Rating:
For a better view check our [githubpage](https://bsempir0x65.github.io/CTF_Writeups/VU_Cyberthon_2023/#what-is-a-name-of-device-user) or [github](https://github.com/bsempir0x65/CTF_Writeups/tree/main/VU_Cyberthon_2023#what-is-a-name-of-device-user) out
So by now our time for the event kind of run out and our 2 to 3 hours we had were kind of close to an end. So we decided to do the once we know quickly and for sure so we catch some more points ( ͡❛ ‿‿͡❛ ).
Up until now i did not understood what a device user is. I thought it is the user presented when you set up your android device. So like with the multiple accounts. But it seems the linux representations of your current account to be ????? Whatever. This one was a long one for us cause we did not had really a clue other than what we found before.
So after some searching around in the net, there should be something called accounts.db which contains the local configure accounts and could have the account. It was not there but we found the mail address [email protected]. When we used that to search further, we found the Accountdata.pb in /data/com.google.android.googlequicksearchbox/files/AccountData.pb which had the display name for that account (i think it is the display name). "John Silver" was the next used to search further. That lead us to /data/com.google.android.apps.dynamite/databases/user_accounts/[email protected]/dynamite.db containing interesting names again.
![https://raw.githubusercontent.com/bsempir0x65/CTF_Writeups/main/VU_Cyberthon_2023/img/phone_john.png](https://raw.githubusercontent.com/bsempir0x65/CTF_Writeups/main/VU_Cyberthon_2023/img/phone_john.png)
So we found **John** which was wrong. But we remembered and tried **john** which then was correct (ー ー;) ![https://github.githubassets.com/images/icons/emoji/rage1.png](https://github.githubassets.com/images/icons/emoji/rage1.png). So that was definitely not the right way to find that account. We were only able to pull that off cause it were only 5 accounts existing on that device and the whats app acc and the signal acc were for sure wrong. So not to many traces to search for which made it possible.
Once we had john we searched with that and which lead us to /userdata/system/users/0.xml which contained the local device user again with uppercase John but that would probably the right place to search instead our weird journey with some luck that the dynamite app stores that information's.