Mobile Infosec Challenge Walkthrough

-

This article aims to briefly document some techniques and tools involved in the vulnerability assessment process of android applications. For such purpose, we will solve the 2nd CTF challenge of Infosec institute (please, get the apk from here).

" The goal of this challenge is to extract encrypted data plus its secret from a database embedded inside the application. Successfully decrypting the data reveals the flag."


First of all, we simply launch the app in the android emulator.


Here are the standard steps we will perform to understand the inner working of the application:
1.         Decompiling the apk
2.         Retrieving the source code
3.         Crafting the solution with a PoC

1) Decompiling the apk

We use apktool to decompile the resources and the bytecode.

Apktool output
Decompiled folders and files

We have a look at the android manifest, to have an overview of the components exported by the application.
AndroidManifest.xml content

Nothing interesting for now, only one activity is exported in this app. Obviously, this activity is the main activity itself.

2) Retrieving the source code

Note that we have not retrieved the source code with Apktool, but just the smali code (that is the assembler of the bytecode). For obtaining something similar to the source code, we will use jadx, as shown in the image below.

Jadx window with MainActivity code displayed

Ok, now we focus on the code reviewing step, looking at the implementation of class 'b' and 'c'.

Implementation of 'checkSerial' method in class 'b'
Signature of 'encrypt' method in class 'b'
class 'c' public constructor


We now have a clear picture of the inner working of the app: the flag is the "Serial" value we input in the app.
We also see that all the necessary information we need to solve the challenge are listed in the method 'checkSerial'.
In fact, the flag is used as the plaintext in the symmetric encryption, the key and IV are stored in cleartext in a database, the ciphertext is the string "6f4e8fff1523407fabf1e6ba7abcc585129e3802f785a75f28b0e63482449f5347501f6b38f014ae4f51e37ffb9b323b".
Therefore, all we have to do is to extract key and IV values from the database and to correctly craft the decrypting function.
Firstly, we need to identify the location of the database. This task is achievable in multiple ways.
For example, we can set the 'android:debuggable' attribute in the AndroidManifest, recompile, sign, zipalign the apk and then debugging the smali code via Android Studio(below image).
Debugging the smali in Android Studio

However, the shortest path is to look carefully at the 'c' class constructor and to execute in a new Android Project the instruction:
getBaseContext().getApplicationInfo().dataDir + "/databases"
Lastly, we dump the database with adb and read its content with sqlite3.


We now have the value of the key and the IV. We already have the ciphertext... we just need to use this data to get the plaintext (the flag) back.

3) Crafting the solution with a PoC

To code the few lines of the decrypting function, we have to consider the implementation of the 'encrypt' method in use by class 'b'.
Implementation of the 'encrypt' method

Here is our Proof of Concept, that is a simple application that just performs the decrypting process and displays the flag.

PoC

Eureka!

Conclusion

Android vulnerability assessment requires specific tools and techniques.
If you would like to start testing mobile apps, a good methodology has been recently created by OWASP and is available for free here.
This article only scratched the surface of testing mobile apps. In fact, due to the CTF app peculiarities, we did not cover tools like Drozer and Frida, that are the defacto standard for a professional assessment on Android applications.
Keep on studying!

Comments

Post a Comment

Popular posts from this blog

Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence

-
Image
Novel Accessibility Feature Abuse technique While investigating Ease of Access options in Windows 10 for new persistence techniques, I have actually found an undocumented one via 'Provide Narrator feedback' functionality. Behind the scenes the Narrator feedback consists in launching the custom handler via URI scheme ‘feedback-hub’. However, in a post exploitation scenario is possible to trivially backdoor this component with fileless payloads hosted in the registry. Even if there is no security boundary between windows logon screen and the default user desktop (indeed both part of the same window station WinSta0) the possibility of the interaction between the Narrator instance running in the environment of the locked out users and the Windows logon screen opens the chance to trigger the malicious command defined in the registry as soon as the 'Provide Narrator feedback' combination keys are pressed in the latter context. The novel technique presented in this arti
Read more

WPA2-PSK vs WPA2-Enterprise: hacking and hardening

-
Image
This post has the aim to summarise the security aspects of WPA2, with a focus on WPA2-Enterprise hacking. At the end, EAP-TLS is presented as a pretty secure implementation. WPA2 in brief The Wi-Fi Protected Access is a wireless technology designed to secure the communiciations between stations and the Access Point from eavesdropping and tampering attacks. It is defined in 802.11i standard and has been adopted in home, small business (WPA2-Personal) and enterprises (WPA2-Enterprise) since 2004.  The WPA2 implementation is based on the 4-way handshake. The PMK (pairwise master key) is the value that both station and AP know and from which the PTK (pairwise transient key) is calculated and valid for the session. The station MAC, the AP MAC and two nonces (A-Nonce, S-Nonce) that are exchanged during the 4-way handshake are also part of the PTK generation process. From an offensive point of view, capturing the messages of the 4-way handshake that are transm
Read more

Management Frame Protection and its limitations

-
Image
In this article we talk about management frames, their exposure to Denial of Service (DoS) via de-authentication attack, how Management Frames Protection can prevent this and its limitations against other DoS attacks discovered during the years by security researchers. A brief overview of Management Frames Management frames are at the centre of the WLAN operability and also have an important role in the negotiation activity between an access point and its stations. Code Field (Wireshark filter) Subtype 0x00 Association Request 0x01 Association Response 0x02 Re-Association Request 0x03 Re-Association Response 0x04 Probe Request 0x05 Probe Response 0x06 Reserved 0x07 Reserved 0x08 Beacon 0x09 ATIM 0x0a Disassociation 0x0b Authentication 0x0c Deauthentication 0x0d Actio
Read more