# Hackthebox - Introduction to Android Exploitation - Track

* Requires a VIP account to access the retired box and challenges
* For this track you will need a setup for Android App Hacking. You can see how to set this up [here](https://csbygb.gitbook.io/pentips/mobile-app-pentest/android)

## Challenge - Pinned

![Pinned](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-4acd6884eba49dbfc3af3701f56b7ec744dec527%2F2023-01-20-14-43-53.png?alt=media)

* Here is the readme

```
1. Install this application in an API Level 29 or earlier (i.e. Android 10.0 (Google APIs)).
```

* For this challenge we need to bypass certificate pinning, so we instrument the app with Frida.
* Download the frida-server release for your emulator's architecture (x86 here) from [here](https://github.com/frida/frida/releases). Its version must match the `frida-tools` version installed on the host, otherwise the client refuses to talk to the server.
* `unxz frida-server-version-android-x86.xz` to decompress the file
* `mkdir frida-on-venv` In my opt folder, I created a new folder for frida.
* `sudo python3 -m venv frida` Create the virtual env for frida
* `source frida/bin/activate` Activate the env
* `pip3 install frida-tools` Install Frida (`frida --version` afterwards shows the version your frida-server must match)
* Install the apk file in your virtual machine (you can drag and drop it)
* Launch it and keep it on screen
* `adb push frida-server-16.0.8-android-x86 /data/local/tmp/frida-server`
* `adb root` (the emulator should already be rooted; this restarts adbd with root privileges so the following shell commands run as root)
* `adb shell "chmod 755 /data/local/tmp/frida-server"` so that you can launch it ;)
* In another terminal tab `adb shell` to drop in your android shell
* `su`
* `/data/local/tmp/frida-server &` to launch frida-server in the background

![launch frida-server](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-7ddfc5972e268178bac6e12596d0161203715f91%2F2023-01-20-14-20-07.png?alt=media)

* `frida-ps -U -ai` from your host lists the installed applications on the USB/emulator device; `pinned` should appear in the list

![Pinned process detailed](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6bc042a01104f103e6fe3cab712c52cbf5ed2449%2F2023-01-07-14-31-39.png?alt=media)

* Download [this script](https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js): `wget https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js`
* Then spawn the app with the script injected: `frida -U -l ./frida-script.js -f com.example.pinned`
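The setup steps above, collected into one script, as an added example that is not part of the original write-up. It assumes `adb` and `frida-tools` on the host and a rooted emulator reachable over adb, and relies on Frida's release naming `frida-server-<version>-android-<arch>`; the two checks it adds (server version equals host `frida --version`, server build matches the device ABI) are the mismatches that most often make `frida-ps -U` fail.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): deploy frida-server to a
# rooted emulator and start it, checking first that the server version matches
# the host frida-tools version and that the build matches the emulator's ABI.
set -eu

# Extract "16.0.8" from a release file name such as
# frida-server-16.0.8-android-x86 (with or without the .xz suffix).
server_version_from_name() {
    name=${1##*/}                # strip directories
    name=${name%.xz}             # strip .xz if still compressed
    name=${name#frida-server-}   # -> 16.0.8-android-x86
    printf '%s\n' "${name%%-*}"  # -> 16.0.8
}

# Extract the architecture suffix ("x86", "x86_64", "arm64", ...) from the name.
server_arch_from_name() {
    name=${1##*/}
    name=${name%.xz}
    printf '%s\n' "${name##*-android-}"
}

# Map an Android ABI string (getprop ro.product.cpu.abi) to the suffix Frida
# uses in its release names.
abi_to_frida_arch() {
    case "$1" in
        x86)         echo x86 ;;
        x86_64)      echo x86_64 ;;
        armeabi-v7a) echo arm ;;
        arm64-v8a)   echo arm64 ;;
        *)           echo unknown ;;
    esac
}

# Push, chmod and start frida-server, then verify with frida-ps.
# Usage: deploy_frida_server ./frida-server-16.0.8-android-x86
deploy_frida_server() {
    server=$1
    want_version=$(server_version_from_name "$server")
    want_arch=$(server_arch_from_name "$server")
    have_version=$(frida --version)
    have_abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')

    if [ "$want_version" != "$have_version" ]; then
        echo "frida-tools is $have_version but server is $want_version; use matching versions" >&2
        return 1
    fi
    if [ "$(abi_to_frida_arch "$have_abi")" != "$want_arch" ]; then
        echo "device ABI is $have_abi but server build is $want_arch" >&2
        return 1
    fi

    adb root >/dev/null
    adb push "$server" /data/local/tmp/frida-server
    adb shell "chmod 755 /data/local/tmp/frida-server"
    # adbd now runs as root, so no su is needed; -D detaches frida-server
    # as a daemon instead of leaving it tied to an interactive shell.
    adb shell "/data/local/tmp/frida-server -D"
    sleep 1
    # -ai lists installed applications; the target package should appear here.
    frida-ps -U -ai
}

# Only deploy when given a path, so the file can also be sourced for its helpers.
if [ "${1:-}" ]; then
    deploy_frida_server "$1"
fi
```

Run it as `./deploy-frida.sh ./frida-server-16.0.8-android-x86`; if either check fails it exits before pushing anything, which is cheaper than discovering the mismatch from a cryptic "unable to connect" error later.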

![spawned](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-711547c843f2da85e93e3d663cc5b90adbc79679%2F2023-01-07-14-32-47.png?alt=media)

* Now, with Burp configured as the emulator's proxy and frida-server still running, the app's HTTPS traffic shows up in Burp
* Click login on the app screen

![Pinned](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6b723c2480addce5e48502182235f9394fcaf0c0%2F2023-01-19-19-07-46.png?alt=media)

* And we get the flag from the response in Burp

![Flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-429fdf0232400f41dc4221f7150741c4ffec4ce1%2F2023-01-19-19-08-40.png?alt=media)

## Challenge - Manager

![Manager](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-4dde60d8f919fec43fb936a072e167a23ac7a85c%2F2023-01-20-14-44-31.png?alt=media)

* Here is the readme

```
```

* We need to follow exactly the same process as for Pinned and bypass certificate pinning.
* For it to work I used an Android 7 (API 25) image

![Android 7](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ad25aa78ae6800a139a589fee496b094fca04df5%2F2023-01-20-14-28-09.png?alt=media)

* You should now be able to intercept the traffic.
* Connect to the instance you started
* Create an account
* When I logged in with my account I saw a `role` parameter in the request that looked interesting

![login](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-f14ca529fb13c8ebb69bae801daa7f86cec7974b%2F2023-01-20-14-30-21.png?alt=media)

* Registering a new member with the role set to admin did not work. However, registering with the username `admin` returned the error `Username already taken!`

![new admin](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-314107015f689dd6b81e834bcdb712d5d5d15c92%2F2023-01-20-14-31-42.png?alt=media)

* So we know that a user named `admin` exists.
* After some exploration I saw that the change-password request only needs a username and a new password: nothing ties the request to the logged-in account (no old password, no ownership check).
* So why not try to change the password for the admin user

![change password](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-7da4d6aa3b5ef852567d9b6b353c2080b895ce8a%2F2023-01-20-14-33-10.png?alt=media)

* It works!
* We can now login as admin and we get the flag

![flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-fd50670d3d6f6f1460090441f04e9623d4aa0959%2F2023-01-20-14-34-12.png?alt=media)

## Challenge - Anchored

![Anchored](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-070a28438a3e1ffed49b8538be59797aa03c450c%2F2023-01-20-14-45-42.png?alt=media)

* Here is the readme

```
1. Install this application in an API Level 29 or earlier (i.e. Android 10.0 (Google Play)).

2. Install this application in a non-rooted device (i.e. In Android Studio AVD Manager select an image that includes (Google Play)).
```

* For the other challenges I used Genymotion, but for this one I am going to use the Android Studio emulator (with Burp and all the necessary setup)
* It seems we will need to bypass certificate pinning without root rights
* So we have a non-rooted Android 10 VM

![Non rooted Android 10](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-33d6534599d2e79de3c993e0301c1efd0a9b4d3f%2F2023-01-20-15-18-58.png?alt=media)

* To do this we use objection, which repackages the APK with the Frida gadget so no root is needed. objection needs a clean apktool build (a version string that does not end in `-dirty`)

```bash
$ apktool --version
2.7.0
```

* Now we need to patch the apk `objection patchapk -s ~/Documents/kali-shared/hackthebox/Anchored/Anchored/Anchored.apk`

```bash
$ objection patchapk -s Anchored.apk 
No architecture specified. Determining it using `adb`...
Detected target device architecture as: x86
Using latest Github gadget version: 16.0.8
Patcher will be using Gadget version: 16.0.8
Detected apktool version as: 2.7.0
Running apktool empty-framework-dir...
I: Removing 1.apk framework file...
Unpacking Anchored.apk
App already has android.permission.INTERNET
Target class not specified, searching for launchable activity instead...
Reading smali from: /tmp/tmpfr2zcaji.apktemp/smali/com/example/anchored/MainActivity.smali
Injecting into an existing constructor
Injecting loadLibrary call at line: 18
Attempting to fix the constructors .locals count
Current locals value is 1, updating to 2:
Writing patched smali back to: /tmp/tmpfr2zcaji.apktemp/smali/com/example/anchored/MainActivity.smali
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from /tmp/tmpfr2zcaji.apktemp.aligned.objection.apk to Anchored.objection.apk in current directory...
Cleaning up temp files
```

* After this we get a version of the apk with objection in the name, `Anchored.objection.apk`. The gadget version objection embeds should match the Frida version objection itself uses; `objection patchapk --gadget-version` lets you pin it if they differ.
* Install it in the VM: `adb install Anchored.objection.apk`
* Launch it. The app will appear frozen: the embedded Frida gadget pauses the process until a client attaches, which is normal.
* `objection explore` attaches to the gadget and resumes the app
* Now disable SSL pinning from the objection prompt: `android sslpinning disable` (the same command can be run non-interactively with `objection explore --startup-command "android sslpinning disable"`)

![disable ssl pinning](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-07364288021fe3dc78a04e56765286136a81ddd5%2F2023-01-20-16-22-49.png?alt=media)

* The app screen then appears and its traffic shows up in Burp
* Here is the app; we can enter a random email and request access

![Anchored](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-22782d81f2ab69e553d4229df838aa9efa209a3b%2F2023-01-20-16-24-48.png?alt=media)

* And we get the flag (do not forget to put it in `HTB{}` before submitting it)

![flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-35c62a1e593056491e7a1e9fa91a713331312c4f%2F2023-01-20-16-25-38.png?alt=media)

## Challenge - APKrypt

![APKrypt](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ef60a83d86e3a3039988161eb6b5adf8d23be036%2F2023-01-20-16-32-17.png?alt=media)

* Here is the readme

```bash
1. Install this application in an API Level 29 or earlier (i.e. Android 10.0 (Google APIs)).
```

* Let's have a look at the code with jadx: `./jadx-gui`
* In the Java code we can see that the app MD5-hashes the string we type and compares the hex digest to the hard-coded hash `735c3628699822c4c1c09219f317a8e9`
* Here is the snippet from jadx-gui

![jadx](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ebde38050adaa35a0933f7521f2f107f133b1e25%2F2023-01-21-10-40-46.png?alt=media)

* Let's see if we can crack it. Neither CrackStation nor hashcat with common wordlists recovers the preimage.
* Since we can modify the smali code, one option is to replace the stored hash with the MD5 of a string we choose (my name, `test`, anything).
* Another option is to modify the comparison itself.
* With access to the code and the ability to rebuild it, several approaches work.
* So let's decompile the apk with apktool: `apktool d ../APKrypt.apk`
* We get these files

![decompiled](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-67b1f5ca4752e0800bc13f7aa4158131307e6e52%2F2023-01-21-10-48-18.png?alt=media)

* Let's open the folder in a code editor (I use VSCodium, see my page about it [here](https://csbygb.gitbook.io/pentips/digital-skills/vscodium)) and search for the md5 hash `735c3628699822c4c1c09219f317a8e9`. We find it in `/APKrypt/smali/com/example/apkrypt/MainActivity$1.smali`

![snippet](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-955a8c255ccdc76b2238d767a29ee6978743c30c%2F2023-01-21-11-05-38.png?alt=media)

* So let's first try replacing the stored hash with the MD5 of `test`

```bash
$ echo -n "test" | md5sum
098f6bcd4621d373cade4e832627b4f6  -
```

* Spoiler alert: this does not work. Let's change the condition instead
* We need to change this `if-eqz p1, :cond_0` to this `if-nez p1, :cond_0`, which inverts the branch: the path reserved for the correct hash is now taken for every input that does not match

![change condition](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c30a9ea2bb2075e33d780964c5afc9cbb1a9b1bb%2F2023-01-21-11-51-58.png?alt=media)

* Let's save it and rebuild the APK
  * `apktool b APKrypt/` (the rebuilt file is written to `APKrypt/dist/APKrypt.apk`)

![recompile](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e07a33c09e7a4125dfb5f6f304d90827d6c924dd%2F2023-01-21-11-24-44.png?alt=media)

* Now we need to sign the rebuilt APK, otherwise Android refuses to install it (and Android Studio cannot debug it). We can use the command from [this thread](https://stackoverflow.com/questions/3997748/how-can-i-create-a-keystore) on Stack Overflow to generate the keystore (it asks for a password; you will need it to sign the apk)
  * `keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000`
  * So for me `keytool -genkey -v -keystore my-release-key.keystore -alias apkrypt -keyalg RSA -keysize 2048 -validity 10000`
* Now that we have the key we can sign the apk with jarsigner, see [this thread](https://stackoverflow.com/questions/21457538/how-to-use-jarsigner-for-signing-an-apk) on Stack Overflow for a command: `jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name`
  * In my case `jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore APKrypt.apk apkrypt` (run against the rebuilt file from `dist/`, not the original)
  * jarsigner only produces a v1 (JAR) signature, which the API 29 emulator accepts; Android 11 requires a v2 signature for apps targeting API 30+, so `apksigner` from the Android build-tools (run after `zipalign`) is the more robust choice
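The decode, patch, rebuild and sign steps above as one script, added here as an example and not part of the original write-up. It assumes `apktool`, `zipalign`, `apksigner`, `keytool` and `adb` are on PATH, uses `apksigner` (v1+v2 signatures) in place of `jarsigner`, and the keystore password `apkrypt123` is a made-up value for the example; the `patch_smali` helper refuses to run unless the target line occurs exactly once, so a second, unrelated `if-eqz` is never inverted by accident.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): decode APKrypt.apk, invert
# the hash-check branch in the smali, rebuild, align, sign with apksigner and
# verify. Requires apktool, zipalign, apksigner, keytool and adb on PATH.
set -eu

# Flip the single `if-eqz p1, :cond_0` in a smali file to `if-nez`.
# Exits non-zero unless exactly one matching line exists.
patch_smali() {
    file=$1
    count=$(grep -c 'if-eqz p1, :cond_0' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one match in $file, found $count" >&2
        return 1
    fi
    sed -i 's/if-eqz p1, :cond_0/if-nez p1, :cond_0/' "$file"
}

# Create the signing keystore once, non-interactively (demo password).
make_keystore() {
    if [ ! -f my-release-key.keystore ]; then
        keytool -genkey -v -keystore my-release-key.keystore -alias apkrypt \
            -keyalg RSA -keysize 2048 -validity 10000 \
            -storepass apkrypt123 -keypass apkrypt123 \
            -dname "CN=apkrypt, OU=lab, O=lab, L=lab, ST=lab, C=US"
    fi
}

# repack <original.apk> <output.apk>
repack() {
    apk=$1
    out=$2
    apktool d -f -o APKrypt "$apk"
    patch_smali 'APKrypt/smali/com/example/apkrypt/MainActivity$1.smali'
    apktool b APKrypt -o unsigned.apk
    # zipalign must run before apksigner: a v2 signature covers the whole file.
    zipalign -f 4 unsigned.apk aligned.apk
    make_keystore
    apksigner sign --ks my-release-key.keystore --ks-key-alias apkrypt \
        --ks-pass pass:apkrypt123 --key-pass pass:apkrypt123 \
        --out "$out" aligned.apk
    # Confirms the signature scheme(s) the installer will see.
    apksigner verify --verbose "$out"
    rm -f unsigned.apk aligned.apk
}

# Only run the pipeline when given an APK, so the helpers can also be sourced.
if [ "${1:-}" ]; then
    repack "$1" APKrypt.patched.apk
    adb install -r APKrypt.patched.apk
fi
```

Run it as `./repack.sh ../APKrypt.apk`; once installed with `adb install`, the patched app can be started on the emulator directly, Android Studio's debugger is not required to reach the success screen.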

![jar signed](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-9aa84d69324e2ee81bf93e73d14ea61c4fce25db%2F2023-01-21-11-43-14.png?alt=media)

* Let's open our new file with Android Studio to debug it (installing it with `adb install` also works)
* In Android Studio we go to `File > Profile or Debug APK`

![android studio](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-5d2888b94c53eeda6a4b6666304f77aace7576f5%2F2023-01-21-11-30-21.png?alt=media)

* With the inverted condition it works: even when what we type does not hash to the stored value, the app shows the code

![code](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-cd7fa0f58d98decfb0717c3b6ce689204c9cfa73%2F2023-01-21-11-57-18.png?alt=media)

* This is also our flag `HTB{3nj0y_y0ur_v1p_subscr1pt1on}`

## Challenge - SeeTheSharpFlag

![SeeTheSharpFlag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e51c678990fdd65a3584ebb894c0ef50e5170481%2F2023-01-21-12-03-08.png?alt=media)

### Writeup will be public as soon as this challenge is retired

## Box - Explore

* See my writeup [here](https://csbygb.gitbook.io/pentips/writeups/htbwriteups/htb-explore)

## Challenge - SAW

![SAW](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e337a83acebcb5490baddea67c72632f319ef5a0%2F2023-01-28-12-18-04.png?alt=media)

### Writeup will be public as soon as this challenge is retired

## Challenge - Don't Overreact

![dont overreact](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-bbdfe3e01234bdb74a549aba2113f97ae343ca62%2F2023-02-04-09-19-00.png?alt=media)

### Writeup will be public as soon as this challenge is retired

## Challenge - APKey

![APKey](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-26924bf97ff1692630ced0e9eff9bab6c0c9ccbb%2F2023-02-04-09-19-44.png?alt=media)

### Writeup will be public as soon as this challenge is retired

## Full track achieved

* And we finished the track!

![Track finished](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-28f62401e10ccf34a0e44aa9c4cc89d781d32d94%2F2023-02-04-14-12-29.png?alt=media)
