Pinned
Pinned writeup by Thamizhiniyan C S
Last updated
Pinned writeup by Thamizhiniyan C S
Last updated
Hey everyone, in this write-up we will be solving an HTB challenge Pinned.
Link to the challenge: https://app.hackthebox.com/challenges/282
Let’s Start!!!!!!
First download and extract the given file.
From the README.txt file, we see can that the application supports API level 29 or earlier.
First I used apktool
to extract the contents of the apk
file.
After extracting the apk, I checked the AndroidManifest.xml
file to look out for minimum required API level. But there was no minimum API level mentioned in the AndroidManifest.xml
file.
So, I decided to use Android 6 ( API 23 ).
Next I installed the pinned.apk
using adb on to the emulated android 6 device.
I opened the application in the android emulator and it opened with credentials filled by default.
I clicked on LOGIN and it toasted a message that “You are logged in”.
From the challenge description, we can see that the user had tried to intercept the request, but the connection seems to be secure.
Let’s try to intercept the login request using burpsuite.
For that check this guide:
Now Drop the above request and try to intercept the login request by trying to login from the pinned app.
But I can’t able to intercept the request. Instead burpsuite thrown the following error:
So let’s take a look at the code. I used jadx
viewer to view the code. You can get it from here:
Open the apk in jadx
Viewer. I first checked the MainActivity.class
file and found the function that checks the credentials.
And also I found another function above the validation function which was generating SSL connection.
On further investing I found the run()
function which runs while generating SSL connection in the MainActivity
file:
The above function is a custom certificate pinning function which checks whether the certificate used is valid or not. To make burpsuite intercept the login request, we have to bypass the above check.
On searching for SSL pinning bypass in google, found the following:
To use the above exploit, first we need to install Frida
. Follow the below commands to install frida
:
After installing frida on your local system, next you have to install frida server on the android device. To do that follow the below steps:
Download the latest frida server release for android that matches your android device’s architecture from the following link: https://github.com/frida/frida/releases
The file you download will be in .xz
format. To extract it follow the steps:
sudo apt-get install xz-utils
unxz frida-server-16.1.4-android-x86_64.xz
Rename the extracted file to frida-server
using the command: mv frida-server-16.1.4-android-x86_64 ./frida-server
Next we have to push this frida-server
file to the android device using the following command: adb push frida-server /data/local/tmp/
Now we have change the permissions of the frida-server
file using the command: adb shell "chmod 755 /data/local/tmp/frida-server"
Now open adb shell
and move to the directory where we pushed the frida-server
and run the frida-server
using the command: ./frida-server
.
Now open a new terminal and again initialise the python environment using the command: source ./env/bin/activate
Now run the command: frida-ps -U
, to check whether the frida server is running. This command should list all the packages.
Now we have successfully established the connection to the frida-server. Now its time to run the exploit. Before running the exploit, let’s take a look at it:
We can see that it is generating the SSL using a custom certificate, which is the burpsuite ca certificate in our case.
So to successfully run the exploit first we have to push the burp certificate to the location mentioned in the script, with the same name as mentioned in the script. Since we have the burp suite certificate already in our local machine which we downloaded and renamed as cacert.pem
, we can use the same.
To push the certificate to the android device, use the following command:
adb push ./cacert.pem /data/local/tmp/cert-der.crt
After successfully pushing the file, its time to execute the exploit. Make sure that you have turned burp intercept on and also make sure that you have connected to burp proxy in the android device.
Now run the following command to execute the payload:
frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -U -f com.example.pinned
The exploit has executed successfully and is waiting for the request.
Now go to the Pinned application and try to login and check the captured request in burp:
We have successfully obtained the flag……
Thank you…….