Skip to main content

Android crackme challenge (challenge 1 - challenge 4) (day 20)


Hey guys its been a while since i update my blog about android security. I've been busy to take care university stuff.

So because i have spare time it is time to solve some android crackme challenge from github. You can check it at: https://github.com/reoky/android-crackme-challenge

if you check inside the github you notice the owner provided us with 8 challenges. In this post, i'm going to talk about first four challenge and the next part is going to be the rest

NOTE: to solve this challenge i use androguard in docker environment

Overview of the challenge:

  • Challenge One : A file will be created within the application's sandbox boundaries. You must extract its contents.
  • Challenge Two : Builds on challenge one, data gets dumped to Logcat, and may need search engine foo.
  • Challenge Three : This app searches a webpage for a string. Go on your own network and insert the string with a man-in-the-middle attack. 
  • Challenge Four : The app unlocks only when you're in Minnesota. Either travel to Minnesota or learn about mock locations to complete the challenge.

Challenge One:

In this challenge, the application write a file inside the sandbox boundaries and we need to retrieve what is inside it.

Preview:

In android environment, each installed application is designed to have it's own container, so other application could not interfere with the process and enforce security mechanism to make sure any sensitive data inside the application cannot be probed by outside component. But, unfortunately sometimes developer forgot to administer secure coding thus lead to vulnerability that able to bypass sandbox container inside the application.

How to solve it:

  • We need to load the application to the docker environment

  •  Once its load, we called "AnalyzeAPK" object in order to de-compile the .apk file into java code. Let's try check the permissions using the get_permissions function, the result show only one permission and it's not really that important
 

  •  Dumped the class of the apk, in order to get better overview of the application. 

  • Try to dump the source code of the main activity from the application and navigate to the onCreate method. As shown in the result, we have what its called a tab listener. Each of the tab have a specific name and function (challenge,hint and about) if we try to correlate from the previous result there is a list of file from "listener" directory that contain all of the tab listener code. Let's try to open the source code of the challenge and see if there are any interesting vulnerability


  • Try to dump the "ChallengeOneFragmentOnClickListener;" and search the onClick method. From the result, it is shown that the application do a string check if the user enter a string "poorly-protected-secret" it will tell "you\'ve completed this challenge". We got the secret string but lets try to dig deep dive of the application 

  •  If you try to scroll down and read the source code you will find a switch statement that called a function of "outputstreamwriter" this function responsible to create a file in java programming and further down you notice that the content of the file is the secret string that we have found earlier. According to OWASP MSTG this is could lead to poorly configure local storage setting since the function that was used making the file is world readable.
  • Try to test it by install the application inside the emulator and browse the application file permission. It is appeared that the application have world readable setting.

Challenge Two:

Builds on challenge one, data gets dumped to Logcat, and may need search engine foo.

Preview:

Logcat is a command line tool used for debugging an android application that enable to dump all of the system message and is a great way for developer to dissect any error or detail of the application but if the debugging feature show too much information that leak to sensitive data you might need to revise your application.

How to solve it:

  • Load the application into docker environment again and if you try to dump the source code of the main activity it will mostly like the previous challenge


  • Go to the "ChallengeTwoFragmentOnClickListener;" and dumped the source code class. Move to the "onClick" method and inside it there is a switch statement that do string check. First is to check if first string is equal to "manage@corp.net" if equal it will proceed to check the password hash if not it will display a log.
 
  • Considering that we already have the first secret, lets try to crack the hash of the password. From the result, you can see that the password is "zipdrive". Well got the secret string, lets try execute the app to dig deeper.


  • For the first try, enter a wrong email and simultaneously check your logcat by enter "adb logcat". 

  • For the second try, enter a right email and wrong secret. From the result, we can conclude that this application suffer over exposures of sensitive data from debugging log.

Challenge Three:

This app searches a webpage for a string. Go on your own network and insert the string with a man-in-the-middle attack.

Preview:

MITM is a technique to alter a message or a network request before arriving to the backend server. There are many reason many pentester use MITM in android application one of the example is dissecting application transcation to find any possible loop hole on the server-side programming

How to solve it:

 

  •  In order to complete the challenge, you need to setup a http proxy like burpsuite or MITMProxy


  • Run the application so we know what we are dealing with. According to the information the application request to rit.edu application and try to find out a string called "so-much-snow" 

  • After you able to capture the request using burpsuite, right click the packet and there is option called "do intercept" >> "response to this request" it will intercept the response that make you able to alter the response before enter the application.


  • Now you change the response and put the magic string. 

Challenge Four:

The app unlocks only when you're in Minnesota. Either travel to Minnesota or learn about mock locations to complete the challenge.

Preview:

Mock location allow you to send a fake GPS location from your device.

How to solve it:

 

  •  You need to install a fake GPS application from apkpure

  • But before you able to use the fake gps you need to enable the mock location in debugging setting 

  • try to dump the "ChallengeFourFragment;" source code and as you can see the application check latitude and longtitude if the both value is 45 and -93 

  • Now try to input the location and complete challenge 
 Thats all thank you people
Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct
Post a Comment
Read More »

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi
Post a Comment
Read More »