
Android Challenge KGB Messenger :D (day 70)


It's been a while since I did an Android challenge, so I got curious and ended up searching around GitHub for one that caught my eye. Fortunately, I stumbled upon a challenge called "KGB Messenger" (link: https://github.com/tlamb96/kgb_messenger).

Basically, it is a reverse engineering challenge that asks you to find the flags hidden inside the app. According to the description, the app has three levels that we must finish:

Alerts (Medium)

The app keeps giving us these pesky alerts when we start the app. We should investigate.

Login (Easy)

This is a recon challenge. All characters in the password are lowercase.

Social Engineering (Hard)

It looks like someone is bad at keeping secrets. They're probably susceptible to social engineering... what should I say?

The background story goes like this:

You are working for the International Secret Intelligence Service as a reverse engineer. This morning your team lead assigned you to inspect an Android application found on the phone of a misbehaving agent. It’s rumored that the misbehaving agent, Sterling Archer, has been in contact with some KGB spies. Your job is to reverse engineer the application to verify the rumor.

Preparation:

First of all, you need to build the challenge from Android Studio and then install it on an emulator or an Android device.

You may need to install some additional components from the SDK manager, since the app needs Android SDK version 26 in order to compile.




After that you can just install and run it on your preferred device.

First Obstacle (Annoying Pop-up)

So I installed the app, and when I opened it, the app immediately closed and showed the following warning:


It seems the app does some integrity checking on the device before it gets to the actual program. Let's investigate this by decompiling the app.



Convert the .apk file into a .jar using enjarify, then feed the resulting .jar to the Procyon decompiler to get readable Java source. This may take a couple of minutes.



While waiting for the decompiler to finish, I also ran apktool in a different tab. apktool gives us the decoded resources and the smali disassembly, which is what we will patch later.



Let's take a look at the skeleton of the app by opening the AndroidManifest.xml file produced by apktool.



From the manifest, we can see that the application uses three activity classes. The activity declared with the MAIN action and LAUNCHER category in its intent filter is the one Android starts first; here that is MainActivity. Let's go to that file.



Open the file and take a look at the onCreate() method of the class. We can see that the app does two checks before anything else: a system property check that decides whether the device running the app is a "Russian" device, and then a user whitelist check. Only if both pass does it start the next activity.

So how do we circumvent this check? Pretty easy: we can just edit the smali file produced by apktool, rebuild the APK, and sign it with a different key. We don't have the original signing key and Android won't install an unsigned APK, so we need our own key, and because the signature changes, the patched build cannot be installed over the original app; uninstall the original first.

First, go to MainActivity.smali and edit the following line in the file:



What we do here is basically make the branch unconditional: whatever the comparison result of the if statement is, execution jumps to the block where the startActivity() call resides, which is the cond_3 block.
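The same edit done with a script, as an added example rather than the author's own steps: a small Python patcher that rewrites every conditional branch inside one smali method into a `goto/16` to the label you name. The smali method body embedded below is constructed for illustration (class names, strings and registers are placeholders, not the app's real MainActivity.smali); the technique is the one described above.

```python
"""Added example (not the author's script): make a smali conditional branch
unconditional so an integrity check can never fail. SAMPLE_SMALI is a
CONSTRUCTED stand-in for MainActivity.smali's onCreate(); the real method
differs, but the edit is the same: whatever the comparison result, jump to
the label whose block calls startActivity()."""
import re

SAMPLE_SMALI = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2

    invoke-super {p0, p1}, Landroid/support/v7/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V

    const-string v0, "device.region"
    invoke-static {v0}, Ljava/lang/System;->getProperty(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    const-string v1, "RU"
    invoke-virtual {v1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0

    if-nez v0, :cond_3

    const-string v0, "Integrity Error"
    const-string v1, "Wrong device"
    invoke-direct {p0, v0, v1}, Lcom/example/kgb/MainActivity;->a(Ljava/lang/String;Ljava/lang/String;)V
    return-void

    :cond_3
    new-instance v0, Landroid/content/Intent;
    const-class v1, Lcom/example/kgb/LoginActivity;
    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
    invoke-virtual {p0, v0}, Lcom/example/kgb/MainActivity;->startActivity(Landroid/content/Intent;)V
    return-void
.end method

.method private a(Ljava/lang/String;Ljava/lang/String;)V
    .locals 0

    if-eqz p1, :cond_0

    :cond_0
    return-void
.end method
"""

# Matches one conditional branch: `if-eqz v0, :label`, `if-ne v0, v1, :label`, ...
BRANCH_RE = re.compile(r"^(\s*)if-[a-z]+\s+(?:[vp]\d+,\s*)+(:\w+)\s*$")


def force_branch(smali: str, method_sig: str, target: str) -> str:
    """Inside the method whose header contains method_sig, replace every
    conditional branch with `goto/16 target`. goto/16 carries a 16-bit
    offset, so it reaches the label wherever it lands after rebuilding.
    Branches in other methods are left untouched; the original instruction
    is kept as a smali comment ('#') for reference."""
    out, inside, patched = [], False, 0
    for line in smali.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith(".method ") and method_sig in stripped:
            inside = True
        elif stripped == ".end method":
            inside = False
        if inside:
            m = BRANCH_RE.match(line)
            if m:
                indent = m.group(1)
                out.append(f"{indent}# was: {stripped}\n")
                line = f"{indent}goto/16 {target}\n"
                patched += 1
        out.append(line)
    if patched == 0:
        raise ValueError(f"no conditional branch found in method matching {method_sig!r}")
    return "".join(out)


def patch_file(path: str, method_sig: str = "onCreate(", target: str = ":cond_3") -> None:
    """Patch a real smali file in place (e.g. the MainActivity.smali apktool produced)."""
    with open(path, encoding="utf-8") as f:
        patched = force_branch(f.read(), method_sig, target)
    with open(path, "w", encoding="utf-8") as f:
        f.write(patched)


if __name__ == "__main__":
    print(force_branch(SAMPLE_SMALI, "onCreate(", ":cond_3"))
```

After patching, the usual round trip is `apktool b` to rebuild, signing the output with your own key (the post uses appium-sign; apksigner from the SDK build-tools works too), then `adb install` after uninstalling the original. Both checks in the real onCreate() end up redirected, because the patcher rewrites every conditional branch inside that one method.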

Then, to make it simple, I wrote a bash script that automates rebuilding the app and installing it on my device:



To sign the app I used a tool called appium-sign; you can check it out on GitHub: https://github.com/appium/sign



Open the app again and the annoying pop-up is gone :)

Second Obstacle (Finding the Username and Password)

We need to find out which credentials the app expects for authentication. If you look carefully at the AndroidManifest.xml file again, there is another class named LoginActivity. Let's take a look at it.



From the source code, we can see that the username check reads the expected value from the app's resources and compares it with the user input (resources are an Android application component that stores additional files for the app, such as images, UI strings and so on), and the same principle applies to the password check.

It is not recommended to store sensitive information in resource files, since they can be retrieved easily by decompiling the app. The number passed to getString() is just a resource ID that refers to the resource name; you can map it back in the R$string.java file:


You can get the value of each string listed in the figure above from the strings.xml file in the res folder:



Open it and we have the username and the password, but unfortunately the password is stored as an MD5 hash. To make this quick I just googled the hash, and it turns out it is the MD5 of the string "guest" (an unsalted MD5 of a common word is trivially reversed with a lookup table, which is why a hash in a resource file is barely better than the plaintext).


Enter the credentials and we are taken into the group chat inside the app, along with the first flag.

Third Obstacle (Hash..Hash..Hash)

Let's move on to the last and final flag. Checking AndroidManifest.xml again, we can see there is one class we haven't looked at yet (MessengerActivity), and from the name we can guess it has something to do with the group chat.

Open the class file and take a look at the onSendMessage() method:



From a quick look at the source code above, we can see that we need to send two messages in the group chat. The first message is passed to the easyHash() function and compared with the variable AskBorris; the second message, which follows the first one, is passed to the hardHash() function and compared with the variable AskBorrisNicely.

We need to get both messages right, since the class only generates the flag after checking that both messages were entered correctly:



The two values they are compared against can be spotted in the MessengerActivity() constructor:




Let's crack those two values, starting with the easyHash() function:



I'll leave interpreting this code to your problem-solving skills; basically, the function converts the string into a char array and processes it from both ends at once, XORing the left character with 2 and the right character with 'A'.

Since XOR with a constant is its own inverse, we can recover the original value by running the same process again. But before we write the script, let's look at the hardHash() function to see what we are dealing with:



The function runs two loops over the string: the first right-shifts each character by (i % 8), where i is the character's index, and the second reverses the order of the string.

A right shift throws bits away, so we cannot get the original value back by simply reversing the process. However, each output character depends on only one input character, so we can brute-force every position separately over the printable characters.

With this information, let's create a Python script that looks like this:



reference: https://medium.com/bugbountywriteup/android-ctf-kgb-messenger-d9069f4cedf8

Run the script and we get the original values:



The second value is not fully recovered because the (i % 8) shift discards the low bits of most characters, and at every eighth position the shift by 7 wipes out the entire ASCII value. That's not a problem, though: the result is clear enough that we can just guess the missing characters.
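To make the cracking step concrete, here is an added Python example (not the author's script, whose listing is not reproduced on this page). It reimplements easyHash() and hardHash() exactly as the post describes them, inverts the easy one by applying it twice, and brute-forces the hard one position by position, reporting every position where the shift left more than one candidate. The two places the description leaves open are assumptions: the middle character of an odd-length string in easy_hash() is left untouched, and hard_hash() shifts using the original index before reversing. The inversion logic holds either way. The sample message is constructed, not the challenge's real answer.

```python
"""Added example (not the author's script): reconstruction of KGB Messenger's
easyHash()/hardHash() as the write-up describes them, plus the inversions.
Assumptions: odd-length middle char untouched in easy_hash(); hard_hash()
shifts by the original index, then reverses."""
from __future__ import annotations

import string

# Alphabet for the brute force: printable ASCII (assumption about the message).
PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]


def easy_hash(s: str) -> str:
    """Walk inwards from both ends: left char XOR 2, right char XOR 'A'."""
    c = [ord(ch) for ch in s]
    i, j = 0, len(c) - 1
    while i < j:                  # middle char of an odd-length string is untouched (assumption)
        c[i] ^= 2
        c[j] ^= ord("A")
        i, j = i + 1, j - 1
    return "".join(map(chr, c))


def easy_unhash(h: str) -> str:
    """XOR with a constant is an involution, so hashing again undoes it."""
    return easy_hash(h)


def hard_hash(s: str) -> str:
    """Right-shift char i by (i % 8), then reverse the string. Lossy."""
    shifted = [ord(ch) >> (i % 8) for i, ch in enumerate(s)]
    return "".join(map(chr, reversed(shifted)))


def crack_hard(h: str, alphabet=PRINTABLE) -> list[str]:
    """Per-position brute force. Undo the reverse, then for position i keep
    every alphabet char whose (i % 8)-bit right shift equals the hashed
    value. Returns one string of candidates per position: a single char
    where the original is fully recovered, several where bits were lost
    (at i % 8 == 7 every ASCII char shifts to 0, so all candidates remain)."""
    shifted = [ord(ch) for ch in reversed(h)]
    return [
        "".join(ch for ch in alphabet if ord(ch) >> (i % 8) == target)
        for i, target in enumerate(shifted)
    ]


def template(cands: list[str]) -> str:
    """Readable view: the char where unique, '?' where we have to guess."""
    return "".join(cs if len(cs) == 1 else "?" for cs in cands)


if __name__ == "__main__":
    msg = "ask borris nicely"          # constructed sample, not the challenge's real message
    print(easy_unhash(easy_hash(msg)))  # round-trips exactly
    cands = crack_hard(hard_hash(msg))
    print(template(cands))
    for i, cs in enumerate(cands):
        if len(cs) != 1:
            print(f"pos {i}: shift {i % 8}, {len(cs)} candidates: {cs!r}")
    # Narrowing the alphabet to what a chat message would contain shrinks the guesswork.
    print(template(crack_hard(hard_hash(msg), string.ascii_lowercase + " ")))
```

Running it shows why the post's second value came out with holes: positions 1 to 7 of each 8-character block lose progressively more bits, and the template prints '?' wherever more than one printable character fits. Passing a smaller alphabet (lowercase letters and a space, say) to crack_hard() is the cheap way to turn most of those '?' into the obvious guess.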


Yes, we got the last flag. That's all, folks!

I hope you enjoyed this post.
