Can you find my sensitive information?
Dai Lai has acquired a reputation for the land of graceful mountains and debonair water
Extracting the archive we got
Extracting the apk and looking for some files, we found a database inside the
    $ ls assets
    passcode.sqlite
The database contains two tables:
    sqlite> .tables
    user     zadminz
user contains two users:
    sqlite> SELECT * FROM user;
    email@example.com|1234
    firstname.lastname@example.org|3333
zadminz contains the administrator email address:
    sqlite> SELECT * FROM zadminz;
    email@example.com|7777
spamdecoy.net is a service for throw-away mail that lets you log in with just the username.
So we logged into the admin account and found a bunch of mails, but one in particular got our attention:
Your new PASSCODE is: check_your_db_before_building_app
So we tried converting it to SHA1 and we got the flag:
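The weakness this challenge rests on is a SQLite database shipped inside the APK's assets, which anyone who unzips the package can read. The following is an added example, not part of the original writeup: a pre-release check that lists every SQLite file bundled in an APK together with its tables and row counts. The sample APK, its column names and its row values are constructed for the demonstration; only the file and table names follow the writeup.

```python
import io, os, sqlite3, tempfile, zipfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def audit_apk(apk_bytes):
    """Return {archive_path: {table: row_count}} for every SQLite file in the APK."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if not data.startswith(SQLITE_MAGIC):
                continue  # detect by content, not by extension
            # sqlite3 needs a real file, so spill the entry to a temp file
            with tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False) as tmp:
                tmp.write(data)
            try:
                con = sqlite3.connect(tmp.name)
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table'")]
                findings[name] = {
                    t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                    for t in tables}
                con.close()
            finally:
                os.unlink(tmp.name)
    return findings

def build_sample_apk():
    """Constructed sample: a zip holding a DB shaped like the one in the writeup."""
    path = os.path.join(tempfile.mkdtemp(), "passcode.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE user (email TEXT, passcode TEXT)")      # columns assumed
    con.execute("CREATE TABLE zadminz (email TEXT, passcode TEXT)")   # columns assumed
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [("a@example.com", "0000"), ("b@example.com", "0000")])
    con.execute("INSERT INTO zadminz VALUES (?, ?)", ("admin@example.com", "0000"))
    con.commit()
    con.close()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.write(path, "assets/passcode.sqlite")
        z.writestr("classes.dex", b"dex\n035\x00")  # placeholder non-DB entry
    return buf.getvalue()

if __name__ == "__main__":
    for entry, tables in audit_apk(build_sample_apk()).items():
        print(f"FAIL: {entry} ships tables {tables}")
```

Run against a release build in CI, any non-empty result is a reason to stop and confirm the database holds nothing a user of the app should not be able to read.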