SANS HHC 2016 - Part 2: Awesome Package Konveyance
SANS Holiday Hack Challenge 2016
Part 2: Awesome Package Konveyance
Bushy Evergreen talking about APKTool
3) What username and password are embedded in the APK file?
My new friend Bushy Evergreen told me about this tool called APKTOOL and pointed me to a nice video by none other than Joshua Wright himself about working with APK files and making changes in the smali code.
I moved all my APK work to Kali Linux because… well… that's where the good stuff is :)
root@igor-kali:~/hhack2016# apktool d SantaGram_4.2.apk
I: Using Apktool 2.2.0-dirty on SantaGram_4.2.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
OK, now we have decoded values in the XML files, let's do that search again:
root@igor-kali:~/hhack2016/SantaGram_4.2# grep -r password *
...
...
smali/com/northpolewonderland/santagram/b.smali:    const-string v1, "password"
smali/com/northpolewonderland/santagram/SplashScreen.smali:    const-string v1, "password"
It doesn't show me any string that could be a password, but it's showing me smali code with variables with the string "password" next to them. This means that the password might be hardcoded in the smali files and not in some XML configuration file.
root@igor-kali:~/hhack2016/SantaGram_4.2# grep -r password -A 3 -B 6 smali/com/northpolewonderland/santagram/SplashScreen.smali
    const-string v1, "username"
    const-string v2, "guest"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "password"
    const-string v2, "busyreindeer78"
Done!
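The grep above relies on reading the surrounding lines by eye. As an added example (not part of the original write-up), the same `const-string` / `JSONObject.put` pattern can be checked automatically when auditing your own app's decoded smali for hardcoded credentials. The key-name list, the method name `sendStats` and the sample text are constructed for illustration.

```python
import re

# Credential-like key names: an assumption for this example, extend as needed.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|user(name)?", re.I)
CONST = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
INVOKE = re.compile(r'^\s*invoke-[\w/]+\s*\{([^}]*)\},\s*(\S+)')
OTHER = re.compile(r'^\s*[a-z][\w/-]*\s+([vp]\d+)\b')
PUT = "Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)"

def find_hardcoded_pairs(smali_text):
    """Return (line_no, key, value) for each JSONObject.put(key, value) whose key
    looks credential-like and whose value is a string literal in the same method."""
    regs, findings = {}, []
    for no, line in enumerate(smali_text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            regs = {}                               # registers are scoped per method
        elif (m := CONST.match(line)):
            regs[m.group(1)] = m.group(2)           # register now holds a literal
        elif (m := INVOKE.match(line)):
            args = [a.strip() for a in m.group(1).split(",")]
            if m.group(2).startswith(PUT) and len(args) == 3:
                key, value = regs.get(args[1]), regs.get(args[2])
                if key and value is not None and SENSITIVE.search(key):
                    findings.append((no, key, value))
        elif (m := OTHER.match(line)):
            regs.pop(m.group(1), None)              # conservatively forget overwritten register
    return findings

# Constructed sample modelled on the grep output above (not the full SplashScreen.smali).
SAMPLE = r'''
.method private sendStats()V
    new-instance v0, Lorg/json/JSONObject;
    invoke-direct {v0}, Lorg/json/JSONObject;-><init>()V
    const-string v1, "username"
    const-string v2, "guest"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "password"
    const-string v2, "busyreindeer78"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "token"
    invoke-virtual {p0}, Ljava/lang/Object;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.end method
'''

if __name__ == "__main__":
    for no, key, value in find_hardcoded_pairs(SAMPLE):
        print(f"line {no}: {key} = {value!r}")
```

The third `put` in the sample is not reported because `v2` is overwritten by `move-result-object` before the call, so its value is not a literal.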
4) What is the name of the audible component (audio file) in the SantaGram APK file?
Well, since we have the APK decompressed and decompiled, let's look for known audio file extensions:
root@igor-kali:~/hhack2016/SantaGram_4.2# find . | egrep 'mp3|wav|flac|ogg'
./res/raw/discombobulatedaudio1.mp3
Done! That was easy :)
