Pinned – Hack The Box – @lautarovculic

Pinned hackthebox

Difficult: Easy

Category: Mobile

OS: Android

Description: This app has stored my credentials and I can only login automatically. I tried to intercept the login request and restore my password, but this seems to be a secure connection. Can you help bypass this security restriction and intercept the password in plaintext?

Download the .zip file and extract with hackthebox password.

The README.txt file say that we need an Android >12 (API 29)

Let’s extract the .apk file with apktool

					apktool d pinned.apk

And install it with adb

					adb install -r pinned.apk

Umh, okey.

Let’s check the source code.

We can see that the password is 1234567890987654

					  if (mainActivity.s.getText().toString().equals("bnavarro") && mainActivity.t.getText().toString().equals("1234567890987654")) {
            StringBuilder g = outline.g("uname=bnavarro&pass=");
            StringBuilder sb = new StringBuilder();

But, the description say that we need do a SSL Pinning Bypass.

You don’t know about intercept APP Traffic with Burpsuite and Bypass SSL, I recommend read this two post

Once all setup, we need an Javasript code that bypass the SSL.

					Java.perform(function () {
    // Helper function to bypass SSL pinning by returning a custom TrustManager
    function bypassSSL() {
        var X509TrustManager = Java.use('');
        var SSLContext = Java.use('');

        var TrustManager = Java.registerClass({
            name: 'org.frida.TrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function (chain, authType) {},
                checkServerTrusted: function (chain, authType) {},
                getAcceptedIssuers: function () { return []; }

        var TrustManagers = [TrustManager.$new()];
        var SSLContextInit = SSLContext.init.overload('[;', '[;', '');
        SSLContextInit.implementation = function (keyManager, trustManager, secureRandom) {
  , keyManager, TrustManagers, secureRandom);

        console.log('SSL pinning bypass active');

    // Bypass okhttp3
    try {
        var OkHttpClient = Java.use('okhttp3.OkHttpClient');
        var Builder = OkHttpClient.Builder;
        Builder.sslSocketFactory.overload('', '').implementation = function (sslSocketFactory, trustManager) {
            var newTrustManager = TrustManager.$new();
            return, sslSocketFactory, newTrustManager);
        console.log('Bypassed OkHttpClient SSL pinning');
    } catch (e) {
        console.log('Failed to bypass OkHttpClient: ' + e);

    // Bypass TrustManager
    try {
    } catch (e) {
        console.log('Failed to bypass TrustManager: ' + e);

There are a generic SSL Pinning Bypass script, we can run it with Frida and Burpsuite running in background

					frida -U -f com.example.pinned -l sslPinning.js

And then, we need log in with the creds.

But, if we go to Burpsuite, let’s check that in the POST we see the flag

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *