APKrypt

APKrypt writeup by Thamizhiniyan C S

Overview

Hey everyone, in this write-up we will be solving an HTB challenge APKrypt.

Link to the challenge: https://app.hackthebox.com/challenges/285

Let’s Start!!!!!!

Initial Setup

First download and extract the given file.

From the README.txt file, we can see that the application supports API level 29 or earlier.

Next I used apktool to extract the apk file.

After extracting the apk, I first took a look at the AndroidManifest.xml file to check whether there is any minimum SDK version is required to run the app.

There was nothing mentioned about that. So, In my case I installed the apk on an Android 10 / API 29 Virtual Device with Google API’s.

To install the apk, I used adb.

Application Interaction

Next I just take a look at the app and its functionality.

The app loads with a page, where we have to enter the VIP code to get the ticket. There is nothing else in the page except a submit button. So I moved on to analyse the decompiled smali code.

I first opened the apk with jadx-gui, to get the basic understanding of the application.

Code Analysis

GitHub - skylot/jadx: Dex to Java decompilerGitHub

In the MainActivity class file, you can find the main function which checks whether the VIP code is valid or not and if valid, it returns the flag.

The if condition checks whether the MD5 version of the code that we input is equal to the MD5 hashed VIP code. For that, it uses the equals method.
Now to bypass this check, we can modify the equals method to notEqual, so that even if the input is empty or invalid the flag will be shown.
To modify the above condition, we have to first decompile the apk and modify the smali code of this particular if condition and recompile the apk and sign it with a key, to bypass the check.

To perform the above task, I used APKlab tool to Modify the apk.

GitHub - APKLab/APKLab: Android Reverse-Engineering Workbench for VS CodeGitHub

Modifying the APK

First open vscode and use the shortcut key ctrl + shift + p to open the command pallet and search for APKLab: Open an APK option and click it.

Now locate the apk file and select it.

Next leave the defaults in the popup and click OK.

After pressing ok, APKLab will decompile the android application and will load a new window with the decompiled files.

I used the search feature in the vscode to find the condition, by looking out for the MD5 hashed version of the VIP code to which our input code is compared.

From the results, we have found the if condition. Now its time to modify the if condition.

Replace the if-eqz to if-nez, which means not equals and save the file.

Rebuilding and Signing the APK

Now it’s time to compile and sign the apk.

To do that select the apktool.yml file in the file explorer → right click to view the options → click on the option APKLab: Rebuild the APK

After the build process is completed you should see a output similar to this:

Installing the Modified APK

Now its time to install app. Before installing the modified version of the app, ensure that you have uninstalled the unmodified version of the app.

After installing the app, open the app and press the submit button [ with or without the VIP code ( Both should WORK ) ].

You can see the toast message with the flag.

We have successfully obtained the flag.

Thank You !!!!!!

PreviousAnchored NextExplore

Last updated 7 months ago