# Hack.lu 2013: Robot Plans

We have captured a robot from behind, while he dropped some cooling liquid into the bushes. We tried to interrogate the robot, but he still refuses to speak. Luckily we could extract files from the android’s communication module. Hopefully we get some information about the robots’ motives, before every information is swiped away… Here is the challenge: http://link.to.image.tar.gz

The description isn’t that helpful, but it still hints at Android and some kind of forensic task.

The first thing to do is always to have a brief look at the file itself, but it looked unsuspicious: a simple compressed tar file.

Surprise! It seems to be a complete Android rootfs.

At first glance it becomes clear that we have a CyanogenMod image, so let’s have a look at which CM version it is.

So it is some Huawei phone. Other things to check are the phone number and the logs (if they exist). Sadly the image is too old and we cannot get a 1:1 copy of the original. But nicely enough, the image was expanded on Sept 12 and changes were made on Sept 13, so we can get a list of all changed files.

90% of those are default files, but some are “different” and suspicious: /data/backup/*, /data/system/* and /system/etc/wifi/wpa_supplicant.conf. One could also open all those DBs in sqlitebrowser, but we are still at the beginning, so let us have a look at those plain files first.

1. /data/backup/ seems to contain randomly named files with SHA-1 hashes inside
2. /data/system/gesture.key contains h.a.h.a.c.a.n.t.g.e.t.m.e.i.m.a.d.e.b.a.c.k.u.p.z.z.
3. /system/etc/wifi/wpa_supplicant.conf contains some random WiFi credentials

There was one odd thing about those hashes in /data/backup/: some of them were duplicates.

Since I had no idea what those hashes might be good for, Google was my friend and even gave me the needed hint. 23a6e7c835cd75c3f17ecc4d1cd7d840b74095251 led me to “Lock Pattern et Android”, and assuming that the other hashes were also gestures (hence the hint in the gesture.key file) I set up oclHashcat to brute-force the other hashes.
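As an added example (not part of the original writeup), this is the legacy gesture.key hash scheme the oclHashcat run above is attacking, and it shows why the hashes fell so quickly: an unsalted SHA-1 over at most nine one-byte cell indices, with only 389,112 drawable patterns in total. The sample pattern and the hex digest derived from it are constructed here, not taken from the challenge image.

```python
import hashlib
from itertools import permutations

# Android's legacy lock pattern hash: SHA-1 over the raw cell indices
# (0..8, row-major, one byte each), no salt, stored in gesture.key.
def pattern_hash(cells):
    return hashlib.sha1(bytes(cells)).hexdigest()

def is_valid_pattern(cells):
    """Apply the lock screen's drawing rule: a stroke may only pass over
    a cell that was already visited (otherwise Android auto-selects it)."""
    if len(set(cells)) != len(cells) or not 4 <= len(cells) <= 9:
        return False
    visited = set()
    for a, b in zip(cells, cells[1:]):
        ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
        visited.add(a)
        # A cell lies exactly between a and b only if both row and column
        # sums are even (knight-style moves have no intermediate cell).
        if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            mid = ((ra + rb) // 2) * 3 + (ca + cb) // 2
            if mid not in visited:
                return False
    return True

def all_patterns():
    """Enumerate every drawable pattern of length 4..9 (389,112 in total)."""
    for n in range(4, 10):
        for p in permutations(range(9), n):
            if is_valid_pattern(p):
                yield p

def crack(hex_digest):
    """Return the pattern whose gesture hash matches hex_digest, or None.
    The whole keyspace is small enough to walk in seconds, even in Python."""
    for p in all_patterns():
        if pattern_hash(p) == hex_digest:
            return p
    return None

if __name__ == "__main__":
    # Constructed sample: the stroke 0 -> 4 -> 8 -> 5 -> 2 on the 3x3 grid.
    sample = (0, 4, 8, 5, 2)
    digest = pattern_hash(sample)
    print("gesture.key hex:", digest)
    print("recovered pattern:", crack(digest))
```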

The resulting patterns could be visually mapped to numbers:

```
3 2 1
4 9 8 => 6
5 6 7

3 4 5
2 1 6 => 9
9 8 7

3 2 1
4 5 6 => 5
9 8 7

2 3 4
1 6 5 => 2
7 8 9

1 2 3
x 4 x => 7
5 x x

7 1 2
x 3 x => 8
4 5 6

1 2 3
x 4 5 => 3
8 7 6
```

We first ordered them by filename, which resulted in 67 87 87 76 78 57 76 63 79 35 95 52 75 56 67. That already looked like decimal ASCII but made no sense (CWWLN9L?O#_4K8C); when ordered by creation date instead, the ASCII begins to make sense and results in the flag: kill_all_humans