Cryptohorrific – Hack The Box¶

Difficult: Medium Category: Mobile OS: iOS

Description: Secure coding is the keystone of the application security!

After downloading the compressed file and decompressing it, we will have a folder where inside we find the files we need: The hackthebox file, is the main file of the program that contains the binary files. The .plist file is a list that contains details about the app and author. This is for gather information when you search an App in the App Store.

The challenge.plist have some interesting:

This must be an base64 encrypted text.

Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGNUFKoAvyW7njTCMlQzlwIRdJvaP2iYQ==

So it’s source code time. I recommend use IDA for that:

https://hex-rays.com/ We load the hackthebox program to our IDA and let’s inspect that.

Here we have a insteresting function: _CCCrypt Following to CCCrypt_ptr we can see that jmp. So, navigate to CCCrypt_ptr and:

We can see between __cfstring some interesting things:

__cfstring:0000000100003128 dq offset aFlag ; "flag”

__cfstring:0000000100003108 dq offset aPlist ; "plist”

__cfstring:00000001000030E8 dq offset aChallenge ; "challenge”

__cfstring:00000001000030C8 dq offset aQftjwnzq4t7wZC ; "QfTjWnZq4t7w!z%C”

__cfstring:00000001000030A8 dq offset aADGKapdsgvky ; "!A%D*G-KaPdSgVkY”

Following, for example: aADGKapdsgvky

We are redirect to:

And may be this is the key and IV of an AES encryption. Let’s check:

!A%D*G-KaPdSgVkY

Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGNUFKoAvyW7njTCMlQzlwIRdJvaP2iYQ==

So with these values, we can go to this online tool for decrypt: https://www.devglan.com/online-tools/aes-encryption-decryption

And here is, the flag: Decode to Plain Text and you will get the flag.

I hope you found it useful (: