Tags: mail sqlite forensics android
Can you find my sensitive infomation?
Dai Lai has acquired a reputation for the land of graceful mountains and debonair water
Extracting the archive we got `passcode.apk`
Extracting the apk ad looking for some files we found a database inside the `assets` folder
the database contains two tables, `user` and `zadminz`:
`user` contains two users:
SELECT * FROM user;
`zadminz` contains the administrator email address:
SELECT * FROM zadminz;
[spamdecoy.net](http://spamdecoy.net) is a service for throw-away mails and allows you to log-in just with the username.
So we logged inside the admin account founding a bunch of mails, but one in particular got out attention:
Your new PASSCODE is: check_your_db_before_building_app
So we tried convering it in SHA1 and we got the flag: