Whats up?
its been a long time since i publish a post, have been very busy lately with all pentest project. But right now luckily i have spare time and decide to do solve CTF challenge and in this post i'm going to show some write up that i do in CTF mobile challenge.
okay, first of all you may be thinking if there is such thing as "CTF mobile challenge" (i think that's how you called it) right? Well at first i too don't know that kinda challenge exist cause in my experience indulging with CTF competition in my area i never faced CTF that require mobile pentest knowledge.
But all of that was changed when i try to do some google searching about mobile CTF challenge i found this very interesting github repository you guys can check it in the following link:
https://github.com/xtiankisutsa/awesome-mobile-CTF
(who ever make this repository i just want to say you are awesome)
as you can see if you open the link there is a lot of CTF challenge about mobile pentesting and when i try to do some quick review about all of the challenge, most of them is consider as reverse engineer category in CTF. well i agree with the point about mobile pentest is put in the reverse engineer section. My experience in doing mobile pentest project, in order to know more about attacking the application eventually you will have to reverse engineer the .apk file to know more about the functionality and detecting vulnerability.But the truth is reversing .apk file is easier than reversing c,c++ or .ipa file all you need to have is just understand little bit about java and the right tools.
before you try to solve any CTF mobile challenge i recommend you to do some practice about java and android programming little bit cause it will help you understanding the code even better.
so i try to do the first challenge which is the 0CTF challenge in 2015. There are 4 challenges:
"This is a simple apk, Could you find the flag?"
hmmmm i think this pretty straight forward clue so i think i just need to reverse the apk and i will get the flag, okay!
so i will use dex2jar tools to do the reverse engineering the apk file, but remember dex2jar is not the only tools that can reverse engineer apk file you should do some research and compare it which one is better(i talk about that later):
so it is pretty simple fire up the dex2jar scripts and specify the output directory. After that you will get the .jar file.
so in order to open the .jar file you need to have "jd-gui" tools to read the source code.(Google it and Download it)
now if you already jd-gui and open the file navigate to the EasyRe file that is the main file of the application. as you can see at the above two pic the first pic there is snipped code that the application open a file called "flag.txt" and the second pic show that the application compare the input string with the "flag.txt" file.
so all we need to do is just find the flag.txt and see the content of it, pretty simple. But how do we find the file ?
first you need to install the application to your mobile using adb utility and make sure that the device is rooted.
so go to the application directory and there is going to be three folder: cache,lib and files. before you go to the directory try to play with the application.
try to explore the directory and find the file "flag.txt"
The flag.txt is put in the files directory. try to see the content by using the cat tools and walaaa! you get the flag.
"xiaohuajiao says that he is good enough to reverse normal APKs, he want to do something interesting outside APKs. dadroid"
hmmm the truth is i dont really know what the clue means so i just straight to reverse engineer the .apk file, i assume there is some interesting code inside the source code to do some checking.
for (int k = 0; k < i; k++)
{
int m = 0xFF & (j ^ arrayOfChar2[k]);
j = (char)(j + 1);
arrayOfChar2[k] = ((char)m);
}
its been a long time since i publish a post, have been very busy lately with all pentest project. But right now luckily i have spare time and decide to do solve CTF challenge and in this post i'm going to show some write up that i do in CTF mobile challenge.
okay, first of all you may be thinking if there is such thing as "CTF mobile challenge" (i think that's how you called it) right? Well at first i too don't know that kinda challenge exist cause in my experience indulging with CTF competition in my area i never faced CTF that require mobile pentest knowledge.
But all of that was changed when i try to do some google searching about mobile CTF challenge i found this very interesting github repository you guys can check it in the following link:
https://github.com/xtiankisutsa/awesome-mobile-CTF
(who ever make this repository i just want to say you are awesome)
as you can see if you open the link there is a lot of CTF challenge about mobile pentesting and when i try to do some quick review about all of the challenge, most of them is consider as reverse engineer category in CTF. well i agree with the point about mobile pentest is put in the reverse engineer section. My experience in doing mobile pentest project, in order to know more about attacking the application eventually you will have to reverse engineer the .apk file to know more about the functionality and detecting vulnerability.But the truth is reversing .apk file is easier than reversing c,c++ or .ipa file all you need to have is just understand little bit about java and the right tools.
before you try to solve any CTF mobile challenge i recommend you to do some practice about java and android programming little bit cause it will help you understanding the code even better.
so i try to do the first challenge which is the 0CTF challenge in 2015. There are 4 challenges:
- simpleapk
- dadroid
- dataraider
- VEZEL
SIMPLEAPK:
so the clue of the challenge was:"This is a simple apk, Could you find the flag?"
