App|ETS Challenges 2 and 3

Challenge

Challenge 2: When nothing seems to work, external tools can be great for browsing a SQLite database.

Challenge 3: This challenge is a great way to learn that querying data from a SQLite internal database is not always a wise choice.

An apk file was included with both challenges.

Solution

Static Analysis

I first launched MobSF and started a static analysis scan. MobSF is a mobile application reverse engineering tool that allows you to decompile mobile apps and do static and dynamic analyses.

Here is part of the result:

It looks like the application has raw SQL queries in its source code, which we can see in ets/dci/ctf2022/c2/DBHandler.java.

Looking at the source code, the application creates a SQLite database, computes a flag and inserts it into the DB.

There were a lot of different ways to get the flag for both challenges:

  1. Understand the source code and compute the flag (it’s actually just an MD5 hash of some value stored in the source code)
  2. Emulate the application and perform a SQL injection (the intended solution)
  3. Emulate the application and browse the local SQLite DB (what I did)

If I’m correct, solutions 1 and 3 worked for both challenges.
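To make the difference between solutions 2 and 3 concrete, here is an added Python stand-in for the DBHandler pattern MobSF flagged (this is example code, not the challenge's Java): the same course lookup written with the input spliced into the SQL string and then with a bound parameter, against an in-memory copy of a constructed `Courses`/`Flag` schema. Table and column names are assumptions that mirror the writeup's `.tables` output, not copied from the APK.

```python
"""Added example (not from the writeup): raw-string SQL vs. a bound
parameter, modelled on the DBHandler pattern the challenge app uses.
Schema and rows are constructed to resemble the writeup's coursedb."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for coursedb with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE Courses(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE Flag(id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO Courses(name) VALUES ('GTI619'), ('LOG619'), ('MGL805');
        INSERT INTO Flag(value) VALUES ('FLAG-constructed-placeholder');
        """
    )
    return con


def search_course_raw(con: sqlite3.Connection, name: str) -> list:
    """The pattern a static scanner reports: untrusted input becomes SQL text.

    A value containing a quote changes the structure of the WHERE clause,
    so the caller no longer controls which rows come back.
    """
    sql = f"SELECT name FROM Courses WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def search_course_safe(con: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter.

    SQLite compiles the statement first and binds `name` afterwards, so the
    input is only ever compared as data and can never alter the query.
    """
    sql = "SELECT name FROM Courses WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    benign, tainted = "GTI619", "x' OR '1'='1"
    print("raw, benign :", search_course_raw(db, benign))
    print("raw, tainted:", search_course_raw(db, tainted))   # every row
    print("safe, tainted:", search_course_safe(db, tainted))  # no row
```

Running it shows the raw version returning the whole `Courses` table for the tainted input while the parameterised version returns nothing, which is exactly why the static scan flagged the raw queries as the finding worth reporting.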

Running the App on an Android Emulator

For the Android emulator I used anbox, which simply allows you to emulate an Android OS on Linux. If you are doing a mobile app pentest, the emulator can be configured to use BurpSuite as a proxy.

```
┌─[✗]─[h3dg3h0g@parrotOS]─[~/Downloads]
└──╼ $anbox.appmgr
```

Starting anbox

```
┌─[h3dg3h0g@parrotOS]─[~/Downloads]
└──╼ $adb devices
List of devices attached
emulator-5558   device
```

Using adb to interact with the emulator

```
┌─[✗]─[h3dg3h0g@parrotOS]─[~/Downloads]
└──╼ $adb install -r -t mobile-challenge1.apk
Performing Streamed Install
```

Installing the apk on the emulated Android

```
┌─[h3dg3h0g@parrotOS]─[~/Downloads]
└──╼ $adb -s emulator-5558 shell
x86_64:/ $
```

Starting a shell on the emulated Android

```
x86_64:/ $ su
```

By default, you won’t have permissions to list the content of /data/data, so change your permissions with su

```
x86_64:/ # cd /data/data
x86_64:/data/data # cd ets.dci.ctf2022.c1
x86_64:/data/data/ets.dci.ctf2022.c1 # cd databases/
x86_64:/data/data/ets.dci.ctf2022.c1/databases # ls
coursedb coursedb-journal
```

Finding the sqlite file

```
x86_64:/data/data/ets.dci.ctf2022.c1/databases # sqlite3 coursedb
SQLite version 3.9.2 2015-11-02 18:31:45
Enter ".help" for usage hints.
sqlite> .tables
Courses           Flag              android_metadata
sqlite> SELECT * FROM Flag;
1|FLAG-c8ebd76d7c6e19b0aaae7df749c0272d
sqlite>
```

The flag was stored in the sqlite file

Great beginner-level mobile app challenge which teaches you a little bit about mobile app pentests (static and dynamic analysis, Android emulation, Android filesystem)!