Investigator – Hack The Box – @lautarovculic

investigator writeup

Difficult: Medium

Category: Mobile

OS: Android

Description: In one of the mobile forensics investigations we encountered, our agent gave us these files and told us that their owner using one password for almost everything. Can you extract the flag from the secret messages?

Download the .zip file and extract the content with the hackthebox password.

Inside, there are a folder and an .ab file

					drwx------ lautaro lautaro 4.0 KB Wed Sep 14 22:37:00 2022  system
.rw-r--r-- lautaro lautaro 6.5 MB Wed Sep 14 22:23:36 2022  backup.ab

An .ab file is a backup for Android.

We can use adb for restore it

					adb restore backup.ab

But we need a password

Note: You need android 5.0

Let’s check the system folder.

We have some interesting files:

					.rw-r--r-- lautaro lautaro  20 B  Wed Sep 14 22:33:47 2022 󰌆 gesture.key
.rw-r--r-- lautaro lautaro  20 KB Wed Sep 14 22:34:34 2022  locksettings.db
.rw-r--r-- lautaro lautaro  72 B  Wed Sep 14 22:33:47 2022 󰌆 password.key
.rw-r--r-- lautaro lautaro 228 B  Wed Sep 14 22:33:47 2022  device_policies.xml

The password.key have this content


And in locksettings.db we can found


Where 6675990079707233028 is a salt.

In devices_policies.xml

					<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<policies setup-complete="true">
<active-password quality="262144" length="5" uppercase="0" lowercase="5" letters="5" numeric="0" symbols="0" nonletter="0" />

We can conclude that the password for restore the backup file is 5 lowercase letters of 5 digits.

The gesture.key is a file for set/get the gesture patron, but we don’t need that in this escenario.

Normally, in the backup files on Android 5.0, the password.key file are a combination of SHA1 and MD5 uppercased.

The first segment is an SHA1 and the rest is MD5.





Then, now for get the real salt we need convert the decimal value (6675990079707233028) to hex.

					def decimal_to_hex(decimal):
    hex_value = hex(decimal)[2:]
    return hex_value

salt_decimal = 6675990079707233028

salt_hex = decimal_to_hex(salt_decimal)

print("Salt (hex):", salt_hex)



Then we can crack with hashcat this sha1:salt hash

					hashcat -m 110 hash.txt -a3 "?l?l?l?l?l"

-m 110 = sha1($pass.$salt)

-a3 = bruteforce

“?l?l?l?l?l” = 5 chars lowercase.

Hash cracked:


Then, the password for extract the backup.ab file is dycpr

We can use this tool

For extract the backup content to our directory and work in our desktop environmet.

					java -jar abp.jar unpack backup.ab backupOutput.tar dycpr

The abp.jar file is in


Now let’s work with the .tar file

We get two folders, shared and apps.

We can see that WhatsApp is in the folder shared


And there are an file: msgstore.db.crypt14

This is the WhatsApp database cypher in crypt14.

We need a key, that is stored in


I found this tool

You can install it with pip

					pip install git+

And then

					wadecrypt key msgstore.db.crypt14 msgstore.db

With sqlite3 we can dump the tables.

					sqlite> .tables

We can see message table

					sqlite> select * from message;
Incorrect identifier, try again...|0|0|0|17
Enter your password|0|0|0|19
Here is your secret

And we get the flag

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *