BSidesSF 2018 CTF — Android Reversing / Forensic Challenge

Anto Joseph
3 min read · Apr 17, 2018


Download the required files for this challenge from the GitHub page below.

Step 1: Identify the file type of the “Password Vault disk image”:

file file_name

Step 2: The file is identified as XZ compressed data; decompress it with the following command:

xz -d filename.xz

Step 3: Running the ‘file’ command again on the decompressed output, we find that we have a FAT filesystem image.

Step 4: I used fatcat to explore the filesystem:

https://github.com/Gregwar/fatcat

[Screenshot: using fatcat to explore the filesystem]

The -l switch lists a directory inside the image, -d includes deleted entries in that listing, and -r reads a file out of the image. Listing the image, you will locate the .git folder containing git artifacts.

Using the ‘-d’ switch, we have managed to list a deleted file. Deleting a file on FAT only overwrites the first byte of its directory entry with 0xE5 and frees its clusters in the FAT; the data itself stays on disk until something overwrites it, which is why the file can still be read.
We have the password!
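As an added example (not code from the original post, from fatcat, or from the challenge), here is a minimal FAT12 root-directory walker in Python that does what `fatcat -l -d` and `fatcat -r` do in this step and shows why the deleted file is still readable. It parses a small volume it builds in memory; the geometry, file names and file contents are constructed for the example and are not the challenge's.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5      # first name byte of a deleted directory entry
ATTR_DIR = 0x10
ATTR_LFN = 0x0F     # VFAT long-file-name pseudo-entry, skipped here
EOC = 0xFF8         # FAT12 values >= 0xFF8 mark end of chain

README_TEXT = b"nothing to see here\n"                    # constructed sample data
SECRET_TEXT = b"vault password: correct-horse-battery\n"  # constructed sample data

def fat12_get(buf, base, n):
    """Read FAT12 entry n (12 bits, packed 1.5 bytes per entry)."""
    u16 = struct.unpack_from("<H", buf, base + n * 3 // 2)[0]
    return u16 & 0x0FFF if n % 2 == 0 else u16 >> 4

def fat12_set(buf, base, n, val):
    off = base + n * 3 // 2
    u16 = struct.unpack_from("<H", buf, off)[0]
    u16 = ((u16 & 0xF000) | val) if n % 2 == 0 else ((u16 & 0x000F) | (val << 4))
    struct.pack_into("<H", buf, off, u16)

def dir_entry(name, attr, first_cluster, size):
    # 32-byte 8.3 directory entry; reserved area, time and date left zero
    return struct.pack("<11sB10sHHHI", name, attr, b"\0" * 10, 0, 0, first_cluster, size)

def build_demo_image():
    """Constructed FAT12 volume: 512-byte sectors, 1 sector/cluster, 1 reserved
    sector, 1 FAT of 1 sector, 16 root entries, 8 sectors in total."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 1, 1, 1, 16, 8, 1
    img = bytearray(bps * total)
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats, root_entries, total, 0xF8, spf)
    fat_off, root_off, data_off = 512, 1024, 1536   # follows from the geometry above
    for n, val in ((0, 0xFF8), (1, 0xFFF), (2, 0xFFF)):  # media byte, reserved, README = 1 cluster
        fat12_set(img, fat_off, n, val)
    # Live file README.TXT in cluster 2.
    img[root_off:root_off + 32] = dir_entry(b"README  TXT", 0x20, 2, len(README_TEXT))
    img[data_off:data_off + len(README_TEXT)] = README_TEXT
    # PASSWORD.TXT in cluster 3, then deleted: the driver only overwrites the first
    # name byte with 0xE5 and frees its FAT entry (left 0 above). The data is untouched.
    img[root_off + 32:root_off + 64] = dir_entry(b"\xe5ASSWORDTXT", 0x20, 3, len(SECRET_TEXT))
    img[data_off + 512:data_off + 512 + len(SECRET_TEXT)] = SECRET_TEXT
    return img

def parse_geometry(img):
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    return {"cluster": spc * bps, "fat_off": fat_off, "root_off": root_off,
            "root_entries": root_entries, "data_off": root_off + root_entries * ENTRY_SIZE}

def list_root(img, geo, include_deleted=False):
    """Walk the root directory; roughly `fatcat -l /`, plus -d when include_deleted."""
    entries = []
    for i in range(geo["root_entries"]):
        off = geo["root_off"] + i * ENTRY_SIZE
        raw = bytes(img[off:off + ENTRY_SIZE])
        if raw[0] == 0x00:
            break                                   # no entries beyond this point
        name, attr, _, _, _, first, size = struct.unpack("<11sB10sHHHI", raw)
        if attr == ATTR_LFN:
            continue
        deleted = name[0] == DELETED
        if deleted:
            if not include_deleted:
                continue
            name = b"?" + name[1:]                  # the first character is lost on deletion
        base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
        entries.append({"name": base + ("." + ext if ext else ""), "deleted": deleted,
                        "is_dir": bool(attr & ATTR_DIR), "first": first, "size": size})
    return entries

def cluster_chain(img, geo, first):
    chain, n = [], first
    while 2 <= n < EOC:                             # 0 (freed) or >= 0xFF8 (end) stops us
        chain.append(n)
        n = fat12_get(img, geo["fat_off"], n)
    return chain

def read_file(img, geo, entry):
    """Roughly `fatcat -r`. A deleted file has no FAT chain left, so its clusters
    are assumed contiguous from the first cluster the entry still records."""
    cl = geo["cluster"]
    if entry["deleted"]:
        clusters = list(range(entry["first"], entry["first"] + -(-entry["size"] // cl)))
    else:
        clusters = cluster_chain(img, geo, entry["first"])
    data = b"".join(bytes(img[geo["data_off"] + (c - 2) * cl:geo["data_off"] + (c - 1) * cl])
                    for c in clusters)
    return data[:entry["size"]]

def recover_deleted(img):
    """Name -> content for every deleted root-directory file still recoverable."""
    geo = parse_geometry(img)
    return {e["name"]: read_file(img, geo, e)
            for e in list_root(img, geo, include_deleted=True) if e["deleted"]}
```

Calling `recover_deleted(build_demo_image())` returns `{"?ASSWORD.TXT": SECRET_TEXT}`: the entry is listed with its first character replaced because that byte is gone, but the content comes back intact. The contiguity assumption in `read_file` is the real-world caveat: once a deleted file's FAT chain is cleared, a multi-cluster file that was fragmented cannot be reassembled from the directory entry alone, and its clusters may already have been reused.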

If you look at the git log, you will find an interesting commit.

Let us check out the “Temp test file” commit…

As expected, that commit contains a vault.db file; we now have the encrypted version of the FLAG.

Now, let us take a look at the Android app. Decompiling it, we can see its encryption/decryption routines. I used jadx-gui to decompile and understand the inner workings of the app.

At this point, you can either hook the decryption method with Frida to get the FLAG or write five lines of code that reimplement it. I used the password we found earlier as the key to decrypt the FLAG.

The Android source code for this project is available in my GitHub repo here.

Hurray! The flag is: CashInTheSafeIDontFeelThePressure
