Tablet 2

Description

Wait... there are TWO impostors?! Red must have been in contact with the other impostor. See if you can find out what they are plotting.

NOTE: Both Tablet challenges use the same file, which can be downloaded from Tablet 1.

author: WhiteHoodHacker

Solution

While doing Tablet 1, I found that the user has installed Discord as well, so I shall check that out.

While using iLEAPP, I found that the Discord directory is located at

/private/var/mobile/Containers/Data/Application/0CE5D539-F72A-4C22-BADF-A02CE5A50D2E

After exploring, I found that the chat cache is located at ~/Library/Cache/com.hammerandchisel.discord/Cache.db.

The data is stored in the table cfurl_cache_receiver_data.

There are 4 rows of data, but the 3rd row looked the most interesting, so I took a look and realised that it is a history of the chats in JSON. I took out the main points and here is the summary of the chat.

RedAmogus: Yo
RedAmogus: White is onto me… they kept calling me out last meeting
BlueAmogus: I'll deal with them, you just make sure this next sabotage goes to plan
BlueAmogus: I sent you an encrypted note with all the details
BlueAmogus: The password is ||su5Syb@k4||
RedAmogus: Ok
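The step above, pulling cached chat JSON out of cfurl_cache_receiver_data, can be scripted. This is an added example, not part of the original writeup: the column names (entry_ID, isDataOnFS, receiver_data) and the message fields (author.username, content, timestamp) are assumptions based on the usual NSURLCache and Discord API layouts, and the sample database is constructed.

```python
import json
import re
import sqlite3

def build_sample_cache():
    """Constructed stand-in for Cache.db (assumed NSURLCache table layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cfurl_cache_receiver_data "
               "(entry_ID INTEGER PRIMARY KEY, isDataOnFS INTEGER, receiver_data BLOB)")
    messages = [  # constructed sample, newest first as the Discord API returns them
        {"author": {"username": "UserB"}, "content": "The password is ||example-pass||",
         "timestamp": "2021-07-01T10:02:00+00:00"},
        {"author": {"username": "UserA"}, "content": "Yo",
         "timestamp": "2021-07-01T10:00:00+00:00"},
    ]
    rows = [
        (1, 0, b"\x89PNG\r\n\x1a\n"),                # binary response (image)
        (2, 1, b"constructed-file-name"),           # body stored on disk, not inline
        (3, 0, json.dumps(messages).encode()),      # cached message history
        (4, 0, json.dumps({"name": "general"}).encode()),  # JSON, but not a message list
    ]
    db.executemany("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?, ?)", rows)
    return db

def extract_messages(db):
    """Return (timestamp, username, content) tuples from cached message lists, oldest first."""
    found = []
    query = "SELECT isDataOnFS, receiver_data FROM cfurl_cache_receiver_data ORDER BY entry_ID"
    for on_fs, blob in db.execute(query):
        if on_fs or blob is None:
            continue  # payload is a file in the fsCachedData directory, not in this row
        try:
            body = json.loads(blob.decode("utf-8") if isinstance(blob, bytes) else blob)
        except ValueError:  # covers both bad UTF-8 and bad JSON
            continue
        if not isinstance(body, list):
            continue
        for msg in body:
            if isinstance(msg, dict) and "content" in msg and isinstance(msg.get("author"), dict):
                found.append((msg.get("timestamp", ""), msg["author"].get("username", "?"), msg["content"]))
    return sorted(found)

def spoilers(messages):
    """Text hidden behind Discord spoiler markup (||...||), in message order."""
    return [s for _, _, content in messages for s in re.findall(r"\|\|(.+?)\|\|", content)]

if __name__ == "__main__":
    for ts, user, content in extract_messages(build_sample_cache()):
        print(ts, user + ":", content)
```

To run it against a real extraction, replace build_sample_cache() with sqlite3.connect() on a working copy of Cache.db.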

There are some points that I have to take note of. The BlueAmogus user states that he has sent RedAmogus an encrypted note with all the details and the password is su5Syb@k4.

This gave us some idea on where to inspect next. With this, I decided to take a look at the Apple Notes directory.

The iLEAPP tool made it so much easier to locate the Apple Notes.

Yup, I was right. So let's explore that.

After further research, I found that Apple stores the data in the NoteStore.sqlite file. I then used Apple Notes Parser which made things easier.

After running the SQLite file through Apple Notes Parser, with the password we found earlier, su5Syb@k4, I was able to decrypt the Apple Notes and read the information.

Tada! We got the flag!

Flag: uiuctf{wh3n_the_imp0stors_4re_su5_305da9}
