Protected — HackTheBox (mobile, medium)

Techniques: zipcrypto_known_plaintext_attack, gallery_vault_decryption, des_key_derivation_chain, xor_stream_cipher, android_data_partition_analysis, hidden_app_artifact_recovery
Description

"While examining the device, we discovered that critical evidence or artifacts may have been overlooked. We believe that your expertise in mobile forensics will enable you to uncover the missing piece."

The challenge provides a 1.25 GB ZIP file (served over TCP) containing an Android /data partition dump with ~89,800 entries. All files are encrypted with ZipCrypto.

Analysis

Initial Reconnaissance

  1. ZIP analysis with 7z l -slt revealed all entries encrypted with ZipCrypto (weak encryption vulnerable to known-plaintext attacks)
  2. Android /data partition structure with ~78,990 non-empty files
  3. Key apps identified after extraction:
    • Gallery Vault (com.thinkyeah.galleryvault) — file-hiding app with custom encryption
    • Signal Messenger (org.thoughtcrime.securesms) — encrypted SQLCipher database
    • Magisk (com.topjohnwu.magisk) — device was rooted
    • Notepad (notes.notepad.checklist.calendar.todolist.notebook)

ZipCrypto Weakness

ZipCrypto is vulnerable to a known-plaintext attack once at least 12 bytes of plaintext are known, and with Store (no compression) the entry's ciphertext is the raw file bytes, so any file whose exact content is known can serve as plaintext directly. Android shared_prefs XML files of exactly 65 bytes are empty preference maps, so every one of them has identical content, which makes them a perfect known-plaintext source.

Gallery Vault Encryption Scheme

Gallery Vault hides files by:

  1. Prepending a GV icon PNG header (2803 bytes) to disguise files in file managers
  2. XOR-encrypting the first N bytes of the original file (partial encryption mode)
  3. Storing encrypted header + metadata in a tail section delimited by >>tyfs>> / <<tyfs<< markers
  4. Using DES-ECB to encrypt the XOR key and JSON metadata in the tail
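The four steps above describe the container layout but not the app's key material, so the following is an added illustration written for this writeup, not Gallery Vault's own code: it builds and then reverses a container in that shape (disguise header, partially XORed body, DES-ECB-encrypted JSON metadata between the >>tyfs>> / <<tyfs<< markers). The JSON field names, the 8-byte DES key, the XOR key, N, the sample file bytes and the PKCS#7 padding are all assumptions; the real DES key derivation chain is not covered on this page, so the key is simply passed in.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/json"
	"errors"
	"fmt"
)

// Tail markers from the writeup; everything else here is a constructed stand-in.
const (
	tailOpen  = ">>tyfs>>"
	tailClose = "<<tyfs<<"
)

// tailMeta is the assumed layout of the JSON metadata kept in the tail.
type tailMeta struct {
	XorKey []byte `json:"xor_key"` // repeating XOR key used on the file prefix
	N      int    `json:"n"`       // how many leading bytes were XORed
	Name   string `json:"name"`    // original file name
}

func pkcs7Pad(b []byte, size int) []byte {
	p := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > size || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding (wrong DES key?)")
	}
	return b[:len(b)-p], nil
}

// desECB applies single-DES block by block with no chaining, as the scheme does.
func desECB(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%des.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if decrypt {
			c.Decrypt(out[i:], in[i:])
		} else {
			c.Encrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// xorPrefix XORs only the first n bytes with a repeating key; XOR is its own inverse.
func xorPrefix(body, key []byte, n int) []byte {
	out := append([]byte(nil), body...)
	if len(key) == 0 {
		return out
	}
	if n > len(out) {
		n = len(out)
	}
	for i := 0; i < n; i++ {
		out[i] ^= key[i%len(key)]
	}
	return out
}

// Hide builds a container: disguise header, partially XORed body, DES-ECB tail.
func Hide(original, header, desKey, xorKey []byte, n int, name string) ([]byte, error) {
	meta, err := json.Marshal(tailMeta{XorKey: xorKey, N: n, Name: name})
	if err != nil {
		return nil, err
	}
	enc, err := desECB(desKey, pkcs7Pad(meta, des.BlockSize), false)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.Write(header)
	out.Write(xorPrefix(original, xorKey, n))
	out.WriteString(tailOpen)
	out.Write(enc)
	out.WriteString(tailClose)
	return out.Bytes(), nil
}

// Reveal reverses Hide given the DES key and the disguise header length.
func Reveal(container, desKey []byte, headerLen int) ([]byte, string, error) {
	if len(container) < headerLen {
		return nil, "", errors.New("container shorter than disguise header")
	}
	rest := container[headerLen:]
	closeAt := bytes.LastIndex(rest, []byte(tailClose))
	openAt := bytes.LastIndex(rest, []byte(tailOpen)) // toy: assumes no marker inside ciphertext
	if openAt < 0 || closeAt < openAt {
		return nil, "", errors.New("tail markers not found")
	}
	dec, err := desECB(desKey, rest[openAt+len(tailOpen):closeAt], true)
	if err != nil {
		return nil, "", err
	}
	if dec, err = pkcs7Unpad(dec, des.BlockSize); err != nil {
		return nil, "", err
	}
	var meta tailMeta
	if err := json.Unmarshal(dec, &meta); err != nil {
		return nil, "", err
	}
	return xorPrefix(rest[:openAt], meta.XorKey, meta.N), meta.Name, nil
}

// SampleHeader is a constructed 2803-byte stand-in for the GV icon PNG.
func SampleHeader() []byte { return append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 2803-8)...) }

func main() {
	orig := []byte("\xff\xd8\xff\xe0\x00\x10JFIF\x00constructed-jpeg-body") // constructed sample
	c, _ := Hide(orig, SampleHeader(), []byte("k3ydemo!"), []byte{0x5a, 0xa5, 0x3c}, 16, "photo.jpg")
	got, name, err := Reveal(c, []byte("k3ydemo!"), 2803)
	fmt.Printf("err=%v name=%s restored=%v\n", err, name, bytes.Equal(got, orig))
}
```

Reveal returns an error rather than garbage when the DES key is wrong, because the padding and JSON checks both fail on a mis-decrypted tail; in practice that is the signal that the key derivation step, not the container parsing, needs attention.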

Solution

Step 1: Crack ZipCrypto with Known-Plaintext Attack

Android shared_prefs XML files of 65 bytes always contain:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map />

Used bkcrack to recover internal encryption keys:

# Create known plaintext file (65 bytes)
printf "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map />\n" > known_plaintext.bin
...
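Before handing an entry to bkcrack it is worth confirming that the guessed 65 bytes really are that entry's content: ZipCrypto leaves the plaintext's CRC-32 in the clear in the ZIP headers, so a same-size entry with a different CRC is a decoy, and a deflated copy is not usable as-is. The scanner below is an added example for this writeup (not the author's script and not part of bkcrack); the archive it scans is a small unencrypted one constructed in memory, with assumed entry names, since the challenge ZIP is not on the page. The Encrypted field reflects general-purpose flag bit 0, which a real ZipCrypto entry would have set.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"hash/crc32"
	"strings"
)

// KnownPlaintext is the complete content of an empty Android shared_prefs
// file: XML declaration + newline (57 bytes) and "<map />" + newline (8 bytes).
const KnownPlaintext = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map />\n"

// Candidate is a ZIP entry whose clear-text header fields match KnownPlaintext.
type Candidate struct {
	Name      string
	Encrypted bool // general-purpose flag bit 0 (set on ZipCrypto entries)
}

// FindKnownPlaintextEntries returns entries that are stored uncompressed, are
// exactly len(KnownPlaintext) bytes long and whose stored CRC-32 equals the
// CRC-32 of KnownPlaintext, i.e. entries safe to use as known plaintext.
func FindKnownPlaintextEntries(archive []byte) ([]Candidate, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	want := crc32.ChecksumIEEE([]byte(KnownPlaintext))
	var found []Candidate
	for _, f := range r.File {
		if f.Method != zip.Store || f.UncompressedSize64 != uint64(len(KnownPlaintext)) {
			continue
		}
		if f.CRC32 != want {
			continue // same size, different content: not the empty map
		}
		found = append(found, Candidate{Name: f.Name, Encrypted: f.Flags&0x1 != 0})
	}
	return found, nil
}

// BuildSampleArchive constructs a small unencrypted archive for the demo
// (assumed entry names): one real match, one deflated copy, one same-size decoy.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	add := func(name, body string, method uint16) {
		fw, err := w.CreateHeader(&zip.FileHeader{Name: name, Method: method})
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	add("data/data/com.example.app/shared_prefs/empty.xml", KnownPlaintext, zip.Store)
	add("data/data/com.example.app/shared_prefs/empty_deflated.xml", KnownPlaintext, zip.Deflate)
	add("data/data/com.example.app/files/decoy.txt", strings.Repeat("A", len(KnownPlaintext)), zip.Store)
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	cands, err := FindKnownPlaintextEntries(BuildSampleArchive())
	if err != nil {
		panic(err)
	}
	for _, c := range cands {
		fmt.Printf("%s (encrypted=%v): usable as known plaintext\n", c.Name, c.Encrypted)
	}
}
```

On the real dump the same loop runs over the 1.25 GB archive's central directory only, so it finishes in seconds regardless of the 89,800 entries; the first candidate it prints is the one to pass to bkcrack together with known_plaintext.bin.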
