Writeups
CTF Writeups
-
Read more: Mobile Hacking Lab – Document ViewerDescription: Welcome to the Remote Code Execution (RCE) Challenge! This lab provides a real-world scenario where you’ll explore vulnerabilities in popular software. Your mission is to exploit a path traversal vulnerability combined with dynamic code loading to achieve remote code execution. Download: https://lautarovculic.com/my_files/documentViewer.apkLink: https://www.mobilehackinglab.com/path-player?courseid=lab-document-viewer-rce Install the APK with ADB adb install -r documentViewer.apk The app appear ask for storage permissions.Let’s inspect the source code with jadx (GUI…
-
Read more: Mobile Hacking Lab – Guess MeDescription: Welcome to the “Guess Me” Deep Link Exploitation Challenge! Immerse yourself in the world of cybersecurity with this hands-on lab. This challenge revolves around a fictitious “Guess Me” app, shedding light on a critical security flaw related to deep links that can lead to remote code execution within the app’s framework. Download: https://lautarovculic.com/my_files/guessMe.apkLink: https://www.mobilehackinglab.com/path-player?courseid=lab-guess-me Install the…
-
Read more: Mobile Hacking Lab – StringsDescription: Welcome to the Strings Challenge! In this lab,your goal is to find the flag. The flag’s format should be “MHL{…}“. The challenge will give you a clear idea of how intents and intent filters work on android also you will get a hands-on experience using Frida APIs. Download: https://lautarovculic.com/my_files/strings-MHL.apkLink: https://www.mobilehackinglab.com/path-player?courseid=lab-strings Install the app with ADB adb install -r strings-MHL.apk…
-
Read more: Mobile Hacking Lab – Food StoreDescription: Welcome to the Android App Security Lab: SQL Injection Challenge! Dive into the world of cybersecurity with our hands-on lab. This challenge is centered around a fictitious “Food Store” app, highlighting the critical security flaw of SQL Injection (SQLi) within the app’s framework. Download: https://lautarovculic.com/my_files/foodStore.apkLink: https://www.mobilehackinglab.com/path-player?courseid=lab-food-store Install it with ADB adb install -r foodStore.apk Then, let’s decompile with apktool…
-
Read more: Mobile Hacking Lab – Cyclic ScannerDescription: Welcome to the Cyclic Scanner Challenge! This lab is designed to mimic real-world scenarios where vulnerabilities within Android services lead to exploitable situations. Participants will have the opportunity to exploit these vulnerabilities to achieve remote code execution (RCE) on an Android device. Download: https://lautarovculic.com/my_files/cyclicScanner.apkLink: https://www.mobilehackinglab.com/path-player?courseid=lab-cyclic-scanner Install the APK with ADB adb install -r cyclicScanner.apk Decompile it with apktool and let’s inspect…
-
Read more: NahamCon 2024 – Kitty Kitty Bang BangDescription: I found a cool android app to play with a cowboy cat! There’s has to be more going on with the app I can’t see on my screen… Download: https://lautarovculic.com/my_files/kittykittybangbang.apk Install the APK with ADB adb install -r kittykittybangbang.apk Let’s decompile it with apktool apktool d kittykittybangbang.apk Also, we can inspect the source code with jadx (GUI version) We can see in the MainActivity…
-
Read more: NahamCon 2024 – GuitarDescription: Have you ever wanted to play the guitar on your phone? Here’s a free app, with all guitar strings included for free! Download: https://lautarovculic.com/my_files/guitar.apk Install the APK with ADB adb install -r guitar.apk As the description say, probably the flag are hardcoded in the strings.xml resources.To make the writeup not so short, let’s make an explanation about the strings.xml resources. Android resources are files used to store…
-
Read more: NahamCon 2024 – Fly AwayDescription: Lenny Kravitz lovers, this new app cleverly named “Fly Away!” can give you random lines from one of his most popular songs. Can you figure out how the songs are being sent to the app? Download: https://lautarovculic.com/my_files/flyaway.apk Install the APK with ADB adb install -r flyaway.apk This app was made in reFlutter. You need install it for proceed with…
-
Read more: NahamCon 2024 – Buggy JumperDescription: Buggy Jumper is a new mobile game that can be enjoyable for both gamers and hackers! There’s a lot going on, can you get some of game’s source code to see whats happening behind the scenes? Download: https://lautarovculic.com/my_files/buggyjumper.apk Install the APK with ADB adb install -r buggyjumper.apk Let’s decompile it with apktool apktool d buggyjumper.apk The app has been…
-
Read more: RaziCTF 2020 – Chasing a lockDescription: As locks are so popular many will chase them but why? maybe a flag 🙂 Download: https://lautarovculic.com/my_files/chasingALook.apk Install the APK with ADB adb install -r chasingALook.apk We can see that we need touch the icon 20.000 times.Let’s decompile it with apktool apktool d chasingALook.apk And let’s inspect the source code with jadx (GUI version).The package name is com.example.razictf_2 and there are just one activity, that is MainActivity. But there are some class like a1, a2,…