Published on

Insomni'hack teaser 2022 – AndroNotes



by Dai

Our Forensic experts dumped the mobile device of a criminal, can you identify what the thugs are up to...

This challenge can be solved offline.

mirror of dump.img

Mounting the IMG, we can see an entire Android filesystem.

Looking at the SMS database (SQLite) at /data/data/, we can find the following messages:

sqlite> select * from sms;
1|3|6505551212||1640171169759|1640171169000|0|1|-1|1|0||Hi James, I've configured the server please keep the password in a safe place mate! The website contains sensitive information about mrna-1273!

2|3|6505551212||1640171277362|0||1|-1|2|||Hi H, it is in my Safe Note app. One of the most secure with military grade encryption mechanisms. 💯💯||0|1|-1||1
3|3|6505551212||1640171303660|1640171303000|0|1|-1|1|0||Nice, Funds are Safu !||0|1|0||1

The second message is referring to the Safe Notes app which is also installed in the dumped device.

Install the app on a rooted Android device, write some notes, and observe the data folder of the app (/data/data/, it is easy to see that the notes are encrypted and stored in shared_prefs/com.protectedtext.n2.xml.

Look for the same file in the dump image, copy it over and overwrite it on your device and restart the app. The flag can be found a note in the app.