BackDoor 3: Walkthrough of NET-SQUARE Hacking Warm-Up Mobile Application Challenge

Recently I got an opportunity to participate in a CTF (Capture-The-Flag) event which was organized by NET-SQUARE. They had their different set of challenges with respect to Mobile, Web, Network, Source Code, and Thick/Thin Client. So, there were few quite interesting mobile application challenges and here we will be discussing one of them.

Those who want to explore and want to try the challenges on their own before reading the walkthrough can access the applications from the GitHub repository. The application can be downloaded from here. Kindly share your experience with me in the comment box.

Challenge Description: The application hides username and password inside the application and we need to find the credentials using various tools and techniques to log in.

Tools Used :

adb : command line tool that lets you communicate with device

apktool : command line tool for reverse engineering android applications

jadx-gui : tool for producing Java source code from Android Dex and APK files

Android Studio : official Integrated Development Environment (IDE) for Android app development

Device : Android Device/Android Studio Emulator/Genymotion Emulator

Connecting the device with a USB cable and entering a command for checking proper connectivity.

adb devices

The above command will list down all the connected devices/emulators.

The above exhibit shows the list of devices connected to the system

Note : Make sure to connect the android phone with debugging mode enabled for initiating the application installation process.

We can see the application after downloading from the above-given link:

The application can be installed in the device/emulator by a very simple command.

adb install <apk-name>

We can run the application on the device/emulator.

Welcome page!

The below image explains that the application has three activities in it i.e Information, Task, and Validate.

Let us move ahead with the Task activity which asks to enter the credentials.

We have jadx-gui in our bucket as an APK analyzing tool. Let’s reverse engineer the APK.

jadx-gui <apk-name>

After reverse-engineering the APK using jadx-gui, we can read the source code of the application and grab the credentials.

Now start reading the source code from TaskActivity.java

Here, we can see that the application calls two functions user() and pass().

Now let us have a look at these functions.

Here, we can closely observe that the function returns the String value and the return is calling another function base16encode() with getData() inside it.

Let us closely observe them as well.

The getData() is further calling xor(), add(), m10h() and parseHexString().

Now, there are numerous function calls are there in sequence to find out the username and password using function call user() and pass().

So, for simplifying this I created an android application and replicated all the code in sequence to find out the correct credentials.

Note: You can also use Frida to hook these functions and find the value of the strings returned by user() and pass() functions.

These are the following steps for creating an android studio project.

Step 1: Click on “Start a new Android Studio Project

Step 2: Select an “Empty Activity” and click on Next

Step 3: Give the project name “infosec” and click on “Finish”.

Note: You can give any other name as your requirement/choice.

Step 4: Go to “MainActivity” and paste all the code as follows:

Paste the below-mentioned code into MainActivity.java

package com.example.infosec;
import androidx.appcompat.app.AppCompatActivity;
import android.os.Bundle;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class MainActivity extends AppCompatActivity {

String username, password;

@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);

try {
username = user();
} catch (Exception e) {
e.printStackTrace();
}
try {
password = pass();
} catch (Exception e) {
e.printStackTrace();
}

System.out.println(“Username : “ + username);
System.out.println(“Password : “ + password);

}

private static String SHA1(byte[] paramArrayOfByte) throws NoSuchAlgorithmException {
return base16encode(MessageDigest.getInstance(“SHA-1”).digest(paramArrayOfByte));
}

public static String user() throws Exception {
return base16encode(getData()).substring(0, 12);
}

public static String pass() throws Exception {
return base16encode(getData()).substring(12, 24);
}

private static String base16encode(byte[] paramArrayOfByte) {
String str = “”;
int j = paramArrayOfByte.length;
for (int i = 0; i < j; i++) {
str = String.format(“%s%02x”, new Object[]{str, Byte.valueOf(paramArrayOfByte[i])});
}
return str;
}

private static byte[] getData() throws Exception {
byte[] arrayOfByte1 = parseHexString(“aa153b5d1fcb55556034df7a27765f4297f195d2”, 20);
byte[] arrayOfByte2 = parseHexString(“53edd6990376d7b77512d2b5556613ca2567f04c”, 20);
byte[] arrayOfByte3 = parseHexString(“c4495a00bf20b05edea55999211d773d805bd319”, 20);
return xor(h(add(xor(xor(h(add(arrayOfByte1, h(add(arrayOfByte2, h(arrayOfByte3))))), arrayOfByte3), arrayOfByte2), arrayOfByte1)), arrayOfByte3);
}

private static byte[] h(byte[] paramArrayOfByte) throws Exception {
return parseHexString(SHA1(paramArrayOfByte), 20);
}

private static byte[] parseHexString(String paramString, int paramInt) {
byte[] arrayOfByte = new byte[paramInt];
for (int i = 0; i < paramInt; i++) {
arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(i * 2, (i * 2) + 2), 16);
}
return arrayOfByte;
}

private static byte[] xor(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2) {
int j = paramArrayOfByte1.length;
if (j != paramArrayOfByte2.length) {
return null;
}
byte[] arrayOfByte = new byte[j];
for (int i = 0; i < j; i++) {
arrayOfByte[i] = (byte) (paramArrayOfByte1[i] ^ paramArrayOfByte2[i]);
}
return arrayOfByte;
}

private static byte[] add(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2) {
byte[] arrayOfByte = new byte[(paramArrayOfByte1.length + paramArrayOfByte2.length)];
System.arraycopy(paramArrayOfByte1, 0, arrayOfByte, 0, paramArrayOfByte1.length);
System.arraycopy(paramArrayOfByte2, 0, arrayOfByte, paramArrayOfByte1.length, paramArrayOfByte2.length);
return arrayOfByte;
}
}

Note: In case the project name while creating is not “infosec” you can modify the package name accordingly in the first line of the code.

Now click on the Run button and select any Deployment Target which is available.

Open Logcat and now observe the Log statements in android studio.

WHOOOOOOOH! You did it Buddy!

There you go! In application logs, you will be able to observe the Username and Password.

Takeaways:

Learned how to reverse engineer Android applications.

Learned how to read the application source code.

Learned breaking application logic and understand the functional flow of the application.

Never hard code data in application source code.

a technofreak who loves poetry