I have recently completed the h101 ctf android challenges it was really fun learning and completing the challenges so here’s the writeup .
1) H1 Thermostat
The first challenge is easy category which was basically about intercepting traffic and reading source code in apk
In this case we decompile the apk and inspect it after analyzing the files you can see a java class named
once we open it we can see flag 0 and flag 1 but for flag 0 there was one more way around if you had intercepted the traffic for application then you would have found header as flag too as:
Also in the source code we can see that flag 1 is md5 hashed and then sent to server so the only way was through reading source code.
2) Intentional Exercise
The exercise was based in moderate category where the goal of challenge was based to get a single flag by generating a correct hash for the request.
Once we open the app we can see a request going to server like
which displays a link
now the important clues we get are from inspection of java class we can see that
the url is first taken checked for
? then using the secret key a hash is generated of type sha-256, but in 1st request we can see that hash=61…. is sha256 of the key itself so that wont work.
So also we got our second request which was having a path
So combining the two things i tried doing sha-256 by
which gave a hash
So i made a final request which looked like
http://URL/appRoot/flagBearer?&hash=8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e and sending it to server gave me the flag.
This was a moderate challenge containing two flags So when we open the app we can see the request
so inspecting mainactivity class we can see that
redirect_uri is by default given the value of
oauth://final/ which redirects it to app with authed request.
So if we remove the redirect_uri parameter i.e sending blank values in it
we get our first flag in response
For the second file we need to look at our
here we have a java class which is not used anywhere so i took the file and compiled it by adding few variables and executed it.
this gave me
Now when we add this url to our previous
redirect_uri we get our second flag.
4) Mobile Webdev
This was the most awesome challenge which helped me to clear some of my doubts and learn good techniques on hmac and zip files.The challenge was more a web category and some cryptography
So as we open the application we can see it as a notesaver application where we can see the notes and edit it. So as we analyse requests we can see that we have these directories are used as:
http://URL/content/ - would serve the content of notes http://URL/edit.php?file=index.html - would be used to edit the file http://URL/save.php - would take argument as file=&data to save the contents http://URL/upload.php - it was hidden in comments of edit.php,the feature was used to upload files
So among the four all the functions were working normally except the upload function as everytime i tried uploading something it gave me error of hmac missing.
Upon analysing the apk we can see that
we have an hmac key but no implementation visible of how to send it in request
To send any POST upload the request would normally look as:
-----------------------------2220428816716698861687125981 Content-Disposition: form-data; name="file"; filename="file.file" Content-Type: application/html -----------------------------2220428816716698861687125981 Content-Disposition: form-data; name="something" value -----------------------------2220428816716698861687125981--
So we basically have to upload a file which was signed by our hmac key also we need to find the type of key that was used so in this case it was md5. So concluding we had to send our file and signature values signed with our keys this can be done online as well as with our own script.So the final request of upload looked like
-----------------------------2220428816716698861687125981 Content-Disposition: form-data; name="file"; filename="file.file" Content-Type: application/html -----------------------------2220428816716698861687125981 Content-Disposition: form-data; name="hmac" signaturevalue -----------------------------2220428816716698861687125981--
Once we uploaded the flag we got our first flag and the message
So this was our hint for the second level that files are uploaded in temp directory and we have to move to content folder basically it indicated a popular flaw of zip traversal:
if zip files are not properly handled in extraction and compression they may lead to directory traversal so in this case we can fetch our files and even get sensitive information.
So i created a zip nested with zips else you can use an online such case of a zip-slip file which upon viewing should look-like:
Next i signed this zip again and uploaded it which finally gave me the flag.
Thanks for reading if you have any doubts feel free to connect with me