Magnet Virtual Summit 2026 CTF - Mac Questions
Salt and Pepper (5 Points)
What is the password hashing algorithm for the "alexmaurie" user?
In Axiom Examine, under the "Operating System" and "User Accounts - macOS" artifact filter, you can find the password hashing algorithm in the details section of the Alex Maurie account. This info can be found in the filesystem at:
/private/var/db/dslocal/nodes/Default/users/alexmaurie.plist
FLAG
SALTED-SHA512-PBKDF2
Hey Siri (5 Points)
At what time did the user last access a URL using Siri in UTC? (Format: YYYY-MM-DD HH:MM:SS)
In Axiom Examine, under the "Operating System" and "Siri - Biome App Intents" artifact filter, a query for "x.com" can be found. This data can be found in the filesystem at:
/Users/alexmaurie/Library/Biome/streams/restricted/App.Intent/local/785352905299642
FLAG
2025-12-10 18:53:49 OR 2025-12-10 18:53:50 (round or chop off decimals)
Running on Fumes (5 Points)
What was the lowest battery level the device reached?
In Axiom Examine, under the "Operating System" and "Powerlog Battery Level" artifact filter, sort by "Battery Level" ascending. This data can be found in the filesystem at:
/private/var/db/powerlog/Library/BatteryLife/CurrentPowerlog.PLSQL
FLAG
39.0 OR 39
Pedal to the Metadata (5 Points)
What was the name of the racing game the user installed?
In Axiom Examine, under the "Application Usage" and "Installed Applications - macOS" artifact filter, a package named "com.gameloft.asphalt9mac" can be found. This data can be found in the filesystem at:
/Library/Receipts/InstallHistory.plist
Convert this bundle ID to the real name by visiting “https://itunes.apple.com/lookup?bundleId=com.gameloft.asphalt9mac” and opening the 1.txt file you receive; its trackViewUrl field is the App Store URL.
Using that, you can get the name of the game on the App Store.
FLAG
Asphalt 9 OR Asphalt Legends: Racing Game OR Asphalt Legends
Busy Day (5 Points)
How many tasks did the user have on 2025-12-10?
In Axiom Examine, parsed under the "Documents" and "Apple Notes" artifact filter is a user-written note containing a list of tasks that the user wants to do. The note is named "Tasks for today". You can view this raw data in the filesystem at:
Users/alexmaurie/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
FLAG
4
Identity Crisis (10 Points)
What is the IMEI of the connected iPhone?
In Axiom Examine, navigate to \Users\alexmaurie\Library\Application Support\com.apple.akd\devicelist.db. Examine the "additional_info" column within the "device_list" table of the database.
FLAG
351906515098518
Shell Shocked (10 Points)
What is the UUID of the ZSH terminal session restored on 2025-11-20 19:31:51 (UTC)?
In the ".zsh_sessions" directory under the user’s home folder, find the ".session" file with an echo message stating that a session was restored at the time "1763667111". The UUID is contained within the filename.
FLAG
68DC219D-1135-49E2-8D1C-542BEBAC903A
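The lookup described above can be scripted. This is an added example, not part of the original write-up: it converts the UTC time from the question to a Unix epoch and returns the UUID-named .session files that embed it. The echo line layout and the two sample files (with made-up UUIDs) are assumptions constructed for the demonstration.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: each <UUID>.session file holds an echo line that embeds the save
# time as a Unix epoch passed to `date -r`.
EPOCH_RE = re.compile(r"date -r (\d{9,11})")
UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def utc_to_epoch(stamp):
    """Convert 'YYYY-MM-DD HH:MM:SS' (UTC) to a Unix epoch."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def sessions_restored_at(session_dir, stamp_utc):
    """Return UUIDs of .session files whose embedded epoch equals stamp_utc."""
    target = utc_to_epoch(stamp_utc)
    hits = []
    for path in sorted(Path(session_dir).glob("*.session")):
        if not UUID_RE.fullmatch(path.stem):
            continue  # not named after a session UUID
        text = path.read_text(errors="replace")
        if any(int(e) == target for e in EPOCH_RE.findall(text)):
            hits.append(path.stem)
    return hits


def build_sample(root):
    """Write two constructed .session files (UUIDs are made up) under root."""
    d = Path(root) / ".zsh_sessions"
    d.mkdir()
    samples = {
        "00000000-0000-4000-8000-00000000000A": 1763667111,
        "00000000-0000-4000-8000-00000000000B": 1763670000,
    }
    for uuid, epoch in samples.items():
        line = 'echo Restored session: "$(/bin/date -r %d)"\n' % epoch
        (d / (uuid + ".session")).write_text(line)
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(sessions_restored_at(build_sample(tmp), "2025-11-20 19:31:51"))
```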
Welcome to ISS (10 Points)
What date did Alex become eligible to work at ISS? (Format: YYYY-MM-DD)
Browsing through the user’s files, you may find some working papers. Open the pdf file titled "i-9_template" to find the "Today's Date" section of the document.
FLAG
2025-12-01
Ssssneaky Logs (10 Points)
What version of Python did the user have installed?
Python is installed in a specific location on a Mac. The installed versions are located at \Library\Developer\CommandLineTools\Library\Frameworks\Python3.framework\Version\, where you can find a subfolder for each version; in this case the user has Python 3.9.
You can go further to see the precise version inside this “3.9” folder, under Resources/version.plist.
FLAG
3.9.6
Blue's Clues (10 Points)
What is the Bluetooth address of Alex's iPhone?
Using an SQLite database viewer, open the "com.apple.MobileBluetooth.ledevices.paired.db" database, and under the "PairedDevices" table, retrieve the "Address" field of "Alex's iPhone". The address also appears within converted unified logs.
FLAG
04:BC:6D:D2:0D:90
Leased and Found (25 Points)
What's the MAC address of the router that the user was leased on 2025-12-24 09:48:49 (UTC)?
The plist located at “private\var\db\dhcpclient\leases\en0.plist” contains information about a DHCP lease, in which the router's MAC address can be found.
FLAG
C4:04:15:8B:A5:8F
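A lease plist of this kind can be read with Python's plistlib. This is an added example, not part of the original write-up: it checks the lease start time and renders the router's hardware address as a colon-separated MAC. The key names "RouterHardwareAddress" and "LeaseStartDate" are assumptions about the plist layout, and the sample record (MAC and IP addresses) is constructed.

```python
import plistlib
from datetime import datetime

# Assumed key names for a macOS DHCP lease plist.
KEY_ROUTER_MAC = "RouterHardwareAddress"   # raw 6-byte <data> value
KEY_LEASE_START = "LeaseStartDate"         # <date>, stored in UTC


def format_mac(raw):
    """Render raw hardware-address bytes as upper-case colon-separated hex."""
    if len(raw) != 6:
        raise ValueError("expected 6 bytes, got %d" % len(raw))
    return ":".join("%02X" % b for b in raw)


def router_for_lease(plist_bytes, lease_start_utc):
    """Return the router MAC if the lease started at lease_start_utc, else None."""
    lease = plistlib.loads(plist_bytes)
    wanted = datetime.strptime(lease_start_utc, "%Y-%m-%d %H:%M:%S")
    start = lease.get(KEY_LEASE_START)
    # plistlib returns naive datetimes that are already UTC; drop sub-seconds.
    if start is None or start.replace(microsecond=0) != wanted:
        return None
    return format_mac(lease[KEY_ROUTER_MAC])


def build_sample():
    """Constructed lease record; the MAC and IP addresses are made-up values."""
    return plistlib.dumps({
        "IPAddress": "192.0.2.23",
        "RouterIPAddress": "192.0.2.1",
        KEY_ROUTER_MAC: bytes.fromhex("02005e10000f"),
        KEY_LEASE_START: datetime(2025, 12, 24, 9, 48, 49),
    })


if __name__ == "__main__":
    print(router_for_lease(build_sample(), "2025-12-24 09:48:49"))
```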
Almost Done (25 Points)
How many seconds did it take for the system to totally install a 3rd-party cloud storage app? (Format: xx.xx)
Find the 3rd-party cloud storage app, Google Drive for Mac, and then go to the install log located at “private\var\log\install.log”. It has a summary of how long an install took. Take the "-total-" number and use it as the flag.
FLAG
10.32
Back to the Backup (25 Points)
What was the logical size of the second most recent backup?
You can find the backups taken inside the \Volumes\.timemachine\3607D748-7F65-4AB0-A842-1D9C98C1D72D\ directory.
Inside the most recent one, there is a file called backup_manifest.plist that contains a history of previous backups.
We accept both the Propagated and Changed logical sizes as valid answers.
FLAG
7506837257 OR 9251250272
Cloudy with a Chance of Data (50 Points)
What was the value associated with the most recent iCloud operation?
Open the "cache.db" SQLite database located at Users\alexmaurie\Library\Caches\com.apple.CloudTelemetry\XPCService\com.apple.cloudd\eventcache\cache.db and select the "clientid" table. The "value" column associated with the only "Operation" event type is the flag.
FLAG
52733820-0C3F-4E07-934B-E31167E9490A
Checkmate (50 Points)
How many total knight moves were played?
A plist of a recorded game of chess is cached inside the user’s cloud storage, located at: \Users\alexmaurie\Library\Mobile Documents\com~apple~CloudDocs\Documents\i am terrible at chess.game
There is an entry for all the moves played.
You can play out this game on a real chess board, or paste the values into Chess.com’s analysis board to see it played out. https://www.chess.com/analysis
Count up all the times a Knight was moved.
FLAG
6
Xtra Secure (50 Points)
What is the exec_cdhash of the event that occurred at 2025-12-01 09:23:52 PM?
In the XProtect SQLite database file, there is a table of events that get triggered by the antivirus. Only one of the events has a date/time stamp at the provided time.
You can find this database here: \private\var\protected\xprotect\db
FLAG
b399473d58a8d601369be898a30ada8b000248d7
Absolute-ly Caffeinated (75 Points)
At what time (UTC 24hr time, format HH:MM) did the user join the network of a cafe on the first day of the month?
You will need to look up the connected wifi names and identify which one belongs to a cafe. You can do this in a Biome located at:
\Users\alexmaurie\Library\Biome\streams\restricted\Device.Wireless.WiFi\local\785865828566727
Out of the networks connected, only two, 'PANERA' and 'uncommonqbryguest', could be considered cafes (you can confirm the second one by searching for "uncommon qbry", separating the words).
Open this file with Mushy or some other SEGB viewer.
We can see events on the first of December here, but to confirm that this is an actual connection event, we can put it in context with the AppInFocus Biome, located at:
\private\var\db\biome\streams\restricted\_DKEvent.App.InFocus\local
At right around that time, the CaptiveNetworkAssistant app comes in focus so that the user can accept the terms for the network.
FLAG
20:45