Magnet Weekly CTF Challenge Week 4 Writeup or: How I Learned to Stop Worrying and Love the Mistakes

This week's Magnet Weekly CTF Challenge is:



First things first, I did not crack this week's challenge with the given 3 attempts. Stupid decisions were made in a rush, which resulted in barking up the wrong tree. Thankfully, I came to my senses and eventually worked out the correct answer.

Let's start with the correct solution and walkthrough first.

The Correct Way

According to the mighty Google, "Animals That Never Forget" refers to Elephants🐘A well-known notes app with an Elephant logo immediately came across my mind.


Evernote app was installed the provided Android device. Chester's Phishing Expedition template could be found in the "content.enml" under the "/data/data/com.evernote/files/user-213777210/notes/c80/c80ab339-7bec-4b33-8537-4f5a5bd3dd25" directory,


At this moment, it looked like the answer should be "c80ab339-7bec-4b33-8537-4f5a5bd3dd25", right?

Do not forget the challenge specifically asked for "the original GUID for his phishing expedition". So there was still extra work to locate the original GUID value.

I noticed that there was a "log" directory under the "/data/data/com.evernote/files/" director and a "log_main.txt" plaintext file was inside the log directory. Using the known GUID value "c80ab339-7bec-4b33-8537-4f5a5bd3dd25" as a search keyword, another GUID "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" appeared.


Searching the "log_main.txt" log file with the "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" GUID value, there were 2 lines of log message indicating the existing phishing expedition template was copied from the note entry of "7605cc68-8ef3-4274-b6c2-4a9d26acabf1".


Do not forget there could be another note entry that spawned the note entry of "7605cc68-8ef3-4274-b6c2-4a9d26acabf1". To verify the validity of this claim, the initial logs of note entry "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" was checked.


Fair enough. The note entry of "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" was created from scratch.

Therefore, the correct answer to this week's challenge should be "7605cc68-8ef3-4274-b6c2-4a9d26acabf1".

Lessons Learnt

Making mistakes is bad enough. What makes it worse is not having learnt any lesson from making mistakes.

  1. When time is not a critical factor, do not rush to use all answering attempts in once. This is crucial when answering attempts are limited.
  2. Go get enough sleep before engaging in CTF challenges. 


So this marks the end of this week's Magnet Weekly CTF challenge write-up. Magnet CTF organisers have already announced a Linux image would be used in November's Weekly CTF. Things are getting exciting!




Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi
Read more