Where's my APK? - 1337UP LIVE 2024 CTF
Author: 0xM4hm0ud (@0xM4hm0ud)
CTF: 1337UP LIVE 2024 (CTFtime)
Challenge author: et3rnos
Category: mobile
Solves: 4
Difficulty: Easy
Can you achieve a leet download speed?
Note 1: Flag is not in the usual format.
Note 2: Only non password protected files can be opened with the app.
A first look into the challenge
When we check the handout, we can see that we have an AAB file.
AAB stands for Android App Bundle. You can read more about this here.
We can use Google bundletool to convert aab to an apk.
Before converting, I will create a signed keystore using this command
keytool -genkey -noprompt -dname 'CN=, OU=, O=, L=, S=, C=' -keystore apk.keystore -alias 'apk' -keyalg RSA -storepass 'password' -keypass 'password'
Now, we can use bundletool to create an APK from the bundle. We use the --mode=universal flag to generate a single APK.
java -jar bundletool-all-1.17.2.jar build-apks --bundle=app-release.aab --output=output.apks --mode=universal --ks=apk.keystore --ks-key-alias=apk --ks-pass=pass:password --key-pass=pass:password
Let's open this apk inside jadx-gui.
We can see that Flutter is used to build this app, so let’s reverse it. Before I start the reversing process, I will open the app to see what I can find.
Exploring the app
Let's install the app using ADB (Android Debug Bridge).
Inside my emulator, I will open the app. We can see the following screen.
We don’t see anything special on this screen. However, it does mention intercepting cybersharing links. Let's investigate further to understand how this feature works.
Intercepting traffic
To intercept the traffic, I will use httptoolkit. It’s a user-friendly and effective tool. After installing it, run the tool and connect your machine to your phone or emulator using ADB.
Click on Android Device via ADB inside httptoolkit.
This will automatically install the necessary certificates and the httptoolkit app on your phone or emulator.
Inside the emulator, you will need to trust the source by accepting the certificate installation. This ensures that the tool can intercept and inspect the traffic from the app.
After that, the app will connect to your HTTP Toolkit, allowing it to intercept and display the traffic between the app and the server.
Let's upload a dummy file and copy the link. Now, when visiting the link, it will prompt us to open it in either the browser or the app. Let's click on the app option.
It will open the link inside the app.
We can see a request to an API endpoint, which returns information about the file.
There is nothing else happening. It seems the app intercepts the link and opens it inside the app. Now, let’s proceed with reversing the app.
Reverse the app
To reverse the Flutter app, I will use blutter. First, we use apktool to decompile the APK and extract its resources. After that, we can use Blutter to further analyze and reverse the app's code.
After blutter is finished, we can find the decompiled Dart assembly inside the output directory.
In the description, it mentions leet, so we can try searching for keywords like flag, leet, 1337, or anything related to download speed. We can also examine the assembly code starting from the main function to gather more clues.
Inside files.dart we can find the value 13371337:
I also see two unusual strings, and I notice the value 13371337 appears three times. Based on this, we need to set the download speed to 13371337. The app makes a request to the API, and the response returns the download speed, as we observed earlier.
Get the flag
Inside httptoolkit we can define a rule.
I set up a rule to intercept POST requests from the host cybersharing.net. This will pause the request, allowing me to manually edit it. All matching traffic will breakpoint when a response is received from the upstream server, so I can modify the download speed or any other parameters before the response is processed by the app.
After visiting the link, the app hangs while the request is paused at the breakpoint.
Now, inside HTTP Toolkit, I can modify the request as needed and then forward it. This allows me to adjust parameters, such as the download speed, before sending it to the app.
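To make the breakpoint step repeatable, here is an added example (not from the write-up and not HTTP Toolkit's own code) of a mitmproxy addon that applies the same filter as the rule above and rewrites the download-speed field in the API response before the app processes it. The JSON field name downloadSpeed is an assumption; the host cybersharing.net and the value 13371337 come from the write-up.

```python
import json

TARGET_HOST = "cybersharing.net"  # host named in the HTTP Toolkit rule above
FIELD = "downloadSpeed"           # ASSUMED field name; check the captured response
LEET_SPEED = 13371337             # constant found in files.dart


def _set_field(node, field, value):
    """Recursively set every key named `field` to `value`; return how many changed."""
    changed = 0
    if isinstance(node, dict):
        for key, child in node.items():
            if key == field and not isinstance(child, (dict, list)):
                node[key] = value
                changed += 1
            else:
                changed += _set_field(child, field, value)
    elif isinstance(node, list):
        for child in node:
            changed += _set_field(child, field, value)
    return changed


def rewrite_speed(body: bytes, field: str = FIELD, speed: int = LEET_SPEED):
    """Return (new_body, changed). Non-JSON bodies come back untouched with 0."""
    try:
        data = json.loads(body)
    except ValueError:  # covers JSONDecodeError; leave non-JSON responses alone
        return body, 0
    changed = _set_field(data, field, speed)
    if changed == 0:
        return body, 0
    return json.dumps(data).encode(), changed


def matches(host: str, method: str) -> bool:
    """Same filter as the HTTP Toolkit rule: POST to cybersharing.net or a subdomain."""
    return method == "POST" and (host == TARGET_HOST or host.endswith("." + TARGET_HOST))


def response(flow):
    """mitmproxy hook (load with: mitmdump -s this_file.py); mirrors the manual edit."""
    if not matches(flow.request.pretty_host, flow.request.method):
        return
    new_body, changed = rewrite_speed(flow.response.content or b"")
    if changed:
        flow.response.content = new_body  # mitmproxy re-applies Content-Encoding/Length


if __name__ == "__main__":
    # Constructed sample response; the real field names may differ.
    sample = b'{"file": {"name": "dummy.txt", "downloadSpeed": 1024}, "ok": true}'
    print(rewrite_speed(sample))
```

The rewrite_speed and matches functions run stand-alone; the response hook only does anything when mitmdump loads the file and the emulator trusts the mitmproxy CA, exactly as it had to trust HTTP Toolkit's.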
After resuming, I can see this screen:
We can see the flag at the top of the screen. Let's submit it on the CTF page.