Cat - HackTheBox

Description

Forensics challenge involving an Android backup file. The challenge name "Cat Easy leaks" hints at cat photos and data leakage from unprotected mobile backups.

Analysis

Initial File Analysis

  1. Downloaded challenge.zip from HackTheBox
  2. Extracted with password "hackthebox" to get cat.ab file
  3. Identified file as Android Backup:
    • Version: 5
    • Compression: Yes
    • Encryption: No

Android Backup Format

Android backup files (.ab) have a short plain-text header (four newline-terminated lines, 24 bytes for this file) followed by zlib-compressed tar data:

ANDROID BACKUP
5
1
none
<zlib compressed tar data>

Solution

Step 1: Extract Android Backup

# Skip the 24-byte header and decompress the zlib payload into a tar archive
dd if=cat.ab bs=1 skip=24 | python3 -c "import zlib,sys; sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > cat.tar
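The one-liner above hard-codes the 24-byte offset. An added example (my script, not part of the original writeup) that parses the header fields shown above instead, refuses to touch the payload when the encryption line is anything other than "none", and only then inflates the zlib data into a tar archive. The `build_sample_backup` helper constructs a tiny unencrypted backup in memory so the parser can be exercised without the challenge file; the member names it uses are made up.

```python
#!/usr/bin/env python3
"""Parse an Android backup (.ab) header and convert an unencrypted backup to tar.

Added example for this writeup, not the challenge author's script. Assumes the
header layout shown above: magic line, version, compression flag, encryption
method, each newline-terminated, followed by the (zlib-compressed) tar payload.
"""
import io
import sys
import tarfile
import zlib
from dataclasses import dataclass

MAGIC = b"ANDROID BACKUP\n"


@dataclass
class AbHeader:
    version: int
    compressed: bool
    encryption: str   # "none" for unencrypted backups
    header_len: int   # offset at which the payload starts (24 for "5/1/none")


def parse_header(data: bytes) -> AbHeader:
    """Read the four text lines of the header without assuming a fixed length."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup: bad magic")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    version, comp, enc = fields
    # For encrypted backups further header lines (salts, IV, key checksum)
    # follow; header_len is only meaningful when encryption == "none".
    return AbHeader(int(version), comp == "1", enc, pos)


def ab_to_tar(data: bytes) -> bytes:
    """Return the tar bytes of an unencrypted backup; raise if it is encrypted."""
    hdr = parse_header(data)
    if hdr.encryption != "none":
        raise ValueError(f"backup is encrypted ({hdr.encryption}); a password is required")
    payload = data[hdr.header_len:]
    return zlib.decompress(payload) if hdr.compressed else payload


def list_members(tar_bytes: bytes) -> list:
    """Sorted member names of an in-memory tar archive (for triage before extracting)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return sorted(m.name for m in tar.getmembers())


def build_sample_backup(files: dict, version: int = 5) -> bytes:
    """Constructed test data: a compressed, unencrypted .ab holding the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = MAGIC + f"{version}\n1\nnone\n".encode("ascii")
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    # usage: ab2tar.py cat.ab cat.tar
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as fh:
        raw = fh.read()
    hdr = parse_header(raw)
    print(f"version={hdr.version} compressed={hdr.compressed} encryption={hdr.encryption}")
    tar_bytes = ab_to_tar(raw)
    with open(dst, "wb") as fh:
        fh.write(tar_bytes)
    print("\n".join(list_members(tar_bytes)))
```

Listing the members before running `tar -xvf` is a cheap sanity check: archive entries with absolute paths or `..` components should not be extracted into a working directory unchecked.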

Step 2: Extract Tar Archive

tar -xvf cat.tar

Contents found:

  • Multiple Android app data directories
  • shared/0/Pictures/ with 6 cat photos (IMAG0001-IMAG0006.jpg)

Step 3: Analyze Extracted Data

Key findings:

  • Email [email protected] in contacts XML
  • 6 JPEG images of cats in Pictures folder
  • IMAG0004.jpg was notably larger (2MB, 2736x3648 resolution)

Step 4: Image Analysis

#!/usr/bin/env python3
from PIL import Image
import os

# Check image sizes: print pixel dimensions and on-disk size for each photo
for i in range(1, 7):
    img_path = f"shared/0/Pictures/IMAG000{i}.jpg"
    if os.path.exists(img_path):
        img = Image.open(img_path)
        size = os.path.getsize(img_path)
        print(f"IMAG000{i}.jpg: {img.size}, {size} bytes")

IMAG0004.jpg stood out as the largest file; on visual inspection it showed a person holding documents marked "TOP SECRET".
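The script above needs Pillow and only reports sizes. As an added example (mine, not the writeup author's), the following walks the JPEG marker segments with the standard library alone: it reads the pixel dimensions from the SOF marker, lists which metadata segments are present (Exif, XMP, IPTC, embedded comments), and flags files whose byte size is an outlier against the rest of the set, which is exactly how IMAG0004.jpg would surface. `build_sample_jpeg` constructs a minimal, non-displayable JPEG so the parser can be tested offline; the file sizes in the test are made-up values, not measurements from the challenge.

```python
#!/usr/bin/env python3
"""Stdlib-only JPEG triage: dimensions, metadata segments present, size outliers.

Added example for this writeup, not the author's script. Uses no Pillow.
"""
import statistics
import struct
import sys
from pathlib import Path

SOS, EOI = 0xDA, 0xD9
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers that carry no length field: SOI, EOI, RSTn, TEM
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes):
    """Yield (marker, payload) for every segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, b""
            pos += 2
            if marker == EOI:
                return
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:
            return                  # entropy-coded scan data follows
        pos += 2 + length


def inspect_jpeg(data: bytes) -> dict:
    """Return width/height and the metadata segments found before scan data."""
    info = {"width": None, "height": None, "metadata": []}
    for marker, payload in walk_segments(data):
        if marker in SOF_MARKERS:
            _precision, height, width = struct.unpack(">BHH", payload[:5])
            info["width"], info["height"] = width, height
        elif marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            info["metadata"].append("Exif")
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            info["metadata"].append("XMP")
        elif marker == 0xED and payload.startswith(b"Photoshop 3.0"):
            info["metadata"].append("IPTC")
        elif marker == 0xFE:        # COM: free-text comment, often overlooked
            info["metadata"].append("COM:" + payload.decode("latin-1", "replace"))
    return info


def find_size_outliers(sizes: dict, factor: float = 2.0) -> list:
    """Names whose byte size exceeds factor x the median size of the other files."""
    out = []
    for name, size in sizes.items():
        others = [s for n, s in sizes.items() if n != name]
        if others and size > factor * statistics.median(others):
            out.append(name)
    return sorted(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(width: int, height: int, comment: str = "") -> bytes:
    """Constructed minimal JPEG (headers only, not a viewable image) for testing."""
    parts = [b"\xff\xd8", _segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00")]
    if comment:
        parts.append(_segment(0xFE, comment.encode("latin-1")))
    sof0 = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    parts.append(_segment(0xC0, sof0))
    parts.append(_segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00" * 4 + b"\xff\xd9")
    return b"".join(parts)


if __name__ == "__main__":
    # usage: jpeg_triage.py shared/0/Pictures/IMAG000*.jpg
    paths = [Path(p) for p in sys.argv[1:]]
    sizes = {p.name: p.stat().st_size for p in paths}
    for p in paths:
        info = inspect_jpeg(p.read_bytes())
        print(f"{p.name}: {info['width']}x{info['height']} {sizes[p.name]} bytes "
              f"metadata={info['metadata'] or '-'}")
    print("size outliers:", find_size_outliers(sizes) or "none")
```

Exif presence alone does not tell you whether location or device fields are filled in; the segment list is the prompt to open the file in an Exif reader, while the outlier check is what tells you which file to open first.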

Step 5: Flag Discovery

The flag was visible at the bottom of the "TOP SECRET" document in IMAG0004.jpg:

HTB{ThisBackupIsUnprotected}

Lessons Learned

  1. Android Backup Security: Unencrypted Android backups can leak sensitive data
  2. Image Analysis: Always check image metadata and visually inspect large/unusual files
  3. Challenge Naming: CTF challenge names often contain hints ("Cat" = cat photos, "Easy leaks" = data leakage)
