HACK.LU CTF – ROBOT PLANS – WRITEUP

The “Robot Plans” challenge was as follows:

The link yields a file containing an Android backup. Extracting the files and looking at the files listed in order of recent modification yields these “interesting files.”

Looking at the seemingly randomly named files located in the /data/backup folder gave what appeared to be SHA1 hashes. I tired to run some of these through CUDA Hashcat with no love. There were 30 of them total, all modified within a few minutes of each other. I did not see how they were pertinent yet. The wifi pre-shared keys and SSIDs in wpa_supplicant.conf were entertaining, but none of them were particularly useful.

More interesting was the gesture.key file which is located in /data/system. Normally, this file contains the pattern-based unlock sequence used to secure the phone’s lock screen. Typically the lock sequence is stored as a SHA1 hash of the bytes 01, 02, 03, 04, 05, 06, 07, 08 where each “digit” maps to a dot in the lock screen. So for instance the dots are numbered as follows. Also, a normal pattern like below would be the hashed bytes 00 03 06 07 08.

lock

However, in this challenge, the gesture.key only contained: “h.a.h.a.c.a.n.t.g.e.t.m.e.i.m.a.d.e.b.a.c.k.u.p.z.z.” Hmm.. backupzz? This brought me back to those SHA1 hashes in the backup folder. I pulled them all out and put them in order from oldest to newest. There were 30 hashes, of which 7 were unique. Believing that these were gesture hashes, I tailored Hashcat to run against the hashes. Specifically running Hashcat against a keyspace of hex 00 through 08.

./<hashcat> -m 100 -a 3 -o key hash –hex-charset -1 000102030405060708

This broke all 7 hashes in just a few seconds.

From there I took each sequence and drew them over top of the android lock-dots as above. Hoping this would yield some kind of message. What I found were numbers. The results are pictured below:

Below is how each sequence looked: