HackTM2020 – secret communicated
The challenge is given as a single file, this_is_it.img:
file this_is_it.img
this_is_it.img: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,255,63), startsector 1, 4294967295 sectors, extended partition table (last)
gparted this_is_it.img
fdisk -l this_is_it.img
Found valid GPT with protective MBR; using GPT.
Disk this_is_it.img: 15269888 sectors, 7.3 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 98101B32-BBE2-4BF2-A06E-2BB33D000C20
Partition table holds up to 44 entries
First usable sector is 34, last usable sector is 15269854
Partitions will be aligned on 2-sector boundaries
Total free space is 71611 sectors (35.0 MiB)
Number  Start (sector)    End (sector)  Size        Code  Name
. . .
  41          491520          524287    16.0 MiB    FFFF  carrier
  42          524288         4227071    1.8 GiB     FFFF  system
  43         4227072         4751359    256.0 MiB   FFFF  cache
  44         4751360        15204095    5.0 GiB     FFFF  userdata
dd if=this_is_it.img of=userdata bs=512 skip=4751360 count=10452736
sudo losetup /dev/loop2 userdata
sudo mount /dev/loop2 userdata_mount/
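The skip and count values given to dd above are the userdata entry's start sector and its end sector minus start plus one. As an added example (not part of the original write-up), the Python below reads those values from the primary GPT instead of copying them by hand. The in-memory image is constructed for the demonstration, carries only the cache and userdata rows from the listing, and uses a placeholder type GUID.

```python
import io
import struct

SECTOR = 512  # logical sector size reported for this image

def gpt_partitions(img):
    """Yield (name, first_lba, last_lba) for each used entry of the primary GPT."""
    img.seek(1 * SECTOR)                      # primary GPT header sits at LBA 1
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # offset 72: entry-array LBA (u64), entry count (u32), entry size (u32)
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    img.seek(entries_lba * SECTOR)
    for _ in range(count):
        entry = img.read(entry_size)
        if len(entry) < 128:                  # truncated image: stop reading
            break
        if entry[:16] == bytes(16):           # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").rstrip("\x00")
        yield name, first, last

def dd_args(img, wanted):
    """Return (skip, count) in sectors for the partition named `wanted`."""
    for name, first, last in gpt_partitions(img):
        if name == wanted:
            return first, last - first + 1    # the last LBA is inclusive
    raise KeyError(wanted)

def constructed_image():
    """Constructed sample: a GPT header and a 44-slot table with two of the listed rows."""
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 44, 128)
    table = bytearray(44 * 128)
    for slot, name, first, last in [(42, "cache", 4227072, 4751359),
                                    (43, "userdata", 4751360, 15204095)]:
        off = slot * 128
        table[off:off + 16] = b"\xff" * 16    # placeholder type GUID, not a real one
        struct.pack_into("<QQ", table, off + 32, first, last)
        raw = name.encode("utf-16-le")
        table[off + 56:off + 56 + len(raw)] = raw
    return io.BytesIO(bytes(SECTOR) + bytes(hdr).ljust(SECTOR, b"\0") + bytes(table))

if __name__ == "__main__":
    skip, count = dd_args(constructed_image(), "userdata")
    print(f"dd if=this_is_it.img of=userdata bs={SECTOR} skip={skip} count={count}")
```

Against the real image, pass `open("this_is_it.img", "rb")` in place of `constructed_image()`.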
Now we can start browsing the partition. Here’s what we found:
- under userdata_mount/media/0/Download/ there’s a ‘hidden’ file with a blank filename (spaces for a filename):
> file '          '
          : Zip archive data, at least v2.0 to extract
> unzip '          '
Archive:            
[          ]    password:
OK, so we need to find a password. There’s a hint in the challenge’s description:
Your job is to find out what secrets are hidden in the phone and what did he send to his person of contact back home through an online chat service.
So we start browsing the data under userdata_mount/data, and after some digging we reach:
userdata_mount/data/com.facebook.orca/databases/threads_db2
sqlitebrowser threads_db2
So the password is 8ab96434b285b34f77d805079b91a552
After unzipping the hidden file, the password is given:
The hidden flag is:
HackTM{a1f6bb8b4f993e3fbea836b001339d5f2387043fe504ba290fbe9674de4a2a16}