Certified App

Description

Certified-App

What we got

The download link points to an APK file. An APK (Android Package) is the archive format used to distribute applications for Google's Android operating system.

I used Android Studio (Google's IDE for Android development) to install this APK into an emulator.

Application

Trying to log in gives me the following message: Login Failed!

Solution

To unpack the APK and start reversing I used apktool, which extracts the archive and decompiles the Android bytecode into smali. That is my preferred format for Android reversing: simple, like assembly.

Looking at the decompiled files, we can see LoginActivity, which receives the username and password and has an onClick method for the login button.

In the same package as LoginActivity there is another activity, TestActivity, which is not referenced anywhere in the application and is never launched. Instead of taking a username/password combination, this activity builds a token.

Looking at the code, we can see the following.

It gets the application "signature". As the Android reference says, "This class name is slightly misleading, since it's not actually a signature." The object represents the public certificate with which the application was signed.

It then calls the method a/b/k/o;->a(Application context, 0x7f0c0001, "token", Base64(Sha256("signature")), True);

Method a/b/k/o;->a() opens a TLS connection to the server:

"https://certifiedapp.ctf.bsidestlv.com:8003/authenticate"

It creates a few helper classes to verify the public certificate received from the TLS server.

Then it reads the Android raw resource [0x7f0c0001], a PKCS12 file called qa.p12: <public type="raw" name="qa" id="0x7f0c0001" />

This file is password protected, and the code fetches the password from the string resource [0x7f0d001c], which is <public type="string" name="clientCertPassword" id="0x7f0d001c" /> with the value <string name="clientCertPassword">thecakeisalie</string>. So the password for the PKCS12 file is thecakeisalie.

This PKCS12 file holds a certificate together with its private key (a public/private key pair). Judging by the resource name clientCertPassword, it is the client certificate the app presents to the server, and the same key pair can also be used to sign Android applications.

It seems that this TestActivity login path will help us get the challenge done!

I reworked the application: instead of calling the login onClick method of LoginActivity, the login button now calls the onClick method of TestActivity.

I used apktool again to rebuild the modified APK.

To run an application on Android the APK must be signed. I used APK Signed Tool to sign the APK, using the qa PKCS12 file as the signing key.

Because we re-signed the application, the certificate that signs it, and therefore the "signature" the app reads at runtime, is no longer the original one. So instead of letting the code read the "signature" of our new APK, I made it use the same signature value as the original APK.

The "signature" is stored in the APK's META-INF folder as CERT.RSA, which is a PKCS#7 file; but the "signature" the app works with is the JAR-format digest of the signing certificate: the Base64 of the SHA-256 over the DER-encoded certificate, exactly what the Base64(Sha256("signature")) call above computes.

I used OpenSSL to convert it and got p9/BXgbp6d1vRtHIcCbi6Vm6faNALQIhYzQ6jXCpUvk=

Then I changed the call to a/b/k/o;->a(Application context, 0x7f0c0001, "token", "p9/BXgbp6d1vRtHIcCbi6Vm6faNALQIhYzQ6jXCpUvk=", True); so the server receives the original application's signature digest rather than the digest of the re-signed APK.
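The conversion above was done with OpenSSL; the following is an added example (not the writeup author's code) that reproduces the same computation with only the Python standard library: it walks the PKCS#7 SignedData structure inside META-INF/CERT.RSA, pulls out the DER-encoded signing certificate, and computes Base64(SHA-256(cert)), which is what the app's Base64(Sha256("signature")) call produces, since on Android Signature.toByteArray() is the DER-encoded certificate. The SAMPLE_PKCS7 blob is constructed here for an offline run and contains a placeholder certificate, not the challenge's real one, and the "META-INF/CERT.RSA" file name in apk_signature_digests is an assumption taken from this challenge's APK.

```python
import base64
import hashlib
import zipfile

# --- minimal DER walker (stdlib only; no pyasn1/cryptography needed) ---

def der_tlv(buf, pos):
    """Parse the DER element starting at pos and return
    (tag, content_start, content_end). Handles single-byte tags and
    definite lengths, which is all a jarsigner PKCS#7 SignedData uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    i = pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, content_start, content_end) for each element
    inside the constructed type occupying buf[start:end]."""
    pos = start
    while pos < end:
        tag, cs, ce = der_tlv(buf, pos)
        yield tag, pos, cs, ce
        pos = ce


def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
SEQUENCE, SET, INTEGER, OID, CTX0 = 0x30, 0x31, 0x02, 0x06, 0xA0


def pkcs7_certificates(pkcs7_der):
    """Return the DER bytes of every certificate carried in a PKCS#7
    SignedData blob (the content of META-INF/CERT.RSA)."""
    tag, cs, ce = der_tlv(pkcs7_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    content_info = list(der_children(pkcs7_der, cs, ce))
    oid_tag, _, ocs, oce = content_info[0]
    if oid_tag != OID or pkcs7_der[ocs:oce] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    _, _, ccs, _ = content_info[1]            # content [0] EXPLICIT
    _, sd_cs, sd_ce = der_tlv(pkcs7_der, ccs)  # SignedData SEQUENCE
    certs = []
    for tag, _, s, e in der_children(pkcs7_der, sd_cs, sd_ce):
        if tag == CTX0:                       # certificates [0] IMPLICIT SET OF Certificate
            for ctag, ts, _, te in der_children(pkcs7_der, s, e):
                if ctag == SEQUENCE:
                    certs.append(pkcs7_der[ts:te])
    return certs


def android_signature_digest(cert_der):
    """Base64(SHA-256(Signature.toByteArray())) as the app computes it."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def apk_signature_digests(apk_path, block_name="META-INF/CERT.RSA"):
    """Digest every signing certificate of a real APK's v1 signature block.
    block_name is an assumption from this challenge; other APKs may use a
    different *.RSA/*.DSA/*.EC file name under META-INF/."""
    with zipfile.ZipFile(apk_path) as apk:
        return [android_signature_digest(c) for c in pkcs7_certificates(apk.read(block_name))]


# --- constructed sample: a placeholder "certificate" wrapped in SignedData ---
SAMPLE_CERT = der(SEQUENCE, der(SEQUENCE, der(INTEGER, b"\x01")) + der(0x04, b"placeholder tbs"))
SAMPLE_PKCS7 = der(SEQUENCE,
    der(OID, OID_SIGNED_DATA) +
    der(CTX0, der(SEQUENCE,
        der(INTEGER, b"\x01") +               # version
        der(SET, b"") +                       # digestAlgorithms
        der(SEQUENCE, der(OID, OID_DATA)) +   # encapContentInfo
        der(CTX0, SAMPLE_CERT) +              # certificates [0] IMPLICIT
        der(SET, b""))))                      # signerInfos

if __name__ == "__main__":
    print(pkcs7_certificates(SAMPLE_PKCS7) == [SAMPLE_CERT])
    print(android_signature_digest(SAMPLE_CERT))
```

On a real APK, apk_signature_digests("original.apk") gives the value to hard-code into the patched call; running it on the re-signed APK shows the value that the qa certificate would have produced instead, which is why the check has to be bypassed rather than satisfied.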

FLAG!