mobile
-
Read more: AHE16: Android Hacking Events 2017 (Strange Calculator)
For this challenge, we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APKhttps://team-sik.org/wp-content/uploads/2016/06/strangecalculator.apk_.zip We install the apk with adb install -r strangecalculator.apk And then, decompile this with apktool apktool d strangecalculator.apk Let’s inspect the source code with jadx (GUI Version)We have 2 activities, MainActivity and Parser activity. Let’s talk about MainActivity (Code can be shorted for the writeup) package…
-
Read more: AHE17: Android Hacking Events 2017 (Why Should I Pay?)
For this challenge, probably we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APKhttps://team-sik.org/wp-content/uploads/2017/06/WhyShouldIPay.apk_.zip Install the apk with adb adb install -r WhyShouldIPay.apk And decompile the apk with apktool Load the apk to jadx-gui for see the source codeWe can see in the first activity that we have the VERIFY button, that give us an error.And the PREMIUM CONTENT button, that show us…
-
Read more: AHE17: Android Hacking Events 2017 (You Can Hide – But You Cannot Run)
For this challenge, probably we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APKhttps://team-sik.org/wp-content/uploads/2017/06/YouCanHideButYouCannotRun.apk_.zip Use apktool for decompile the .apk file apktool d YouCanHideButYouCannotRun.apk And install the .apk with adb adb install -r YouCanHideButYouCannotRun.apk Launching the app we can see that we have a text that talk about encryption and a button. That say Start to Running if we press it. Let’s load the .apk to jadx for…
-
Read more: AHE17: Android Hacking Events 2017 (Flag-Validator)
Methods For this challenge, probably we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APKhttps://team-sik.org/wp-content/uploads/2017/06/FlagValidator.apk_.zip With apktool will extract the content of the apk file apktool d FlagValidator.apk Let’s see the content of MainActivity.java that say so clear the structure of the flag.In the onValidateClick method public void onValidateClick(View view) { new StringBuilder(“Validate Token…
-
Read more: FastJson and Furious – Hack The Box – @lautarovculic
Difficult: Easy Category: Mobile OS: Android Description: A couple years ago I was experimenting with Android Development and I created this application to hide my secret, but now I forgot how to get it back. Can you help me? First, download the .zip file and extract them with hackthebox password. Then, we’ll use apktool for…
-
Read more: Injured Android – Flag 1 to 13
This CTF Mobile has taken from here:https://github.com/B3nac/InjuredAndroid I use a Genymotion Android device (API 29) for this challenge.For install and use the application, you must install an ARM Translator. I use the .zip file for Android 9.0, it’s work fine for the emulator. You can find the translator here:https://github.com/m9rco/Genymotion_ARM_Translation Flags First Steps There are so many flags in the application,…
-
Read more: AHE17: Android Hacking Events 2017 (AES-Decrypt)
For this challenge, we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APK https://team-sik.org/wp-content/uploads/2017/06/AES-Decrypt.apk_.zip Now, installing the APK, we can see a button and two text box for decrypt something. Then, let’s take around the code with jadx. Just we need this piece of Java…
-
Read more: burpCertAndroid
This is an automated script for installing BurpSuite certificate in Android devices. GitHub BurpSuite Cert for Android Installer – v1 The script was tested and developed for Android devices running in Genymmotion. If you have errors in the execution of the script, visit the step by step in the post I have written: POST Setup…
-
Read more: Joker – Hack The Box – @lautarovculic
Difficult: Hard Category: Mobile OS: Android Description: The malware reverse engineering team got an alert about malware which is still published on Google’s PlayStore and has thousands of installs. Can you help them to identify the address of the command and control server in order to blacklist it ? Download and extract the .zip file…
-
Read more: Explore – Hack The Box – @lautarovculic
User.txt Let’s check the open ports with nmap sudo nmap -sV -p- -Pn -vv -T4 10.10.10.247 Output: PORT STATE SERVICE REASON VERSION 2222/tcp open ssh syn-ack ttl 63 Banana Studio SSH server app (net.xnano.android.sshserver.tv) (protocol 2.0) 5555/tcp filtered freeciv no-response 46243/tcp open unknown syn-ack ttl 63 59777/tcp open http syn-ack ttl 63 Bukkit JSONAPI httpd…