Posts

Introduction about myself a student that complated university studies related to cybersecurity a CTF player learnt cybersecurity for a few years but still weak in it How I learn ethical hacking Part 0 Back then, I don’t really know about red team and blue team and I just decided to learn hacking for fun. Since hacking others looks more fun, I decided to look into videos and anything related. The first courses I go through is actually Practical Ethical Hacking from TCM Security. After going through the first few topic of the course, I have some basic understanding about how hacking works (that’s what I thought back then). Eventually, I stopped the course halfway because the course started to go through hackthebox retired machine and I don’t have a VIP account to follow along. Instead, I decided to move on with PicoCTF and Tryhackme as some of the people mentioned this 2 platform is great for learning cybersecurity. I further improved my basic skills such as linux command and getting more new knowledge from Tryhackme since it has a lot of different room. As for PicoCTF, I was stunned for quite some times as that is the first time I find out about CTF. That is also when I found out that there are a lot of different hacking. ...

Challenge Description Welcome to the Android App Security Lab: SQL Injection Challenge! Dive into the world of cybersecurity with our hands-on lab. This challenge is centered around a fictitious “Food Store” app, highlighting the critical security flaw of SQL Injection (SQLi) within the app’s framework. foodstore.apk Solution As usual, static analysis to understand first. Static Analysis I started out by reading the AndroidManifest.xml code first. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 <activity android:name="com.mobilehackinglab.foodstore.Signup" android:exported="false"/> <activity android:name="com.mobilehackinglab.foodstore.MainActivity" android:exported="true"/> <activity android:name="com.mobilehackinglab.foodstore.LoginActivity" android:exported="true"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> </activity> There is a Signup, MainActivity and LoginActivity activity but only Signup activity is not exported. Reading the objective provided, this challenge will be focused in the signup function. ...

Challenge Description Welcome to the “Guess Me” Deep Link Exploitation Challenge! Immerse yourself in the world of cybersecurity with this hands-on lab. This challenge revolves around a fictitious “Guess Me” app, shedding light on a critical security flaw related to deep links that can lead to remote code execution within the app’s framework. guessme.apk Solution I started out by performing static analysis. Static Analysis As usual, jadx-gui for reading the code. ...