
FastJson and Furious – Hack The Box

Difficulty: Easy. Category: Mobile. OS: Android.

Description: A couple of years ago I was experimenting with Android development and I created this application to hide my secret, but now I forgot how to get it back. Can you help me?


First, download the .zip file and extract it with the hackthebox password. Then we'll use apktool to decompile the APK and extract the application content.

apktool d app-release.apk

We can see that the compile SDK version is 33, so I'll use a Genymotion Android device with API 31. Install the APK with

adb install -r app-release.apk

The app looks like this (screenshot omitted).

The package is

hhhkb.ctf.fastjson_and_furious

After reading the Java source code of the MainActivity.java class, we notice that

public class MainActivity extends AppCompatActivity {
    public static String POSTFIX = "20240227";
    public static boolean succeed = false;
[...]

The succeed variable is set to false, and the calcHash function always returns "" (an empty string) while succeed is false. So we need to modify the MainActivity.smali code and change false to true.

smali_classes2/hhhkb/ctf/fastjson_and_furious
├── Flag.smali
├── MainActivity$1.smali
├── MainActivity.smali
├── R$color.smali
├── R$drawable.smali
├── R$id.smali
├── R$layout.smali
├── R$mipmap.smali
├── R$string.smali
├── R$style.smali
├── R$xml.smali
├── R.smali
└── ui

Now we need to rebuild the APK

apktool b app-release -o patchedFast.apk

Align the APK

zipalign -v -p 4 patchedFast.apk patchedFastAligned.apk

Generate a new signing key

keytool -genkey -v -keystore my-release-key.keystore -alias my-key-alias -keyalg RSA -keysize 2048 -validity 10000

Sign the APK

apksigner sign --ks my-release-key.keystore --out patchedFastAlignedSigned.apk patchedFastAligned.apk

Install the patched APK

adb install -r patchedFastAlignedSigned.apk
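The patch, rebuild, align, sign and install steps above as one script. This is an added example, not the writeup's own commands: it assumes the apktool output directory is app-release, that the static initializer of MainActivity.smali stores the field as a `const/4 vN, 0x0` immediately followed by `sput-boolean vN, ...->succeed:Z` (the usual compiler output for `public static boolean succeed = false;`), and that apktool, zipalign, keytool, apksigner and adb are on PATH. The keystore name and alias are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original writeup). Flips the `succeed` static
# boolean in the decompiled MainActivity.smali, then rebuilds, aligns, signs
# and installs the APK. Assumes the apktool output directory is ./app-release
# and that <clinit> stores the field as:
#     const/4 vN, 0x0
#     sput-boolean vN, Lhhhkb/ctf/fastjson_and_furious/MainActivity;->succeed:Z

SMALI_FILE="app-release/smali_classes2/hhhkb/ctf/fastjson_and_furious/MainActivity.smali"
KEYSTORE="my-release-key.keystore"
KEY_ALIAS="my-key-alias"

# patch_succeed_flag <smali file>
# Rewrites the 0x0 constant that feeds `succeed` to 0x1. Only the const/4 that
# loads the register named in the sput-boolean is touched, so other constants
# in the method are left alone. Returns 1 (and leaves the file unchanged) if
# no matching store is found.
patch_succeed_flag() {
    file="$1"
    tmp="$file.tmp"
    awk '
        NR > 1 {
            if ($0 ~ /sput-boolean [vp][0-9]+, L.*MainActivity;->succeed:Z/) {
                reg = $2; sub(/,$/, "", reg)          # register of the store, e.g. "v0"
                if (prev ~ ("const/4 " reg ", 0x0$")) {
                    sub(/0x0$/, "0x1", prev); patched++
                }
            }
            print prev                                # emit the previous line (possibly patched)
        }
        { prev = $0 }
        END { if (NR > 0) print prev; exit (patched > 0 ? 0 : 1) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# rebuild_sign_install <apktool dir>
# apktool b -> zipalign -> (keytool once) -> apksigner -> adb install, the same
# sequence as the writeup, with a verify step so a bad signature fails early.
rebuild_sign_install() {
    srcdir="$1"
    apktool b "$srcdir" -o patchedFast.apk
    zipalign -v -p 4 patchedFast.apk patchedFastAligned.apk
    if [ ! -f "$KEYSTORE" ]; then
        keytool -genkey -v -keystore "$KEYSTORE" -alias "$KEY_ALIAS" \
            -keyalg RSA -keysize 2048 -validity 10000
    fi
    apksigner sign --ks "$KEYSTORE" --ks-key-alias "$KEY_ALIAS" \
        --out patchedFastAlignedSigned.apk patchedFastAligned.apk
    apksigner verify --print-certs patchedFastAlignedSigned.apk
    adb install -r patchedFastAlignedSigned.apk
}

# Run the whole pipeline only when invoked as `sh patch.sh run`, so the
# functions can also be sourced on their own.
if [ "${1:-}" = "run" ]; then
    patch_succeed_flag "$SMALI_FILE" || { echo "succeed store not found in $SMALI_FILE" >&2; exit 1; }
    rebuild_sign_install app-release
fi
```

The awk pass keeps one line of lookbehind: when it reaches the `sput-boolean` into `succeed`, it edits the `const/4` that loaded the same register on the previous line and nothing else, so a file whose initializer has been optimised differently fails loudly instead of being rebuilt unpatched.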

And if we open the patched APK in jadx, we can see that the MainActivity.java class is now patched.

Now, if we send a valid JSON

{"username":"admin","password":"1234"}

We get this (screenshot omitted).

Assuming the app now works correctly, let's keep reviewing the source code looking for hints. The app is now waiting for a JSON string, and that string needs exactly 2 keys; we can conclude this because

JSONObject parseObject = JSON.parseObject(str.replace("\":", POSTFIX + "\":"));
if (parseObject.keySet().size() != 2) {
    return "";

If the number of keys isn't 2, the method returns an empty string. In the class

com.alibaba.fastjson.JSON

we find the following:

public abstract class JSON implements JSONStreamAware, JSONAware {
    public static final String DEFAULT_TYPE_KEY = "@type";
    public static final String VERSION = "1.1.52";
[...]

After a quick search, I found this article: https://jfrog.com/blog/cve-2022-25845-analyzing-the-fastjson-auto-type-bypass-rce-vulnerability/ Then, after some hours, I concluded that we can craft key 1 (using the @type vulnerability) and key 2, the succeed flag that we patched to true.
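A defender's version check for the library found above, as an added example that is not part of the original writeup: it reads the VERSION constant from the decompiled com/alibaba/fastjson/JSON.smali and compares it with 1.2.83, the fastjson release that fixed CVE-2022-25845 (the CVE in the JFrog article). The baksmali field syntax and the directory layout are assumptions based on standard apktool output; the version 1.1.52 used in the check below is the one the writeup found.

```shell
#!/bin/sh
# Added example (not from the original writeup): read the fastjson version that
# apktool recovered and compare it with 1.2.83, the release that fixed
# CVE-2022-25845. Assumes the decompiled tree contains
# com/alibaba/fastjson/JSON.smali with the usual baksmali form of the constant:
#     .field public static final VERSION:Ljava/lang/String; = "1.1.52"

FASTJSON_FIXED="1.2.83"   # first release with the CVE-2022-25845 fix

# fastjson_version <apktool output dir>
# Prints the VERSION constant, or returns 1 if the class (or the constant)
# is not present.
fastjson_version() {
    f=$(find "$1" -path '*/com/alibaba/fastjson/JSON.smali' 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    v=$(sed -n 's/^\.field public static final VERSION:Ljava\/lang\/String; = "\([^"]*\)".*/\1/p' "$f" | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# version_lt <a> <b>
# Numeric, segment-wise comparison of three-part dotted versions (1.2.100 is
# newer than 1.2.83, which a plain string compare gets wrong). True when a < b.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# fastjson_check <apktool output dir>
# Prints a one-line verdict; returns 0 when the bundled fastjson is older than
# the fixed release (the autoType bypass is still reachable), 1 otherwise.
fastjson_check() {
    v=$(fastjson_version "$1") || { echo "fastjson: not found"; return 1; }
    if version_lt "$v" "$FASTJSON_FIXED"; then
        echo "fastjson $v: older than $FASTJSON_FIXED, CVE-2022-25845 applies"
        return 0
    fi
    echo "fastjson $v: at or above $FASTJSON_FIXED"
    return 1
}

# Usage: sh fastjson_check.sh <apktool output dir>
[ "${1:-}" = "" ] || fastjson_check "$1"
```

Run it against the apktool output directory; a zero exit means the app still ships a fastjson build in which @type-driven class instantiation has not been fixed, which is the condition the rest of the writeup relies on.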

We need a Java class for this parameter, and the app hints at one:

hhhkb.ctf.fastjson_and_furious.Flag

The final JSON looks like

{"@type":"hhhkb.ctf.fastjson_and_furious.Flag","success":true}

I hope you found it useful (: