Dear readers,

Today’s post is on a mobile challenge, Cat, which was release in 21st March 2020. This challenge introduce the concept of ADB backup via analyzing .ab file so read on if you are interested. Let’s dive straight to it.

File given

There is only one file being given for the challenge which is cat.ab (you can download the file here). An .ab file is a system backup using Android Debug Bridge (adb). To see the content, we can directly extract the content using the Android Backup Extractor tool. This can be done using the following command to extract the content:

java -jar abe.jar unpack cat.ab <convertedBackup.zip>

No password is required as no password was being set by the creator this challenge. I set the output to result.zip hence all the content is in result folder. You will be able to see the original cat.ab and the result folder provided in the link later.

Flag obtained

Once you extracted the ZIP file, you will see a brunch of folders (see Fig 3a). We are only interested in shared folder as there is where the flag is.

Navigate the folders until you reached the Pictures folder using through the following path: shared > 0 > Pictures.

Inside the Pictures folder, you will see a branch of photos. Open up IMAG0004.jpg.

Zoom in to the bottom of the paper the guy is holding onto. You will see the flag there.

Flag: HTB{ThisBackupIsUnprotected}

You can download the files for the CTF as well as the extracted files here.

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here. 🙂