hmmmm i think this pretty straight forward clue so i think i just need to reverse the apk and i will get the flag, okay!
so i will use dex2jar tools to do the reverse engineering the apk file, but remember dex2jar is not the only tools that can reverse engineer apk file you should do some research and compare it which one is better(i talk about that later):
so it is pretty simple fire up the dex2jar scripts and specify the output directory. After that you will get the .jar file.
so in order to open the .jar file you need to have "jd-gui" tools to read the source code.(Google it and Download it)
now if you already jd-gui and open the file navigate to the EasyRe file that is the main file of the application. as you can see at the above two pic the first pic there is snipped code that the application open a file called "flag.txt" and the second pic show that the application compare the input string with the "flag.txt" file.
so all we need to do is just find the flag.txt and see the content of it, pretty simple. But how do we find the file ?
first you need to install the application to your mobile using adb utility and make sure that the device is rooted.
so go to the application directory and there is going to be three folder: cache,lib and files. before you go to the directory try to play with the application.
try to explore the directory and find the file "flag.txt"
The flag.txt is put in the files directory. try to see the content by using the cat tools and walaaa! you get the flag.
dadroid:
Okay so that's a good warm up lets go to the second challenge dadroid. The clue about the challenge is:"xiaohuajiao says that he is good enough to reverse normal APKs, he want to do something interesting outside APKs. dadroid"
hmmm the truth is i dont really know what the clue means so i just straight to reverse engineer the .apk file, i assume there is some interesting code inside the source code to do some checking.
OMG! i was right there is something interesting inside the source code. If you do some checking with the source code, the application is compare the input with the arrayOfChar1 variable.
char[] arrayOfChar2 = paramString.toCharArray();
int i = arrayOfChar2.length;
int j = arrayOfChar2[(i - 1)];for (int k = 0; k < i; k++)
{
int m = 0xFF & (j ^ arrayOfChar2[k]);
j = (char)(j + 1);
arrayOfChar2[k] = ((char)m);
}
if you see the rest of the code in the function crack, it takes one parameter which is the input from the user if its right it will show yes otherwise it will show no.
OKAY! so if you see in the following snipped code the user input will be convert to array of ASCII value (you can check the ascii value by typing "man ASCII" in your terminal) and get calculated with exponent and bitwise operator
int m = 0xFF & (j ^ arrayOfChar2[k]);
so every component inside the array will get "0xFF &" operation after get the calculation of "j ^ arrayOfChar2[k]". i recommend you to check the link: https://www.mkyong.com/java/java-and-0xff-example/
so in the simple manner:
1.We need to find j and arrayOfChar2[k] value (x^y) and the least the significant byte of the calculation need to be the same for every value in the arrayOfChar1 2.After get the result the variable j will be incremented.
3.And the value of the calculation (int m = 0xFF & (j ^ arrayOfChar2[k])) will be converted to array of character and compare it with the arrayOfChar1 until the end of the array.
(i suggest you study the code again and do some testing cause its kinda hard to understand if you just read from this blog)
so for conclusion we need to find 51 long array character that is same with the arrayOfChar1 value after get converted.
how do we do this? cause brute forcing is not going to be the answer but we can actually predict what could be the flag.
As you know from the previous challenge we got the flag with a format of 0ctf{..} or it could be 0CTF{....}right?
so we could actually just try to input the ascii value of this character and fill out the random number between the "{" and "}" as long the length of the sum is 51 character long and see what happen.
[48, 67, 84, 70, 123, 60, 96, 123, 100, 100, 102, 94, 96, 103, 116, 38, 115, 80, 110, 111, 116, 95, 116, 104, 101, 95, 114, 101, 97, 108, 95, 102, 108, 97, 1890, 95, 104, 97, 104, 97, 104, 97, 104, 97, 104, 97, 104, 97, 104, 97, 125]
ok so this is my crafted input data:
48 = 0
67 = C
84 = T
70 = F
123 = {
and
125 = }
okay to test the crafted input i test it with simple script of python:
assign two variable with type of list
create equivalent code of the java source code
yes! so right we do know that the first five character is 0CTF{ and the last character is }. but unfortunately we still get to guess the rest of 45 characters. well it is not really difficult cause we already the j variable we could actually just have to loop and find the arrayOfChar2[k]) until it same with the arrayOfChar1. you can do it we simple python scripts, you could take a look the source code at my repository github:
https://github.com/acaciaworld80/python-mobile/blob/master/ctf_scripts_dadroid.py #feel free to download it
so when i try to run the scripts o got this:
yeaaa we got the flag. so in the next post i will post the last two challenge of 0CTF challenge
peace out
Comments
Post a Comment