- CTF Name: H1 Thermostat
- Resource: Hacker101 CTF
- Difficulty: Easy
- Number of Flags: 2
Note::: NO, I won't be posting my found FLAGS, but I will be posting the methods I used.
Flag1
- Hint:
- Doesn't the MAC seem interesting?
- Access to the source code would help
- Check out the Android Quickstart video from Hacker101
- Acquired By:
- Oops! I did this one first by accident sooo here it is.
-This flag took a bit as I first had to install an Android Emulator. I chose to use the Android Studio and it was straightforward to install but not so straightforward to use.
-Then it was time to look at the files in the apk through the Android Emulator. I didn't see a way to make this apk run as there was no active "run" button, they were all greyed out. So, now it's time to just look through the files and see if anything is interesting there. As I have not used this/any android emulator before this took a minute to see what my options were and what would populate what. Eventually I found an interesting file called "PayloadRequest".
-Once I looked at the files I realized that it wasn't straightforward to see what was in each file. 
On right-clicking there was an option to "show the bytecode" and this looked like interesting information but this means that I need to look at each file... Not fun but being that this is a CTF I took the chance to just look at them.
-To my luck there was a flag in the first file. 
- Learned/Thoughts: I learned a bit about Android APKs and that they can hold key information in them that might be want to be kept private. As to what security issue that might be from this... maybe this is an information disclosure issue? This could be an issue if an API key or password is stored in plain text in the apk assuming that users won't have access to it. But, with a simple program it is right there.
Flag0
- Hint:
- Communication is key
- Have you looked at what the app is sending to the server?
- Acquired By:
-I first wanted to see if the key would be in some of the network communications of the downloaded apk file, but there was nothing that I saw that was a flag with Burp or ZAP.
-From here I looked at the Network tab of the browser and saw that on download there was a Response Header that was not snowing up in Burp. 
-Now it's time to try and decode this Payload. However, Burp didn't like the side of the payload annnnnnd froze.. 
-Plan B. Because I already have the apk file and the emulator installed I wanted to see what the app would be/doing. As I didn't need to do that for the other flag this means that I need to get the apk file working. This involved deleting it a few times, downloading it again, and instead of simply opening the apk I needed to "profile or debug" and from here I was able to pick a device, edit the configuration, and run it.
-Oops... No JDK.. Time to install one I guess? 
This involved going into my Tools tab, selecting the Android SDK option, going into the SDK Tools tab next to the SDK Platforms tab in the upper middle of the page, and checking off the Android SDK Build-Tools 30-rc1 and letting it run.
-Now that that is done I still needed to specify a JDK.. This involves a lot of setup that honestly didn't work for me. Onto Plan C.
-Plan C. This was a process of breaking apart the apk with Java Decompiler 
.
-Once that was broken apart I opened it with Android Studio and was able to look at the "classes.dex" file. Once I was in it I was able to search for a "^flag" which produced me 2 flags. Once that I had found from the previous flag and one for this one.
- Learned/Thoughts: This is another flag that I am not super sure what was learned except that I am able to look at the apk files. I feel like this was not the intended way to solve this flag but it worked...
Learned
These CTFs got me to look at Android Studio and apk files. It took me a few days of messing with my computer and programs on it to get this to work so it was more annoying that I feel like I really learned something valuable.
Happy Hacking
Top comments (4)
Hello DaNeil,
That is an interesting first try. Indeed installing everything is boring.
Why didn't you use a VM with Kali Linux. you have everything on it to perform these CTFs.
My very first articles on dev.to were related on offensive security on Android applications. Perfect for this kind of CTFs.
Have a look at them, if that is a some interest to you. ;-)
Article No Longer Available
There are 4 articles about offensive security on Android. If you want some hints or if you have some question, feel free to reach me. I'll help if I can. :-)
It really just depends on what computer I am on as my laptop doesn't have Kali on, but I have a VM of it on my desktop computer.
Also, people rely on Kali a lot and don't always understand the tools they are using and why and I like to talk about the issues that might come up if someone doesn't have the tools or maybe runs into issues, like I have, using them. I've found reading through a few CTF writeups that I struggle to follow because it can be difficult to know exactly what part of BurpSuite they are using or what script they ran with Hydra or why its not working on my system so it's a good practice to struggle and really learn more to me.
Super curious about your write up on Android applications. I've only looked at it once and it was not a fun experience... Need to learn more about it all.
That is really very interesting to me as I want to produce more content about all of this.
Indeed, we assume that everyone has the tools but it can be difficult to make it work.
Kali is very useful because all the relevant/most used tools are already installed. So you don't have to struggle to install them.
Nevertheless, I agree that it is a very good practice to do the CTF using the least amount of tools you can so that you understand the core of it. And then, you can use tools to either automate it or accelerate it.
I hope you'll learn about Android with my writings. I'll try to post some videos about it in the (near) future. 😄
Nice writeup.
Personally I prefer JADX if I want to peek into Source.
Also Maddie Stone's Android RE workshop is a nice place to start , if you are interested in Android.