MCC 2025 Mini Challenge and Solution

Description

This is a mini challenge that I created for MCC 2025.

chall.zip (Pass:McC2025aNdRoId)

Solution

I started with static analysis first.

Static Analysis

The first step that I tried was to use jadx-gui to look into the application and see the source code. After looking into the code, I noticed that the format is quite weird, especially the apktool.yml, which looks suspicious. After some research, the apktool.yml file is there because the APK was actually decompiled using apktool. The correct method here is to unzip it first. ...

December 1, 2025 · 14 min · 2773 words

ICSCTF SecureNote

Description

I asked for the challenge from other people, so I have no idea what the description is. All I know is this challenge required me to upload my malicious APK into the server.

SecureNote.apk

Static Analysis

I started out using jadx-gui to decompile and read the code.

    <activity
        android:name="com.app.rehack.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>
    <activity
        android:name="com.app.rehack.NoteListActivity"
        android:exported="true"/>
    <activity
        android:name="com.app.rehack.AddNoteActivity"
        android:exported="true"/>
    <activity
        android:name="com.app.rehack.ViewNoteActivity"
        android:exported="false"/>
    <provider
        android:name="com.app.rehack.Utils.FileProvider"
        android:writePermission="false"
        android:enabled="true"
        android:exported="false"
        android:authorities="com.app.rehack"
        android:grantUriPermissions="true">
        <meta-data
            android:name="android.support.FILE_PROVIDER_PATHS"
            android:resource="@xml/provider_path"/>
    </provider>

Based on the AndroidManifest.xml, there are 4 activities in total, but only one activity is not exported. Aside from that, there’s a provider with grantUriPermissions="true". Based on a previous challenge, this is actually vulnerable, so I assume the exploit path should be similar. The provider has a @xml/provider_path which provides the folder path of the file provider. ...

June 30, 2025 · 9 min · 1827 words

ICSCTF Senoparty

Description

I asked for the challenge from other people, so I have no idea what the description is. All I know is this challenge required me to upload my malicious APK into the server.

Senoparty.apk

Static Analysis

I started out using jadx-gui to decompile and read the code.

    <activity
        android:theme="@style/Theme.Senoparty"
        android:label="@string/app_name"
        android:name="com.example.senoparty.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <data android:scheme="content"/>
            <data android:scheme="file"/>
        </intent-filter>
    </activity>
    <provider
        android:name="com.example.senoparty.SenopartyProvider"
        android:exported="false"
        android:authorities="com.example.senoparty.SenopartyProvider"
        android:grantUriPermissions="true">
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter>
    </provider>

Based on the AndroidManifest.xml, there’s a MainActivity activity and a SenopartyProvider provider. I then first looked into the MainActivity. ...

June 30, 2025 · 4 min · 843 words