Magnet Weekly CTF — Week 4
This week’s task was to find a GUID related to “phishing”. Now, because I had done the CTF put on by Magnet this summer in-lieu of their in-person Summit, I had a hunch on where to begin.
So I immediately went to the Evernote application folder “/data/com.evernote/files/” and found the n1.json file that contained the answer for this summer’s CTF question:
The content.enml file contained the phishing email body and opening up the file yielded the following text:
"title":"Phishy Phish phish",
Easy! There’s the GUID! Copy, Paste, Submit => FAIL!
Ok, well, that’s what I get for thinking the first thing I got to was correct. So I went digging, looking for Word documents, email attachments, I went into the Chess app, Snapchat, and more. Finally, the following day I came back to it and decided to re-read the question:
Title: Animals That Never Forget => OK, So I was right, Evernote was the right rabbit hole. What am I missing?
Question: Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?
Not sure how I missed that. Alright, so now how do I find the original GUID? At this point, I do what I normally do and just start digging around the files associated with the app.
This led me to the SQLite database file user213777210–1585004951163-Evernote.db
Looking at the table structure I noticed a table named “guid_updates”. Aha!
Sure enough, the GUID I submitted earlier “c80ab339–7bec-4b33–8537–4f5a5bd3dd25” had an associated old_guid of “7605cc68–8ef3–4274-b6c2–4a9d26acabf1”, which was the correct answer.
- Read the question
- Take the hint