10/27/2023 0 Comments Db browser for sqlite password![]() I was expected the output to be plaintext, but the same tutorial I had used mentioned that a Gzip file was outputted. ![]() Much to my surprise and anger, I revisited the problem a few days later because I knew I was close and realized what my mistake was. :(ĭefeated, I started trying to debug my code, knowing I had just run out of time. After installed the aes_key_wrap library, I had 3 minutes left until UIUCTF closed and I was **STRESSED**! I ran the code, only to get an error! I wasn't sure what had happened, so I tried to the password without the pipes (`||`), and only got gibberish. I then put the code into a file called crack.rb and replaced their data with the SQL output. For each step, I used the SQL queries outlined to extract the data needed for that step. The process to decrypt Apple notes was 3 fold - deriving the password-based key, unwrapping the decryption key, and finally decrypting the data. I had never used Ruby before, but he gave us all the code, so I knew I just needed to plug-and-play. Doing some further research led me to ( ) in Ruby. I opened up NoteStore.sqlite in DB Browser and realized that one of the notes was titled "Secret Plan" - so they *DID* use Apple Notes! What a shame!Īt this point, I only had 45 minutes left until the competition closed, so I knew I needed to work fast! The last task was to take this NoteStore.sqlite file and the password and decrypt the note, giving us (hopefully) the flag. While this was intended for brute forcing the password to notes and used a commercial version of software I didn't have, I still was able to locate `NoteStore.sqlite` which held the encrypted note. Regardless, I did some Googling and came across a ( ). No one *ever* uses the default application for stuff like that! Could they really?" Idk, maybe it's just cause I have an Android \o/. My first thought was, "It can't be Apple Notes. I opened up `netusage.db` in DB Browser again, and was looking through all sorts of applications when apple.mobilenotes stood out to me. ![]() ![]() As I was scrolling through that list, `netusage.db` caught my eye - Red had to receive the note from Blue over the Internet in *SOME* form, so maybe looking at network usage logs would help me figure out how. While solving Tablet 1, I put the entire filesystem they gave us into Autopsy, and one of the results included a list of all the database files found. The last text sent was `The password is We had the password, we now needed to get the note. It also hinted the existence of an encrypted note, but nothing as to where it was or how they sent the note. One of the tables was `cfurl_cache_receiver_data_`, and it included a transcription of the conversation between Red and Blue. I went to the /mobile/Containers/Data/Application/0CE5D539-F72A-4C22-BADF-A02CE5A50D2E/Library/Caches// and opened the cache.db file using ( ). One of my teammates mentioned he found a password in Discord messages but nothing else, so I knew he was on the right track. mobile/Containers/Data/Application/AA7DB282-D12B-4FB1-8DD2-F5FEF3E3198B/Library/Application\ Support/ iname *hammerandchisel* -type d 2>/dev/nullĬd. mobile/Containers/Data/Application/įind. While doing Tablet 1, I navigated to the `/root/` directory and opened the `.bash_history` file:Ĭd. With only 2 hours left in the competition, I decided to try my luck on this challenge. NOTE: Both Tablet challenges use the same file, which can be downloaded from Tablet 1. If you can find out what they are plotting. there are TWO impostors?! Red must have been in contact with the other impostor.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |