Writeup - Secr3tMgr - Forensic - Insomnihack 2017

I was at the Insomni'hack 2017 CTF onsite event in Geneva (Friday 24 March 18:00 — Saturday 25 March 04:00) with another member of our CTF team Beer4Flags, and 3 friends of berurier. We finished at the 28th place :].

I present here a writeup of the forensic Android challenge : Secr3tMgr.

Task :

...Waiting for tasks release but I have a file Secr3tMgr_680932f10ed4bb347dec46bdd8a34de487df1d13.tar.bz2 and a clue that the password is in the format INS{XXXXX}...

I start by looking at the files I have :

By doing some research I find this great pdf Live_Memory_Forensics_on_Android_with_Volatility.pdf explaining how to create a profile in volatility :

With a bit of research I succeed :

From here, I can begin to study the dump with volatility, starting by listing the available plugins :

$ volatility -f i9100-CM.bin --profile=LinuxandroidARM -h

The goal is to retrieve the lockscreen password.

Maybe it's a simple schema we can retrieve from /data/system/gesture.key with this tool : androidpatternlock

It's a fail, the hash in gesture.key represent an empty string.

The file corresponding to the Android password is in the folder /data/system/password.key

I extract all the system files using the linux_recover_filesystem plugin and I look for the file password.key :

Searching on the internet I find that the hexadecimal string of 72 bytes corresponds to the concatenation of the sha1(password + salt) and the md5(password + salt):

sha1(password+salt)                       md5(password+salt)
A66A4A34A78AEC1A7058C8FA3BB3B0F1CC537DD0  42F0F3F909F87D0706DCF139AB37F86E

So, now I have to find the salt.
In this version of Android I can find it in the sqlite database locksettings.db :

Be carreful, if you try to format the output sqlite ( "sqlite> .mode col" and "sqlite> .headers on") the salt will be truncate and no longer valid.

Before trying to bruteforce the password I find the device password policy in the device_policies.xml file :

I know now that I have to find a password of 10 chars with 5 Uppercases, 2 lowercases, 1 numeric and 2 symbols.

I understand more than One hour later that it correspond to the INS{XXXXX} in the task presentation.

The last part is to brutefoce the 5 chars with the good mask.
For this I use hashcat and for rapidity reason I choose to attack the md5 hash. I concatenate the hash and the hexadecimal value of the decimal salt and I run hashcat with a custom charset :

hashcat command explication :

hashcat -m 10 -a 3 hash -1 ?l?u?d INS{?1?1?1?1?1}  
  -m 10 : hash type 10 = md5($pass.$salt) 
  -a 3 : bruteforce attack
  hash : file whithe the md5 hash + salt
  -1 ?l?u?d : custom charset with lowercase, Uppercase and decimal
  INS{?1?1?1?1?1} : I know the password format : INS{XXXXX}

\o/ I have the password/flag INS{t1MmY}, great challenge ! great contest, thank you Insomni'Hack !