CSbyGB - Pentips

Hackthebox - Introduction to Android Exploitation - Track


Last updated 2 years ago

  • Requires a VIP account to access the retired box and challenges.

  • For this track you will need a setup for Android app hacking. You can see how to set this up in the Android notes of this site.

Challenge - Pinned

  • Here is the readme:

1. Install this application in an API Level 29 or earlier (i.e. Android 10.0 (Google APIs)).
  • For this challenge we need to bypass certificate pinning.

  • Download frida-server for your emulator's architecture (x86 here) and run unxz frida-server-<version>-android-x86.xz to decompress the file. The server version must match the frida-tools version you install on the host (16.0.8 below).

  • mkdir frida-on-venv: in my opt folder, I created a new folder for frida.

  • sudo python3 -m venv frida: create the virtual env for frida.

  • source frida/bin/activate: activate the env.

  • pip3 install frida-tools: install Frida.

  • Install the apk file in your virtual machine (you can drag and drop it).

  • Launch it and keep it on screen.

  • adb push frida-server-16.0.8-android-x86 /data/local/tmp/frida-server

  • adb root (it should already be rooted, but just for sanity).

  • adb shell "chmod 755 /data/local/tmp/frida-server" so that you can launch it ;)

  • In another terminal tab, adb shell to drop into your Android shell.

  • su

  • /data/local/tmp/frida-server & to launch frida-server.

  • frida-ps -U -ai from your host lists the applications on the device; you should see Pinned in the list.

  • Then you just need to run frida -U -l ./frida-script.js -f com.example.pinned (frida-script.js is the httptoolkit unpinning script; see the notes at the end of this page for where to get it).

  • Now we should be able to intercept the traffic and actually see it in Burp (frida-server should still be running for this process).

  • Click login on your screen.

  • And we got the flag from Burp.
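The frida-server steps above fail in two predictable ways: the pushed binary does not match the emulator's CPU ABI (x86 image, arm binary), or the frida-server version does not match the frida-tools version in the virtualenv. The helper below is an added example, not part of the original writeup or of the Frida project; it codifies the push/chmod/launch sequence and performs both checks first. Every adb and frida invocation goes through an injectable `run` function (an assumption of this example) so the logic can be exercised without a device.

```python
"""Added example: automate the frida-server deployment steps and check the
ABI and version pitfalls before pushing anything to the emulator."""
import re
import subprocess
from typing import Callable, List

# Android ABI (adb shell getprop ro.product.cpu.abi) -> suffix used in Frida
# release file names (frida-server-<version>-android-<arch>).
ABI_TO_FRIDA_ARCH = {
    "x86": "x86",
    "x86_64": "x86_64",
    "armeabi-v7a": "arm",
    "arm64-v8a": "arm64",
}

REMOTE_PATH = "/data/local/tmp/frida-server"

# A runner takes an argv list and returns the command's stdout.
Runner = Callable[[List[str]], str]


def default_run(cmd: List[str]) -> str:
    """Run a command and return its stdout; raises on non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def frida_arch_for_abi(abi: str) -> str:
    """Map the device ABI to the Frida release architecture name."""
    abi = abi.strip()
    if abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError(f"unsupported ABI {abi!r}")
    return ABI_TO_FRIDA_ARCH[abi]


def server_filename(version: str, abi: str) -> str:
    """Name of the decompressed frida-server binary for this version and ABI."""
    return f"frida-server-{version}-android-{frida_arch_for_abi(abi)}"


def host_frida_version(run: Runner = default_run) -> str:
    """Version of the frida client installed in the virtualenv (frida --version)."""
    return run(["frida", "--version"]).strip()


def check_version_match(client_version: str, server_version: str) -> bool:
    """Frida needs client and server versions to match; compare them strictly."""
    return client_version.strip() == server_version.strip()


def device_abi(run: Runner = default_run) -> str:
    """ABI reported by the connected emulator/device."""
    return run(["adb", "shell", "getprop", "ro.product.cpu.abi"]).strip()


def deploy_frida_server(server_version: str, run: Runner = default_run) -> List[str]:
    """Push, chmod and start frida-server as root; returns the commands executed."""
    client = host_frida_version(run)
    if not check_version_match(client, server_version):
        raise RuntimeError(f"frida-tools {client} does not match frida-server {server_version}")
    local = server_filename(server_version, device_abi(run))
    steps = [
        ["adb", "root"],
        ["adb", "push", local, REMOTE_PATH],
        ["adb", "shell", f"chmod 755 {REMOTE_PATH}"],
        # su -c starts the server in the background, as in the manual steps;
        # nohup and the redirects keep adb shell from hanging on its output.
        ["adb", "shell", f"su -c 'nohup {REMOTE_PATH} >/dev/null 2>&1 &'"],
    ]
    for cmd in steps:
        run(cmd)
    return [" ".join(c) for c in steps]


def find_package(ps_output: str, package: str) -> bool:
    """True if the output of `frida-ps -U -ai` lists the given package identifier."""
    pattern = rf"\b{re.escape(package)}\b"
    return any(re.search(pattern, line) for line in ps_output.splitlines())


if __name__ == "__main__":
    print(deploy_frida_server("16.0.8"))
    print(find_package(default_run(["frida-ps", "-U", "-ai"]), "com.example.pinned"))
```

After `deploy_frida_server` returns, run `frida-ps -U -ai` and pass its output to `find_package` to confirm the target is visible before spawning it with `frida -U -l ./frida-script.js -f <package>`.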

Challenge - Manager

  • Here is the readme:

  • We need to follow exactly the same process as we did for Pinned and bypass cert pinning.

  • For it to work I used Android 7 (API 25).

  • You should now be able to intercept the traffic.

  • Connect to the instance you started.

  • Create an account.

  • When I logged in with my account I saw there was a role parameter that looked interesting.

  • I tried to register a member with an admin role but without success. However, I tried registering admin and got this error: Username already taken!

  • So we know that there is a user admin.

  • After some exploration I saw that changing the password only needs a username and a password.

  • So why not try to change the password for the admin user?

  • It works!

  • We can now log in as admin and we get the flag.
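The Manager backend is not shown in the writeup, so the following is an added example modelling the two weaknesses it exhibits, not the challenge's real code. `register_vulnerable` trusts a client-supplied role (the mass-assignment attempt that the app in fact rejected), and `change_password_vulnerable` identifies the target account by a username taken from the request, which is why the admin password could be replaced. The hardened versions ignore the client's role and bind the password change to the authenticated session plus proof of the current password. Names, messages and the in-memory store are all assumptions of the example.

```python
"""Added example: vulnerable vs hardened account handling as seen in Manager."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; stored as salt || digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against the stored salted digest."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.sessions: Dict[str, str] = {}  # session token -> username

    def register_vulnerable(self, username: str, password: str, role: str = "member") -> str:
        """Mass assignment: the role is taken straight from the request body."""
        if username in self.users:
            return "Username already taken!"
        self.users[username] = {"pw": hash_password(password), "role": role}
        return "ok"

    def register(self, username: str, password: str, **ignored) -> str:
        """Hardened: any role field sent by the client is dropped; new accounts are members."""
        if username in self.users:
            return "Username already taken!"
        self.users[username] = {"pw": hash_password(password), "role": "member"}
        return "ok"

    def login(self, username: str, password: str) -> Optional[str]:
        """Returns a session token on success, None otherwise."""
        user = self.users.get(username)
        if user is None or not verify_password(password, user["pw"]):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def change_password_vulnerable(self, username: str, new_password: str) -> str:
        """The Manager flaw: the caller picks any username, no session required."""
        if username not in self.users:
            return "no such user"
        self.users[username]["pw"] = hash_password(new_password)
        return "ok"

    def change_password(self, token: str, current_password: str, new_password: str) -> str:
        """Hardened: the target is the session owner, and the current password
        must be proven before it is replaced."""
        username = self.sessions.get(token)
        if username is None:
            return "unauthenticated"
        if not verify_password(current_password, self.users[username]["pw"]):
            return "wrong current password"
        self.users[username]["pw"] = hash_password(new_password)
        return "ok"

    def role_of(self, username: str) -> str:
        return self.users[username]["role"]
```

The detection angle is the same on both endpoints: a password-change request whose target user differs from the session owner, or a registration payload carrying a privileged role, should never reach the data layer, and logging such requests at the API gateway makes the probing visible.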

Challenge Anchored

  • Here is the readme

1. Install this application in an API Level 29 or earlier (i.e. Android 10.0 (Google Play)).

2. Install this application in a non-rooted device (i.e. In Android Studio AVD Manager select an image that includes (Google Play)).
  • For the other challenges I used Genymotion, but for this one I am going to use Android Studio (with Burp and all the necessary setup).

  • It seems like we will need to bypass cert pinning without root rights.

  • So we have a non-rooted Android 10 VM.

  • In order to do this we need objection, and objection needs a clean version of apktool (not one whose version ends in -dirty).

$ apktool --version
2.7.0
  • Now we need to patch the apk: objection patchapk -s ~/Documents/kali-shared/hackthebox/Anchored/Anchored/Anchored.apk

$ objection patchapk -s Anchored.apk 
No architecture specified. Determining it using `adb`...
Detected target device architecture as: x86
Using latest Github gadget version: 16.0.8
Patcher will be using Gadget version: 16.0.8
Detected apktool version as: 2.7.0
Running apktool empty-framework-dir...
I: Removing 1.apk framework file...
Unpacking Anchored.apk
App already has android.permission.INTERNET
Target class not specified, searching for launchable activity instead...
Reading smali from: /tmp/tmpfr2zcaji.apktemp/smali/com/example/anchored/MainActivity.smali
Injecting into an existing constructor
Injecting loadLibrary call at line: 18
Attempting to fix the constructors .locals count
Current locals value is 1, updating to 2:
Writing patched smali back to: /tmp/tmpfr2zcaji.apktemp/smali/com/example/anchored/MainActivity.smali
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from /tmp/tmpfr2zcaji.apktemp.aligned.objection.apk to Anchored.objection.apk in current directory...
Cleaning up temp files
  • After this we get a version of the apk with objection in the name: Anchored.objection.apk

  • We can install it in our VM: adb install Anchored.objection.apk

  • We can launch it. The app will be frozen (that is normal: the gadget waits for a client to connect).

  • objection explore

  • And now we have to disable ssl pinning: android sslpinning disable

  • It will launch the screen and you will see the traffic in Burp.

  • Here is the app; we can try to enter a random email and request access.

  • And we get the flag (do not forget to put it in HTB{} before submitting it).

Challenge APKrypt

  • Here is the readme

1. Install this application in an API Level 29 or earlier (i.e. Android 10.0 (Google APIs)).
  • Let's have a look at the code with jadx-gui (./jadx-gui).

  • Looking at the Java code, we can see that it takes a string, md5s it and compares it to this md5 hash: 735c3628699822c4c1c09219f317a8e9

  • Here is the snippet from jadx-gui.

  • Let's see if we can crack it. We are not successful with crackstation or hashcat.

  • We know we could modify the smali code. Maybe we could change the hash to a custom hash, like my name in md5, or test, or anything.

  • We could also modify the condition.

  • So yes, with access to the code and the possibility to modify it we can do multiple things.

  • So let's decompile the apk with apktool: apktool d ../APKrypt.apk

  • We get these files.

  • So let's change the md5 hash.

$ echo -n "test" | md5sum
098f6bcd4621d373cade4e832627b4f6  -
  • Spoiler alert: this does not work. Let's change the condition instead.

  • We need to change this if-eqz p1, :cond_0 to this if-nez p1, :cond_0

  • Let's save it and recompile it:

    • apktool b APKrypt/

    • keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

    • So for me: keytool -genkey -v -keystore my-release-key.keystore -alias apkrypt -keyalg RSA -keysize 2048 -validity 10000

    • In my case: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore APKrypt.apk apkrypt

  • Let's open our new file with Android Studio to debug it.

  • In Android Studio we go to File > Profile or Debug APK.

  • With the modified condition it works: even if what we type is not equal to the hash, we will get the code.

  • This is also our flag HTB{3nj0y_y0ur_v1p_subscr1pt1on}
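Why a one-instruction change defeats APKrypt: the flag is already inside the app and only guarded by a branch on `md5(input) == constant`, so inverting `if-eqz` into `if-nez` makes every wrong input take the success path. The Python below is an added example (not the challenge's code) that models the shipped check, the patched check, and a contrasting design in which the secret is a key input rather than a branch condition, so a patched branch produces garbage instead of the flag. The secret, flag and salt are constructed for the example; the preimage of the challenge's 735c3628699822c4c1c09219f317a8e9 is unknown and not used.

```python
"""Added example: hash-compare gate vs key-derived gate for a client-side secret."""
import hashlib
from typing import Optional

SECRET = "constructed-secret"        # constructed; not the challenge's value
FLAG = b"HTB{constructed_flag}"      # constructed
TARGET_MD5 = hashlib.md5(SECRET.encode()).hexdigest()  # what the app would embed


def check_as_shipped(user_input: str) -> Optional[bytes]:
    """Pattern seen in MainActivity$1: md5(input) compared with a constant,
    and the embedded flag shown only if the comparison succeeds."""
    matches = hashlib.md5(user_input.encode()).hexdigest() == TARGET_MD5
    if not matches:      # if-eqz -> jump to the failure branch
        return None
    return FLAG


def check_branch_flipped(user_input: str) -> Optional[bytes]:
    """Same code after patching if-eqz to if-nez: the test is inverted, so
    every wrong input now reaches the success branch."""
    matches = hashlib.md5(user_input.encode()).hexdigest() == TARGET_MD5
    if matches:
        return None
    return FLAG


# --- alternative design: the secret is a key, not a branch condition -------
SALT = b"constructed-salt"


def derive_key(secret: str) -> bytes:
    """Slow KDF so that guessing the secret offline is expensive."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000, dklen=len(FLAG))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# What would ship in the APK instead of the plaintext flag. XOR with a
# derived one-time key is used here to stay in the standard library; a real
# app would use an AEAD such as AES-GCM.
ENCRYPTED_FLAG = xor_bytes(FLAG, derive_key(SECRET))


def reveal_keyed(user_input: str) -> bytes:
    """There is no branch to patch: the plaintext only exists if the key is right."""
    return xor_bytes(ENCRYPTED_FLAG, derive_key(user_input))


if __name__ == "__main__":
    print(check_as_shipped("wrong"), check_branch_flipped("wrong"))
    print(reveal_keyed(SECRET), reveal_keyed("wrong"))
```

The keyed design removes the branch-flip shortcut but not the offline guess: an attacker holding the APK can still try candidate secrets against `ENCRYPTED_FLAG`, so anything that must stay secret from the user belongs on a server that performs the check, not in the client at all.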

Challenge - SeeTheSharpFlag

Writeup will be public as soon as this challenge is retired

Box - Explore

Challenge - SAW

Writeup will be public as soon as this challenge is retired

Challenge - Don't Overreact

Writeup will be public as soon as this challenge is retired

Challenge - APKey

Writeup will be public as soon as this challenge is retired

Full track achieved

  • And we finished the track!

Notes and links referenced above

  • Pinned: take frida-server from the Frida releases page, https://github.com/frida/frida/releases

  • Pinned: take the unpinning script with wget https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js

  • APKrypt: open the decompiled folder in a code editor (I use VSCodium, see my page about it) and look for the md5 hash 735c3628699822c4c1c09219f317a8e9. We find it in /APKrypt/smali/com/example/apkrypt/MainActivity$1.smali

  • APKrypt: we need to sign the apk or we will not be able to debug it. We can use the keytool command found on Stack Overflow to generate the key (it will ask for a password; you will need it to sign the apk).

  • APKrypt: now that we have the key we can sign the apk with jarsigner (see Stack Overflow for the command): jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

  • Explore: see my writeup of the Explore box.