> For the complete documentation index, see [llms.txt](https://thamizhiniyancs.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thamizhiniyancs.gitbook.io/writeups/hackthebox/tracks/intro-to-android-exploitation/apkrypt.md).

# APKrypt

## Overview

Hey everyone, in this write-up we will be solving an HTB challenge APKrypt.

Link to the challenge: <https://app.hackthebox.com/challenges/285>

Let’s Start!!!!!!

***

## Initial Setup

First download and extract the given file.

<figure><img src="/files/uF1oSr641UUWubcqDTYl" alt=""><figcaption></figcaption></figure>

From the README.txt file, we can see that the application supports API level 29 or earlier.

<figure><img src="/files/MsaHMDEIj7UtF0kbnFsC" alt=""><figcaption></figcaption></figure>

Next I used `apktool` to extract the apk file.

<figure><img src="/files/4vG1WldbQpPk138Gu0m6" alt=""><figcaption></figcaption></figure>

After extracting the apk, I first took a look at the `AndroidManifest.xml` file to check whether there is any minimum SDK version is required to run the app.

<figure><img src="/files/Cqy2RIKfUo0LDBt56FvL" alt=""><figcaption></figcaption></figure>

There was nothing mentioned about that. So, In my case I installed the apk on an Android 10 / API 29 Virtual Device with Google API’s.

To install the `apk`, I used `adb`.

<figure><img src="/files/s2Vbccwq31KLTa679BuC" alt=""><figcaption></figcaption></figure>

***

## Application Interaction

Next I just take a look at the app and its functionality.

<figure><img src="/files/fWxTDa0MnLTmhWZpZ9hD" alt=""><figcaption></figcaption></figure>

The app loads with a page, where we have to enter the VIP code to get the ticket. There is nothing else in the page except a submit button. So I moved on to analyse the decompiled `smali` code.

I first opened the apk with `jadx-gui`, to get the basic understanding of the application.

***

## Code Analysis

{% embed url="<https://github.com/skylot/jadx>" %}

In the `MainActivity` class file, you can find the main function which checks whether the VIP code is valid or not and if valid, it returns the flag.

<figure><img src="/files/qxveGXz2vrN4QeUIZAr7" alt=""><figcaption></figcaption></figure>

* The if condition checks whether the MD5 version of the code that we input is equal to the MD5 hashed VIP code. For that, it uses the `equals` method.
* Now to bypass this check, we can modify the `equals` method to `notEqual`, so that even if the input is empty or invalid the flag will be shown.
* To modify the above condition, we have to first decompile the `apk` and modify the `smali` code of this particular if condition and recompile the `apk` and sign it with a key, to bypass the check.

To perform the above task, I used `APKlab` tool to Modify the apk.

{% embed url="<https://github.com/APKLab/APKLab>" %}

***

## Modifying the APK

First open vscode and use the shortcut key `ctrl + shift + p` to open the command pallet and search for `APKLab: Open an APK` option and click it.

<figure><img src="/files/mfQnsiXwJQIqRCOt3T0r" alt=""><figcaption></figcaption></figure>

Now locate the apk file and select it.

<figure><img src="/files/WG7SVdrvoHMMiubgGZ20" alt=""><figcaption></figcaption></figure>

Next leave the defaults in the popup and click OK.

<figure><img src="/files/EFHfuGZxqxekXz14mxz4" alt=""><figcaption></figcaption></figure>

After pressing ok, `APKLab` will decompile the android application and will load a new window with the decompiled files.

I used the search feature in the vscode to find the condition, by looking out for the MD5 hashed version of the VIP code to which our input code is compared.

<figure><img src="/files/nbvhnKIbxXn1olt3mCDR" alt=""><figcaption></figcaption></figure>

From the results, we have found the if condition. Now its time to modify the if condition.

Replace the `if-eqz` to `if-nez`, which means `not equals` and save the file.

<figure><img src="/files/tzZnkpmyfGfG1kunKaQa" alt=""><figcaption></figcaption></figure>

***

## Rebuilding and Signing the APK

Now it’s time to compile and sign the apk.

To do that select the `apktool.yml` file in the file explorer → right click to view the options → click on the option `APKLab: Rebuild the APK`

<figure><img src="/files/npMW4Jw0JbvjlYIs5xag" alt=""><figcaption></figcaption></figure>

After the build process is completed you should see a output similar to this:

<figure><img src="/files/9YngNStRpK1KZNjf62rc" alt=""><figcaption></figcaption></figure>

***

## Installing the Modified APK

Now its time to install app. Before installing the modified version of the app, ensure that you have uninstalled the unmodified version of the app.

<figure><img src="/files/DwfQoBba3jmFcPSjXSIP" alt=""><figcaption></figcaption></figure>

After installing the app, open the app and press the submit button \[ with or without the VIP code ( Both should WORK ) ].

<figure><img src="/files/0hPVRWxv8X929jLDCggL" alt=""><figcaption></figcaption></figure>

You can see the toast message with the flag.

We have successfully obtained the flag.

Thank You !!!!!!
