intentional exercise

Author: testert1ng

README.md

@@ -22,7 +22,7 @@
 | Moderate (5 / flag) | [TempImage][4]                                    | Web         | 2 / 2      |
 | Easy (2 / flag)     | [H1 Thermostat][11]                               | Android     | 2 / 2      |
 | Expert (13 / flag)  | [Model E1337 v2 - Hardened Rolling Code Lock][14] | Math        | 0 / 1      |
-| Moderate (3 / flag) | [Intentional Exercise][15]                        | Android     | 0 / 1      |
+| Moderate (3 / flag) | [Intentional Exercise][15]                        | Android     | 1 / 1      |
 | Moderate (4 / flag) | [Hello World!][16]                                | Native      | 0 / 1      |
 | Expert (9 / flag)   | [Rend Asunder][17]                                | Native      | 0 / 3      |
 

intentional_exercise/README.md

@@ -0,0 +1,7 @@
+# Intentional Exercise
+
+## [Flag0](./flag0) -- Found
+
+- Check the manifest
+- Is the link really broken?
+- Launching from another app might help

intentional_exercise/flag0/MainActivity.java

@@ -0,0 +1,54 @@
+package com.hacker101.level13;
+
+import android.net.Uri;
+import android.os.Bundle;
+import android.support.v7.app.AppCompatActivity;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class MainActivity extends AppCompatActivity {
+  protected void onCreate(Bundle paramBundle) {
+    super.onCreate(paramBundle);
+    setContentView(2131296284);
+    WebView webView = (WebView)findViewById(2131165328);
+    webView.setWebViewClient(new WebViewClient());
+    Uri uri = getIntent().getData();
+    str1 = "http://127.0.0.1/xxxxxxxxxx/appRoot";
+    String str3 = "";
+    if (uri != null) {
+      str3 = uri.toString().substring(28);
+      StringBuilder stringBuilder = new StringBuilder();
+      stringBuilder.append("http://127.0.0.1/xxxxxxxxxx/appRoot");
+      stringBuilder.append(str3);
+      str1 = stringBuilder.toString();
+    } 
+    String str2 = str1;
+    if (!str1.contains("?")) {
+      StringBuilder stringBuilder = new StringBuilder();
+      stringBuilder.append(str1);
+      stringBuilder.append("?");
+      str2 = stringBuilder.toString();
+    } 
+    try {
+      MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
+      messageDigest.update("s00p3rs3cr3tk3y".getBytes(StandardCharsets.UTF_8));
+      messageDigest.update(str3.getBytes(StandardCharsets.UTF_8));
+      byte[] arrayOfByte = messageDigest.digest();
+      BigInteger bigInteger = new BigInteger();
+      this(1, arrayOfByte);
+      String str = String.format("%064x", new Object[] { bigInteger });
+      StringBuilder stringBuilder = new StringBuilder();
+      this();
+      stringBuilder.append(str2);
+      stringBuilder.append("&hash=");
+      stringBuilder.append(str);
+      webView.loadUrl(stringBuilder.toString());
+    } catch (NoSuchAlgorithmException str1) {
+      str1.printStackTrace();
+    } 
+  }
+}

intentional_exercise/flag0/README.md

@@ -0,0 +1,121 @@
+# Intentional Exercise - FLAG0
+
+## 0x00 App Home
+
+On app load, a request is sening to server and got an flag link.
+
+![](./imgs/home.jpg)
+
+However, the result shows invalid request
+
+![](./imgs/invalid.jpg)
+
+## 0x01 Mutate Request
+
+It is a practice to modify all the HTTP parameters you can reach.
+
+It seems always send the same link no matter what parameter I send in request.
+
+![](./imgs/request.jpg)
+
+But the second request needs more data.
+
+![](./imgs/flagbearer.jpg)
+
+After adding the parameter **hash**, it shows a diffeerent response.
+
+![](./imgs/invalid_hash.jpg)
+
+## 0x02 Check Source
+
+As we have the **apk** file, we may check inside of it.
+
+### Dex to Jar
+
+Use [dex2jar][1] to convert to **jar**.
+
+```batch
+d2j-dex2jar.bat -f ./level13.apk
+```
+
+So we got **level13-dex2jar.jar** now.
+
+### Decompile
+
+Use [jd-gui][1] to chek inside of the **jar**.
+
+![](./imgs/source.jpg)
+
+## 0x03 Code Review
+
+The full source can be found at [MainActivity.java][3]
+
+```java
+MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
+messageDigest.update("s00p3rs3cr3tk3y".getBytes(StandardCharsets.UTF_8));
+messageDigest.update(str3.getBytes(StandardCharsets.UTF_8));
+byte[] arrayOfByte = messageDigest.digest();
+```
+
+The request hash is generated with the secret key **s00p3rs3cr3tk3y** and the message payload **str3** with **SHA-256**
+
+However, the first request [hash][4] is just the secret key without any payload. 
+
+http://127.0.0.1/xxxxxxxxxx/appRoot?&hash=61f4518d844a9bd27bb971e55a23cd6cf3a9f5ef7f46285461cf6cf135918a1a
+
+```
+SHA-256(s00p3rs3cr3tk3y) = 61f4518d844a9bd27bb971e55a23cd6cf3a9f5ef7f46285461cf6cf135918a1a
+```
+
+## 0x04 Get Hash
+
+There is another piece of code shows the hint.
+
+```java
+Uri uri = getIntent().getData();
+str3 = uri.toString().substring(28);
+```
+
+and
+
+```xml
+<data 
+	android:scheme="http"
+    android:host="level13.hacker101.com" 
+/>
+```
+
+So the payload string after the index of 28 should be
+
+```java
+"http://level13.hacker101.com".substring(28);
+```
+
+| uri                | payload     |
+| ------------------ | ----------- |
+| /appRoot           | null        |
+| /appRoot/flagBeare | /flagBearer |
+
+So we need to encrypt **/flagBearer** with secret key **s00p3rs3cr3tk3y** for this hash.
+
+Try use this online [tool][5].
+
+![](./imgs/encrypt.jpg)
+
+```
+SHA-256(s00p3rs3cr3tk3y/flagBearer) = 8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e
+```
+
+## 0x05 FLAG
+
+Create a new get request with the new generated hash. The server will send back FLAG.
+
+http://127.0.0.1/xxxxxxxxxx/appRoot/flagBearer?&hash=8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e
+
+![](./imgs/flag.jpg)
+
+[1]: https://github.com/pxb1988/dex2jar
+[2]: https://github.com/java-decompiler/jd-gui
+[3]: ./MainActivity.java
+[4]: https://www.cmd5.com/hash.aspx?s=s00p3rs3cr3tk3y
+[4]: https://www.cmd5.com/hash.aspx?s=s00p3rs3cr3tk3y/flagBearer