Two days ago, I helped my friends solve the NahamCon2022 CTF challenges. I was curious about the Android challenges, so I focused on them. In this blog post, I'll explain how I solved the Android challenges.
Mobilize
This one was an easy challenge for beginners. Anyone could solve this. :))
I opened the APK file in Jadx-GUI. There was nothing in MainActivity. So I just searched in strings.xml, and there it is. FLAG! :)
Click Me
I think this challenge was easy too. You just had to change a little variable in the smali code.
In the MainActivity, we have 3 interesting parts. It is obvious that the challenge wants us (in the getFlagButtonClick function [Section 2]) to click 99999999 times on something to get the flag, but it also stops us from clicking after 13371337 clicks. I'm not crazy enough to click that many times. If you want to be a crazy hacker, you can just hook cookieViewClick with Frida to bypass that limit, and then you are free to click the button 99999999 times. After that, the clickme native code will return the flag.
But time matters, so I'm just going to change 99999999 to 2. :)
You can do this in the smali code. So I decompiled the app with apktool and changed 0x5f5e0ff (int -> 99999999) to 0x2 (int -> 2). Then I rebuilt it and re-signed it.
Now you can just click on the cookie 2 times to get the flag.
Of course, you could have done this by reversing the "clickme" native code, but as I said, time matters!
OTPVault
This application was a little bit harder; at least you had to use your brain. The challenge was developed with the ReactNative framework. This means you have to read JavaScript, and that in turn means opening index.android.bundle from the /assets folder. :)
I opened index.android.bundle in the Developer Console (Chromium).
OK, that's a mess. Who can even read that minified code?! You know I'm right. So I used the pretty print feature. That's far better now.
I tried to be smart and search for the flag keyword, but I just fooled myself. :))
Then I analyzed the code from the end of the script! That works a lot better. Then I found this request. There is a lot of bullshit in there; the real problem is those conditions (switch-case). You don't need that n.token or even that n.s, whatever it is! I used the curl command to see the result. Also, there is a /flag path.
So it just says "give me the damn Authorization header", so I did. Thanks for the flag. :)
Secure Notes
This challenge's difficulty was just like OTPVault, maybe a little more tricky. The application is sick and contains 2 Main/Launcher activities! :/
BTW, the real code that we have to deal with is in the LoginActivity.
It seems we have an encrypted database. Whatever it is, it obviously stores a flag! So let's decrypt it. In the first red box we can see there is a function named d.k() which is called in the onClick() method. Let's see what it is!
Oooh. There you are, AES encryption! But we can't see the AES mode! ECB or CBC?! Based on the Oracle documentation, the default mode is ECB (Cipher.getInstance("AES") gives you AES/ECB/PKCS5Padding). The first parameter of this function is the key (str)! In LoginActivity (previous image) you can see the key is this.f1583b.getText().toString(), but it is repeated 4 times! An AES-128 key is 16 bytes. So it means we have to find a key that contains 4 bytes (4 characters) that will be repeated 4 times (4 * 4 = 16, duh...). Repeating a 4-character password does not make the key any stronger: the effective keyspace is only the 4-character password, which is small enough to brute force.
Before writing a brute-force script for that encrypted database, I had a look at the MainActivity. It seems the decrypted data must be JSON, which gives us a check for "did this key work?".
So I extracted db.encrypted from the /assets folder (via apktool). Then I wrote a little Python script for the brute force. Aaaaand, hello Flag!