Magnet Weekly CTF Challenge Week #4

Challenge 4 (10/26–11/2) Animals That Never Forget

Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?

So I had already spent a bit of time getting to know the image and had observed a few suspicious things.

A Twitter conversation between @AlanBrunswick and @Chester57890766 divulged the plan to phish Warren Hamilton.

In the conversation, there were GUID-like strings in the exchange of the users. I’m still not sure what they mean but I put this lead on ice and moved forward.

Back to reviewing the conversation:

Chester mentions creating a phishing draft. If you look at the activity between the two messages, an Evernote note was created called “Phishy Phish phish”.

We learnt about the recent tasks artefacts in week 2, and this week it comes back again. We can see that Evernote has a recent task that saved the screen as the user selected their draft to copy into Gmail:

I decided to look at the Evernote database for the user a bit more: data\com.evernote\databases\user213777210-1585004951163-Evernote.db.

Below we can see the note that Chester created to draft their phishing email has the GUID of c80ab339-7bec-4b33-8537-4f5a5bd3dd25. BUT, in the question, it says “What was the original GUID”. I thought this might hint at an extra part of the question to trick people!

By chance, I had noticed a table called guid_updates which seemed pretty relevant. I saw that there was an entry for the GUID we had found for the phishing note.

Here you can see that the original GUID was 7605cc68-8ef3-4274-b6c2-4a9d26acabf1.

Answer: 7605cc68-8ef3-4274-b6c2-4a9d26acabf1
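The lookup described above can be scripted. This is an added example, not part of the original write-up and not Evernote's own code. The column names `old_guid` and `new_guid`, the `notes` columns and the second sample note are assumptions constructed for illustration; only the table name `guid_updates`, the note title and the two GUIDs come from the page. It goes one step beyond the single lookup and follows a chain of GUID changes back to the first value.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for the Evernote database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes (guid TEXT PRIMARY KEY, title TEXT);
        CREATE TABLE guid_updates (old_guid TEXT, new_guid TEXT);
    """)
    db.executemany("INSERT INTO notes VALUES (?, ?)", [
        ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25", "Phishy Phish phish"),
        ("00000000-0000-0000-0000-000000000003", "constructed note"),
    ])
    db.executemany("INSERT INTO guid_updates VALUES (?, ?)", [
        # Pair taken from the write-up: original GUID -> current GUID.
        ("7605cc68-8ef3-4274-b6c2-4a9d26acabf1",
         "c80ab339-7bec-4b33-8537-4f5a5bd3dd25"),
        # Constructed two-step history for the second note.
        ("00000000-0000-0000-0000-000000000001",
         "00000000-0000-0000-0000-000000000002"),
        ("00000000-0000-0000-0000-000000000002",
         "00000000-0000-0000-0000-000000000003"),
    ])
    return db

def original_guid(db, title):
    """Return the earliest known GUID for the note with this title."""
    row = db.execute("SELECT guid FROM notes WHERE title = ?",
                     (title,)).fetchone()
    if row is None:
        return None
    guid, seen = row[0], set()
    # Walk new_guid -> old_guid until no older entry exists.
    # The seen set stops the loop if the table contains a cycle.
    while guid not in seen:
        seen.add(guid)
        prev = db.execute(
            "SELECT old_guid FROM guid_updates WHERE new_guid = ?",
            (guid,)).fetchone()
        if prev is None:
            break
        guid = prev[0]
    return guid

if __name__ == "__main__":
    print(original_guid(build_sample_db(), "Phishy Phish phish"))
```

Against a real extraction, open the database file read-only and check the actual column names with `PRAGMA table_info(guid_updates)` before relying on the query.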

Wait a second. I just got it. The challenge was called “Animals That Never Forget”… Elephants have good memory… Evernote logo is an elephant…



