It's been a while since I did an Android challenge, so out of curiosity I ended up searching GitHub for a challenge that caught my eye. Fortunately, I stumbled upon one called "KGB messenger" (link: https://github.com/tlamb96/kgb_messenger).
Basically, it is a reverse engineering challenge that asks you to find the flags hidden inside the app. According to the description, the app has three levels that we must finish:
Alerts (Medium)
The app keeps giving us these pesky alerts when we start the app. We should investigate.
Login (Easy)
This is a recon challenge. All characters in the password are lowercase.
Social Engineering (Hard)
It looks like someone is bad at keeping secrets. They're probably susceptible to social engineering... what should I say?
The background story goes like this:
You are working for the International Secret Intelligence Service as a reverse engineer. This morning your team lead assigned you to inspect an Android application found on the phone of a misbehaving agent. It’s rumored that the misbehaving agent, Sterling Archer, has been in contact with some KGB spies. Your job is to reverse engineer the application to verify the rumor.
Preparation:
First of all, you need to compile the challenge with Android Studio and then install it in the emulator or on an Android device. You may need to install some additional components from the Android SDK manager, since the app needs Android SDK version 26 to compile.
After that you can just install and run it on your preferred device.
First Obstacle (Annoying Pop Out)
So I installed the app, and when I opened it, the app suddenly closed and showed the following warning. It seems the app automatically does some integrity checking of the device before it gets to the actual program; let's investigate this by decompiling the app.
Convert the .apk file into a .jar using enjarify; the resulting .jar can then be processed with the Procyon decompiler to get the actual source code. This may take a couple of minutes.
While waiting for the decompiler to finish its task, I also ran apktool in a different tab.
Let's take a look at the skeleton of the app by opening the AndroidManifest.xml file produced by apktool.
From the result, we can see that there are three activity classes used by the application. We already know that when an Android app is run, the first class that will be executed is the MainActivity class. Let's go to that file.
Open the file and take a look at the onCreate() function in the class. We can see the app actually does some checking first: a property check that tests whether the device running the app is a Russian device or not, and then a second check that is just a whitelist check.
So how do we circumvent this check? Pretty easy! We can just edit the smali file produced by apktool, repackage it, and sign it with a different key.
First, go to the MainActivity.smali class and edit the following line in the file:
What we do here is basically instruct the app, whatever the comparison result of the if statement is, to jump to the block where the startActivity() call resides, which is the cond_3 block.
Then, to make it simple, I created a bash script that automates the process of building the app and installing it on my device.
To sign the app I used a tool called appium-sign; you can check the GitHub repo at: https://github.com/appium/sign
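For reference, here is an added example of such an automation script. It is not the script from this write-up and not part of the challenge repository: it rebuilds a directory decoded with apktool, signs the result with a throwaway self-signed key using apksigner from the Android SDK build-tools (instead of the appium-sign tool used above) and installs it with adb. It assumes apktool, zipalign, apksigner, keytool and adb are on PATH, and the package name on the command line is a placeholder you must replace with the app's real one.

```shell
#!/bin/sh
# Added example (not the write-up's own script): rebuild an apktool-decoded
# directory, sign it with a throwaway key and install it on the connected device.
# Assumes apktool, zipalign, apksigner (SDK build-tools), keytool (JDK) and adb
# are on PATH.
set -eu

require_tool() {
    # Return 0 if the tool is on PATH, otherwise report it and return 1.
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "missing tool: $1" >&2
    return 1
}

ensure_keystore() {
    # $1 = keystore path. Create a self-signed RSA key once and reuse it later.
    ks="$1"
    [ -f "$ks" ] && return 0
    keytool -genkeypair -keystore "$ks" -alias ctf -keyalg RSA -keysize 2048 \
        -validity 3650 -storepass ctfpass -keypass ctfpass \
        -dname "CN=ctf, OU=lab, O=lab, C=US"
}

rebuild_sign_install() {
    # $1 = directory produced by `apktool d`, $2 = package name (placeholder).
    src="$1"; pkg="$2"
    ks="${KEYSTORE:-./ctf.jks}"
    out="$src/dist/$(basename "$src").apk"
    aligned="${out%.apk}-aligned.apk"
    signed="${out%.apk}-signed.apk"
    for t in apktool zipalign apksigner keytool adb; do require_tool "$t"; done

    apktool b "$src" -o "$out"                 # rebuild from the edited smali
    zipalign -f -p 4 "$out" "$aligned"         # align before signing (apksigner requirement)
    ensure_keystore "$ks"
    apksigner sign --ks "$ks" --ks-pass pass:ctfpass --out "$signed" "$aligned"
    apksigner verify "$signed"

    # The rebuilt APK carries a different signing key than the original build,
    # so Android refuses an in-place upgrade; remove the old install first.
    adb uninstall "$pkg" >/dev/null 2>&1 || true
    adb install -r "$signed"
}

# Only run the pipeline when invoked with both arguments, e.g.:
#   sh rebuild.sh ./kgb_messenger com.example.kgb   (package name is a placeholder)
if [ "$#" -eq 2 ]; then
    rebuild_sign_install "$1" "$2"
fi
```

The keystore password and subject here are deliberately throwaway values; they only need to produce a valid signature so the patched build installs, not to match anything from the original app.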
Open the app again and the annoying pop-up is gone :)
Second Obstacle (finding username and password)
We need to find out what credentials the app uses to get through authentication. If you look carefully at the AndroidManifest.xml file again, there is another class named LoginActivity; let's take a look at it.
From the source code, we can deduce that for the username check the app gets the expected value from the app resources and compares it with the user input (resources are basically another Android application component that stores additional files for the app, such as pictures, strings for the UI and so on), and the same principle goes for checking the password.
It is basically not recommended to store sensitive information in resource files, since it can be retrieved easily by decompiling the app. The number inside the getString() call is just a reference to the resource name, and you can look it up in the R$string.java file.
You can get the value of each string listed in the above figure in the res folder, inside the strings.xml file.
Open it and we can see we get the username and the password, but unfortunately the password is an MD5 hash. To make this quick I just googled the hash; it turns out that this hash is produced from the string "guest".
Enter the credentials and we are taken into the group chat inside the app, along with the first flag.
Third Obstacle (Hash..Hash..Hash)
Let's move on to the last and final flag. Checking the AndroidManifest.xml again, we can see that there is a last Android class that we have not checked yet (MessengerActivity), and from the name of the class we can obviously guess it has a connection with the group messenger chat. Open the class file and take a look at the onsendMessage() function:
From a quick look at the above source code, we can see that we need to enter two inputs in the group messenger. The first message will be passed to the easyHash() function and compared with the variable AskBorris; then the second message, which follows the first one, will be passed to the hardHash() function and compared with the variable AskBorrisNicely.
We need to input the two messages correctly, since when generating the flag the class checks whether both messages were entered right.
These two compared variables can be spotted in the MessengerActivity() function.
Let's crack those two values, examining the easyHash() function first.
I leave it to your problem-solving skills to work out how to interpret this code; basically, the function takes a string, converts it into a char array and processes it from both sides, XORing with 2 and A respectively.
We can get the original value by reversing the process, but before we create the script, let's go to the hardHash() function to see what we are dealing with.
The function runs two loops over the string: the first loop right-shifts each char by an amount taken modulo 8 (the i % 8 operation), and the second loop reverses the order of the string.
We cannot get the original value by reversing the process, since the shift discards bits, but we can brute force it.
From this information, let's create a Python script that looks like this:
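The script itself is not reproduced in this post, so below is an added Python example (my own, not the write-up's script and not the app's code) that models both transforms as described above and undoes each one. Because the decompiled functions are not shown here, the models are assumptions: easyHash is taken to XOR characters at even positions with '2' and at odd positions with 'A' (whatever the exact position rule is, XOR with a fixed byte is its own inverse, so re-applying the transform recovers the input), and hardHash is taken to right-shift each character by (index % 8) and then reverse the string, which loses bits and therefore has to be brute forced position by position. The demo values are constructed, not the real AskBorris / AskBorrisNicely strings.

```python
"""Added example (not the write-up's own script): a Python model of the two
message "hashes" described above and the way each is undone.

Assumptions, since the decompiled functions are not reproduced in the post:
  * easyHash is modelled as XORing characters at even positions with '2' and
    at odd positions with 'A'.  XOR with a fixed byte is its own inverse, so
    re-applying the transform to the hash gives the input back.
  * hardHash is modelled as shifting each character right by (index % 8) and
    then reversing the string.  The shift throws bits away, so the input can
    only be recovered by trying every printable character at each position.
"""

PRINTABLE = [chr(b) for b in range(32, 127)]   # candidate alphabet for brute force


def easy_hash(text: str) -> str:
    """Assumed model of easyHash: alternate XOR keys '2' and 'A'."""
    out = []
    for i, ch in enumerate(text):
        key = ord("2") if i % 2 == 0 else ord("A")
        out.append(chr(ord(ch) ^ key))
    return "".join(out)


def reverse_easy_hash(hashed: str) -> str:
    """XOR with a known constant is an involution: the inverse is the transform itself."""
    return easy_hash(hashed)


def hard_hash(text: str) -> str:
    """Assumed model of hardHash: lossy right shift by (i % 8), then reverse."""
    shifted = [chr(ord(ch) >> (i % 8)) for i, ch in enumerate(text)]
    return "".join(reversed(shifted))


def brute_force_hard_hash(hashed: str, alphabet=PRINTABLE) -> list:
    """Return, for each input position, the characters that hash to the observed byte.

    Position 0, 8, 16, ... use a shift of 0 and are recovered exactly; the
    further a position is past a multiple of 8, the more bits are lost and
    the wider its candidate set becomes (this is the "i % 8" ambiguity).
    """
    target = list(reversed(hashed))          # the reversal is the only exactly invertible step
    candidates = []
    for i, observed in enumerate(target):
        shift = i % 8
        matches = [c for c in alphabet if (ord(c) >> shift) == ord(observed)]
        candidates.append(matches)
    return candidates


def render(candidates: list) -> str:
    """Show unambiguous positions as-is and ambiguous ones as a [set] to guess from."""
    parts = []
    for options in candidates:
        if len(options) == 1:
            parts.append(options[0])
        elif options:
            parts.append("[" + "".join(options) + "]")
        else:
            parts.append("?")                # nothing in the alphabet fits this byte
    return "".join(parts)


if __name__ == "__main__":
    # Constructed demo values, not the app's real AskBorris / AskBorrisNicely strings.
    print(reverse_easy_hash(easy_hash("hello")))
    print(render(brute_force_hard_hash(hard_hash("hello"))))
```

The rendered output for the hard hash makes the guessing step explicit: a single character where the position is unambiguous and a bracketed set of options where the shift lost information, which is exactly why the recovered second value looks "not really complete" and is finished by eye.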
reference: https://medium.com/bugbountywriteup/android-ctf-kgb-messenger-d9069f4cedf8
Run the script and we get the original values:
The second value is not fully recovered, since the "i % 8" operation loses information, but that's not a problem because the result is pretty clear and we can just guess it.
Yeah, we got the last flag. That's all folks!
I hope you enjoyed this post.