ICSCTF SecureNote

Description

I asked for the challenge from other people so I have no idea what the description is. All I know is this challenge required me to upload my malicious APK into the server.

SecureNote.apk

Static Analysis

I started out using jadx-gui to decompile and read the code.

<activity
    android:name="com.app.rehack.MainActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>
<activity
    android:name="com.app.rehack.NoteListActivity"
    android:exported="true"/>
<activity
    android:name="com.app.rehack.AddNoteActivity"
    android:exported="true"/>
<activity
    android:name="com.app.rehack.ViewNoteActivity"
    android:exported="false"/>
<provider
    android:name="com.app.rehack.Utils.FileProvider"
    android:writePermission="false"
    android:enabled="true"
    android:exported="false"
    android:authorities="com.app.rehack"
    android:grantUriPermissions="true">
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/provider_path"/>
</provider>

Based on the AndroidManifest.xml, there are 4 activities in total but only one activity is not exported. Aside from that, there’s a provider with grantUriPermissions="true". Based on a previous challenge, this is actually vulnerable so I assume the exploit path should be similar. The provider has a @xml/provider_path which provides the folder path of the file provider. ...

June 30, 2025 · 9 min · 1827 words

ICSCTF Senoparty

Description

I asked for the challenge from other people so I have no idea what the description is. All I know is this challenge required me to upload my malicious APK into the server.

Senoparty.apk

Static Analysis

I started out using jadx-gui to decompile and read the code.

<activity
    android:theme="@style/Theme.Senoparty"
    android:label="@string/app_name"
    android:name="com.example.senoparty.MainActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="content"/>
        <data android:scheme="file"/>
    </intent-filter>
</activity>
<provider
    android:name="com.example.senoparty.SenopartyProvider"
    android:exported="false"
    android:authorities="com.example.senoparty.SenopartyProvider"
    android:grantUriPermissions="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</provider>

Based on the AndroidManifest.xml, there’s a MainActivity activity and a SenopartyProvider provider. I then first looked into the MainActivity. ...

June 30, 2025 · 4 min · 843 words

ICSCTF BabyGacha

Description

I asked for the challenge from other people so I have no idea what the description is.

EmojiGachaRPG.apk

Static Analysis

I started out by decompiling it using jadx-gui and looked into the AndroidManifest.xml.

<uses-permission android:name="android.permission.INTERNET"/>
<activity
    android:theme="@style/Theme.UltraAddictiveGachaGame"
    android:name="com.honque.ultraaddictivegachagame.MainActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>
<activity
    android:name="androidx.compose.ui.tooling.PreviewActivity"
    android:exported="true"/>
<activity
    android:theme="@android:style/Theme.Material.Light.NoActionBar"
    android:name="androidx.activity.ComponentActivity"
    android:exported="true"/>

Based on the information found, the application requires an internet connection and the only interesting activity is the MainActivity. ...

June 30, 2025 · 3 min · 556 words