Tags: mobile android
Rating:
This pained me beyond end! When I finally got it the CTF was finished 8 minutes ago :(
Started off using cewl to generate a password list from the https://en.wikipedia.org/wiki/Glossary_of_Texas_A%26M_University_terms (provided hint) this was pointless as using -d (depth) takes us in to all the links in wikipedia D'oH! So next best thing was to copy the Tamu text and paste it into a text file and publish it over simplehttpserver locally and let cewl do its thing.
`cewl -d 1 -m 5 -w aggies.txt http://localhost:8080/`
This worked a treat and we get a good wordlist out of the text -m 5 means we want nothing smaller than 5 chars. Using this list resulted in nothing so time to mutate the list with our favourite password tool john and the awesome ability to use wordlist rules (found and edited under /etc/john/jphn.conf - on my system anyway), these help mutate the list by adding numbers or changing case, example : -c (?a >2 !?X c Q # Uppercase every alphanumric word etc.
`john ---wordlist=aggies.txt --rules --stdout > mutant-aggies.txt`
So now we have a full mutated and blotted list of possible passwords to chuck at the keystore, so off we go...
`java -jar android-keystore-password-recover/build/akpr.jar -m 2 -d mutant-aggies.txt -k howdyapp.keystore`
Result:
```
Number of keys in keystore: 1
Found alias: android
Creation Date: Fri Dec 21 18:04:29 CET 2018
Start dictionary attack on key!!
Current Pass: || est. 12682 Pass/Sec
Got Password in 2 seconds
Password is: Howdygigem1 for alias android
```
Flag is the password:
> Flag: gigem{Howdygigem1}
akpr can be found on github: https://github.com/MaxCamillo/android-keystore-password-recover - at least I think this is where I got it, been in my ctftoolz a long while