Hello , I am Chan. Today I want to write an article about android ctf challenge from Infosec Mobile CTF 2018. I know that there is a few resources about android pentesting while I was learning android pentest and so I want to make more articles about android pentest and want to share my knowledge to community.
Being said that , this article aims to briefly document some techniques and tools involved in the vulnerability assessment of android applications. For this purpose , we will solve the 1st challenge of Infosec mobile CTF and learn the mobile pentest through CTF Challenges. Please get the apk from here.
I am going to use blue stack emulator to solve this challenge. So I already seted up the emulator and just going to click on the app and it will install automatically.
App CTF Challenge 1: The goal behind this challenge is to figure out the username and password that would let the challenger login successfully. The flag should be “password:username”. (ends 4/6)
1. Decompile The Apk
I will use apktool to decompile the apk.
apktool d App1.apk
2. Launch the apk in emulator
3. Decompile the apk file to jar file to analyze the source code
I used dex2jar to decompile the apk to jar file
4. Get the following files
5. Use jd-gui to view the source codes of jar file
We can see that com.ctf.app1 is the package of the apk file and there is no interesting things on the Buildconfig.class
It is pretty obivious that this is md5 decrypt function.
As we saw the md5 function in above picture and now we can see that there is a md5 string. There is a function called OnClick.
What this function does is , it takes the username and password from user, combine them into one string and hash it using md5 and comparing the hash to 263c7fa932b26a56ec0ad76b94aff98b.
6. Getting the decrypted text for MD5 Hash
I used this website https://hashes.com/en/decrypt/hash to decrypt md5 hash.
As they mentioned in Challenge Description the flag is the username and password.
Username - admin Password - [email protected]
8. POC(Proof Of Concept)
After submitting the username and password, we got the smile face:)
This is my first article about android pentest. If you would like to learn more about android pentest challenge, please keep reading in my blog. I will upload more about the android pentest challenges and solution. Also this is gonna be a series of learning android pentest through CTF challenges.
If you like this article, please share on your social media and share to your friends.