0CTF 2015 Quals CTF – Simpleapk

Description
This is a simple apk, Could you find the flag?

For this challenge, we need to install a few things on our Android 5.1 device in Genymotion, for example an ARM translator:
https://github.com/m9rco/Genymotion_ARM_Translation

Simple APK

Install it with adb:

    adb install -r simple.apk

We can see a text field and a button.
Let’s decompile the apk with apktool:

    apktool d simple.apk

The package name is easyre.sjl.gossip.easyre

Let’s inspect the source code with jadx.
There is an activity called EasyRe.
It has this init method, which runs when the app is launched:

    public void init() {
        try {
            // Open the raw resource named "flag" that ships inside the APK
            InputStream fin = getResources().openRawResource(C0175R.raw.flag);
            int length = fin.available();
            byte[] buffer = new byte[length];
            fin.read(buffer);
            // Mode 0 is MODE_PRIVATE: the copy is written to the app's private files directory
            FileOutputStream fout = openFileOutput("flag.txt", 0);
            fout.write(buffer);
            fin.close();
            fout.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

In the onCreate method, we can see that init() is called.
The code above creates a flag.txt file on our device with the flag content.

We can confirm this from the onClick method, which is executed when we press the check button:

    public void onClick(View view) {
        String flag = "";
        try {
            // Read back the file that init() wrote
            FileInputStream fin = openFileInput("flag.txt");
            int length = fin.available();
            byte[] buffer = new byte[length];
            fin.read(buffer);
            flag = EncodingUtils.getString(buffer, "UTF-8");
        } catch (Exception e) {
            e.printStackTrace();
        }
        // Plain string comparison between the file content and the text field
        if (flag.equals(this.et1.getText().toString())) {
            Toast.makeText(getApplicationContext(), "That's the flag!", 0).show();
        } else {
            Toast.makeText(getApplicationContext(), "0ops!That's wrong!", 0).show();
        }
    }

So we just need to read that file with adb.
The flag is stored under /data/data/<packageName>.
We get the flag by running:

    adb shell "cat /data/data/easyre.sjl.gossip.easyre/files/flag.txt"

Output: 0ctf{Too_Simple_Sometimes_Naive!!!}
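Because init() only copies a raw resource into flag.txt, the same bytes already sit inside the APK archive, so anything shipped this way is readable without running the app. The following Python script is an added example, not part of the original write-up: it audits an APK for secret-looking strings in bundled files. The function names, the regex and the in-memory sample archive are constructed for illustration, and it assumes raw resources and assets are stored unmodified under res/raw/ and assets/.

```python
import io
import re
import zipfile

# Assumption: raw resources and assets are stored byte-for-byte under these prefixes.
BUNDLED_PREFIXES = ("res/raw/", "assets/")
# Hypothetical pattern for CTF-style tokens such as name{...}; extend it for real audits.
SECRET_RE = re.compile(rb"[0-9A-Za-z_]{2,16}\{[ -z|~]{4,80}\}")
MAX_ENTRY_BYTES = 1 << 20  # skip very large entries instead of loading them


def scan_apk(apk, pattern=SECRET_RE):
    """Return (entry_name, matched_text) for secret-like strings bundled in an APK.

    `apk` is a path or a binary file object; an APK is an ordinary ZIP archive.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(BUNDLED_PREFIXES):
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            data = zf.read(info)
            for m in pattern.finditer(data):
                findings.append((info.filename, m.group().decode("ascii")))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: only the entries relevant to the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
        zf.writestr("res/raw/flag", b"demo{constructed_sample_value}\n")
        zf.writestr("assets/readme.txt", b"nothing sensitive here\n")
        zf.writestr("classes.dex", b"dex\n035\x00 demo{not_scanned_here}")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, text in scan_apk(build_sample_apk()):
        print(f"{name}: {text}")
```

To audit a real build, pass the file path instead, for example scan_apk("simple.apk").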

I hope you found it useful (:
