SecElf cyOS Jailbreak was a pwn challenge at Cybears CTF at BSides Canberra 2019.

The Problem:
The goal of the challenge was to develop a PoC “jailbreak” for the fictional cyOS. Given to players was a collection of files, which included the OS’s ELF loader, both source and compiled. A web service existed for players to upload their binaries, and hope for success. A sample binary was provided, which would successfully run when sent to the web service. A public key and a code signing python script was also provided.

The Auditing:
I opened the loader code and studied it for some time. From initial facts provided by the challenge description, I knew this was some kind of ELF loader. After reading the code for a bit, I discovered the…

AppleIDAuthAgent is a service that exists on iOS that appears to handle actions regarding a users Apple ID, including iCloud information linked to that account. It runs an XPC service known as com.apple.coreservices.appleid.authentication, which could be accessed by any application.

When looking around how the service was handling incoming XPC messages, I noticed that there was some log messages left behind. One of them was “DoGetMyInfo”, and was occurring when the command was 0x130. When I sent a message with that as part of the message.

What I got back was very interesting. The components that were easy to spot were the user’s name, the Apple ID itself, and verified emails and phone numbers associated with the account. All of this could be done in the background without the user knowing anything about it. …

About 4 weeks ago, Hacker1 held their h1702ctf as a qualifier for the main h1702 event in Las Vegas later this month. The theme of this CTF was mobile applications, specifically applications on iOS and Android. I managed to be the 6th person to complete all the challenges. I managed to be invited to the actual event as a finalist, but am unfortunately unable to go.

As a bit of background of my experience, I mainly specialise in iOS and have barely touched on Android before.

iOS 1, iOS 2, iOS 3, iOS 4, iOS 5, iOS 6
Android 1, Android 2, Android 3, Android 4, Android 5, Android…


George Dan

18, Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store