The kaizen CTF was also the first time I'd done a CTF challenge that involved Android forensics. I'd messed around the Android filesystem before with adb shell, but never gone looking for specific things.
Here's the challenge text:
A user created a backup of his Android phone and saved it on the Desktop. What is the wifi password of the network that the user connected to?
This is a good example of something that logically must be stored somewhere on the phone, but something that I would never think about being available to anyone with access to the filesystem.
After poking around a while wihtout any success, I thought that the string "ssid" or "SSID" would likely be stored near the password, wherever that would be...
Running grep -r "ssid" data/ yields a fair number of hits, but one sticks out in particular:
This looks promising... Investigating the rest of the file shows it contains the "psk" that we're looking for!