avilaaa

@avila-pwn-notes

wanna be android/ios pwner.

Joined on Nov 16, 2021

  • Nahamcon CTF 2024 - Mobile Challenge Writeups Helped clear the mobile board for ARESx, also blooded flyaway1 (the flutter pentests are paying off lmao). The mobile challs this year were pretty much simple reverse engineering tasks, here's how I speedran them: Kitty kitty bang bang, Easy - 50 (303 solves) Someone else got to this earlier, but pretty much you just need to run the app on your device then watch the device logs -- you can do this by using logcat which is built-in with the Android Studio IDE or you can monitor them on the commandline via `adb logcat | grep <your-search-string>`. Guitar, Easy - 50 (335 solves) Wouldn't be a nahamcon mobile challenge without the usual flag in strings challenge. When reversing an apk, or pretty much anything, always check the strings.xml resource file.
  • Mobile Hacking Lab - Document Viewer Warning: This is a writeup for an active challenge from Mobile Hacking Labs. Try to solve the lab on your own first hosted here: https://www.mobilehackinglab.com/course/lab-document-viewer-rce before peeking. Lab Info In this challenge, we are tasked to exploit a path traversal vulnerability within a "Document Viewer" application then escalate the attack by leveraging a dynamic code loading scenario to perform remote code execution (RCE).
  • Background Info I participated in the TCP1P ctf this past week and was intrigued by their set of mobile challenges which I mainly focused on and got first blood🩸on the challs I solved. On this writeup, I'll discuss the solutions for both solved and (may be a bit delayed) unsolved mobile challenges. Mobile Infrastructure Been a while since I last played ctfs, but this seems like the first time I've seen mobile challenges deployed like this because normally mobile challenges mostly revolved around reverse engineering the app or native lib. Hopefully, other ctfs will follow suit and implement more mobile exploitation challenges since they are very fun to do. For reference, the TCP1P team has released the infra + source code on their github repo. Fig. 1 Main Dashboard. Fig. 2 Device Shell.
  • Patched Target apk On later attacks, we will be performing data exfiltration against vulnerable webviews. However, the permissions on the original target application only allowed us to retrieve media files which doesn't really show the impact of the vuln. That's why I patched the application to add a single line in the manifest file: android:requestLegacyExternalStorage="true" The patched application can be found on my google drive. It was tested on an Android 10 (API level 29) physical device. Vulnerability #8: Insecure Broadcast Receiver Exported activities are some possible attack vectors to look out for in the android manifest. In the target application, one such activity that has the attribute android:exported='true' is com.insecureshop.AboutUsActivity.
  • It's been quite a while since I've last tried to reverse engineer and hunt for vulnerabilities in android applications (last was when I took emapt?), I badly need to brush up on android stuff since I've got a new project in mind. The Target: InsecureShop.apk InsecureShop is an application that showcases vulnerabilities found in mobile pentesting scenarios. A few things to take note from the README are that: You don't necessarily have to have a rooted android device in order to perform the exploits -> because, what's the point of trying to exploit an application when you already have superuser access to the device itself? Having a rooted phone does help immensely when performing dynamic analysis/reverse engineering tho, especially when you need to use Frida to hook into a certain function or if you want to bypass SSL pinning in order to intercept network requests. The application only demonstrates android-specific vulnerabilities and does not include attacks against a vulnerable API server or other back-end systems.
  • K3RN3LCTF 2021: easy_kernel This writeup will cover my first foray into linux kernel exploitation. Disclaimer, I just started learning kernel pwn this month, so some information here might be incomplete. I plan to improve it after I learn a little more about the kernel. Challenge Description Since the CTF was held and aimed for beginner-intermediate players, it is a safe assumption that this is an easy and introductory kernel pwn challenge. We are given the remote server details + challenge files in easy_kernel.tar.gz Challenge + Environment Files testpwn@testpwn-VirtualBox:~/Desktop/kernelarmy/pwn-kernel-extract$ ls -la total 22236
  • CoalFire CTF Notes HTB CTF challs are sometimes reused Injection, pwn 350 quick file recon reveals that we have a 64-bit pwnable challenge which is not stripped -> making it easier to reverse engineer. doing checksec shows that most protections are disabled and that we are dealing with a Position Independent Executable (PIE) binary. Reverse Engineering Opening the binary in GHIDRA, we only have the main function to analyze. We can ignore setup since it only deals with the normal buffering issues. First, the program asks for an integer input in which 1 is the correct answer to take.