Looking at MainActivity, we can see that there is a read process for file "vault.env" on cache directory. After that there is a call to function c with editTextOTP as argument. editTextOTP is input field which is OTP on main screen when we open the APK.
Looking at onclick listener on c class. We can see that it will decrypt vault.enc if the third argument is 2 (default switch case). To decrypt the file, we know all the needed data which are
Algorithm -> AES ECB
Key -> processed from input (OTP)
OTP + reverse(OTP) + OTP + reverse(OTP)
e.g OTP = 1234
key == 1234432112344321
Encrypted data -> dump from cache dir
Cache dir is located in /data/data/your.application.package/cache based on this reference. Our target application has package name com.tarek.myvault, so below is our final command to dump the file.
Those branch will create toast "Bad env" if condition like below
So we need to get brave value as False and getRadioVersion == null as True to pass the bad env check. In this case we can use frida to manipulate return value of each function. To make the debugging process easier, we can change string value showed on toast by patching the smali. Decompile the APK first
apktool d brave.apk
Change string value for each "Bad env"
During the recompilation process, we will facing issue like image below
To fix this issue, we can replace all @android value in colors.xml with @*android based on this reference. After that just recompile and it will be successful.
Sign the APK using uber-apk-signer using command below and then install the signed version (brave-aligned-debugSigned.apk).
When i tried to hook the function using my script, it didn't show "Bad env 1" or "Bad env 2".
functionchangesValue() {Java.perform(function() { var class_name =Java.use("android.os.Build")class_name.getRadioVersion.implementation=function(){console.log("getRadioVersion called")returnnull } })}setImmediate(changesValue);
From image above, we can conclude that there is another "checking", searching in decompiled directory from apktool we found there is "Bad Env" string on library.
Since my emulator use aarch64, i will patch library on arm64-v8a directory. In this case we can use decompiler like ghidra or ida to decompile then patch the function.
Check the call reference, we will get into Java_com_tarek_brave_MainActivity_brave function.
We can see that there is checking of rooted device and frida. To bypass this i implemented patching like below
isDeviceRooted
My emulator has access to /system/xbin/su and there is possibility that it has access to another related root binary. To bypass this, the easy way is just make the comparation invalid, for example changing from CMP W0, #0 to CMP W0, #4
1F 10 00 71 E0 17 9F 1A FD 7B C1 A8 C0 03 5F D6
Frida check
It only check string frida, to bypass this we just need to change "frida" to any random string that doesn't exist for example "fridb"
Recompile the APK and run the frida again, we will get valid text which is "are you brave?". In this case we don't need to bypass the brave return, since it failed to detect rooted device and frida after we patch the library.
From the MainActivity, there is some process of string initialization. To check that our flow is correct, we can try to dump the string builder process
As we can see, that there is /Flag access through firebase and from the string builder we can also get the firebase endpoint.
Author said that it is intended that /Flag is permission denied, since we are on the correct flow so basically the APK step has been done. Next step is doing exploitation on firebase. Searching firebase endpoint on decompiled directory, we found below information
Actually, in this case all of the data required to access firebase database written on strings.xml. By using those data, i tried to access the firebase database.
To get the flag, using those data we just need to signin anonymously based on this reference.
Flag : 0xL4ugh{Ohhh!_F3n_t3s_t1c!}
Tracer (500 pts)
Description
Believe me, just think out of the box XxXDdd
Solution
ipa file basically like apk, we can rename it to .zip then unzip it.
Because 2 challenges before are related to firebase, in this challenge i tried to search firebase string just to make sure that maybe this challenge related to firebase also.
From image above, we can see that there is firebase string inside tracer file which is the main binary of the application. On the same directory, there is GoogleService-Info.plist file and when i tried to search about it i found that the file is related to firebase account. Opening the plist file using xcode i got below information
We know that storage bucket URL moslty also project id. So the next step is trying to access firebase project through URL. One of the well known firebase vulnerability is publicly access .json endpoint, so trying that endpoint we got the flag