# Tablet 2 ## Description {% hint style="info" %} Wait... there are TWO impostors?! Red must have been in contact with the other impostor. See if you can find out what they are plotting. NOTE: Both Tablet challenges use the same file, which can be downloaded from `Tablet 1`. **author**: WhiteHoodHacker {% endhint %} ## Solution While doing tablet 1, I found that the user has installed discord as well so I shall check that out. While using iLEAPP, I found that the discord directory is located at `/private/var/mobile/Containers/Data/Application/0CE5D539-F72A-4C22-BADF-A02CE5A50D2E` After exploring, I found that the Chat cache is located at `~/Library/Cache/com.hammerandchisel.discord/Cache.db`. The contents of the data are located at the table cfurl\_cache\_receiver\_data. There are 4 rows of data but the 3rd row looks the most interesting so I took a look at realised that it is a history of the chats in JSON. I took out the main points and here is the summary of the chat. ``` RedAmogus: Yo RedAmogus: White is onto me… they kept calling me out last meeting BlueAmogus: I'll deal with them, you just make sure this next sabotage goes to plan BlueAmogus: I sent you an encrypted note with all the details BlueAmogus: The password is ||su5Syb@k4|| RedAmogus: Ok ``` There are some points that I have to take note. The BlueAmongus user states that he has sent the RedAmogus an encrypted note with all the details and the password is `su5Syb@k4`. This gave us some idea on where to inspect next. With this, I decided to take a look at the apple notes directory. With the iLEAPP tool, it made it so much easier to locate the apple notes. ![](https://1580924033-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgDwQZFLcCbQbagjl_W%2F-MgErISlPV8wbqBAvEMX%2F-MgEuWljPF7AKKksidfE%2Fimage.png?alt=media\&token=e26e3a75-fb91-4633-bd31-92ce52092c1e) Yup, I was right. So let's explore that. After further research, I found that Apple stores the data in the NoteStore.sqlite file. I then used[ Apple Notes Parser](https://github.com/threeplanetssoftware/apple_cloud_notes_parser) which made things easier. After running the SQLite file through Apple Notes Parser, with the password we found earlier, su5Syb\@k4, I am able to decrypt the Apple notes and read the information. ![](https://1580924033-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgDwQZFLcCbQbagjl_W%2F-MgErISlPV8wbqBAvEMX%2F-MgEvdCc2D81-44YRYC1%2Fimage.png?alt=media\&token=d6e9b835-beee-4e5f-a2d6-09ec0d752cf6) Tada! We got the flag! **Flag: uiuctf{wh3n\_the\_imp0stors\_4re\_su5\_305da9}** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sebastian-yii-xh.gitbook.io/seabase-atlantic-space/ctf-2021/uiuctf-2021/tablet-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.