Skip to content

IceCTF 2015 Husavik

Description: This handy Android App is supposed to display the flag, but it's not working! Note: For this challenge, we need install some things into our Android 5.1 device with Genymotion. For example, an ARM Translator. https://github.com/m9rco/Genymotion_ARM_Translation

Download APK: https://lautarovculic.com/my_files/husavik.apk

Install the apk with adb 

adb install -r husavik.apk

Then, decompile it with apktool 

apktool d husavik.apk

We can see inspecting the source code with jadx (GUI version) That in the MainActivity we don't have any interesting.. We just can see that some Threads of c and b class are started.

In RedHerring we don't have any of our interest. So, we can see in the run method of b class 

public void run() {  
        try {  
            Socket socket = new Socket("127.0.0.1", 6464);  
            ObjectOutputStream objectOutputStream = new ObjectOutputStream(socket.getOutputStream());  
            objectOutputStream.writeObject("ZmxhZ193YWl0X3dhc250X2l0X2RhbHZpawo=");  
            objectOutputStream.close();  
            socket.close();  
        } catch (IOException e) {  
            e.printStackTrace();  
        }  
    }

As in the c class 

public void run() {  
        try {  
            this.f4a.f2c = new ServerSocket(6464);  
            while (true) {  
                this.f4a.f2c.accept();  
            }  
        } catch (IOException e) {  
            e.printStackTrace();  
        }  
    }

The same thing, a Socket Connection that send the string ZmxhZ193YWl0X3dhc250X2l0X2RhbHZpawo= Which if we decode in base64 the string we get the flag 

echo 'ZmxhZ193YWl0X3dhc250X2l0X2RhbHZpawo=' | base64 -d
flag_wait_wasnt_it_dalvik

But, here we don't make the things of this way. So, let's get the flag of the correct way that is via a socket connection.

Let's modify the b class, the run method. Changing the 127.0.0.1 IP address for our LAN IP, in this case, our laptop or PC. In my case, is 192.168.1.6. So, let's search the code in the smali file

grep -r "127.0.0.1" husavik/smali/ -n

We have the sentence in husavik/smali/tf/icec/husavik/b.smali:36: const-string v3, "127.0.0.1"

In the line 36 of b.smali file. Change the IP, and save the file.

So now, rebuild the apk with apktool 

apktool b husavik

Generate a key 

keytool -genkey -v -keystore name.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias alias

Sign the apk 

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore name.keystore husavik/dist/husavik.apk alias

Then, uninstall the old apk in our device and install the recently signed. 

adb install -r husavik/dist/husavik.apk

Let's run an listener in our 6464 port with nc 

nc -lvp 6464

Launch the app and press the button 

nc -lvp 6464
Connection from 192.168.1.6:51098
�t$ZmxhZ193YWl0X3dhc250X2l0X2RhbHZpawo=%
We will receive the flag via the socket.

I hope you found it useful (: