H3dg3h0g's Blog

    App|ETS Challenges 2 and 3

    Challenge

    Challenge 2: When nothing seems to work, external tools can be a great way to browse a SQLite database.

    Challenge 3: This challenge is a great way to learn that querying data from a SQLite internal database is not always a wise choice.

    An APK file was included with both challenges.

    Solution

    Static Analysis

    I first launched MobSF and started a static analysis scan. MobSF is a mobile application reverse engineering tool that allows you to decompile mobile apps and do static and dynamic analyses.

    Here is part of the result:


    It looks like the application has raw SQL queries in its source code, which we can see in ets/dci/ctf2022/c2/DBHandler.java (the addFlag method is reproduced at the end of this post).

    Looking at the source code, it looks like the application creates a SQLite database, computes a flag and inserts it into the DB.

    There were a lot of different ways to get the flag for both challenges:

    1. Understand the source code and compute the flag (it’s actually just an MD5 hash of some value stored in the source code)
    2. Emulate the application and perform a SQL injection (the intended solution)
    3. Emulate the application and browse the local SQLite DB (what I did)

    If I’m correct, solutions 1 and 3 worked for both challenges.
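    The following Python script is an added example, not code from the writeup or from the challenge APK. It reproduces solution 1 (recompute the flag the way addFlag does: reverse a key constant, MD5 it, and render the digest the way Java's `new BigInteger(1, digest).toString(16)` does, which silently drops leading zeros) and then illustrates the lesson of challenge 3 by rebuilding the Flag table in an in-memory SQLite database and reading it back with the same `SELECT * FROM Flag` query used below. The real value of Constants.key is not reproduced in the writeup, so `PLACEHOLDER_KEY` is a constructed stand-in.

```python
import hashlib
import sqlite3

# Constructed placeholder: the real Constants.key from the APK is not shown in the writeup.
PLACEHOLDER_KEY = "cba"


def reverse_key(key: str) -> str:
    """Mirror the StringBuilder loop in addFlag, which appends characters last-to-first."""
    return key[::-1]


def java_biginteger_hex(digest: bytes) -> str:
    """Reproduce `new BigInteger(1, digest).toString(16)`.

    The digest is read as a positive integer and printed without leading zeros, so a
    digest whose first nibble is 0 yields fewer than 32 hex characters. Comparing
    against a normal hexdigest() would fail for such values.
    """
    return format(int.from_bytes(digest, "big"), "x")


def compute_flag(key: str, java_style: bool = True) -> str:
    """Solution 1: derive the flag from the key constant exactly as addFlag does."""
    digest = hashlib.md5(reverse_key(key).encode("utf-8")).digest()
    hexpart = java_biginteger_hex(digest) if java_style else digest.hex()
    return "FLAG-" + hexpart


def build_database(key: str) -> sqlite3.Connection:
    """Recreate the on-device schema seen in the writeup (Courses, Flag) in memory.

    The flag row is inserted with a parameterized statement; the secret is still stored in
    plaintext, which is the actual weakness: anyone with a root shell can read the file.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Courses (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE Flag (id INTEGER PRIMARY KEY, flag TEXT)")
    conn.execute("INSERT INTO Flag (flag) VALUES (?)", (compute_flag(key),))
    conn.commit()
    return conn


def dump_flag_table(conn: sqlite3.Connection) -> list:
    """Solution 3: the same query the writeup ran from the sqlite3 shell on the emulator."""
    return conn.execute("SELECT * FROM Flag").fetchall()


if __name__ == "__main__":
    db = build_database(PLACEHOLDER_KEY)
    print(compute_flag(PLACEHOLDER_KEY))
    print(dump_flag_table(db))
```

    Try `compute_flag("a")` to see the Java-style rendering drop the leading zero of the digest: the flag comes out 31 hex characters long rather than 32, which matters if you verify a recomputed flag against the stored one by string comparison.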

    Running the App on an Android Emulator

    For the Android emulator I used anbox, which simply allows you to run an Android OS on Linux. If you are doing a mobile app pentest, the emulator can be configured to use BurpSuite as a proxy.

    ┌─[✗]─[h3dg3h0g@parrotOS]─[~/Downloads]
    └──╼ $anbox.appmgr

    Starting anbox

    ┌─[h3dg3h0g@parrotOS]─[~/Downloads]
    └──╼ $adb devices
    List of devices attached
    emulator-5558   device

    Using adb to interact with the emulator

    ┌─[✗]─[h3dg3h0g@parrotOS]─[~/Downloads]
    └──╼ $adb install -r -t mobile-challenge1.apk
    Performing Streamed Install

    Installing the apk on the emulated Android

    ┌─[h3dg3h0g@parrotOS]─[~/Downloads]
    └──╼ $adb -s emulator-5558 shell
    x86_64:/ $

    Starting a shell on the emulated Android

    x86_64:/ $ su

    By default, you won’t have permissions to list the content of /data/data, so elevate your permissions with su

    x86_64:/ # cd /data/data
    x86_64:/data/data # cd ets.dci.ctf2022.c1
    x86_64:/data/data/ets.dci.ctf2022.c1 # cd databases/
    x86_64:/data/data/ets.dci.ctf2022.c1/databases # ls
    coursedb coursedb-journal

    Finding the sqlite file

    x86_64:/data/data/ets.dci.ctf2022.c1/databases # sqlite3 coursedb
    SQLite version 3.9.2 2015-11-02 18:31:45
    Enter ".help" for usage hints.
    sqlite> .tables
    Courses           Flag              android_metadata
    sqlite> SELECT * FROM Flag;
    1|FLAG-c8ebd76d7c6e19b0aaae7df749c0272d
    sqlite>

    The flag was stored in the sqlite file

    Great beginner-level mobile app challenge which teaches you a little bit about mobile app pentests (static and dynamic analysis, Android emulation, the Android filesystem)!

    The addFlag method from ets/dci/ctf2022/c2/DBHandler.java, as decompiled by MobSF (imports and comments added for readability; the rest of the class is omitted):

    import android.content.ContentValues;
    import android.database.sqlite.SQLiteDatabase;
    import java.io.UnsupportedEncodingException;
    import java.math.BigInteger;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

        private void addFlag(SQLiteDatabase sqLiteDatabase) {
            ContentValues values = new ContentValues();
            // Reverse the hard-coded Constants.key, character by character
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < Constants.key.length(); i++) {
                sb.append(Constants.key.charAt((Constants.key.length() - i) - 1));
            }
            String hashtext = "";
            try {
                // MD5 of the reversed key
                byte[] bytesOfMessage = sb.toString().getBytes("UTF-8");
                MessageDigest md = MessageDigest.getInstance("MD5");
                byte[] digest = md.digest(bytesOfMessage);
                // Note: BigInteger.toString(16) drops leading zeros, so the
                // hex string can be shorter than 32 characters
                BigInteger bigInt = new BigInteger(1, digest);
                hashtext = bigInt.toString(16);
            } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
            // The hash is also written to stdout (visible in logcat)
            System.out.println(hashtext);
            // The flag is stored in plaintext in the local SQLite database
            values.put("flag", "FLAG-" + hashtext);
            sqLiteDatabase.insert("Flag", null, values);
        }
    } // end of class DBHandler