[Hackthebox] - Cat(Mobile) Writeup(문제풀이)

AB 파일은 어떤 파일인가?

AB는 adb(Android Debug Bridge)로 도구에서 생성한 Android ADB 백업 파일입니다.

 

문제풀이

문제에서 주어진 cat.ab 파일을 Hex Editor 로 열어보면 파일 시그니처 부분에 Android Backup 이라고 써져있는 것이 보입니다.

 

실제로 adb 명령어로 backup 했을 때 위와 같은 파일 형식이 만들어지는 지 테스트해봤습니다.

C:\Users\Domdomi>adb backup -all
WARNING: adb backup is deprecated and may be removed in a future release
Now unlock your device and confirm the backup operation...

그럼 현재 경로에 backup.ab 라는 파일이 만들어지는 것을 확인할 수 있었습니다.

C:\Users\Domdomi>dir | findstr backup.ab
2021-11-29 오후 10:07 4251 backup.ab

그리고 adb restore 명령어 backup.ab 파일을 다시 복원할 수 있는데요.

C:\Users\Domdomi>adb restore backup.ab
WARNING: adb restore is deprecated and may be removed in a future release
Now unlock your device and confirm the restore operation.

모바일 단말기에서는 아래와 같이 비밀번호를 입력하라고 나옵니다.

 

 

일단 비밀번호가 없을 수도 있어서 별도로 입력하지 않고 RESTORE MY DATA 버튼을 누르기로 하였습니다.

이 때 어떤 데이터가 복원되는 지 명확히 알기 위해서 adb logcat 명령으로 모니터링해보았습니다.

 

