THE COMPETITION ORGANIZED BY JOHN HAMMOND WITH MANY SPONSORS
Name | Points | Authored By |
---|---|---|
johnks | 500 | birch#9901 |
Description
This is a Forensics challenge.
Solution
I downloaded a PNG file. I can see a John Hammond picture and some stock values, but the description says "Rising rising in height", so what if I increase the height of the picture?
Using TweakPNG I edited the image height stored in the IHDR chunk.
Then boom!!!
We get the flag.
DONE!!!
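To see what TweakPNG is doing for you, here is an added Python example (not part of the original writeup) that builds a small PNG whose IHDR declares fewer rows than the IDAT data really contains, reports the mismatch, and rewrites the height with a recomputed CRC. The image is constructed inline; the real challenge picture is not reproduced, and the row-count check only handles 8-bit RGB.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, rows: list, declared_height: int = None) -> bytes:
    """Build an 8-bit RGB PNG from raw scanlines (3 bytes per pixel).

    If declared_height is smaller than len(rows), IHDR lies about the height
    while IDAT still holds every row, which is how a picture can hide content
    below its visible bottom edge.
    """
    height = len(rows) if declared_height is None else declared_height
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    raw = b"".join(b"\x00" + r for r in rows)  # filter type 0 in front of each scanline
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (offset, type, data, stored_crc) for every chunk in the file."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    off = 8
    while off + 12 <= len(png):
        length, = struct.unpack(">I", png[off:off + 4])
        ctype = png[off + 4:off + 8]
        data = png[off + 8:off + 8 + length]
        crc, = struct.unpack(">I", png[off + 8 + length:off + 12 + length])
        yield off, ctype, data, crc
        off += 12 + length


def read_ihdr(png: bytes) -> dict:
    """Decode width/height/depth/colour type from IHDR and verify its CRC."""
    for _, ctype, data, crc in iter_chunks(png):
        if ctype == b"IHDR":
            w, h, depth, colour, *_ = struct.unpack(">IIBBBBB", data)
            ok = crc == (zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF)
            return {"width": w, "height": h, "depth": depth, "colour": colour, "crc_ok": ok}
    raise ValueError("no IHDR chunk")


def hidden_rows(png: bytes) -> int:
    """Full scanlines present in IDAT beyond what IHDR declares (8-bit RGB only)."""
    info = read_ihdr(png)
    if info["depth"] != 8 or info["colour"] != 2:
        raise NotImplementedError("only 8-bit RGB is handled in this example")
    raw = zlib.decompress(b"".join(d for _, t, d, _ in iter_chunks(png) if t == b"IDAT"))
    stride = 1 + 3 * info["width"]  # filter byte + 3 bytes per pixel
    return len(raw) // stride - info["height"]


def set_height(png: bytes, new_height: int) -> bytes:
    """Return a copy with the IHDR height rewritten and the IHDR CRC recomputed.

    The CRC matters: libpng treats a CRC error on a critical chunk as fatal, so
    patching only the four height bytes leaves a file most viewers refuse to open.
    """
    out = bytearray(png)
    for off, ctype, data, _ in iter_chunks(png):
        if ctype == b"IHDR":
            data = bytearray(data)
            data[4:8] = struct.pack(">I", new_height)
            out[off + 8:off + 8 + len(data)] = data
            out[off + 8 + len(data):off + 12 + len(data)] = struct.pack(
                ">I", zlib.crc32(b"IHDR" + bytes(data)) & 0xFFFFFFFF)
            return bytes(out)
    raise ValueError("no IHDR chunk")


def demo() -> dict:
    """Constructed sample: a 2x4 image whose IHDR claims only 2 rows."""
    red, blue = b"\xff\x00\x00", b"\x00\x00\xff"
    rows = [red * 2, red * 2, blue * 2, blue * 2]  # the blue rows are the hidden part
    cropped = make_png(2, rows, declared_height=2)
    fixed = set_height(cropped, 4)
    return {
        "declared": read_ihdr(cropped)["height"],
        "hidden": hidden_rows(cropped),
        "fixed_height": read_ihdr(fixed)["height"],
        "fixed_crc_ok": read_ihdr(fixed)["crc_ok"],
        "hidden_after": hidden_rows(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

On a real file, run `hidden_rows()` first: if it reports extra scanlines, the declared height is the thing to raise; if it reports zero, the "rising" hint points somewhere else (a later IDAT, an appended file, or a different dimension entirely).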
Name | Points | Authored By |
---|---|---|
A wild Ride | 500 | Kkevsterrr#7469 |
Description
This is a Forensics challenge.
Solution
I downloaded a zip file. It is password-protected, but the listing shows a bunch of files with the .gpx extension.
After some googling I found that GPX "is simply a text file with geographic information such as waypoints, tracks, and routes saved in it", so it's basically map points.
But the zip is protected, so I have to crack it first.
Password: crackme
So it's time to get the flag from those files; inside, they contain XML.
Reading the raw XML is a dead end, so I needed to open the files in the right tool. I googled how to open them; many tools could open them one by one but not as a group, until I found https://gpx.studio/
After loading all the files together, we get the flag.
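The point of loading every file at once is that the tracks only make sense when plotted together. As an added example (not from the writeup, and using a constructed GPX snippet rather than the challenge files), here is a Python script that pulls every waypoint, route point and track point out of any number of GPX files and draws them on a character grid, north up, so letters traced by the tracks can be read without a map site. The GPX namespace is stripped so both GPX 1.0 and 1.1 files work.

```python
import glob
import sys
import xml.etree.ElementTree as ET


def track_points(gpx_xml: str) -> list:
    """Return (lat, lon) for every wpt/rtept/trkpt in the file, in file order."""
    root = ET.fromstring(gpx_xml)
    points = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] in ("wpt", "rtept", "trkpt"):  # ignore the namespace
            points.append((float(el.get("lat")), float(el.get("lon"))))
    return points


def ascii_plot(points: list, cols: int = 60, rows: int = 20, mark: str = "#") -> str:
    """Project the points onto a cols x rows grid (north up, west left).

    Coarse, but enough to read shapes that a track draws on the map.
    """
    lats = [p[0] for p in points]
    lons = [p[1] for p in points]
    lat_min, lat_max = min(lats), max(lats)
    lon_min, lon_max = min(lons), max(lons)
    grid = [[" "] * cols for _ in range(rows)]
    for lat, lon in points:
        x = 0 if lon_max == lon_min else round((lon - lon_min) / (lon_max - lon_min) * (cols - 1))
        y = 0 if lat_max == lat_min else round((lat_max - lat) / (lat_max - lat_min) * (rows - 1))
        grid[y][x] = mark
    return "\n".join("".join(r) for r in grid)


def plot_files(paths: list, cols: int = 60, rows: int = 20) -> str:
    """Merge every file's points into one plot, like loading them all into gpx.studio."""
    points = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            points.extend(track_points(fh.read()))
    return ascii_plot(points, cols, rows)


# Constructed sample (not a challenge file): a single track tracing the letter "L".
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>letter</name><trkseg>
    <trkpt lat="10.3" lon="20.0"></trkpt>
    <trkpt lat="10.2" lon="20.0"></trkpt>
    <trkpt lat="10.1" lon="20.0"></trkpt>
    <trkpt lat="10.1" lon="20.1"></trkpt>
    <trkpt lat="10.1" lon="20.2"></trkpt>
  </trkseg></trk>
</gpx>
"""

if __name__ == "__main__":
    # usage: python gpxplot.py 'tracks/*.gpx'   (no args: plots the built-in sample)
    files = [p for arg in sys.argv[1:] for p in glob.glob(arg)]
    print(plot_files(files) if files else ascii_plot(track_points(SAMPLE_GPX), cols=3, rows=3))
```

Tracks spread over very different areas will squash each other on one grid; if that happens, plot each file separately and read them in name order.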
Name | Points | Authored By |
---|---|---|
Steam Locomotive | 500 | JohnHammond#6971 |
Description
This is a Miscellaneous challenge.
Solution
After clicking "start challenge" I was given SSH credentials. When I log in I see a train running across the terminal, and then the connection is closed.
To solve this kind of challenge I need an SSH tool that automates the login and runs my command before the server's own command gets going, so I used sshpass to supply the password and passed my command on the ssh command line.
I run it, and DONE!! EAZY PIIIEZY
Name | Points | Authored By |
---|---|---|
Cereal | 500 | BusesCanFly#2237 |
Description
This is a Hardware/RF challenge.
Solution
I downloaded a file called mystery.sal, so this one is about the extension: .sal is a Saleae Logic capture, which the Logic analyzer software can open.
At the top I can see weird characters; I had to zoom out to see them clearly.
Boom, the flag is there.
EAZY PIIEZY
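The challenge name ("Cereal") hints that the capture is a serial stream, which Logic's Async Serial analyzer decodes into the characters seen along the top of the trace. As an added example (not part of the writeup), the Python below does the same job on a raw sampled line: it generates an 8N1 bit stream at a chosen samples-per-bit ratio and recovers the bytes by sampling each bit at its centre. The flag text, sample rate and baud rate are constructed for the demo; a real capture would be exported from Logic as a sample list first.

```python
def uart_encode(data: bytes, samples_per_bit: int, idle_bits: int = 2) -> list:
    """Render bytes as a sampled TTL line: idle high, start bit low, 8 data bits
    LSB first, one stop bit high (8N1). Only used here to build test input."""
    sig = [1] * (samples_per_bit * idle_bits)
    for byte in data:
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for bit in frame:
            sig.extend([bit] * samples_per_bit)
    sig.extend([1] * (samples_per_bit * idle_bits))
    return sig


def uart_decode(sig: list, samples_per_bit: float) -> bytes:
    """Recover 8N1 frames from a list of 0/1 samples.

    Sync on each falling edge (start bit), then sample the line at the centre of
    every following bit. samples_per_bit may be fractional (sample_rate / baud),
    which is the normal case for a logic-analyzer capture. Frames whose stop bit
    is not high are dropped as framing errors.
    """
    out = bytearray()
    n = len(sig)
    i = 0
    while i < n:
        falling_edge = sig[i] == 0 and (i == 0 or sig[i - 1] == 1)
        if not falling_edge:
            i += 1
            continue
        centre = i + samples_per_bit / 2
        if int(centre) >= n or sig[int(centre)] != 0:  # glitch shorter than half a bit
            i += 1
            continue
        byte = 0
        for k in range(8):
            pos = int(round(centre + (k + 1) * samples_per_bit))
            if pos >= n:
                return bytes(out)
            byte |= sig[pos] << k
        stop = int(round(centre + 9 * samples_per_bit))
        if stop < n and sig[stop] == 1:
            out.append(byte)
        i = max(stop, i + 1)  # resume the edge search inside the stop bit
    return bytes(out)


def decode_capture(sig: list, sample_rate: int, baud: int) -> str:
    """Wrapper mirroring the analyzer's settings (sample rate and baud rate)."""
    return uart_decode(sig, sample_rate / baud).decode("ascii", errors="replace")


# Constructed demo: a 1 MS/s capture of a 100 kbaud link carrying a made-up flag.
SAMPLE_RATE = 1_000_000
BAUD = 100_000
DEMO_FLAG = b"flag{constructed_example}"
DEMO_SIGNAL = uart_encode(DEMO_FLAG, SAMPLE_RATE // BAUD)

if __name__ == "__main__":
    print(decode_capture(DEMO_SIGNAL, SAMPLE_RATE, BAUD))
```

If the output is garbage, the usual suspects are a wrong baud guess (measure the narrowest pulse in samples and divide the sample rate by it) or an inverted line; the decoder tolerates a few percent of baud error because it resyncs on every start bit.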
The Android challenges are about code review: you need to know where sensitive data is stored, which functions pull the important data, and so on. I just wanted to give it a try. Here are the challenges I solved and what I learned.
Name | Points | Authored By |
---|---|---|
otp vault | 500 | congon4tor#2334 |
Description
This is a Mobile challenge.
Solution
I downloaded a file; it's an APK, which means an Android app.
I installed the app. It asks me to enter the correct code, which I don't know yet.
I fired up jadx and started looking at the source.
I started with AndroidManifest.xml.
The launcher activity is MainActivity, so let's check it.
It looks like the app is built with React Native, so my guess was that there must be a JavaScript bundle somewhere.
Looking for index.android.bundle, we can see minified JavaScript code, so I copied it into a beautifier to read it clearly.
After spending some time looking for something useful, I finally found an interesting function around line 31975 (so many lines to look through! Sometimes you can just search for a keyword like "flag", which is what I did after struggling).
**Analyzing the code,**
it seems the flag comes from a web server that uses bearer token authorization, so my guess is I don't need to bypass the OTP in the app at all. I copied the URL into the browser.
First shot:
Oh no!! I just remembered there is a /flag path, let me try it.
Second shot:
Here we go again; I just remembered there is a bearer token in there.
Third shot (using Burp to add the Authorization header):
BOOOM, we get the flag!!!
EAZY PIIZY
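Searching a 30,000-line React Native bundle by hand is slow, and the three-shot sequence above (URL, then path, then token) is exactly what a grep would have given in one go. As an added example (not from the writeup, and run against a constructed stand-in for the bundle rather than the real one), here is a Python helper that pulls candidate base URLs, relative paths and bearer tokens out of index.android.bundle, then replays the request with the Authorization header the way Burp was used. The hostname, path and token in the sample are placeholders.

```python
import json
import re
import urllib.request

URL_RE = re.compile(r"""https?://[^\s'"`\\)]+""")
PATH_RE = re.compile(r"""['"](/[A-Za-z0-9_./-]{1,40})['"]""")
# Token-looking literals that follow "Bearer", or are assigned to a name containing "token".
BEARER_RE = re.compile(r"""Bearer\s+['"]?([A-Za-z0-9._~+/=-]{8,})""")
TOKEN_VAR_RE = re.compile(r"""(\w*[tT]oken\w*)\s*[:=]\s*['"]([A-Za-z0-9._~+/=-]{8,})['"]""")


def extract_secrets(bundle: str) -> dict:
    """Return de-duplicated URLs, relative paths and token candidates from a JS bundle."""
    def uniq(seq):
        return list(dict.fromkeys(seq))
    return {
        "urls": uniq(URL_RE.findall(bundle)),
        "paths": uniq(PATH_RE.findall(bundle)),
        "tokens": uniq(BEARER_RE.findall(bundle) + [t for _, t in TOKEN_VAR_RE.findall(bundle)]),
    }


def build_request(url: str, token: str) -> urllib.request.Request:
    """The request Burp was used to send: a GET carrying Authorization: Bearer <token>."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})


def fetch_flag(url: str, token: str, timeout: float = 10.0) -> str:
    """Replay the app's authenticated call (needs network; not exercised offline)."""
    with urllib.request.urlopen(build_request(url, token), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed stand-in for the relevant slice of index.android.bundle (not the real code).
SAMPLE_BUNDLE = r"""
var h=function(){var e=this;this.baseUrl='http://otp-vault.example:8080';
this.getFlag=function(){return fetch(e.baseUrl+'/flag',{headers:{Authorization:'Bearer s3cr3t-static-token-123'}})
.then(function(r){return r.json()})}};
"""

if __name__ == "__main__":
    found = extract_secrets(SAMPLE_BUNDLE)
    print(json.dumps(found, indent=2))
    req = build_request(found["urls"][0] + found["paths"][0], found["tokens"][0])
    print(req.full_url, req.get_header("Authorization"))
```

A static bearer token shipped inside the bundle is the real finding here: anyone with the APK can call the endpoint, so the OTP screen protects nothing on the server side.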
Name | Points | Authored By |
---|---|---|
Click Me | 500 | M_alpha#3534 |
Description
This is a Mobile challenge.
Solution
I downloaded a file; it's an APK, which means an Android app.
I installed the app. I'm supposed to click until the flag pops up, and I don't know how many times; it could be 19029292939393 times or whatever, but it must be a large number, which would take me forever.
So let's view the source code using jadx.
Starting with AndroidManifest,
we can see the activity we are dealing with is MainActivity, so let's check it out.
We spotted this code:
```java
public final void cookieViewClick(View view) {
    int i = this.CLICKS + 1;
    this.CLICKS = i;
    if (i >= 13371337) {
        this.CLICKS = 13371337;   // counter is clamped here and never goes above 13371337
    }
    ((TextView) findViewById(C0574R.C0577id.cookieCount)).setText(String.valueOf(this.CLICKS));
}

public final void getFlagButtonClick(View view) {
    Intrinsics.checkNotNullParameter(view, "view");
    if (this.CLICKS == 99999999) {   // unreachable through the UI: 99999999 > 13371337
        Toast.makeText(getApplicationContext(), getFlag(), 0).show();
        return;
    }
    Toast.makeText(getApplicationContext(), "You do not have enough cookies to get the flag", 0).show();
}
```
So even if we automate the clicking, once the counter reaches 13371337 or more it is clamped back to 13371337 on every click, so CLICKS can never reach 99999999 through the UI.
Continuing…
If CLICKS equals 99999999 we get the flag from a method called getFlag().
Ohh, getFlag() is interesting!!
So the adventure begins. The fact is I wanted to try a tool called Frida, and this was the time to give it a try.
I set up Frida:
an Android emulator or rooted phone (I used Genymotion),
then I started frida-server.
It's running!!!
My app is there. So here is the big picture: we need to write JavaScript code that hooks getFlag() and hands its return value to us:
After hours I finally came up with this short payload that does the magic:
BOOM!!! So excited, I got the flag.
So much fun on this one, and I ended up learning something new. I hope I'll play around more with Frida.
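The payload itself is not reproduced above, so here is an added example (my code, not the writeup's payload) of how such a hook is driven from the host with frida-python. It assumes frida-server is running on the device, frida-tools is installed on the host, and the package and activity names are the placeholders below (take the real ones from AndroidManifest.xml in jadx); the field name CLICKS comes from the decompiled code shown earlier. The agent takes two independent routes to the flag: calling getFlag() on the live Activity directly, and rewriting CLICKS inside getFlagButtonClick() so the equality check passes.

```python
"""Host-side driver for a Frida hook against the Click Me app (added example)."""
import sys
import textwrap

PACKAGE = "com.example.clickme"                   # assumption: real name is in the manifest
ACTIVITY = "com.example.clickme.MainActivity"     # assumption: real name is in the manifest


def build_hook_script(activity_class: str, counter_field: str = "CLICKS",
                      target: int = 99999999) -> str:
    """Return the Frida agent (JavaScript) that gets around the 13371337 cap."""
    return textwrap.dedent(f"""
        Java.perform(function () {{
            var Activity = Java.use('{activity_class}');

            // Route 1: find the already-running Activity and call getFlag() on it.
            // Frida exposes private methods on the wrapper, so no clicking is needed.
            Java.choose('{activity_class}', {{
                onMatch: function (inst) {{ send('getFlag() => ' + inst.getFlag()); }},
                onComplete: function () {{}}
            }});

            // Route 2: set the counter to the magic value just before the original
            // button handler runs, so the 'CLICKS == 99999999' branch is taken.
            Activity.getFlagButtonClick.implementation = function (view) {{
                this.{counter_field}.value = {target};
                return this.getFlagButtonClick(view);   // calls the original method
            }};
        }});
    """).strip()


def main(package: str = PACKAGE, activity: str = ACTIVITY) -> None:
    import frida  # imported here so build_hook_script() works without frida installed

    device = frida.get_usb_device()          # Genymotion / adb devices show up here
    session = device.attach(package)         # attach to the app that is already open
    script = session.create_script(build_hook_script(activity))
    script.on("message", lambda msg, data: print(msg.get("payload", msg)))
    script.load()
    print("hooks installed; watch for getFlag() output or tap the flag button. Ctrl-C to quit")
    sys.stdin.read()


if __name__ == "__main__":
    main(*sys.argv[1:3])
```

Route 1 only fires if MainActivity already exists when the script loads, which is why the driver attaches to the running app instead of spawning it; if you spawn, move the Java.choose call into a hook on a later lifecycle method such as onResume.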
REFERENCES
https://blog.ikuamike.io/posts/2020/razictf-chasingalock-writeup/
https://alyagomaa.github.io/blog/Using-Frida-to-call-unused-android-methods/