Investigator – Hack The Box – @lautarovculic

Difficult: Medium

Category: Mobile

OS: Android

Description: In one of the mobile forensics investigations we encountered, our agent gave us these files and told us that their owner using one password for almost everything. Can you extract the flag from the secret messages?

Download the .zip file and extract the content with the hackthebox password.

Inside, there are a folder and an .ab file

				
					drwx------ lautaro lautaro 4.0 KB Wed Sep 14 22:37:00 2022  system
.rw-r--r-- lautaro lautaro 6.5 MB Wed Sep 14 22:23:36 2022  backup.ab
				
			

An .ab file is a backup for Android.

We can use adb for restore it

				
					adb restore backup.ab
				
			

But we need a password

Note: You need android 5.0

Let’s check the system folder.

We have some interesting files:

				
					.rw-r--r-- lautaro lautaro  20 B  Wed Sep 14 22:33:47 2022 󰌆 gesture.key
.rw-r--r-- lautaro lautaro  20 KB Wed Sep 14 22:34:34 2022  locksettings.db
.rw-r--r-- lautaro lautaro  72 B  Wed Sep 14 22:33:47 2022 󰌆 password.key
.rw-r--r-- lautaro lautaro 228 B  Wed Sep 14 22:33:47 2022  device_policies.xml
				
			

The password.key have this content

				
					E135432C47718760B2FD7AF5CFF7A7608A926ED6B5515B7D0DB34FF62F5C388A88B1665C
				
			

And in locksettings.db we can found

				
					6|lockscreen.password_salt|0|6675990079707233028
				
			

Where 6675990079707233028 is a salt.

In devices_policies.xml

				
					<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<policies setup-complete="true">
<active-password quality="262144" length="5" uppercase="0" lowercase="5" letters="5" numeric="0" symbols="0" nonletter="0" />
</policies>
				
			

We can conclude that the password for restore the backup file is 5 lowercase letters of 5 digits.

The gesture.key is a file for set/get the gesture patron, but we don’t need that in this escenario.

Normally, in the backup files on Android 5.0, the password.key file are a combination of SHA1 and MD5 uppercased.

The first segment is an SHA1 and the rest is MD5.

SHA1

				
					e135432c47718760b2fd7af5cff7a7608a926ed6
				
			

MD5

				
					b5515b7d0db34ff62f5c388a88b1665c
				
			

Then, now for get the real salt we need convert the decimal value (6675990079707233028) to hex.

				
					def decimal_to_hex(decimal):
    hex_value = hex(decimal)[2:]
    return hex_value

salt_decimal = 6675990079707233028

salt_hex = decimal_to_hex(salt_decimal)

print("Salt (hex):", salt_hex)
				
			

Output:

				
					5ca5e19b48fb3b04
				
			

Then we can crack with hashcat this sha1:salt hash

				
					e135432c47718760b2fd7af5cff7a7608a926ed6:5ca5e19b48fb3b04
				
			
				
					hashcat -m 110 hash.txt -a3 "?l?l?l?l?l"
				
			

-m 110 = sha1($pass.$salt)

-a3 = bruteforce

“?l?l?l?l?l” = 5 chars lowercase.

Hash cracked:

				
					e135432c47718760b2fd7af5cff7a7608a926ed6:5ca5e19b48fb3b04:dycpr
				
			

Then, the password for extract the backup.ab file is dycpr

We can use this tool

For extract the backup content to our directory and work in our desktop environmet.

				
					java -jar abp.jar unpack backup.ab backupOutput.tar dycpr
				
			

The abp.jar file is in

				
					/android-backup-processor/executable
				
			

Now let’s work with the .tar file

We get two folders, shared and apps.

We can see that WhatsApp is in the folder shared

				
					/shared/0/WhatsApp/Databases
				
			

And there are an file: msgstore.db.crypt14

This is the WhatsApp database cypher in crypt14.

We need a key, that is stored in

				
					/apps/com.whatsapp/f/key
				
			

I found this tool

You can install it with pip

				
					pip install git+https://github.com/ElDavoo/wa-crypt-tools
				
			

And then

				
					wadecrypt key msgstore.db.crypt14 msgstore.db
				
			

With sqlite3 we can dump the tables.

				
					sqlite> .tables
				
			

We can see message table

				
					sqlite> select * from message;
1|-1|0|-1||||||||||-1||||||0
15|2|1|CEB7EDD170A2A49DDD78622E8C0F1EA7|0|6|0|0||0|0|1663204120140|0|-1|7||0|0|0|15
16|2|1|4ED16892285DD5E9B810E2FAF0257660|0|13|0|0||0|0|1663204155269|0|1663204155000|0|Hi|0|0|0|16
17|2|0|6B88D4F12763BBA948C75EB675606226|0|0|0|0||0|0|1663204161000|1663204162013|-1|0|Error(403):
Incorrect identifier, try again...|0|0|0|17
18|2|1|7E9ADD9D0376ACE6A4D59D149EB1038E|0|13|0|0||0|0|1663204210685|0|1663204210000|0|Hi0o0|0|0|0|18
19|2|0|1D9BE5BB583B2D3B147056F1B41BFD11|0|0|0|0||0|0|1663204216000|1663204216493|-1|0|OK:
Enter your password|0|0|0|19
20|2|1|10097BEF5E4BA51A9BE64A47DC1B6ABE|0|13|0|0||0|0|1663204577005|0|1663204577000|0|dycpr|0|0|0|20
21|2|0|C7947CD8CA0646E40A7B24CFB50B4C8F|0|0|0|0||0|0|1663204586000|1663204586692|-1|0|OK:
Here is your secret
HTB{M0b1l3_*************_<3}|0|0|0|21
sqlite>
				
			

And we get the flag

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *