RaziCTF2020

Author: MrT3acher

Diff for: README.md

@@ -9,9 +9,15 @@ Here we upload:
 - Helpful tools and sitess
 
 
-##### Design by our CTF Team, [0xDED5EC](https://ctftime.org/team/50270).
+##### Design by our CTF Team, [TernaryBits](https://ctftime.org/team/50270).
 
 ## List of challenges
+### Android
+
+ - [razictf2020-chasing-a-lock](./android/razictf2020-chasing-a-lock/)
+ - [razictf2020-ctf-coin](./android/razictf2020-ctf-coin/)
+ - [razictf2020-friends](./android/razictf2020-friends/)
+
 ### Cryptograpy:
 
  - [Tamuctf-crypto3: :)](./cryptography/tamuctf_\:\)/tamuctf-crypto3.md)
@@ -32,4 +38,4 @@ Here we upload:
 ### Web:
 
  - [UTCTF-web1: epic admin pwn](./web/epic-admin-pwn/WRITEUP.md)
- - [UTCTF-web3: Shrek Fans Only](./web/shrek-fans-only/WRITEUP.md)
+ - [UTCTF-web3: Shrek Fans Only](./web/shrek-fans-only/WRITEUP.md)

Diff for: android/razictf2020-chasing-a-lock/README.md

@@ -0,0 +1,12 @@
+# Challenge: Chasing a Lock
+score: 858
+difficulty: easy
+
+## Description
+[app-release.apk](./app-release.apk)
+
+as locks are so popular many will chase them but why? maybe a flag :)
+
+### Write-up
+[link](./WRITEUP.md)
+

Diff for: android/razictf2020-chasing-a-lock/WRITEUP.md

@@ -0,0 +1,120 @@
+# Write-up: Chasing a Lock
+![badge](https://img.shields.io/badge/Post%20CTF-Writeup-success)
+
+## Description
+
+### My Story
+First I executed the app and this is it:
+
+![chasing a lock](./challenge.png)
+
+Each time you touch the lock, the counter at the bottom of the page will decrease by one; while the lock changes its position randomly every second.
+
+me: "So I should make the counter zero!" :D
+
+I got the point and opened JADX and found the source code without any obfuscation. This is the source code of MainActivity:
+```
+package com.example.razictf_2;
+
+import android.os.Bundle;
+import android.util.DisplayMetrics;
+import android.view.View;
+import android.view.View.OnClickListener;
+import android.widget.ImageButton;
+import android.widget.TextView;
+import androidx.appcompat.app.AppCompatActivity;
+import java.util.Random;
+import java.util.Timer;
+import java.util.TimerTask;
+
+public class MainActivity extends AppCompatActivity {
+    public void onCreate(Bundle bundle) {
+        super.onCreate(bundle);
+        setContentView((int) R.layout.activity_main);
+        final ImageButton imageButton = (ImageButton) findViewById(R.id.my_button);
+        final DisplayMetrics displayMetrics = new DisplayMetrics();
+        getWindowManager().getDefaultDisplay().getMetrics(displayMetrics);
+        new Timer().schedule(new TimerTask() {
+            public void run() {
+                MainActivity.this.runOnUiThread(new Runnable() {
+                    public void run() {
+                        Random random = new Random();
+                        float nextFloat = random.nextFloat() * ((float) displayMetrics.widthPixels);
+                        float nextFloat2 = random.nextFloat() * ((float) displayMetrics.heightPixels);
+                        new Timer();
+                        imageButton.animate().x(nextFloat).y(nextFloat2).setDuration(0).start();
+                    }
+                });
+            }
+        }, 0, 1000);
+        imageButton.setOnClickListener(new OnClickListener() {
+            public void onClick(View view) {
+                TextView textView = (TextView) MainActivity.this.findViewById(R.id.Num);
+                int parseInt = Integer.parseInt(textView.getText().toString());
+                if (parseInt == 0 || parseInt < 0) {
+                    textView.setText("0");
+                    return;
+                }
+                int i = parseInt - 1;
+                String run = new switcher().run(i);
+                if (run != null) {
+                    ((TextView) MainActivity.this.findViewById(R.id.Flag)).setText(run);
+                }
+                textView.setText(String.valueOf(i));
+            }
+        });
+    }
+}
+```
+
+And this is the interesting point:
+```
+String run = new switcher().run(i);
+```
+
+It seems the magic part is inside the `switcher` class. This is the source code:
+```
+package com.example.razictf_2;
+
+public class switcher {
+    public String run(int i) {
+        if (i != 0) {
+            return null;
+        }
+        a1 a1Var = new a1();
+        StringBuilder sb = new StringBuilder();
+        sb.append(" ");
+        sb.append(a1Var.run(i));
+        String sb2 = sb.toString();
+        a2 a2Var = new a2();
+        System.out.println(a2Var.run(i));
+        StringBuilder sb3 = new StringBuilder();
+        sb3.append(sb2);
+        sb3.append(a2Var.run(i));
+        String sb4 = sb3.toString();
+        a3 a3Var = new a3();
+        StringBuilder sb5 = new StringBuilder();
+        sb5.append(sb4);
+        sb5.append(a3Var.run(i));
+        String sb6 = sb5.toString();
+        a4 a4Var = new a4();
+        StringBuilder sb7 = new StringBuilder();
+        sb7.append(sb6);
+        sb7.append(a4Var.run(i));
+        String sb8 = sb7.toString();
+        a5 a5Var = new a5();
+        StringBuilder sb9 = new StringBuilder();
+        sb9.append(sb8);
+        sb9.append(a5Var.run(i));
+        return sb9.toString();
+    }
+}
+```
+
+### Exploit Time
+So the only thing I need to do is hooking the `run` method and rewrite the value of `i` argument to zero. It's really easy using Frida.
+I wrote [loader.py](./loader.py) and [script.js](./script.js).
+
+### Flag
+And this is the result:
+![flag](./flag.png)

Diff for: android/razictf2020-chasing-a-lock/app-release.apk

@@ -0,0 +1,14 @@
+import time
+import frida
+
+device = frida.get_usb_device()
+pid = device.spawn(["com.example.razictf_2"])
+device.resume(pid)
+time.sleep(1)  # Without it Java.perform silently fails
+session = device.attach(pid)
+with open("script.js") as f:
+    script = session.create_script(f.read())
+script.load()
+
+# prevent the python script from terminating
+input()

Diff for: android/razictf2020-chasing-a-lock/challenge.png

@@ -0,0 +1,15 @@
+console.log("Script loaded successfully ");
+Java.perform(function x() { //Silently fails without the sleep from the python code
+	console.log("Inside java perform function");
+	//get a wrapper for our class
+	var my_class1 = Java.use("com.example.razictf_2.switcher"); // freind page
+	//replace the original implmenetation of the function `fun` with our custom function
+	my_class1.run.implementation = function (i) {
+		//print the original arguments
+		console.log(": run(" + i + ")");
+		//call the original implementation of `fun` with args (2,5)
+		i = 0;
+		var ret_value = this.run(i);
+		return ret_value;
+	}
+});

Diff for: android/razictf2020-chasing-a-lock/flag.png

@@ -0,0 +1,11 @@
+# Challenge: Chasing a Lock
+difficulty: easy
+
+## Description
+[ctf-coin.apk](./ctf-coin.apk)
+
+Make your CTF Coins Unlimited (more than 1000000000000000)
+
+### Write-up
+[link](./WRITEUP.md)
+

Diff for: android/razictf2020-chasing-a-lock/loader.py

@@ -0,0 +1,34 @@
+# Write-up: CTF Coin
+![badge](https://img.shields.io/badge/Post%20CTF-Writeup-success)
+
+## Description
+There are some images in this directory of the app In-App Purchase (IAP) and ...
+
+### My Story
+First I thought it should be a problem of app itself! so I dived deep inside the app. I used static analysis to understand what it is doing. but it was somehow confusing and complicated. so I tried another way; dynamic analysis. I started Burp and trying to monitor the traffic.
+
+but there was a problem! This error was occurring repeatedly and I couldn't do the purchase while system proxy setting was set to my Burp IP! I had set the cert; so I didn't know the cause of the problem!
+```
+BurpSuite Error: failed to negotiate an SSL connection
+```
+I saw a new phrase I didn't know what is it; `SSL Pinning`. But I remembered a script from [codeshare.frida.re](https://codeshare.frida.re) named `Universal Android SSL Pinning Bypass with Frida`. So this is the solution to bypass this #&%^#@!
+
+![SSL Pinning Bypassed](./7.png)
+
+It took a lot of time to analyze statically and finding out the solution of `SSL Pinning` problem. But I learned a lot! :P
+
+After bypassing SSL Pinning it was so easy to capture the traffic to the back-end server.
+
+![SSL Pinning Bypassed](./6.png)
+
+### Exploit Time
+Then I sent another value as `coins` parameter:
+
+![SSL Pinning Bypassed](./5.png)
+
+### Flag
+And this is the flag:
+
+```
+RaziCTF{ZmRzdnNkRlNEcWUzQFFxZURXRUZEU1ZGU0RTNTVkc2Y1ZmV2c0RGcnEzNSRSI3J3ZnNlZnJ3IyQjJSNA}
+```

Diff for: android/razictf2020-chasing-a-lock/script.js

@@ -0,0 +1,11 @@
+# Challenge: Friends
+difficulty: easy
+
+## Description
+[friends.apk](./friends.apk)
+
+The flag is created by putting it together
+
+### Write-up
+[link](./WRITEUP.md)
+

Diff for: android/razictf2020-ctf-coin/1.png

@@ -0,0 +1,36 @@
+# Write-up: Friends
+![badge](https://img.shields.io/badge/Post%20CTF-Writeup-success)
+
+## Description
+
+### My Story
+I just started Burp and analyzed the traffic! this is the result:
+
+![network traffic](./1.png)
+
+There are some data that server respond, but the app doesn't show them; phone numbers.
+
+I didn't know what should I do with these phone numbers to get the flag. This is the captured server response:
+```
+HTTP/1.1 200 OK
+Server: nginx/1.18.0 (Ubuntu)
+Content-Type: application/json
+Cache-Control: no-cache, private
+Date: Mon, 26 Oct 2020 16:17:47 GMT
+X-RateLimit-Limit: 60
+X-RateLimit-Remaining: 57
+Access-Control-Allow-Origin: *
+Connection: close
+Content-Length: 1388
+
+[{"id":1,"name":"Bugs Bunny","avatar":"bugs_bunny.jpg","email":"[email protected]","address":"4617  Goodwin Avenue","gender":"male","age":"22","phone":"36213893021"},{"id":2,"name":"Mickey Mouse","avatar":"mickey_mouse.jpg","email":"[email protected]","address":"3844  Stiles Street","gender":"male","age":"28","phone":"12369532255"},{"id":4,"name":"Bart Simpson","avatar":"bart_simpson.jpg","email":"[email protected]","address":"2418  Loving Acres Road","gender":"male","age":"35","phone":"55634559910"},{"id":3,"name":"Popeye","avatar":"popeye.jpg","email":"[email protected]","address":"New Jersey popeye Street","gender":"male","age":"43","phone":"22361255893"},{"id":5,"name":"Patrick Star","avatar":"patrick_star.jpg","email":"[email protected]","address":"Richmond 2136  Queens Lane","gender":"male","age":"18","phone":"41223365236"},{"id":6,"name":"Homer Simpson","avatar":"homer_simpson.jpg","email":"[email protected]","address":"Timber Oak Drive","gender":"male","age":"47","phone":"99632531930"},{"id":7,"name":"Olive Oyl","avatar":"olive_oyl.jpg","email":"[email protected]","address":"Ocala Rhapsody Street","gender":"female","age":"52","phone":"89633366552"},{"id":8,"name":"Sylvester","avatar":"sylvester.jpg","email":"[email protected]","address":"Tigard 2285  Kincheloe Road","gender":"male","age":"31","phone":"77632351752"}]
+```
+
+### Exploit Time
+...
+
+### Flag
+It's ridiculous. just putting the numbers together:
+```
+RaziCTF{3621389302112369532255556345599102236125589341223365236996325319308963336655277632351752}
+```