Flash CTF – Browser, Wowser

In this challenge, we’re given a SQLite database file that stores a user’s browser history. We need to forensically analyze this file to find any “suspicious activity”.

Solution

If we want to keep things short, we can run strings on the places.sqlite file and grep the output for the flag format. The flag turns up embedded in a URL:

┌──(kali㉿kali)-[~/Desktop]
└─$ strings places.sqlite | grep MetaCTF{
        https://docs.google.com/document/d/MetaCTF{sqlite_1snt_4_f1gh7}Very Private Document - Google Docsmoc.elgoog.scod.b

For a proper forensic analysis of this file, it helps to know that most modern browsers, such as Google Chrome and Firefox, store their data across several tables in SQLite database files. That data can include bookmarks, downloads, form and login entries, browsing history, and other session data.

To view the tables and records stored in the database, we can open the file in the SQLite Data Browser. We see a number of tables whose names all start with the prefix “moz”, indicating that we’re dealing with a database file from Mozilla Firefox. The table we’re looking for is named moz_places, which stores a record for every website the user has visited. Searching the records for the flag prefix MetaCTF{ brings up the same Google Docs URL that contains the flag:

MetaCTF{sqlite_1snt_4_f1gh7}
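The same moz_places search done programmatically, as an added example that is not part of the original writeup: it builds a constructed places.sqlite containing a minimal moz_places table (url, title, rev_host, visit_count and last_visit_date are real Firefox column names; the three rows are made up, with the flag value taken from the challenge), opens it read-only as a forensic copy should be, and returns every row whose URL or title matches the flag format. The reversed hostname seen in the strings output above (moc.elgoog.scod.) is Firefox's rev_host column.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

FLAG_RE = re.compile(r"MetaCTF\{[^}]*\}")

# Constructed sample history: (url, title, rev_host, visit_count, last_visit_date in microseconds)
SAMPLE_ROWS = [
    ("https://www.mozilla.org/en-US/", "Mozilla", "gro.allizom.www.", 3, 1600000000000000),
    ("https://docs.google.com/document/d/MetaCTF{sqlite_1snt_4_f1gh7}",
     "Very Private Document - Google Docs", "moc.elgoog.scod.", 1, 1600000100000000),
    ("https://example.com/search?q=cats", "cats - Example", "moc.elpmaxe.", 5, 1600000200000000),
]

def build_sample_places(path: str) -> None:
    """Create a constructed places.sqlite with only the moz_places columns this check needs."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "rev_host TEXT, visit_count INTEGER, last_visit_date INTEGER)")
    con.executemany("INSERT INTO moz_places (url, title, rev_host, visit_count, last_visit_date) "
                    "VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()

def find_flags(path: str) -> list:
    """Return (url, title, flag) for every history row whose url or title contains a flag."""
    # mode=ro keeps the evidence file unmodified while we query it
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    hits = []
    query = "SELECT url, title FROM moz_places ORDER BY last_visit_date"
    for url, title in con.execute(query):
        match = FLAG_RE.search(url) or FLAG_RE.search(title or "")
        if match:
            hits.append((url, title, match.group(0)))
    con.close()
    return hits

def demo() -> list:
    """Build the sample database in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "places.sqlite")
        build_sample_places(db)
        return find_flags(db)

if __name__ == "__main__":
    for url, title, flag in demo():
        print(f"{flag}  <-  {url}  ({title})")
```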