Protected
Protected is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
Protected attack path
Objective
Challenge walkthrough focused on Mobile evidence, validation, and reusable operator lessons.
Walkthrough flow: artifact review, hypothesis, validated solve path, proof captured.
Source coverage: high.
Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Mobile/Protected/writeup.md
- htb-challenge/Mobile/Protected/notes.md
- htb-challenge/Mobile/Protected/memory-summary.md
- htb-challenge/Mobile/Protected/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Mobile__Protected__memory-summary.md.fc007a5419.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Mobile__Protected__notes.md.07849f7f84.md
Technical Walkthrough
Writeup
Challenge
- Name: Protected
- Category: Mobile
- Difficulty: Medium
- Mode: remote
Summary
The remote service served an Android /data dump. The useful artifact was
GalleryVault app data for com.thinkyeah.galleryvault, not a normal photo
path. Its database recorded one hidden file named flag.png; the real content
was stored in the app's hidden .galleryvault_DoNotDelete_* folder under a
UUID filename. Reversing the GalleryVault APK showed that this object used the
app's v1 tail format with a DES-wrapped per-file XOR key. Reconstructing the
object produced a valid PNG containing the challenge flag.
Artifact Inventory
Relevant files, as recorded in analysis/artifact-inventory.json:
- files/mobile_protected.zip: downloaded from the Werkzeug HTTP challenge service and extracted with the standard HTB archive password.
- analysis/extracted/galleryvault-data/.../galleryvault.db: SQLite database containing the file_v1 row for flag.png.
- analysis/extracted/vault-folder/.../b238f4cd-f79f-4e19-be3b-068b7add4d85: UUID-named GalleryVault object for the hidden file.
- analysis/jadx-galleryvault/: decompiled APK output used to verify the file-tail and crypto routines.
- loot/recovered-flag.png: reconstructed original image. Raw flag text is kept separately in loot/flag.txt.
Analysis
Initial fixed-string searches did not find an HTB-format marker in the
extracted files, and the visible UUID object opened as a GalleryVault placeholder
image. The app preferences identified the hidden GalleryVault storage folder,
while galleryvault.db showed a single file_v1 entry for flag.png, including
its UUID, original path, MIME type, and expected original size.
The GalleryVault APK was decompiled with JADX. The relevant classes showed:
- Mc/c.java: DES helper relying on Java's default DES/ECB/PKCS5Padding behavior (what Cipher.getInstance("DES") resolves to) and a base key string of good_gv.
- Hf/k.java: app-level wrapped key material.
- Oc/d.java and Oc/e.java: the v1 file-tail writer/reader using >>tyfs>> and <<tyfs<< markers.
- Mc/b.java: XOR stream transform using byte position and a per-file key.
Parsing the tail of the UUID object recovered the original length, encrypted
prefix length, full-file encryption flag, encrypted per-file key, and metadata.
The metadata matched the database record for flag.png. Decrypting the
per-file key and reversing the XOR transform rebuilt a valid 564x568 PNG.
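Added example, not the page's solve.py and not GalleryVault's own code: a stand-alone Python reconstruction of the object shape the analysis describes (encrypted prefix, untouched remainder, metadata tail between the markers). The tail field order and widths, the position-based XOR rule, and the key-unwrap stand-in (a fixed XOR mask in place of the DES wrap, so the script needs only the standard library) are assumptions for illustration, and the sample PNG is constructed inside the script. What it does show is the acceptance check that matters at the end of this kind of reconstruction: the recovered bytes must parse as a PNG whose chunk CRCs verify and whose IHDR dimensions can be compared with the expected size, which is a far stronger test than a string search for a flag marker.

```python
"""Added example: rebuild a vault object of the shape
[XOR-encrypted prefix][rest of original][tail between markers]
and prove the result is a structurally valid PNG.

ASSUMPTIONS (not GalleryVault's real layout): the tail field order and
widths below, the position-based XOR rule, and UNWRAP_MASK standing in
for the DES key unwrap so the script needs only the standard library.
"""
import struct
import zlib

HEAD = b">>tyfs>>"          # markers as named in the analysis
FOOT = b"<<tyfs<<"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
UNWRAP_MASK = 0x55          # stand-in for the DES-wrapped per-file key (assumption)


def xor_stream(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Byte i is XORed with key[(offset + i) % len(key)]; the transform is self-inverse."""
    n = len(key)
    return bytes(b ^ key[(offset + i) % n] for i, b in enumerate(data))


def unwrap_key(wrapped: bytes) -> bytes:
    """Stand-in for the per-file key unwrap (the real app uses DES with the app key)."""
    return bytes(b ^ UNWRAP_MASK for b in wrapped)


def pack_object(original: bytes, file_key: bytes, prefix_len: int, meta: bytes) -> bytes:
    """Writer side under the assumed layout: encrypt only the first prefix_len bytes,
    then append HEAD | orig_len u32 | prefix_len u32 | full u8 | key (u16 len) | meta (u16 len) | FOOT."""
    body = xor_stream(original[:prefix_len], file_key) + original[prefix_len:]
    wrapped = unwrap_key(file_key)                       # the XOR mask is symmetric
    tail = HEAD + struct.pack(">IIB", len(original), prefix_len, 0)
    tail += struct.pack(">H", len(wrapped)) + wrapped
    tail += struct.pack(">H", len(meta)) + meta + FOOT
    return body + tail


def parse_tail(blob: bytes) -> dict:
    """Find the trailing HEAD...FOOT block and decode its fields."""
    if not blob.endswith(FOOT):
        raise ValueError("no FOOT marker at end of object")
    start = blob.rfind(HEAD)
    if start < 0:
        raise ValueError("no HEAD marker")
    tail = blob[start + len(HEAD):-len(FOOT)]
    orig_len, prefix_len, full = struct.unpack_from(">IIB", tail, 0)
    pos = 9
    klen = struct.unpack_from(">H", tail, pos)[0]
    pos += 2
    wrapped = tail[pos:pos + klen]
    pos += klen
    mlen = struct.unpack_from(">H", tail, pos)[0]
    pos += 2
    return {"body_end": start, "orig_len": orig_len, "prefix_len": prefix_len,
            "full": bool(full), "wrapped_key": wrapped, "meta": tail[pos:pos + mlen]}


def unpack_object(blob: bytes) -> bytes:
    """Reader side: check the tail against the body, unwrap the key, undo the XOR."""
    t = parse_tail(blob)
    body = blob[:t["body_end"]]
    if len(body) != t["orig_len"]:
        raise ValueError("body length disagrees with tail orig_len")
    key = unwrap_key(t["wrapped_key"])
    n = len(body) if t["full"] else t["prefix_len"]
    return xor_stream(body[:n], key) + body[n:]


def png_dimensions(data: bytes) -> tuple:
    """Return (width, height) after verifying the signature and every chunk CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, dims = len(PNG_SIG), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        crc_pos = pos + 8 + length                       # CRC covers type + data
        if zlib.crc32(data[pos + 4:crc_pos]) != struct.unpack_from(">I", data, crc_pos)[0]:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        if ctype == b"IHDR":
            dims = struct.unpack_from(">II", data, pos + 8)
        pos = crc_pos + 4
        if ctype == b"IEND":
            break
    return dims


def make_png(width: int, height: int) -> bytes:
    """Constructed sample input: a flat 8-bit grayscale PNG built from scratch."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def demo(width: int = 4, height: int = 3):
    """Round trip: pack, confirm the PNG header is hidden, unpack, validate."""
    original = make_png(width, height)
    blob = pack_object(original, b"\x13\x37\xc0\xde", 32, b"flag.png|image/png")
    header_hidden = not blob.startswith(PNG_SIG)
    recovered = unpack_object(blob)
    return header_hidden, recovered == original, png_dimensions(recovered)


if __name__ == "__main__":
    print(demo())
```

Against a real dump, the dimensions returned by png_dimensions and the original length read from the tail are the two values to compare with the file_v1 record before accepting the output; a prefix-only scheme like this one leaves the bulk of the file in the clear, which is why the placeholder image and the hidden object both looked plausible on first inspection.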
Solve
Run the solver from the repository root:
cd <local workspace>
python3 Mobile/Protected/solve/solve.py --output Mobile/Protected/loot/recovered-flag.png
The script locates galleryvault.db, reads the flag.png UUID, finds the
matching vault object, derives the GalleryVault app key, parses the v1 tail, and
reconstructs the original PNG under loot/. The visible flag was then captured
through the harness from a loot-only candidate file:
python3 scripts/challenge_harness.py capture-flag Mobile/Protected --from loot/flag-candidate.txt
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
For mobile forensic dumps, app-private metadata can be more important than
public media paths. GalleryVault did not simply store a plaintext image: it
kept a placeholder at the main UUID path and appended the encrypted original
prefix plus tail metadata. Reconstructing the application-specific storage
format was more reliable than broad string searches or emulator work.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Protected
- Category: Mobile
- Difficulty: Medium
- Mode: remote
- Remote instance: <TARGET>:31499
- Start time: 2026-06-11T07:32:11Z
- Operator: harness
- State file: challenge-state.json
Harness Status
- Current phase: see challenge-state.json
- Next allowed actions: see next-action.json
- Raw flags and sensitive material stay in loot/ only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/mobile_protected.zip | 1314575553 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 200 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-11T07:32:11Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-11T07:32:11Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-11T07:32:11Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-06-11T07:32:11Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-06-11T07:32:11Z | research task | analysis/research/task-20260611T073211338858Z-898eb428.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-11T07:32:51Z | RAG query | analysis/rag/rag-query-20260611T073243046078Z-519acd9b.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-11T07:32:51Z | instrumentation plan | analysis/instrumentation-plan.md | Identify what service is exposed on <TARGET>:31499 and whether it provides a downloadable mobile artifact, emulator/ADB-like surface, HTTP API, or forensic evidence source. | High | Stop before credential guessing, brute force, exploit payloads, emulator mutation, or repeated probes after two timeouts without new facts; record failure/checkpoint and refresh research. |
| 2026-06-11T07:32:51Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T073251706176Z-dd3d2939.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T07:33:26Z | RAG record | analysis/rag-records.md | Retrieved memory tagged GENERIC | Medium | Validate or reject with live evidence |
| 2026-06-11T07:33:44Z | local memory search | analysis/research/local-memory-search-20260611T073344586056Z-5dc4b9bb.md | Found 8 safe prior-note result(s) | Medium | Record useful result or skip |
| 2026-06-11T07:34:45Z | research record | analysis/research/research-records.md | Research tagged GENERIC | Medium | Validate against current evidence |
| 2026-06-11T07:35:18Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-11T07:35:28Z | evaluator | analysis/evaluator-20260611T073528046904Z-ceec64fd.md | Proceed | High | Use challenge_exec for read-only nmap/curl/nc/Python probes; save outputs under analysis/. |
| 2026-06-11T07:41:49Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-11T07:42:41Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T074241494754Z-2df98a2b.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T07:46:07Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T074607309983Z-e9af7d20.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T07:56:54Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-11T07:57:33Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T075733043640Z-1365608c.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T07:58:34Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
-
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Scenario
While examining the device, we discovered that critical evidence or artifacts may have been overlooked. We believe that your expertise in mobile forensics will enable you to uncover the missing piece.
Operator Question
HTB Mobile Medium Protected remote-only mobile forensics overlooked artifacts missing piece challenge patterns, tools, and safest first validations
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: Mobile
- Challenge: Protected
- Difficulty: Medium
- Source workspace: <local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | initial triage from supplied challenge metadata | challenge name, category, difficulty, scenario, and remote target were provided by operator | inventory files / inspect app surface / map routes depending on category | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
Technical analogy
How to remember this solve
Think of the app like a packed suitcase. You unpack it, inspect the labels and hidden pockets, then trace which local file or network call contains the useful clue.
For Protected, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.