H101 Android Challenges Walkthrough

I have recently completed the H101 CTF Android challenges. It was really fun learning from and completing the challenges, so here is the writeup.

1) H1 Thermostat

The first challenge is in the easy category and is basically about intercepting traffic and reading the source code inside the APK.

In this case we decompile the APK and inspect it. After analysing the files you can see a Java class named com.hacker101.level11.PayloadRequest.

[Screenshot: PayloadRequest class]

Once we open it we can see flag 0 and flag 1. For flag 0 there was one more way: if you had intercepted the application's traffic you would have found the flag in a response header as well:

X-Flag", "^FLAG^flag$FLAG$

Also in the source code we can see that flag 1 is MD5 hashed before being sent to the server, so the only way to get it was by reading the source code.

2) Intentional Exercise

This exercise was in the moderate category, where the goal was to get a single flag by generating the correct hash for the request.

Once we open the app we can see a request going to the server like

http://URL/appRoot?&hash=61f4518d844a9bd27bb971e55a23cd6cf3a9f5ef7f46285461cf6cf135918a1a

which displays a link to /appRoot/flagBearer. The important clues come from inspecting the Java class, where we can see that

[Screenshot: MainActivity]

the URL is first taken and checked for ?, then a SHA-256 hash is generated using the secret key. But in the first request we can see that hash=61…. is the SHA-256 of the key itself, so that won't work on its own.

We also have our second request, which had the path /flagBearer.

So combining the two things, I tried computing SHA-256 of (key/flagBearer), which gave the hash

8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e

So I made a final request which looked like

http://URL/appRoot/flagBearer?&hash=8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e and sending it to the server gave me the flag.

^FLAG^flag$FLAG$

3) Oauthbreaker

This was a moderate challenge containing two flags. When we open the app we can see the request

[Screenshot: MainActivity]

containing /oauth?redirect_url=oauth%3A%2F%2Ffinal%2Flogin&response_type=token&scope=all

Inspecting the MainActivity class we can see that redirect_uri is by default given the value oauth://final/, which redirects back to the app with the authenticated request. So if we remove the redirect_uri value, i.e. send it blank,

http://url/oauth?redirect_url=&response_type=token&scope=all

we get our first flag in the response

[Screenshot: Flag1]

For the second flag we need to look at our WebAppInterface. Here we have a Java class which is not used anywhere, so I took the file, compiled it after adding a few variables, and executed it.

[Screenshot: Code]

This gave me 48ce----.html.

Now when we add this URL to our previous redirect_uri we get our second flag.

^FLAG^flag$FLAG$

4) Mobile Webdev

This was the most awesome challenge; it helped me clear some of my doubts and learn good techniques around HMAC and zip files. The challenge was more in the web category, with some cryptography.

When we open the application we see a note-saver application where we can view the notes and edit them. Analysing the requests, we can see that these endpoints are used:

http://URL/content/ - serves the content of the notes
http://URL/edit.php?file=index.html - used to edit a file
http://URL/save.php - takes file= and data= arguments to save the contents
http://URL/upload.php - hidden in the comments of edit.php; this feature is used to upload files

Among the four, all the functions were working normally except the upload function, as every time I tried uploading something it gave me an error saying the HMAC was missing.

Upon analysing the APK we can see that

[Screenshot: HmacKey]

we have an HMAC key but no visible implementation of how to send it in the request.

A normal POST upload request would look like:

-----------------------------2220428816716698861687125981
Content-Disposition: form-data; name="file"; filename="file.file"
Content-Type: application/html

-----------------------------2220428816716698861687125981
Content-Disposition: form-data; name="something"

value
-----------------------------2220428816716698861687125981--

So we basically have to upload a file signed with our HMAC key. We also need to find which hash function the key is used with; in this case it was MD5. To conclude, we had to send our file together with the signature value computed with our key; this can be done online as well as with our own script. The final upload request looked like

-----------------------------2220428816716698861687125981
Content-Disposition: form-data; name="file"; filename="file.file"
Content-Type: application/html

-----------------------------2220428816716698861687125981
Content-Disposition: form-data; name="hmac"

signaturevalue
-----------------------------2220428816716698861687125981--
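As an added example (not code from the original writeup), here is how the upload signature and its server-side verification fit together in Python. It assumes the scheme is HMAC-MD5 over the raw file bytes sent hex-encoded in the hmac form field; the key, boundary and file contents are constructed placeholders, not the challenge's values.

```python
import hashlib
import hmac

# Constructed placeholder; on the page this is the key recovered from the APK.
HMAC_KEY = b"placeholder-key-from-apk"


def sign_upload(data: bytes, key: bytes = HMAC_KEY) -> str:
    """HMAC-MD5 over the raw file bytes, hex-encoded, as sent in the `hmac` field."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def build_multipart(filename: str, data: bytes, signature: str, boundary: str) -> bytes:
    """Assemble the two-part body shown above: the file part and the hmac part."""
    crlf = b"\r\n"
    parts = [
        b"--" + boundary.encode(),
        f'Content-Disposition: form-data; name="file"; filename="{filename}"'.encode(),
        b"Content-Type: application/octet-stream",
        b"",
        data,
        b"--" + boundary.encode(),
        b'Content-Disposition: form-data; name="hmac"',
        b"",
        signature.encode(),
        b"--" + boundary.encode() + b"--",
        b"",
    ]
    return crlf.join(parts)


def verify_upload(data: bytes, presented: str, key: bytes = HMAC_KEY) -> bool:
    """Server-side check: recompute the tag and compare in constant time,
    so a missing, tampered or guessed tag is rejected without a timing leak."""
    expected = sign_upload(data, key)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    sample = b"<h1>constructed note</h1>"  # constructed file content
    tag = sign_upload(sample)
    print(build_multipart("file.file", sample, tag, "----constructedboundary").decode())
    print("valid:", verify_upload(sample, tag))
    print("tampered:", verify_upload(sample + b"x", tag))
```

Because the key ships inside the APK, anyone who decompiles it can produce valid tags, so the server check only proves possession of the app's key, not that the upload came from the app.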

Once we uploaded the file we got our first flag and the message

[Screenshot: Flag1]

This was our hint for the second level: files are uploaded to a temp directory and we have to move them to the content folder. Basically it pointed to a popular flaw, zip traversal (zip slip):

if zip files are not properly handled during extraction and compression they can lead to directory traversal, so in this case we can fetch our files and even get sensitive information.

So I created a zip nested with zips (alternatively you can use an online tool) such that the zip-slip entry, upon viewing, looks like ../../../../../../temp/test.zip. Next I signed this zip again and uploaded it, which finally gave me the flag.

[Screenshot: Flag2]
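As an added example (not the author's code), here is the check an extractor should run to reject the zip-slip entries described above before writing anything. Both archives and the content directory are constructed in memory for the demonstration; the check is independent of whatever sanitising the extractor library itself may or may not do.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry_name: content}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Entry names that would resolve outside dest (via '..' segments or an absolute path)."""
    root = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                bad.append(name)
    return bad


def extract_or_reject(zip_bytes: bytes, dest: str) -> tuple[bool, list[str]]:
    """Extract only if every entry stays inside dest; otherwise write nothing.
    Returns (accepted, names): offending names on rejection, extracted names on success."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        return False, bad
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return True, zf.namelist()


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Run a clean archive and a zip-slip archive against a throwaway 'content' directory."""
    clean = make_zip({"notes/index.html": b"<p>constructed note</p>"})
    slip = make_zip({"../../../../../../temp/test.zip": b"constructed payload"})
    with tempfile.TemporaryDirectory() as tmp:
        content = str(Path(tmp) / "content")
        return {"clean": extract_or_reject(clean, content),
                "slip": extract_or_reject(slip, content)}


if __name__ == "__main__":
    for label, (ok, names) in demo().items():
        print(label, "accepted" if ok else "rejected", names)
```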

Thanks for reading! If you have any doubts, feel free to connect with me.
