H1 Thermostat – @lautarovculic

Flags: 2

Difficulty: Easy

Category: Mobile

First, I recommend that you read the following post I wrote for Intercepting Android app traffic using Burpsuite.

At the end of the post, there is the second flag 😉

But first, I want to clarify something.

In this writeup it is possible to get both flags with two commands, which seems to me a bad practice,

because there is an intended way to get the second flag, which I will explain.

Let’s go

Flag 1/2

When we start the challenge on the platform, it will take us to a URL.

A sign will appear saying that the application is being built.

We wait a few seconds and then we will see that we can download the APK file.

Once downloaded, we move it to a separate directory to be able to work in peace.

					mv /home/user/Downloads/thermostat.apk .

With apktool we are going to unzip the APK file.

					apktool d thermostat.apk

Now, we get the folder with the APK content inside.

Considering the format of the ^FLAG^ in Hacker101, we can try to execute a command that will bring us all the strings that match those characters.

					grep -ir '\^FLAG\^' thermostat \
					  | awk -F':' '{print $2}' \
					  | sed 's/^[[:space:]]*//' \
					  | sed 's/const-string v0, //'

And we get both flags. But!!

This method is just for the first flag.
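As an added example (not part of the original writeup), here is a small shell function that generalizes the grep pipeline above into a reusable scan of an apktool output directory. The one-liner only strips `const-string v0, `, so a string loaded into another register (v1, p2, ...) or via `const-string/jumbo` would come out with the smali prefix still attached; this version handles any register, keeps the file and line number so you can see where the hard-coded value lives, and restricts itself to `.smali` files. The function names and the sample smali tree are mine and constructed for the demo; point `find_const_strings` at your real `thermostat` directory instead.

```shell
#!/bin/sh
# Added example: scan an apktool output tree for hard-coded strings that
# match a pattern and report "<file>:<line> <string>" for each hit.
# Handles const-string and const-string/jumbo with any v*/p* register.
#
# Usage: find_const_strings <apktool-output-dir> <grep-pattern>
find_const_strings() {
    dir="$1"
    pattern="$2"
    # -r recurse, -n line numbers, -I skip binaries; only look at smali sources
    grep -rnI --include='*.smali' -- "$pattern" "$dir" \
      | sed -E 's|^([^:]+):([0-9]+):[[:space:]]*const-string(/jumbo)? [vp][0-9]+, |\1:\2 |'
}

# Returns only the number of matching strings, handy for a quick triage count.
count_matches() {
    find_const_strings "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical class, made-up flag values) so the
# example runs offline: two flag-shaped strings in different registers and
# one unrelated string that must not be reported.
make_sample() {
    d="$(mktemp -d)"
    mkdir -p "$d/smali/com/example"
    cat > "$d/smali/com/example/Main.smali" <<'EOF'
.class public Lcom/example/Main;
.method public onCreate()V
    const-string v0, "^FLAG^constructed-sample-one$FLAG$"
    const-string/jumbo p1, "^FLAG^constructed-sample-two$FLAG$"
    const-string v1, "Hello, thermostat"
.end method
EOF
    printf '%s\n' "$d"
}

# Demo run against the constructed tree; swap in your apktool directory.
sample="$(make_sample)"
find_const_strings "$sample" '\^FLAG\^'
rm -rf "$sample"
```

The pattern is an ordinary grep basic regular expression, so the same call works for other things worth flagging in a decompiled app, such as `api_key`, `Bearer ` or a URL prefix.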

Now, we will find the second flag in the intended way.

Flag 2/2

So, the intended way is intercepting the traffic that the app sends to the Hacker101 URL (where we downloaded the app).

Remember to read the post I wrote about how to intercept Android app traffic with Burpsuite.

We need to send the app to our Genymotion Android device; we can do that by serving the directory that contains the APK with

					python3 -m http.server 8050

Then, with the Firefox browser on the device, download the .apk and install it.

With Burpsuite running and the proxy set up (explained in the blog post), we can intercept the traffic (run the app with the interceptor listening):

And in the header (X-Flag) we find the intended flag.

I hope you found it useful (:
