Magnet Weekly CTF Challenge Week 4 Writeup or: How I Learned to Stop Worrying and Love the Mistakes
This week's Magnet Weekly CTF Challenge is:
First things first, I did not crack this week's challenge within the given 3 attempts. Stupid decisions were made in a rush, which resulted in barking up the wrong tree. Thankfully, I came to my senses and eventually worked out the correct answer.
Let's start with the correct solution and walkthrough first.
The Correct Way
According to the mighty Google, "Animals That Never Forget" refers to Elephants🐘. A well-known notes app with an Elephant logo immediately came to mind.
The Evernote app was installed on the provided Android device. Chester's Phishing Expedition template could be found in "content.enml" under the "/data/data/com.evernote/files/user-213777210/notes/c80/c80ab339-7bec-4b33-8537-4f5a5bd3dd25" directory.
Do not forget the challenge specifically asked for "the original GUID for his phishing expedition". So there was still extra work to locate the original GUID value.
I noticed that there was a "log" directory under the "/data/data/com.evernote/files/" directory, and a "log_main.txt" plaintext file was inside the log directory. Using the known GUID value "c80ab339-7bec-4b33-8537-4f5a5bd3dd25" as a search keyword, another GUID "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" appeared.
Searching the "log_main.txt" log file with the "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" GUID value, there were 2 lines of log messages indicating the existing phishing expedition template was copied from the note entry of "7605cc68-8ef3-4274-b6c2-4a9d26acabf1".
Do not forget there could be another note entry that spawned the note entry of "7605cc68-8ef3-4274-b6c2-4a9d26acabf1". To verify the validity of this claim, the initial logs of note entry "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" were checked.
Fair enough. The note entry of "7605cc68-8ef3-4274-b6c2-4a9d26acabf1" was created from scratch.
Therefore, the correct answer to this week's challenge should be "7605cc68-8ef3-4274-b6c2-4a9d26acabf1".
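The GUID pivot described above can be scripted. The following is an added example, not part of the original post: it walks GUIDs that share a log line back to the one seen earliest. The sample log lines, their wording and timestamps are constructed and do not reproduce Evernote's real "log_main.txt" format; only the two note GUIDs come from the write-up, and the function names are hypothetical.

```python
import re
from collections import defaultdict

GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)

# Constructed sample lines: wording and timestamps are hypothetical, NOT
# Evernote's real log format. Only the 7605... and c80a... GUIDs are from the post.
SAMPLE_LOG = """\
2020-01-01 10:00:01 note created guid=7605cc68-8ef3-4274-b6c2-4a9d26acabf1
2020-01-01 10:00:09 note saved guid=7605cc68-8ef3-4274-b6c2-4a9d26acabf1
2020-01-01 10:05:30 note saved guid=11111111-2222-3333-4444-555555555555
2020-01-01 10:07:12 copy old=7605cc68-8ef3-4274-b6c2-4a9d26acabf1 new=c80ab339-7bec-4b33-8537-4f5a5bd3dd25
2020-01-01 10:07:13 note saved guid=c80ab339-7bec-4b33-8537-4f5a5bd3dd25
"""

def index_guids(lines):
    """Map each GUID to its first line number and to GUIDs sharing a line with it."""
    first_seen, linked = {}, defaultdict(set)
    for lineno, line in enumerate(lines, 1):
        guids = {g.lower() for g in GUID_RE.findall(line)}
        for g in guids:
            first_seen.setdefault(g, lineno)
            linked[g] |= guids - {g}
    return first_seen, linked

def trace_origin(lines, start_guid):
    """Return the chain from start_guid back to its earliest linked GUID.

    Heuristic: a GUID that shares a line with the current one and first
    appears earlier in the log is a candidate ancestor. The walk stops when
    no linked GUID is older, i.e. the note has no visible predecessor.
    """
    first_seen, linked = index_guids(lines)
    current = start_guid.lower()
    if current not in first_seen:
        raise KeyError(f"{start_guid} not found in log")
    chain = [current]
    while True:
        older = [g for g in linked[current] if first_seen[g] < first_seen[current]]
        if not older:
            return chain
        current = min(older, key=first_seen.get)  # follow the oldest candidate
        chain.append(current)

if __name__ == "__main__":
    start = "c80ab339-7bec-4b33-8537-4f5a5bd3dd25"
    for guid in trace_origin(SAMPLE_LOG.splitlines(), start):
        print(guid)
```

The last GUID in the chain is only a candidate origin; its earliest log lines still need to be read by hand to confirm it was created from scratch, as done above.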
Lessons Learnt
Making mistakes is bad enough. What makes it worse is not having learnt any lesson from making mistakes.
- When time is not a critical factor, do not rush to use all answering attempts at once. This is crucial when answering attempts are limited.
- Go get enough sleep before engaging in CTF challenges.
So this marks the end of this week's Magnet Weekly CTF challenge write-up. Magnet CTF organisers have already announced a Linux image would be used in November's Weekly CTF. Things are getting exciting!