Difficulty: Medium
Category: Mobile
OS: iOS
Description: Secure coding is the keystone of the application security!
After downloading and decompressing the archive, we get a folder containing the files we need:
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb2-1024x268.png)
The hackthebox file is the main file of the program and contains the binary.
The .plist file is a list that contains details about the app and its author.
It is used to gather the information shown when you search for an app in the App Store.
The challenge.plist file has something interesting:
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb3-1024x226.png)
This must be Base64-encoded encrypted text:
Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGNUFKoAvyW7njTCMlQzlwIRdJvaP2iYQ==
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb4-1024x997.png)
We load the hackthebox binary into IDA and inspect it.
Here we have an interesting function: _CCCrypt
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb5.png)
Following the reference to CCCrypt_ptr, we can see the jmp. So navigate to CCCrypt_ptr.
Among the __cfstring entries we can see some interesting things:
__cfstring:0000000100003128 dq offset aFlag ; "flag"
__cfstring:0000000100003108 dq offset aPlist ; "plist"
__cfstring:00000001000030E8 dq offset aChallenge ; "challenge"
__cfstring:00000001000030C8 dq offset aQftjwnzq4t7wZC ; "QfTjWnZq4t7w!z%C"
__cfstring:00000001000030A8 dq offset aADGKapdsgvky ; "!A%D*G-KaPdSgVkY"
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb6.png)
Following one of them, for example aADGKapdsgvky,
we are redirected to:
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb7.png)
These may be the key and IV of an AES encryption. Let’s check:
!A%D*G-KaPdSgVkY
Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGNUFKoAvyW7njTCMlQzlwIRdJvaP2iYQ==
With these values, we can use this online tool to decrypt:
https://www.devglan.com/online-tools/aes-encryption-decryption
And here is the flag:
![](https://lautarovculic.com/wp-content/uploads/2024/01/cryptomb8.png)
Decode the output to plain text and you will get the flag.
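The three observations above (a _CCCrypt reference, key-sized string literals, and a Base64 value that decodes to whole AES blocks) can also be checked with a script, which is how a developer could audit their own build for hardcoded keys. This Python sketch is an added example, not part of the original write-up; the sample bytes are constructed from the strings shown above, and the "at least three character classes" heuristic and all function names are assumptions.

```python
import base64
import re

AES_KEY_SIZES = (16, 24, 32)  # AES-128/192/256 key lengths in bytes
AES_BLOCK = 16                # AES block size in bytes

def printable_strings(blob, min_len=4):
    """Yield runs of printable ASCII, like the `strings` utility."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")

def char_classes(s):
    """Count which of lower/upper/digit/symbol classes appear in s."""
    return sum((any(c.islower() for c in s), any(c.isupper() for c in s),
                any(c.isdigit() for c in s), any(not c.isalnum() for c in s)))

def key_candidates(blob):
    """Strings sized like an AES key that mix at least 3 character classes
    (assumed heuristic: separates key-like literals from identifiers)."""
    return [s for s in printable_strings(blob)
            if len(s) in AES_KEY_SIZES and char_classes(s) >= 3]

def uses_cccrypt(blob):
    """True if the CommonCrypto symbol seen in IDA is referenced."""
    return b"_CCCrypt" in blob

def is_block_ciphertext(value):
    """True if value is valid Base64 that decodes to whole AES blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) > 0 and len(raw) % AES_BLOCK == 0

# Constructed sample: the strings from the listing above, NUL-separated as
# in a Mach-O string section, plus one ordinary 16-character identifier.
SAMPLE_BINARY = (b"\x00_CCCrypt\x00flag\x00plist\x00challenge\x00"
                 b"applicationState\x00QfTjWnZq4t7w!z%C\x00!A%D*G-KaPdSgVkY\x00")
PLIST_VALUE = ("Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGN"
               "UFKoAvyW7njTCMlQzlwIRdJvaP2iYQ==")

def audit(blob, plist_value):
    """Summarise the three hardcoded-crypto indicators for one app bundle."""
    return {"cccrypt": uses_cccrypt(blob),
            "keys": key_candidates(blob),
            "ciphertext": is_block_ciphertext(plist_value)}

if __name__ == "__main__":
    print(audit(SAMPLE_BINARY, PLIST_VALUE))
```

All three indicators firing together means the secret ships with the app; keeping key material out of the binary is the fix.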
I hope you found it useful (: