htb-juno-private

IP: 10.150.150.224
Links:
https://online.pwntilldawn.com/
https://www.wizlynxgroup.com/

Nmap (Enum phase)

PORT   STATE SERVICE
80/tcp open  http

Not much here apart from a web server showing the default Apache page. Time for fuzzing!

Ffuf

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt   -u http://10.150.150.224/FUZZ -mc all -fc 404,403

login.php               [Status: 200, Size: 1213, Words: 400, Lines: 55]
index.html              [Status: 200, Size: 10701, Words: 3427, Lines: 369]
.                       [Status: 200, Size: 10701, Words: 3427, Lines: 369]
const.php               [Status: 200, Size: 0, Words: 1, Lines: 1]

Login page

Going to the login page presents a PIN-protected login; after brute forcing I got nowhere. Then I noticed a .apk file download. Looks like we need to reverse engineer the apk.
(This was not the case, but I left this here for information purposes.)

Decompile and Recompile

apktool -r d app.apk                          # decode without resources (-r) into the app/ directory

d2j-dex2jar ~/scratch/android/JunoClient.apk  # then open the resulting .jar in jd-gui

apktool b app                                 # rebuild the (edited) decoded directory, not the .apk

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name \
  -keyalg RSA -keysize 2048 -validity 10000

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore JunoClient.apk alias_name

jarsigner -verify -verbose -certs JunoClient.apk

# Line 91 of the decoded smali: change this value before rebuilding
  if-eqz v2, :cond_0

MobSF (nice tool)

I failed at the reverse engineering manually and had to seek a nudge. I was told of a piece of software to try next, called MobSF.

MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF

Install instructions:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
sudo apt-get install python3-venv
sudo pip3 install -r requirements.txt
sudo ./setup.sh

To run the tool:

./run.sh 127.0.0.1:9999

Then open http://127.0.0.1:9999 in a browser to get the tool's interface, where you can upload an Android file to be inspected.


Drag and drop the JunoClient.apk file onto the webpage to start the analysis.


Having already tried to do this manually, I had decompiled the apk file and seen parts of the code that I thought would be a good starting point.

Namely the FLAG43 and youknowhat variables (seen in the code base).

Using the search function on the web page I quickly found them both.


(Screenshot cut off on purpose.)

FLAG 43 = c1d93b510b8f78d2b4f3336022618d8c5b04b27e

With the correct pin we can now log in to the webpage.


We are presented with the last 2 flags.

Flag    Value                                      Encoded
Flag44  022642b57e3eaa4daee6dec155b991f8fae58925   No
Flag45  e;;h:6i:ej769gj54<=ie=h9:66<hj=9=4f5g7::   Yes


One is encoded, the other is not. For the encoded one, I worked out that an ASCII shift cipher is being used, so we can decode it.
Then grab the last flag from the box!

https://www.dcode.fr/ascii-shift-cipher


flag45 = a77d62e6af325cf1089ea9d56228df9590b1c366
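As an added example (my own script, not part of the original writeup), the same decode done without the online tool: it brute-forces every ASCII shift against the encoded Flag45 value from the table and keeps the first shift that yields a 40-character lowercase hex string, which is the shape of the other flags on this box. The "flags look like hex digests" check is my assumption; the shift turns out to be 4.

```python
"""Recover an ASCII shift cipher key by brute force (added example, not from the writeup)."""

# Encoded Flag45 value exactly as shown on the Juno login page (taken from the writeup).
ENCODED_FLAG45 = "e;;h:6i:ej769gj54<=ie=h9:66<hj=9=4f5g7::"

HEX_DIGITS = set("0123456789abcdef")


def ascii_shift(text: str, shift: int) -> str:
    """Move every character `shift` positions down the ASCII table.

    A plain shift of the character code with no wrap-around; a negative
    shift re-encodes a plaintext.
    """
    return "".join(chr(ord(c) - shift) for c in text)


def looks_like_hex_digest(candidate: str) -> bool:
    """Assumption: flags on this box are 40-char lowercase hex, like Flag43 and Flag44."""
    return len(candidate) == 40 and all(c in HEX_DIGITS for c in candidate)


def recover_shift(encoded: str):
    """Try every shift that keeps the output inside the ASCII range.

    Returns (shift, plaintext) for the first candidate shaped like a hex digest,
    or None if no shift produces one.
    """
    lowest_code = min(ord(c) for c in encoded)
    for shift in range(1, lowest_code):  # chr() needs a non-negative code point
        candidate = ascii_shift(encoded, shift)
        if looks_like_hex_digest(candidate):
            return shift, candidate
    return None


if __name__ == "__main__":
    result = recover_shift(ENCODED_FLAG45)
    if result is None:
        print("no shift produced a hex digest")
    else:
        shift, flag = result
        print(f"shift={shift} flag45={flag}")
```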

Greetings puckiestyle
