Magnet Weekly CTF (Week 4) - Phishing for GUIDs

Previous: Week 1 | Week 2 | Week 3

As we proceed onward with Week 4 and the last week of Android, we get to deep dive into databases and logs.

Challenge 4 (10/26-11/2) Animals That Never Forget (25)

Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?

Look closely at the hints here in the title and question. What animal never forgets? ELEPHANTS! Why is that relevant you ask? Well, let's take a look at the installed applications via ALEAPP.

We can see below that Evernote was installed.

If you don't know what Evernote's logo looks like, a quick Google search shows you the results:

Let's take a look and see what we have in the application folder:


The best starting point is the "databases" folder which has a file named "user213777210-1585004951163-Evernote.db". Exporting out to DB Browser For SQLite, we can see it has a lot of tables inside it.

"notes" seems like an obvious choice and when we view it we do get information on GUIDs, especially for a note titled "Phishy Phish phish".

These would be the current GUID's though, so this is just another step forward in finding the answer. A content search for GUID "c80ab339-7bec-4b33-8537-4f5a5bd3dd25" in the Evernote brings back 4 hits, one of which seems the like a good place to hunt in:


Opening in Notepad++ and searching for the current GUID results in the following line:

2020-03-23 20:08:58.178 D/SyncService: {SyncServiceWorker-2} - GUIDSWAP: Uploaded new note (7605cc68-8ef3-4274-b6c2-4a9d26acabf1 -> c80ab339-7bec-4b33-8537-4f5a5bd3dd25)

We can see that the GUID had changed to what it is currently from "7605cc68-8ef3-4274-b6c2-4a9d26acabf1", which is the flag we are looking for.

And that's it for the month of October and for Android questions, next week starts Linux!