
Magnet CTF Week 4: Back on the Horse Again


TL;DR: Back on the command line horse again for Week 4 after dropping Week 3 of the #MagnetWeeklyCTF due to haste.

Review

Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.

Get the challenge

The weekly challenge for week 4 was:

Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?

Magnet gives us a great hint here for the starting place in the “organized with his busy schedule” wording. When I was poking around the image early in Week 1, I had seen that he had Evernote[1] installed and that there was a very suspicious-looking note in it, which I was sincerely hoping would turn up in the CTF. I was not disappointed.

Open the target file

Evernote keeps a user’s data in the com.evernote/databases/user[user-id]-[epoch]-Evernote.db SQLite database, and the user’s notes are unsurprisingly in the notes table of that database. In the case of Magnet’s image, the file is user213777210-1585004951163-Evernote.db. The content of those notes is then found in the com.evernote/files/user-[user-id]/notes folder, in sub-folders organized by note GUID. For example, the note with GUID c80ab339-7bec-4b33-8537-4f5a5bd3dd25 is in com.evernote/files/user-213777210/notes/c80/c80ab339-7bec-4b33-8537-4f5a5bd3dd25/content.enml.

We can enumerate the potential notes and their GUIDs, sorted by their creation timestamp, using sqlite3, then view the note content[2] using cat as such:

[notta@cuppa com.evernote]$ sqlite3 -header -column \
databases/user213777210-1585004951163-Evernote.db \
'SELECT guid, title FROM notes ORDER BY created ASC'

guid                                  title                
------------------------------------  ---------------------
0a826c39-ba5c-4772-944d-a96dd0e90eeb  The Power of the Note
1ba87657-f1d5-402b-bc95-16a0ebfcdace  Hacking skills       
c80ab339-7bec-4b33-8537-4f5a5bd3dd25  Phishy Phish phish 

[notta@cuppa com.evernote]$ cat \
files/user-213777210/notes/c80/c80ab339-7bec-4b33-8537-4f5a5bd3dd25/content.enml 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-note SYSTEM "http://xml.evernote.com/pub/enml2.dtd">
<en-note>
  <div>Esteemed entrenepeur,</div>
  <div><br /></div>
  <div>My name is Chestnut Russman and I am indeed interested in a sourie with 
        you to discuss potential investment opportunities to your fine establishment.</div>
  <div><br /></div>
  <div>A little more about me:</div>
  <ul>
    <li>
      <div>Im worked on Wall Street for 10 years and have made my money and 
           retired at age 30. </div>
    </li>
    <li>
      <div>I have large investments in Disney, Uber, Tesla, Microsoft, and 
          many others.</div>
    </li>
    <li>
      <div>I am an inventory with over 25 worldwide patents</div>
    </li>
    <li>
      <div>And I own several very "legal" establishments that make me 
          a plethora of money every day.</div>
    </li>
  </ul>
  <div><br /></div>
  <div>I believe that together, we can make even more money.</div>
  <div><br /></div>
  <div>Attached is my CV.</div>
  <div><br /></div>
  <div>Graciously</div>
  <div><br /></div>
  <div>Chestnut Russman</div>
  <div><br /></div>
  <div>[Insert malware here]</div>
  <div><br /></div>
</en-note>

“Original GUID”

If you’re like me, you then submitted “c80ab339-7bec-4b33-8537-4f5a5bd3dd25” as your answer to this question, since it is the oldest copy of the note related to phishing. Hopefully once the failure was displayed, you then re-read the question and saw the other hint Magnet gave: “Global Unique Identifiers change often”. It seems the GUID we found might not be “old enough” to be the original.

Enumerating via sqlite3 all of the tables which have the term ‘guid’ in them is a lot of work, so I just opened the database in SQLite Browser and had an eyeball. The table guid_updates looked relevant as it had a column called new_guid and a column called old_guid. Querying that table for the GUID we tried before yielded a new answer to try.

[notta@cuppa com.evernote]$ sqlite3 -header -column \
databases/user213777210-1585004951163-Evernote.db \
'SELECT old_guid, new_guid FROM guid_updates'

old_guid                              new_guid                            
------------------------------------  ------------------------------------
d3ba6079-68a2-412c-a366-39521fcc4c9f  1ba87657-f1d5-402b-bc95-16a0ebfcdace
7605cc68-8ef3-4274-b6c2-4a9d26acabf1  c80ab339-7bec-4b33-8537-4f5a5bd3dd25

Here we see the new_guid of c80ab339-7bec-4b33-8537-4f5a5bd3dd25 has an old_guid of 7605cc68-8ef3-4274-b6c2-4a9d26acabf1. Trying that as the answer brings success!

Alternatives

I happen to rather enjoy Note applications[3] and wanted to see what other ways we could make Evernote dance. So, what if you didn’t have the database? Or what if somehow the user had deleted the guid_updates table? Could we have answered this without that table?

Obviously, the answer is “Yes”. If we recursively grep (grep -r) for our target value in the com.evernote folder, we see a LOT of hits in a log file: files/logs/log_main.txt. Evernote appears to log almost as much as Apple. Grepping for lines that explicitly have both of our target values shows that Evernote has a line in the log file every time it calls setGuid() which either has null -> [new GUID] for new objects or [old GUID] -> [new GUID] for renamed objects.

With that knowledge, we could find every GUID quite quickly using just grep, making sure to display only the matching text (-o) rather than the whole log line.

[notta@cuppa com.evernote]$ grep -o "setGuid() [0-9a-f\-]\{36\} -> [0-9a-f\-]\{36\}" \
files/logs/log_main.txt

setGuid() d3ba6079-68a2-412c-a366-39521fcc4c9f -> 1ba87657-f1d5-402b-bc95-16a0ebfcdace
setGuid() 7605cc68-8ef3-4274-b6c2-4a9d26acabf1 -> c80ab339-7bec-4b33-8537-4f5a5bd3dd25

Could that be a Twitter one-liner? Sure, if we grep for our old GUID from the output of the previous command, then pipe that into cut to get the first space-separated field (-f 1 -d ' '), and then uniq the output to only show each value once. In case that seems too contrived, you can easily discover that the c80ab339-7bec-4b33-8537-4f5a5bd3dd25 GUID is the oldest version of the phishing note using just stat on the saved files; that’s how I got to it initially.

[notta@cuppa com.evernote]$ grep -o \
"[0-9a-f\-]\{36\} -> [0-9a-f\-]\{36\}" \
files/logs/log_main.txt \
| grep c80ab339-7bec-4b33-8537-4f5a5bd3dd25 \
| cut -f 1 -d ' ' \
| uniq

7605cc68-8ef3-4274-b6c2-4a9d26acabf1
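As an added example (not from the original post, and not Evernote’s own code), here is the lineage walk behind both the guid_updates query and the setGuid() grep, done in Python so that a GUID renamed more than once is still followed back to the GUID it was created with. The log prefix, the GUIDs and the table layout beyond the old_guid/new_guid columns are constructed assumptions.

```python
import re
import sqlite3
# Constructed sample in the spirit of files/logs/log_main.txt (not from the Magnet
# image): prefix and GUIDs are made up; the middle object is renamed twice for a chain.
SAMPLE_LOG = """\
03-23 12:00:01 I/Note: setGuid() null -> 11111111-aaaa-4aaa-8aaa-111111111111
03-23 12:00:02 I/Note: setGuid() 11111111-aaaa-4aaa-8aaa-111111111111 -> 22222222-bbbb-4bbb-8bbb-222222222222
03-23 12:00:03 I/Note: setGuid() 22222222-bbbb-4bbb-8bbb-222222222222 -> 33333333-cccc-4ccc-8ccc-333333333333
03-23 12:00:04 I/Note: setGuid() null -> 44444444-dddd-4ddd-8ddd-444444444444
03-23 12:00:05 D/Sync: unrelated line that the regex must ignore
"""
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
SETGUID_RE = re.compile(rf"setGuid\(\) (null|{GUID}) -> ({GUID})")

def parse_setguid(log_text):
    """Map each new GUID to the GUID it replaced (None when created fresh)."""
    renames = {}
    for m in SETGUID_RE.finditer(log_text):
        old, new = m.groups()
        renames[new] = None if old == "null" else old
    return renames

def resolve_original(renames, guid):
    """Follow new -> old links back to the GUID the object was created with."""
    seen = set()
    while renames.get(guid) is not None:
        if guid in seen:  # a looping history would otherwise never terminate
            raise ValueError(f"cycle in GUID history at {guid}")
        seen.add(guid)
        guid = renames[guid]
    return guid

def build_guid_updates(renames):
    """In-memory stand-in for the guid_updates table's old_guid/new_guid columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guid_updates (old_guid TEXT, new_guid TEXT)")
    conn.executemany("INSERT INTO guid_updates VALUES (?, ?)",
                     [(old, new) for new, old in renames.items() if old])
    return conn

def resolve_original_sql(conn, guid):
    """The same walk done inside SQLite with a recursive CTE over guid_updates."""
    row = conn.execute("""
        WITH RECURSIVE lineage(guid, depth) AS (
            SELECT ?, 0 UNION ALL
            SELECT g.old_guid, l.depth + 1 FROM guid_updates g
            JOIN lineage l ON g.new_guid = l.guid WHERE l.depth < 100)
        SELECT guid FROM lineage ORDER BY depth DESC LIMIT 1""", (guid,))
    return row.fetchone()[0]
```

Point resolve_original_sql at a connection to the real user...-Evernote.db and it answers the week’s question directly; the log parser gives the same answer when the table is gone.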

Conclusion

This week’s question had a slight twist in wanting the old GUID, but it can be answered from the command line with or without the relevant database. The one-liner uses some of the same ideas from Week 2 with cut and adds uniq. Those are commands well worth knowing for anyone who needs to manipulate a lot of textual data, such as this log file.

Footnotes

  1. “Evernote helps people focus on what matters most to them. It’s where ideas become answers, where individuals organize their daily lives, and where teams come to create and share work together.” - Evernote’s website; note the focus on organization.

  2. I have formatted the note slightly to avoid wrapping the code block. 

  3. Don’t believe me? Check my Apple Notes work.