestamp of the user’s first Notion note by locating and examining the Notion database.
Navigate to /private/var/mobile/Containers/Data/Application/BAF8790C-04BB-4B01-A8B9-2FB63401D9E2/Library/LocalDatabase/notion.db
Open notion.db and identify the earliest user-created note creation timestamp as 2025-12-20 22:20:47 (UTC). The “block” table contains all the relevant info.
Next, locate Apple Activities Biome data to determine when Obsidian was first used.
Navigate to /private/var/mobile/Library/Biome/streams/restricted/App.InFocus/
Then, filter application activity events for bundle ID md.obsidian and identify the earliest App.InFocus event associated with Obsidian.
Record the first Obsidian interaction time as 2025-12-20 22:27:14 (UTC).
Calculate the time difference between the Notion note creation and the first Obsidian interaction.
FLAG
00:06:27
Mr. Worldwide (75 Points)
While looking for outdoor activities on their phone, what city was the user's Public IP based out of?
This question requires quite a few artifacts to cross reference to be sure of the answer.
First, determine which searches for outdoor activities were made (these were all related to camping).
Some searches were made on 12/11 for winter camping and ice fishing.
On 12/20 there were searches for campsites.
The second step is to separate the synced searches from the ones made on the phone (some searches were made from the Mac at an earlier date and synced over Safari).
Shown above is the iLEAPP Safari Report, in the raw TSV format for clarity. It shows that the ice fishing and winter camping searches were synced from another device. From the question “Peer Review”, it’s hinted that these searches were coming from his MacBook.
However, the searches on 12/20 were made from the Local Device, meaning that they came from the Phone. So we should look for artifacts generally around 12/20 at 18:00.
The third step is to pin down the city for the public IP. The user has a VPN app installed, ProtonVPN, so look through its files for any logs.
You will eventually find a WireGuard.log and a plist of recent connections under the app’s shared container folder, located at: /private/var/mobile/Containers/Shared/AppGroup/4878D959-D11A-496C-BBAC-95AD1D29C044/
In the WireGuard.log located at: /private/var/mobile/Containers/Shared/AppGroup/4878D959-D11A-496C-BBAC-95AD1D29C044/WireGuard.log, we can’t see the connection initializing. It’s mostly just keepalive packets until the end of the file, where the connection gets closed.
Above we can see the tunnel closing around 12/20 at 22:32:52. There also seems to be a peer ID in a shortened form.
Next, open the plist file at: /private/var/mobile/Containers/Shared/AppGroup/4878D959-D11A-496C-BBAC-95AD1D29C044/Library/Preferences/group.ch.protonmail.vpn.plist. You can use any plist editor; I just use Xplist because it converts any raw data into ASCII automatically.
There is a key called “LastWireGuardConnection” whose value, when translated to ASCII, reveals the same peer ID as seen in the log, just in its expanded form.
Copy this into a text editor to pretty-print the value.
Here we can see it’s all JSON data describing the connection and the server. The city is labeled “Mexico City”.
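The plist steps above can be done without a GUI editor. This is an added example, not from the original write-up: the plist is constructed, and the JSON field names inside it are hypothetical, since the write-up only states that the value is JSON and that a city is labeled in it.

```python
import json
import plistlib

def build_sample_plist():
    """Constructed binary plist; the JSON field names are hypothetical."""
    conn = {
        "peer": "PLACEHOLDER_PEER_ID",
        "server": {"name": "SAMPLE#1", "city": "Sample City"},
    }
    prefs = {"LastWireGuardConnection": json.dumps(conn).encode("utf-8")}
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)

def load_embedded_json(plist_bytes, key="LastWireGuardConnection"):
    """Decode a plist value that stores JSON as raw data (or as a string)."""
    prefs = plistlib.loads(plist_bytes)  # detects XML vs binary automatically
    raw = prefs[key]
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return json.loads(raw)

def find_fields(node, wanted, path=""):
    """Walk nested JSON and return (path, value) for scalar keys containing `wanted`."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if wanted in k.lower() and not isinstance(v, (dict, list)):
                hits.append((here, v))
            hits.extend(find_fields(v, wanted, here))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits.extend(find_fields(v, wanted, f"{path}[{i}]"))
    return hits

if __name__ == "__main__":
    conn = load_embedded_json(build_sample_plist())
    print(json.dumps(conn, indent=2))   # pretty-print, as in the step above
    print(find_fields(conn, "city"))
```
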
FLAG
Mexico City
NO Docxing. Docxing Suxx (75 Points)
A minion is hiding something...what is it? (Format: string)
There are a lot of minion pictures on the phone, so this task may seem very cumbersome at first. The question text hints at being a steganography question, so the most important thing is to weed out junk data using this knowledge. If we sort the pictures by time, we can see that they all have a timestamp of around 2025-12-20 at 22:00 UTC, with most of them being slightly before:
Looking at Safari history from around that time, we can see that there were visits to an online clipboard, so these Minions probably originated somewhere else, and there isn’t much information that would point to a steganography tool accessed via the phone.
Steganography often adds to the file size if it is encoding a lot of information within the image. We can sort all the images by size to see if any of them stand out.
Most of the images are about 43 KB, but notably one shows up as 450 KB, over 10x larger. This discrepancy is a signal to focus on this one.
Looking again at the challenge name, we see references to “Suxx” and “Docx”. If we take the URL of the online clipboard link found earlier, and paste into Unfurl, we see a reference to “Doc4.docx”.
If we search for this, we can find that document, and an image of a minion inside.
Using the “Suxx” hint, we can look up “suxx steganography” and find that there is a tool online to do this.
If we pass this image into the tool though, the flag we get does not work.
The question title is “No Docxing” though, so this is not the right file. But we’re on the right track!
Going back to that 450 KB picture, it appears to be slightly different in size to this one. Uploading it to the tool results in this:
This is the flag!
FLAG
PQWHT2347342883NFWSNSF