TL;DR: Back on the command line horse again for Week 4 after dropping Week 3 of the #MagnetWeeklyCTF due to haste.
Check out the week 1 blog post for how to get started on the Magnet Weekly CTF.
Get the challenge
The weekly challenge for week 4 was:
Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?
Magnet gives us a great hint here for the starting place in the “organized with his busy schedule” wording. When I was poking around the image early in Week 1, I had seen that he had Evernote[1] installed and that there was a very suspicious-looking note in it, which I was sincerely hoping would turn up in the CTF. I was not disappointed.
Open the target file
Evernote keeps a user’s data in the com.evernote/databases/user[user-id]-[epoch]-Evernote.db SQLite database, and the user’s notes are unsurprisingly in the notes table of that database. In the case of Magnet’s image, the file is user213777210-1585004951163-Evernote.db. The content of those notes is then found in the com.evernote/files/user-[user-id]/notes folder, in sub-folders organized by note GUID. For example, the note with GUID c80ab339-7bec-4b33-8537-4f5a5bd3dd25 is in
We can enumerate the potential notes and their GUIDs, sorted by their creation timestamp, using sqlite3, then view the note content[2] using cat as such:
If you’re like me, you then submitted “c80ab339-7bec-4b33-8537-4f5a5bd3dd25” as your answer to this question, since it is the oldest copy of the note related to phishing. Hopefully once the failure was displayed, you then re-read the question and saw the other hint Magnet gave: “Global Unique Identifiers change often”. It seems the GUID we found might not be “old enough” to be the original.
Enumerating all of the tables which have the term ‘guid’ in them via sqlite3 is a lot, so I just opened the database in SQLite Browser and had an eyeball. The table guid_updates looked relevant as it had a column called new_guid and a column called old_guid. Querying that table for the GUID we tried before yielded a new answer to try.
Here we see the new_guid of c80ab339-7bec-4b33-8537-4f5a5bd3dd25 has an old_guid of 7605cc68-8ef3-4274-b6c2-4a9d26acabf1. Trying that as the answer brings success!
I happen to rather enjoy note applications[3] and wanted to see what other ways we could make Evernote dance. So, what if you didn’t have the database? Or what if somehow the user had deleted the guid_updates table? Could we have answered this without that table?
Obviously, the answer is “Yes”. If we recursively grep (grep -r) for our target value in the com.evernote folder, we see a LOT of hits in a log file: files/logs/log_main.txt. Evernote appears to log almost as much as Apple. Grepping for lines that explicitly have both of our target values shows that Evernote has a line in the log file every time it calls setGuid(), which has either null -> [new GUID] for new objects or [old GUID] -> [new GUID] for renamed objects.
With that knowledge, we could find every GUID quite quickly using just grep, making sure to only display the matched text (-o) and not the filename.
Could that be a Twitter one-liner? Sure, if we grep for our old GUID from the output of the previous command, then pipe that into cut to get the first space-separated field (-f 1 -d ' '), and then uniq the output to only show each value once. In case that seems too contrived, you can easily discover that the c80ab339-7bec-4b33-8537-4f5a5bd3dd25 GUID is the oldest version of the phishing note using just stat on the saved files; that’s how I got to it initially.
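The same setGuid() rename chain can be followed backwards programmatically rather than by eyeballing grep output. The following is an added example, not code from the original post: it embeds a constructed sample of log lines (the exact line format around the "old -> new" pairs is an assumption; only the two GUIDs from the challenge are real values) and walks from any current GUID back to the null -> creation entry.

```shell
#!/bin/sh
# Constructed sample of log_main.txt lines. The timestamp/prefix format is
# assumed; the "null -> new" and "old -> new" setGuid() pairs follow the
# pattern described above. 7605cc68... and c80ab339... come from the
# challenge; the 1111... and 9999... GUIDs are made up for the example.
LOG_SAMPLE='2020-03-23 22:49:11 INFO Note.setGuid(): null -> 7605cc68-8ef3-4274-b6c2-4a9d26acabf1
2020-03-23 22:50:03 INFO Note.setGuid(): 7605cc68-8ef3-4274-b6c2-4a9d26acabf1 -> c80ab339-7bec-4b33-8537-4f5a5bd3dd25
2020-03-24 09:12:45 INFO Note.setGuid(): null -> 11111111-2222-3333-4444-555555555555
2020-03-24 09:13:00 INFO Note.setGuid(): c80ab339-7bec-4b33-8537-4f5a5bd3dd25 -> 99999999-8888-7777-6666-555555555555'

# Basic-regex form of a GUID, usable with plain grep.
GUID_RE='[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}'

# original_guid LOGTEXT GUID
# Repeatedly look for a "<old> -> <current>" rename line and step to <old>.
# A creation line is "null -> X", which the GUID regex does not match, so
# the loop stops there and prints the original GUID.
original_guid() {
  log="$1"
  cur="$2"
  while :; do
    prev=$(printf '%s\n' "$log" \
      | grep -o "$GUID_RE -> $cur" \
      | cut -f 1 -d ' ' | uniq | head -n 1)
    [ -n "$prev" ] || break
    cur="$prev"
  done
  printf '%s\n' "$cur"
}

# Usage against the sample: resolves the phishing note's current GUID to
# its original 7605cc68-8ef3-4274-b6c2-4a9d26acabf1.
original_guid "$LOG_SAMPLE" c80ab339-7bec-4b33-8537-4f5a5bd3dd25
```

Against a real image, replace LOG_SAMPLE with `$(cat files/logs/log_main.txt)` from the com.evernote folder.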
This week’s question had a slight twist in it from wanting the old GUID, but it can be answered from the command line with or without the relevant database. The one-liner uses some of the same ideas from Week 2 with cut and adds uniq. Those are commands well worth knowing for anyone that needs to manipulate a lot of textual data, such as this log file.
[1] “Evernote helps people focus on what matters most to them. It’s where ideas become answers, where individuals organize their daily lives, and where teams come to create and share work together.” - Evernote’s website; note the focus on organization.
[2] I have formatted the note slightly to avoid wrapping the code block.