Cat
Cat is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
Cat attack path
Objective
Challenge walkthrough focused on Mobile evidence, validation, and reusable operator lessons.
Walkthrough flow
- Extract ZIP with the standard HTB archive credential.
- Parse the Android Backup header and zlib-decompress...
- Extract the tar and inspect shared media under...
- Generate a contact sheet of the six JPEGs.
- Inspect jpg, a non-cat photo of a person holding a...
Source coverage
High source coverage
Status: complete. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Mobile/Cat/writeup.md
- htb-challenge/Mobile/Cat/notes.md
- htb-challenge/Mobile/Cat/memory-summary.md
- htb-challenge/Mobile/Cat/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Mobile__Cat__notes.md.bc7de6af75.md
Technical Walkthrough
Writeup
Challenge
- Name: Cat
- Category: Mobile
- Difficulty: Easy
- Mode: file
Summary
The ZIP contained an Android Backup rather than an APK. The backup was unencrypted and compressed, so it could be converted into a tar filesystem dump. Text/database sweeps did not reveal the flag, but the shared pictures included one photo of a person holding a document. A crop of that document exposed the HTB-format flag visually.
Artifact Inventory
- files/a12c738e-651a-4123-af7d-df2c5c9ea38d.zip: original challenge ZIP.
- analysis/extracted/cat.ab: Android Backup, version 5, compressed, not encrypted.
- analysis/cat-backup.tar: decompressed backup payload.
- analysis/backup-tar/shared/0/Pictures/<secret redacted>jpg: image containing the visual leak.
Analysis
The archive listing in analysis/archive-listing.txt showed a single cat.ab artifact. The Android Backup header in analysis/android-backup-header.txt showed compression enabled and no encryption, so the payload was zlib-decompressed into analysis/cat-backup.tar and extracted under analysis/backup-tar/.
A broad leak sweep over extracted files, SQLite databases, and simple image metadata was recorded in analysis/leak-keyword-sweep.txt, analysis/sqlite-files.txt, and the image metadata outputs. That did not produce a direct text flag.
The contact sheet at analysis/pictures-contact-sheet.jpg showed five cat photos and one photo of a person holding a document. Focused crops under analysis/image-crops/ showed that the lower-left area of the document contains the HTB-format flag.
Solve
Run:

```
cd <local workspace>
python3 solve/solve.py
```

The script extracts the ZIP, parses the Android Backup, decompresses the tar payload, extracts the filesystem, and regenerates analysis/reproduce/flag-proof-crop.jpg. The flag is then manually transcribed from that proof crop and captured with the harness. OCR was tested but was not reliable enough for an automatic solve because the text is angled and blurred.
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
For Mobile challenges, do not assume APK-first. Android Backup artifacts can be directly parseable when unencrypted, and user media may be the actual leak source even when app databases and shared preferences are uninteresting.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Cat
- Category: Mobile
- Difficulty: Easy
- Mode: file
- Remote instance: none
- Start time: 2026-06-10T13:03:20Z
- Operator: harness
- State file: challenge-state.json
Harness Status
- Current phase: see challenge-state.json
- Next allowed actions: see next-action.json
- Raw flags and sensitive material stay in loot/ only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c738e-651a-4123-af7d-df2c5c9ea38d.zip | 4222847 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 1 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-10T13:03:20Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-10T13:03:20Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-10T13:03:20Z | hypothesis recorded | hypothesis-board.md | Static mobile artifact leakage: recover the HTB-format flag or a decode path from APK resources/assets/manifest/decompiled code. | Medium | Extract the archive, identify the app artifact, decompile/list resources, and search for flag-like or encoded leaked constants without printing raw flags to chat. |
| 2026-06-10T13:03:20Z | research skip | analysis/research/research-skip.md | Research intentionally skipped with recorded reason | Medium | Gate before exploit |
| 2026-06-10T13:04:03Z | Android Backup extraction | analysis/cat-backup.tar, analysis/backup-tar-list.txt | ZIP contained cat.ab, an unencrypted compressed Android Backup that expands to a tar filesystem dump. | High | Inspect app data and shared pictures |
| 2026-06-10T13:04:35Z | leak sweep | analysis/leak-keyword-sweep.txt, analysis/sqlite-files.txt | No direct text/database HTB-format hit; backup contains six shared JPEGs and minor stock app data. | High | Inspect image content and metadata |
| 2026-06-10T13:05:20Z | image triage | analysis/pictures-contact-sheet.jpg | One non-cat image, <secret redacted>jpg, shows a person holding a document with visible leaked text. | High | Crop and enhance the document area |
| 2026-06-10T13:06:10Z | proof crop | analysis/image-crops/imag0004-flag-bottom-enhanced.jpg | The HTB-format flag is visible on the lower-left part of the photographed document. | High | Capture transcribed flag via harness |
| 2026-06-10T13:06:28Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-10T13:08:10Z | reproducible solver | solve/solve.py, analysis/solve-run.txt | Solver extracts the Android Backup and regenerates the proof crop; manual transcription is required due to the blurred, angled photo. | High | Run completion gate |
| 2026-06-10T13:09:23Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
- cat.ab is Android Backup version 5, compressed, and not encrypted; the header is recorded in analysis/android-backup-header.txt.
- The backup expands into shared pictures plus stock Android app data. Direct string, SQLite, and simple metadata sweeps did not expose a text flag.
- The intended leak is visual: shared/0/Pictures/<secret redacted>jpg contains a photographed document with the HTB-format flag visible near the lower-left page edge.
- The solved flag is stored only in loot/flag.txt.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:

```
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Memory Summary
Cat was an Easy Mobile challenge where the downloadable ZIP contained an unencrypted compressed Android Backup (cat.ab), not an APK. The Android Backup header showed version 5, compression enabled, and encryption method none; zlib-decompressing the payload produced a tar filesystem dump.
The useful path was:
- Extract ZIP with the standard HTB archive password.
- Parse the Android Backup header and zlib-decompress the payload to tar.
- Extract the tar and inspect shared media under shared/0/Pictures/.
- Generate a contact sheet of the six JPEGs.
- Inspect <secret redacted>jpg, a non-cat photo of a person holding a document.
- Crop/enhance the lower-left area of the document; the HTB-format flag is visually leaked there.
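The backup-parsing steps above, as an added Python example that is not the challenge's solve/solve.py: it reads the four-line .ab header (magic, version, compression flag, encryption method), inflates the zlib payload into a tar, and lists the entries under shared/0/Pictures/. The sample backup it builds is constructed inline, and the file names inside it are assumptions rather than the challenge's; encrypted backups are refused rather than handled.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"  # first header line of an Android Backup (.ab) file

def parse_ab_header(data: bytes) -> dict:
    """Split the four newline-terminated header lines from the payload."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android Backup file")
    return {
        "version": int(parts[1]),           # 5 for the challenge's cat.ab
        "compressed": parts[2] == b"1",     # 1 = zlib-deflated tar payload
        "encryption": parts[3].decode(),    # "none" or "AES-256"
        "payload": parts[4],
    }

def ab_to_tar_bytes(data: bytes) -> bytes:
    """Return the tar payload; refuses encrypted backups instead of guessing keys."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError(f"encrypted backup ({hdr['encryption']}); not handled here")
    return zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]

def list_shared_media(tar_bytes: bytes, prefix: str = "shared/0/Pictures/") -> list:
    """Regular files under the shared-media prefix, where this challenge leaked."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return sorted(m.name for m in tf.getmembers()
                      if m.isfile() and m.name.startswith(prefix))

def make_sample_ab() -> bytes:
    """Constructed sample: version-5, compressed, unencrypted backup (assumed names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name in ("apps/com.example.app/_manifest",
                     "shared/0/Pictures/IMG_0001.jpg",
                     "shared/0/Pictures/IMG_0002.jpg"):
            info = tarfile.TarInfo(name)
            info.size = 4                    # stand-in bytes, not a real JPEG
            tf.addfile(info, io.BytesIO(b"\xff\xd8\xff\xd9"))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    sample = make_sample_ab()
    print(parse_ab_header(sample)["version"], list_shared_media(ab_to_tar_bytes(sample)))
```

Pointing parse_ab_header at a real cat.ab reproduces the header check the writeup records in analysis/android-backup-header.txt before any decompression is attempted.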
Reusable lesson: for Mobile "leak" challenges, include Android Backup parsing and shared-media visual review before going deep on APK tooling. Direct string and SQLite sweeps may be negative even when the flag is plainly visible in backed-up user photos.
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Static mobile artifact leakage: recover the HTB-format flag or a decode path from APK resources/assets/manifest/decompiled code. | Challenge is Mobile/Easy with scenario 'Easy leaks' and only one downloadable ZIP artifact. | Extract the archive, identify the app artifact, decompile/list resources, and search for flag-like or encoded leaked constants without printing raw flags to chat. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
Technical analogy
How to remember this solve
Think of the app like a packed suitcase. You unpack it, inspect the labels and hidden pockets, then trace which local file or network call contains the useful clue.
For Cat, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.