BackDoor 2: Walkthrough of NET-SQUARE Hacking Warm-Up Mobile Application Challenge

Recently I got an opportunity to participate in a CTF (Capture-The-Flag) event organized by NET-SQUARE. They had different sets of challenges covering Mobile, Web, Network, Source Code, and Thick/Thin Client. There were a few quite interesting mobile application challenges, and here we will discuss one of them.

Note: Those who want to explore and try the challenges on their own before reading the walkthrough can access the applications from the GitHub repository. The application can be downloaded from here. Kindly share your experience with me in the comment box.

Challenge Description: The application hides a username and password inside the application, and we need to find the credentials using various tools and techniques in order to log in.

Tools Used:

adb: command-line tool that lets you communicate with a device

apktool: command-line tool for reverse engineering Android applications

jadx-gui: tool for producing Java source code from Android Dex and APK files

Android Studio: official Integrated Development Environment (IDE) for Android app development

Device: Android device / Android Studio emulator / Genymotion emulator

Connect the device with a USB cable and enter the following command to check that it is connected properly.

adb devices

The above command lists all connected devices/emulators.

The above exhibit shows the list of devices connected to the system

Note: Make sure the Android phone is connected with USB debugging enabled before starting the application installation.

After downloading the application from the link given above, we can see it listed:

The above exhibit shows the listed application, named backdoor2.apk

The application can be installed on the device/emulator with a very simple command.

adb install <apk-name>

The above exhibit shows the application successfully installed on the device

Now we can run the application on the device/emulator.

Welcome page!

The above exhibit shows the first page of the application

The image below shows that the application requires the user to enter credentials to proceed.

The above exhibit shows that the application asks the user to enter credentials

We have jadx-gui in our toolkit as an APK analysis tool. Let’s reverse engineer the APK.

jadx-gui <apk-name>

After reverse engineering the APK with jadx-gui, we can read the application’s source code and look for the credentials.

Start reading the source code from TaskActivity.java.

The above exhibit shows the source code for TaskActivity

Here we can see that the application reads data from two files, secret_user.pwd and secret_pass.pwd.

So, after searching the application’s local data directory, i.e. under /data/data/, we found one unique folder.

Have a look!

The above exhibit shows the application local data storage files

Note: The application’s local data storage is only visible on rooted devices.

Moving into the files folder, we saw two more files in it.

The above exhibit shows that the application stores two secret files in its local data storage

So, we pulled the application’s entire local data from the device using the following command.

adb pull <device-storage-location>

The above exhibit shows that we pulled the application’s local data storage using the adb pull command

Using an editor, I opened the files and read the data.

Opening secret_user.pwd file

The above exhibit shows the contents of the secret_user.pwd file

Opening secret_pass.pwd file

The above exhibit shows the contents of the secret_pass.pwd file

BINGO! We got the creds!

The above exhibit shows that the credentials were stored in the application’s local data storage

Note: The application will not validate the credentials, as it is no longer connected to the server.
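Once the app data has been pulled with adb, the dump can be audited automatically for exactly the kind of plaintext secret files found here. The script below is an added example, not code from the original write-up or from the challenge itself; it assumes the /data/data/<package>/{files,shared_prefs,cache} layout that adb pull reproduces, and it constructs its own sample dump with placeholder values rather than the real challenge credentials.

```python
import os
import re
import tempfile

# File-name fragments that suggest stored credentials (e.g. secret_user.pwd).
SUSPICIOUS_NAME = re.compile(r"secret|passw|pwd|cred|token|apikey", re.I)
# Text that looks like a credential assignment in prefs, XML or config files.
SUSPICIOUS_CONTENT = re.compile(r"(password|passwd|pwd|token)[\"']?\s*[=:>]\s*\S+", re.I)


def scan_app_data(root: str, max_bytes: int = 4096) -> list:
    """Walk a pulled app-data tree and return one finding per suspicious file."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = ["name"] if SUSPICIOUS_NAME.search(name) else []
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)
            # Skip binaries (SQLite, caches); only inspect text-like content.
            if b"\x00" not in head and SUSPICIOUS_CONTENT.search(
                head.decode("utf-8", errors="replace")
            ):
                reasons.append("content")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_dump() -> str:
    """Create a constructed app-data tree mirroring the challenge's layout."""
    root = tempfile.mkdtemp(prefix="backdoor2_")
    for sub in ("files", "shared_prefs", "cache"):
        os.makedirs(os.path.join(root, sub))
    # Constructed stand-ins for the two .pwd files; not the real challenge values.
    samples = {
        "files/secret_user.pwd": b"ctfuser\n",
        "files/secret_pass.pwd": b"ctfpass\n",
        "shared_prefs/app.xml": b'<map><string name="token">abc123</string></map>\n',
        "cache/blob.bin": b"\x00\x01\x02",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in scan_app_data(build_sample_dump()):
        print(finding["path"], finding["reasons"])
```

Run it against the directory produced by adb pull instead of the constructed dump to get the same report for a real application.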

Takeaways!

Learned how to reverse engineer an Android application.

Learned how to read an application’s source code.

Never store sensitive data in application local data storage.
