APKey

APKey writeup by Thamizhiniyan C S

Overview

Hey everyone, in this write-up we will be solving an HTB challenge APKey.

Link to the challenge: https://app.hackthebox.com/challenges/240

Let’s Start!!!!!!

Initial Setup

First download and extract the given file.

Next I opened the apk with jadx-gui.

GitHub - skylot/jadx: Dex to Java decompilerGitHub

I checked the AndroidManifest.xml file and found that we need at least API version 16 to run this app and the target API version is 30 i.e., Android 10. So, I installed the app on Android 10 emulator.

Application Interaction

Now let’s take a look at the app.

It opened with a login page, and if we enter wrong credentials, it throws a toast stating “Wrong Credentials”.

Nothing else is found in the app.

Code Analysis

Now let’s take a look at the source code of the application.

From the MainActivity class file, we can see a if condition, which looks out for the user admin and checks whether the md5 version of the entered password matches the predefined hash in the second if condition, and if the condition satisfies the application throws a toast with the key.

The if condition checks whether the MD5 version of the code that we input is equal to the MD5 hashed VIP code. For that, it uses the equals method.
Now to bypass this check, we can modify the equals method to notEqual, so that even if the input is empty or invalid the flag will be shown.
To modify the above condition, we have to first decompile the apk and modify the smali code of this particular if condition and recompile the apk and sign it with a key, to bypass the check.

Modifying the Code

To perform the above task, I used APKlab tool to Modify the apk.

GitHub - APKLab/APKLab: Android Reverse-Engineering Workbench for VS CodeGitHub

First open vscode and use the shortcut key ctrl + shift + p to open the command pallet and search for APKLab: Open an APK option and click it.

Now locate the apk file and select it.

Next leave the defaults in the popup and click OK.

After pressing ok, APKLab will decompile the android application and will load a new window with the decompiled files.

I used the search feature in the vscode to find the condition, by looking out for the MD5 hashed version of the password to which our input code is compared.

From the results, we have found the if condition. Now its time to modify the if condition.

Replace the if-eqz to if-nez, which means not equals and save the file.

Rebuiding and Installing the APK

Now it’s time to compile it into apk,sign the apk and install the apk onto the emulator.

To do that select the apktool.yml file in the file explorer → right click to view the options → click on the option APKLab: Rebuild and Install the APK

Before performing the above task, don’t forget to uninstall the original version of the app from the emulator.

After the build process is completed and the app is successfully installed, you should see a output similar to this:

Now open the app and type the user name as admin and enter some random password.

You can see the toast message with the flag.

We have successfully obtained the flag.

Thank You !!!!!!

PreviousDon't Overreact NextPwn With Metasploit

Last updated 7 months ago