# Pinned

## Overview

Hey everyone, in this write-up we will be solving the HTB challenge Pinned.

Link to the challenge: <https://app.hackthebox.com/challenges/282>

Let’s Start!!!!!!

***

## Initial Setup

First download and extract the given file.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FtumesAYCLuJz5hKT1WAy%2FUntitled.png?alt=media&#x26;token=147a3d7c-5bfc-439a-b835-caa7d46a93b7" alt=""><figcaption></figcaption></figure>

From the README.txt file, we can see that the application supports API level 29 or earlier.

First I used `apktool` to extract the contents of the `apk` file.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FVPACdG9LCqkU2kX4s8O6%2FUntitled%201.png?alt=media&#x26;token=8272cbee-b469-4ebe-8030-16603e233a83" alt=""><figcaption></figcaption></figure>

After extracting the apk, I checked the `AndroidManifest.xml` file to look for the minimum required API level. But there was no minimum API level mentioned in the `AndroidManifest.xml` file.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2Fv2Us0YcOZOIH1eV6alAA%2FUntitled%202.png?alt=media&#x26;token=5891666e-fb16-495e-b3fc-93baaf7f1385" alt=""><figcaption></figcaption></figure>

So, I decided to use Android 6 (API 23).

Next I installed `pinned.apk` using adb onto the emulated Android 6 device.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2F5MBSZR30QDSfGXwoFRLG%2FUntitled%203.png?alt=media&#x26;token=07b7b314-46c1-4139-a278-ebd99280c7a5" alt=""><figcaption></figcaption></figure>

***

## Application Interaction

I opened the application in the Android emulator and it opened with credentials already filled in by default.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FBjixMPi2qmmAc8e4Nk0H%2FUntitled%204.png?alt=media&#x26;token=6fba0c1b-0377-4642-bae9-aa5ba44268b5" alt=""><figcaption></figcaption></figure>

I clicked on LOGIN and it showed a toast message saying “You are logged in”.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FrcGkjD6Gp0Ix3at43d0J%2FUntitled%205.png?alt=media&#x26;token=c6900723-7555-4be5-ad3e-a697190ab097" alt=""><figcaption></figcaption></figure>

From the challenge description, we can see that the user had tried to intercept the request, but the connection seems to be secure.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2F6bqf10wDyzYdCbJAp8MA%2FUntitled%206.png?alt=media&#x26;token=a6e5db37-4dda-4e45-a5e8-e5acdb881726" alt=""><figcaption></figcaption></figure>

***

## Intercepting Requests

Let’s try to intercept the login request using Burp Suite.

For that, check this guide:

{% content-ref url="https://app.gitbook.com/s/7mqWWcMJ2puXtqlIgHfA/" %}
[Burpsuite Proxy Setup for Android](https://app.gitbook.com/s/7mqWWcMJ2puXtqlIgHfA/)
{% endcontent-ref %}

Now drop the above request and try to intercept the login request by logging in from the Pinned app.

But I was not able to intercept the request. Instead, Burp Suite threw the following error:

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FlHu8ypbCHknSvZLjuHB8%2FUntitled%207.png?alt=media&#x26;token=525760b9-97e6-4e16-a539-a8ea643831b6" alt=""><figcaption></figcaption></figure>

***

## Code Analysis

So let’s take a look at the code. I used the `jadx` viewer to read it. You can get it from here:

{% embed url="https://github.com/skylot/jadx" %}

Open the apk in `jadx`. I first checked the `MainActivity.class` file and found the function that checks the credentials.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FYjDJDPqdbPYpQ3RJkYlc%2FUntitled%208.png?alt=media&#x26;token=37195a0e-f451-4997-8e32-07be8780b8b6" alt=""><figcaption></figcaption></figure>

I also found another function, above the validation function, which sets up the SSL connection.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FHPfFUoCoqhro9hbL7apC%2FUntitled%209.png?alt=media&#x26;token=559b57b3-513e-4cc8-a324-bf9f1a8a1b96" alt=""><figcaption></figcaption></figure>

On further investigation I found the `run()` function in `MainActivity`, which runs while the SSL connection is being set up:

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2Fvz3OlqOAJbeGCbhapqXm%2FUntitled%2010.png?alt=media&#x26;token=d37b4460-97e8-40ab-97ee-b6dae0d66487" alt=""><figcaption></figcaption></figure>

The above function is a custom certificate pinning function: it checks whether the certificate presented by the server is the expected one, and rejects the connection otherwise. That is why Burp Suite's proxy certificate is refused. To make Burp Suite intercept the login request, we have to bypass this check.

***

## SSL Pinning Bypass

On searching Google for an SSL pinning bypass, I found the following:

{% embed url="https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/" %}

### Frida Installation

To use the above exploit, we first need to install Frida. Run the following commands to install `frida-tools`:

```bash
# create and activate a virtual environment so frida-tools stays isolated
python3 -m venv env
source ./env/bin/activate
# installs the frida CLI, frida-ps and the Python bindings
pip3 install frida-tools
```

### Frida Server Setup

After installing Frida on your local system, you next have to install `frida-server` on the Android device. To do that, follow these steps:

1. Download the latest frida server release for android that matches your android device’s architecture from the following link: <https://github.com/frida/frida/releases>
2. The file you download will be in `.xz` format. To extract it follow the steps:
   1. `sudo apt-get install xz-utils`
   2. `unxz frida-server-16.1.4-android-x86_64.xz`
   3. Rename the extracted file to `frida-server` using the command: `mv frida-server-16.1.4-android-x86_64 ./frida-server`
3. Next we have to push this `frida-server` file to the android device using the following command: `adb push frida-server /data/local/tmp/`
4. Now we have to change the permissions of the `frida-server` file using the command: `adb shell "chmod 755 /data/local/tmp/frida-server"`
5. Now open `adb shell` and move to the directory where we pushed the `frida-server` and run the `frida-server` using the command: `./frida-server`.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FmPUAE4cVr1xoQloYfQIn%2FUntitled%2011.png?alt=media&#x26;token=79b8033a-3e9d-410b-80aa-d70c35ac3110" alt=""><figcaption></figcaption></figure>

6. Now open a new terminal and activate the Python virtual environment again using the command: `source ./env/bin/activate`
7. Now run the command `frida-ps -U` to check whether the frida server is running. This command should list all the packages.

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FA8DyratqDjLjYUk3j8dp%2FUntitled%2012.png?alt=media&#x26;token=cbc9d606-86d2-44b8-a0be-b0656cf79ccd" alt=""><figcaption></figcaption></figure>
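The seven steps above, collected into one script. This is an added helper, not part of the original write-up: it picks the `frida-server` build from the device's reported ABI (`ro.product.cpu.abi`) instead of hard-coding `x86_64`, and assumes `adb`, `curl` and `unxz` are installed, a single device or emulator is attached, and the device is rooted (frida-server will not run otherwise).

```shell
#!/bin/sh
# Added helper, not from the write-up: automates the frida-server setup steps.
# Assumes adb, curl and unxz are on PATH and one rooted device/emulator is attached.
FRIDA_VERSION="${FRIDA_VERSION:-16.1.4}"   # version used in the write-up

# Map an Android ABI (value of ro.product.cpu.abi) to the suffix Frida uses
# in its release asset names.
frida_arch_for_abi() {
    case "$1" in
        arm64-v8a)   echo arm64 ;;
        armeabi-v7a) echo arm ;;
        x86)         echo x86 ;;
        x86_64)      echo x86_64 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# GitHub release asset URL for a given Frida version and architecture name.
frida_server_url() {
    echo "https://github.com/frida/frida/releases/download/$1/frida-server-$1-android-$2.xz"
}

install_frida_server() {
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    arch=$(frida_arch_for_abi "$abi") || return 1
    asset="frida-server-${FRIDA_VERSION}-android-${arch}"
    # Steps 1-2: download the matching build and decompress it
    curl -fL -o "${asset}.xz" "$(frida_server_url "$FRIDA_VERSION" "$arch")"
    unxz -f "${asset}.xz"
    mv "$asset" frida-server
    # Steps 3-4: push to the device and make it executable
    adb push frida-server /data/local/tmp/
    adb shell "chmod 755 /data/local/tmp/frida-server"
    # Step 5: start it detached so this shell does not stay attached to it
    adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
    sleep 2
    # Step 7: frida-ps -U only succeeds if the server is reachable over USB/adb
    frida-ps -U >/dev/null && echo "frida-server ${FRIDA_VERSION} (${arch}) is running"
}

# Run the whole procedure only when invoked as: sh setup-frida-server.sh install
if [ "${1:-}" = "install" ]; then
    install_frida_server
fi
```

Step 6 (activating the virtual environment) is still done by hand before running this, because `frida-ps` comes from that environment.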

Now that we have successfully connected to frida-server, it is time to run the exploit. Before running it, let’s take a look at it:

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FDehoRyLXTvOfyZYGVbpt%2FUntitled%2013.png?alt=media&#x26;token=cab1c60b-93a4-4fad-ab21-2e094fb8aa0c" alt=""><figcaption></figcaption></figure>

We can see that it creates the SSL context using a custom certificate, which in our case is the Burp Suite CA certificate.

So, to successfully run the exploit, we first have to push the Burp certificate to the location mentioned in the script, using the same file name the script expects. Since we already have the Burp Suite certificate on our local machine, which we downloaded and renamed to `cacert.pem`, we can use that file.

To push the certificate to the android device, use the following command:

`adb push ./cacert.pem /data/local/tmp/cert-der.crt`

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FETGcBAxHU5ordy6mhktf%2FUntitled%2014.png?alt=media&#x26;token=8f7f7636-1341-40e1-9bff-dac0ff7d47d1" alt=""><figcaption></figcaption></figure>

After successfully pushing the file, it is time to execute the exploit. Make sure that Burp intercept is turned on and that the Android device is configured to use the Burp proxy.

### Exploitation

Now run the following command to execute the payload:

`frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -U -f com.example.pinned`

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FdGkMvat4u3L5orGGRbnF%2FUntitled%2015.png?alt=media&#x26;token=ef64ad14-e76e-48bf-87b0-e9367a0df270" alt=""><figcaption></figcaption></figure>

The exploit has executed successfully and is waiting for the request.

Now go to the Pinned application, try to log in, and check the captured request in Burp:

<figure><img src="https://3766366075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmgBRtrRN7KBbA6FISaV1%2Fuploads%2FipuJAQmQerW4LQ4XZ7NQ%2FUntitled%2016.png?alt=media&#x26;token=52215805-5d74-48ad-9063-44e86cfd56cf" alt=""><figcaption></figcaption></figure>

We have successfully obtained the flag.

Thank you.
