Ctfx [Forensics] - iTrash 100 points



I got locked out of my iTrash :(

1 2 3
4 5 6
7 8 9

Flag format: ctf(n-n-…-n)

link: https://mega.nz/#!6BEFAbpT!osYCbKNxHcwlqtJnhMuBe4tiG2CFAcx9sZCXD9eDjSg

The description of the problem is clear: we need to find the Android pattern lock key combination.

After unzipping the file we find a bunch of .img files, so the next step is to mount the Android file system:


kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo mkdir /mnt/0
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo mkdir /mnt/1
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo mkdir /mnt/2
kinyabitch@Debian ~/h/c/c/f/i/iTrash> ls
cache.img config.ini emulator-user.ini hardware-qemu.ini userdata.img userdata-qemu.img
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo fdisk -l userdata.img
Disk userdata.img: 550 MiB, 576716800 bytes, 1126400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo fdisk -l userdata-qemu.img
Disk userdata-qemu.img: 550 MiB, 576716800 bytes, 1126400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo mount -o loop userdata-qemu.img /mnt/0/
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo fdisk -l userdata.img
Disk userdata.img: 550 MiB, 576716800 bytes, 1126400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo mount -o loop userdata.img /mnt/1/
kinyabitch@Debian ~/h/c/c/f/i/iTrash> sudo mount -o loop cache.img /mnt/2/

After mounting the images we need to find a file named “gesture.key”:


kinyabitch@Debian /mnt> sudo find . -name 'gesture.key'
[sudo] password for kinyabitch:
./0/system/gesture.key

So our file is located in the system/ folder:


kinyabitch@Debian /m/0/system> cat gesture.key | xxd -p
c4bca3d13ba42982f6ee402262e2059c082bfce3

What we get is a hash which, according to the documentation, is SHA-1. Since there is only a very finite number of possible pattern combinations, and Android does not salt this hash, it does not take long to generate a dictionary containing the hashes of all possible sequences from 0123 to 876543210. I found one such dictionary online; you can download it here (http://www.mediafire.com/download/qs0sq5h8e2ly8jg/SHA1-android-pattern.rar)
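To see why the dictionary approach works, here is an added example (not code from the original write-up) that rebuilds the whole gesture.key dictionary in Python. It assumes the gesture.key format described here (used by Android up to 5.x): the file is the unsalted SHA-1 of the pattern's node indices (0 to 8, one byte each), and a pattern is 4 to 9 distinct nodes that never jump over a node that has not been visited yet. That leaves only 389,112 valid patterns, so the full table is rebuilt in well under a second, which is the entire weakness this challenge relies on.

```python
import hashlib

# Node pairs whose straight line crosses a third node; a move between them is
# only allowed once that middle node has already been visited.
MIDDLE = {
    (0, 2): 1, (3, 5): 4, (6, 8): 7,   # rows
    (0, 6): 3, (1, 7): 4, (2, 8): 5,   # columns
    (0, 8): 4, (2, 6): 4,              # diagonals
}
MIDDLE.update({(b, a): m for (a, b), m in list(MIDDLE.items())})

def is_valid_pattern(nodes):
    """4 to 9 distinct nodes, never jumping over an unvisited middle node."""
    if not 4 <= len(nodes) <= 9 or len(set(nodes)) != len(nodes):
        return False
    seen = set()
    for a, b in zip(nodes, nodes[1:]):
        seen.add(a)
        m = MIDDLE.get((a, b))
        if m is not None and m not in seen:
            return False
    return True

def gesture_hash(nodes):
    """What gesture.key holds: unsalted SHA-1 over the node indices as raw bytes."""
    return hashlib.sha1(bytes(nodes)).hexdigest()

def build_table():
    """Enumerate every valid pattern by depth-first search: hash -> pattern."""
    table = {}

    def walk(prefix, seen):
        if len(prefix) >= 4:
            table[gesture_hash(prefix)] = list(prefix)
        for nxt in range(9):
            m = MIDDLE.get((prefix[-1], nxt))
            if nxt in seen or (m is not None and m not in seen):
                continue
            walk(prefix + [nxt], seen | {nxt})

    for start in range(9):
        walk([start], {start})
    return table

def lookup(table, hex_hash):
    """Recover the pattern behind a gesture.key hash, or None if it is unknown."""
    return table.get(hex_hash.strip().lower())
```

Calling `lookup(build_table(), "c4bca3d13ba42982f6ee402262e2059c082bfce3")` with the hash extracted above reproduces the rainbow-table query from the write-up without downloading anything.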


kinyabitch@Debian ~/h/c/c/f/itrash> unrar e SHA1-android-pattern.rar

UNRAR 5.30 beta 2 freeware Copyright (c) 1993-2015 Alexander Roshal


Extracting from SHA1-android-pattern.rar

password: www.marw0rm.com

Enter password (will not be echoed) for GestureRainbowTable.db:

Extracting GestureRainbowTable.db OK
All OK

kinyabitch@Debian ~/h/c/c/f/itrash> sqlite3 GestureRainbowTable.db
SQLite version 3.14.1 2016-08-11 18:53:32
Enter '.help' for usage hints.
sqlite> .tables
RainbowTable
sqlite> select * from RainBowTable where hash = 'c4bca3d13ba42982f6ee402262e2059c082bfce3'
...> ;
c4bca3d13ba42982f6ee402262e2059c082bfce3|[6, 4, 7, 3, 8, 5, 0, 1, 2]

Swiping your finger through the nodes in that order gets you into the Android device!

Finally the flag is ctf(6, 4, 7, 3, 8, 5, 0, 1, 2).

For more detailed information on this subject you can read this article: http://resources.infosecinstitute.com/android-forensics-cracking-the-pattern-lock-protection/