/ctfs/p'hack ctf - 2021/forensic/android cloud


We need to crack the pattern, Luckily, I found found a backup.php endpoint wich leaks lot of informations:

Apparently, we can access a backup file, we just need to brute force the name since it's base on date.
#!/usr/bin/env python3

import requests as rq
import sys

HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
#http://android-cloud.phack.fr/dev-backups/backup@29-02-2021.zip

def send_path(m,j):
    URL="http://android-cloud.phack.fr/dev-backups/backup@%s-%s-2020.zip" % (m,j)
    print("Testign:", URL)
    resp = rq.get(url=URL,headers=HEADERS)
    if (resp.status_code != 404):
        print("FOUND !")
        exit(1)


def brute_force():
    for i in range(1,10):
        m = str(i)
        if (len(m) < 2):
            m = "0" + m
        for jr in range(1,31):
            jr = str(jr)
            if (len(jr) < 2):
                jr = "0" + jr
            send_path(m,jr)

if __name__ == "__main__":
    brute_force()


Great we can dowload the archive of the device'dump. Once it is done, we can crack the android lock pattern.


┌──[fey ☣️ ️ kali] ⚔ [master] 
└[~/CHALLS/CTF/PHACK/FORENSIC/android/android/data/system/androidpatternlock] = = = >  ./aplc.py ../gesture.key

################################
# Android Pattern Lock Cracker #
#             v0.2             #
# ---------------------------- #
#  Written by Chema Garcia     #
#     http://safetybits.net    #
#     chema@safetybits.net     #
#          @sch3m4             #
################################

[i] Taken from: http://forensics.spreitzenbarth.de/2012/02/28/cracking-the-pattern-lock-on-android/

[:D] The pattern has been FOUND!!! => 04137658

[+] Gesture:

  -----  -----  -----
  | 1 |  | 3 |  |   |  
  -----  -----  -----
  -----  -----  -----
  | 4 |  | 2 |  | 7 |  
  -----  -----  -----
  -----  -----  -----
  | 6 |  | 5 |  | 8 |  
  -----  -----  -----

Let's try it online !

Nice ! This was a funny challenge !!!