11-29 13:19:37.347  1667  5444 D BackupManagerService: Starting restore confirmation UI, token=1087353425
11-29 13:19:37.355  1667  5444 D BackupManagerService: Waiting for restore completion...
11-29 13:19:39.397  1667  8002 I BackupManagerService: --- Performing full-dataset restore ---
11-29 13:19:39.413  1667  8002 I BackupManagerService: Cannot restore package com.android.basicsmsreceiver without the matching .apk
11-29 13:19:39.413  1667  8002 I BackupManagerService: Cannot restore package com.android.bips without the matching .apk
11-29 13:19:39.414  1667  8002 I BackupManagerService: Cannot restore package com.android.bluetoothmidiservice without the matching .apk
11-29 13:19:39.415  1667  8002 I BackupManagerService: Cannot restore package com.android.bookmarkprovider without the matching .apk
11-29 13:19:39.418  1667  8002 D BackupManagerService: Clearing app data preparatory to full restore
11-29 13:19:39.549  1667  8002 D BackupManagerService: Invoking agent to restore file com.android.camera2_preferences.xml
11-29 13:19:39.558  1667  8002 I BackupManagerService: Cannot restore package com.android.captiveportallogin without the matching .apk
11-29 13:19:39.559  1667  8002 I BackupManagerService: Cannot restore package com.android.carrierdefaultapp without the matching .apk
11-29 13:19:39.559  1667  8002 I BackupManagerService: Cannot restore package com.android.contacts without the matching .apk
11-29 13:19:39.563  1667  8002 I BackupManagerService: Cannot restore package com.android.dialer without the matching .apk
11-29 13:19:39.563  1667  8002 I BackupManagerService: Cannot restore package com.android.dreams.basic without the matching .apk
11-29 13:19:39.565  1667  8002 I BackupManagerService: Cannot restore package com.android.emergency without the matching .apk
11-29 13:19:39.566  1667  8002 I BackupManagerService: Cannot restore package com.android.externalstorage without the matching .apk
11-29 13:19:39.566  1667  8002 I BackupManagerService: Cannot restore package com.android.gallery3d without the matching .apk
11-29 13:19:39.571  1667  8002 I BackupManagerService: Cannot restore package com.android.htmlviewer without the matching .apk
11-29 13:19:39.572  1667  8002 I BackupManagerService: Cannot restore package com.android.inputmethod.latin without the matching .apk
11-29 13:19:39.575  1667  8002 I chatty  : uid=1000(system) adb-restore identical 4 lines
11-29 13:19:39.576  1667  8002 I BackupManagerService: Cannot restore package com.android.internal.display.cutout.emulation.corner without the matching .apk
11-29 13:19:39.577  1667  8002 I BackupManagerService: Cannot restore package com.android.internal.display.cutout.emulation.double without the matching .apk
11-29 13:19:39.579  1667  8002 I BackupManagerService: Cannot restore package com.android.internal.display.cutout.emulation.tall without the matching .apk
11-29 13:19:39.583  1667  8002 I BackupManagerService: Cannot restore package com.android.launcher3 without the matching .apk
11-29 13:19:39.586  1667  8002 I BackupManagerService: Cannot restore package com.android.managedprovisioning without the matching .apk
11-29 13:19:39.587  1667  8002 I BackupManagerService: Cannot restore package com.android.mtp without the matching .apk
11-29 13:19:39.588  1667  8002 I chatty  : uid=1000(system) adb-restore identical 1 line
11-29 13:19:39.590  1667  8002 I BackupManagerService: Cannot restore package com.android.pacprocessor without the matching .apk
11-29 13:19:39.591  1667  8002 I BackupManagerService: Cannot restore package com.android.providers.downloads.ui without the matching .apk
11-29 13:19:39.592  1667  8002 I BackupManagerService: Cannot restore package com.android.providers.partnerbookmarks without the matching .apk
11-29 13:19:39.593  1667  8002 I BackupManagerService: Package has restoreAnyVersion; taking data
11-29 13:19:39.594  1667  8002 I BackupManagerService: Cannot restore package com.android.proxyhandler without the matching .apk
11-29 13:19:39.594  1667  8002 I BackupManagerService: Cannot restore package com.android.settings.intelligence without the matching .apk
11-29 13:19:39.600  1667  8002 I BackupManagerService: Cannot restore package com.android.simappdialog without the matching .apk
11-29 13:19:39.602  1667  8002 I BackupManagerService: Cannot restore package com.android.traceur without the matching .apk
11-29 13:19:39.604  1667  8002 I BackupManagerService: Cannot restore package com.android.wallpaper.livepicker without the matching .apk
11-29 13:19:39.605  1667  8002 I BackupManagerService: Cannot restore package com.android.wallpaperbackup without the matching .apk
11-29 13:19:39.606  1667  8002 I BackupManagerService: Cannot restore package com.android.wallpapercropper without the matching .apk
11-29 13:19:39.606  1667  8002 I BackupManagerService: Cannot restore package com.android.wallpaperpicker without the matching .apk
11-29 13:19:39.606  1667  8002 I BackupManagerService: Cannot restore package com.example.android.notepad without the matching .apk
11-29 13:19:39.607  1667  8002 I BackupManagerService: Cannot restore package com.example.android.rssreader without the matching .apk
11-29 13:19:39.607  1667  8002 I BackupManagerService: Cannot restore package com.farmerbb.taskbar.androidx86 without the matching .apk
11-29 13:19:39.608  1667  8002 I BackupManagerService: Cannot restore package com.google.android.backuptransport without the matching .apk
11-29 13:19:39.610  1667  8002 I BackupManagerService: Cannot restore package com.google.android.feedback without the matching .apk
11-29 13:19:39.611  1667  8002 I BackupManagerService: Cannot restore package com.google.android.gms.setup without the matching .apk
11-29 13:19:39.612  1667  8002 I BackupManagerService: Cannot restore package com.google.android.gsf.login without the matching .apk
11-29 13:19:39.614  1667  8002 I BackupManagerService: Cannot restore package com.google.android.onetimeinitializer without the matching .apk
11-29 13:19:39.619  1667  8002 I BackupManagerService: Cannot restore package org.android_x86.analytics without the matching .apk
11-29 13:19:39.620  1667  8002 I chatty  : uid=1000(system) adb-restore identical 1 line
11-29 13:19:39.620  1667  8002 I BackupManagerService: Cannot restore package org.lineageos.eleven without the matching .apk
11-29 13:19:39.621  1667  8002 I chatty  : uid=1000(system) adb-restore identical 1 line
11-29 13:19:39.627  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Alarms
11-29 13:19:39.627  8003  8019 D SharedStorageAgent: Shared restore: [ shared : 0/Alarms]
11-29 13:19:39.629  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Download
11-29 13:19:39.629  8003  8019 D SharedStorageAgent: Shared restore: [ shared : 0/Download]
11-29 13:19:39.630  1667  8002 D BackupManagerService: Invoking agent to restore file 0/DCIM
11-29 13:19:39.630  8003  8019 D SharedStorageAgent: Shared restore: [ shared : 0/DCIM]
11-29 13:19:39.636  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures
11-29 13:19:39.637  8003  8019 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures]
11-29 13:19:39.641  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures/IMAG0001.jpg
11-29 13:19:39.641  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures/IMAG0001.jpg]
11-29 13:19:39.712  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures/IMAG0006.jpg
11-29 13:19:39.712  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures/IMAG0006.jpg]
11-29 13:19:39.801  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures/IMAG0002.jpg
11-29 13:19:39.801  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures/IMAG0002.jpg]
11-29 13:19:39.877  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures/IMAG0003.jpg
11-29 13:19:39.877  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures/IMAG0003.jpg]
11-29 13:19:39.935  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures/IMAG0005.jpg
11-29 13:19:39.936  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures/IMAG0005.jpg]
11-29 13:19:39.977  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Pictures/IMAG0004.jpg
11-29 13:19:39.977  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Pictures/IMAG0004.jpg]
11-29 13:19:40.219  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Podcasts
11-29 13:19:40.219  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Podcasts]
11-29 13:19:40.222  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Movies
11-29 13:19:40.223  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Movies]
11-29 13:19:40.224  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Notifications
11-29 13:19:40.224  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Notifications]
11-29 13:19:40.225  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Music
11-29 13:19:40.226  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Music]
11-29 13:19:40.228  1667  8002 D BackupManagerService: Invoking agent to restore file 0/Ringtones
11-29 13:19:40.228  8003  8016 D SharedStorageAgent: Shared restore: [ shared : 0/Ringtones]
11-29 13:19:40.235  1667  5444 I BackupManagerService: adb restore processing complete.
11-29 13:19:40.241  1667  8002 D BackupManagerService: Full restore pass complete.

 

그럼 위와 같이 로그가 쭉 뽑히는데요. 보니깐 공유 폴더로부터 /sdcard/Picture경로에 이미지들이 저장되는 것을 볼 수 있습니다.

해당 이미지를 확인해보았습니다.

 

 

일단 확인하기 위해서 모바일 단말기에서 PC로 이미지들을 가져와보았습니다.

 

 

그 중 가운데 이미지 중 고양이가 아닌 이미지를 확인해봤더니 아래와 같이 플래그를 발견할 수 있었습니다.

 

 

- 끝 -