Presented by Paul w

Follow me on Twitter

Introduction

Last night I went to the meetup group “M1 Con” hosted by Digital Interruption and Outsource UK Ltd.

Jay Harris gave a talk about mobile security - it wasn’t super technical, but it highlighted the fact that clearly security is still a bit of an after thought especially when it comes to mobile development - he cited examples of issues that crop up in mobile devices that were fixed in web apps (XSS vulnerabilities for example) long ago.

He also gave a shout out to the Manchester Grey Hats - but you’re already here so … you’re already checking us out … moving on

The CTF

So the CTF brief we were given was that it was a bit of OSINT (link to Brett’s OSINT Workshop) and a bit of mobile security involved. There were a couple of USB pen drives going around with a live image (Jay assured us the USB sticks were legit) for us to boot to with most of the environment set up this included an android virtual device (running Android 7 - Nougat) the CTF APK - an application called safepass and a couple of tools - ADB and a tool called JADX which is used to decompile the APK into readable android code.

After unsuccessfully trying to run the APK in the android emulator in the live environment for a while I decided I was going to look at the APK code and see if I could rebuild the APK in Android Studio with some helpful breakpoints. First I put the APK on a pen drive and rebooted back into my regular environment, created a virtual device in android studio as I was going to do this anyway and installed the APK and ran it. I was greeted with a login screen what a handsome devil!

As you can see the app lists a user name but asks for a password. Since I heard there was going to be some OSINT in this CTF I started searching for handsomerob some of the results were … interesting but on twitter I found a user that had the same image and user name - so that probably wasn’t coincidence.

Seeing as this is OSINT we should poke around this user’s twitter account and see what info may be relevant.

Looking at the user’s posts they have posts about kiwis and complains about having to use numbers in passwords. A couple of likely passwords:

kiwi1 k1w1 Kiwi1 K1w1 Kiwi0379 kiwi0379

Entering the correct password gives us a a 2fa prompt …

But we don’t have any info on the 2fa … we’ll try 0379… nope, let’s bust the apk with Jadx.

Jadx

Jadx is a tool that allows you to export apk into a gradle project so you can review the code.

Select the apk to export

as you can see by looking at the apk in jadx, it shows the code in a tree including the package name.

you can also export into a gradle project to open in android studio.

Examining the project structure in jadx we can also see there is an SQLite DB - we can look at this in jadx but it’s a little garbled … instead what we’re going to to is open the apk with an archive manager winrar will work if you’re in Windows, in Linux you’ll be able to just pop it open from the file explorer and in the assets folder there will be a database file safepass.db. Let’s examine it using SQLiteBrowser.

SQLiteBrowser

SQLiteBrowser is a tool that allows you to browse sqlite databases.

settings table

credentials table

So the string we need to decrypt is the notes field in the credentials_table : Qqb1yxdZYPpO7IkgcwgY8Viv4lmNw/MQlb128tpcC1n+05vNWKRZrypzDWE3rtuG

The Android Code

Looking at the code we can see the following functions that seem interesting

LoginActivity.java

public class LoginActivity extends AppCompatActivity implements OnClickListener { private String getAuthenticationToken() { Cursor cursor = this.mDatabase.query("settings", new String[]{"key", "value"}, "key = ?", new String[]{"aes_token"}, null, null, null); String retval = null; if (cursor.moveToFirst()) { retval = cursor.getString(1); } cursor.close(); return retval; } public boolean checkPassword(String password) { if (password.trim().equals("")) { return false; } return new CryptoHandler(password).decrypt(getAuthenticationToken()).equals("DI{Th15_u53r_15_l0gg3d_1n}"); } private void login() { if (checkPassword(this.mPasswordEditText.getText().toString())) { this.mHasValidPassword = true; toggleControls(false); return; } Toast.makeText(this, "The password entered was incorrect", 1).show(); } //...Snip public void onClick(View view) { if (view != this.mLoginButton) { return; } if (this.mHasValidPassword) { this.mHasValidPassword = false; toggleControls(true); Toast.makeText(this, "The token entered was incorrect", 1).show(); return; } login(); } }

CryptoHandler.java

public class CryptoHandler { private static CryptoHandler instance = null; private byte[] mIV; private byte[] mKey; public CryptoHandler(String secretKey) { try { this.mKey = (secretKey + "0000000000000000").substring(0, 16).getBytes("UTF8"); this.mIV = "itsasecret000000".getBytes("UTF8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } } public String encrypt(String message) { try { byte[] srcBuff = message.getBytes("UTF8"); SecretKeySpec keySpec = new SecretKeySpec(this.mKey, "AES"); IvParameterSpec ivSpec = new IvParameterSpec(this.mIV); Cipher ecipher = Cipher.getInstance("AES/CBC/PKCS7Padding"); ecipher.init(1, keySpec, ivSpec); return Base64.encodeToString(ecipher.doFinal(srcBuff), 0); } catch (Exception ex) { ex.printStackTrace(); return ""; } } public String decrypt(String encrypted) { try { SecretKeySpec keySpec = new SecretKeySpec(this.mKey, "AES"); IvParameterSpec ivSpec = new IvParameterSpec(this.mIV); Cipher ecipher = Cipher.getInstance("AES/CBC/PKCS7Padding"); ecipher.init(2, keySpec, ivSpec); return new String(ecipher.doFinal(Base64.decode(encrypted, 0)), "UTF8"); } catch (Exception ex) { ex.printStackTrace(); return ""; } } }

looking at the checkPassword function, it creates a new instance of CryptoHandler passing the password and then checks that the value returned by the decrypt function equals “DI{Th15_u53r_15_l0gg3d_1n}”

return new CryptoHandler(password).decrypt(getAuthenticationToken()).equals("DI{Th15_u53r_15_l0gg3d_1n}");

From both the decrypt and encrypt functions we can see that the cipher is “AES” and we know the password is kiwi0379

this.mKey = (secretKey + "0000000000000000").substring(0, 16).getBytes("UTF8"); this.mIV = "itsasecret000000".getBytes("UTF8");

We know we have all we need to decrypt the notes as we have everything to build the key so we could take those things and use something like CyberChef but where’s the fun in that? ;-)

We’re going to use the app against itself with frida!

Frida

Seeing as I wanted to play around with Frida a little bit I thought I’d use it to solve this challenge. I created an android virtual device and install the CTF app on it,

First you need we need to push the frida server to the phone or the virtual device

phyu@Balamb:~/Android/Sdk/platform-tools$ ./adb push ~/Dev/M1Con/frida-server /data/local/tmp/frida-server /home/phyu/Dev/M1Con/frida-server: 1 file pushed. 168.5 MB/s (25126612 bytes in 0.142s)

And then connect to the shell.

generic_x86:/ $ su generic_x86:/ # cd /data/local/tmp generic_x86:/data/local/tmp # chmod 775 frida-server generic_x86:/data/local/tmp # ./frida-server &

Once we have the server running on the device we need to connect to it.

phyu@Balamb:~$ frida -U -f com.digitalinterruption.safepass.safepass --no-pause ____ / _ | Frida 10.7.7 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ Spawned `com.digitalinterruption.safepass.safepass`. Resuming main thread! [Android Emulator 5554::com.digitalinterruption.safepass.safepass]->

We get the above window and then we know it’s running. Now we can create a script file that we inject into the running program, which will allow us to overwrite functionality of the program.

phyu@Balamb:~$ frida -U -l ~/Dev/M1Con/ctf.js -f com.digitalinterruption.safepass.safepass --no-pause

the current contents of ctf.js is

CTF.js (initial)

setImmediate(function() { Java.perform(function () { console.log("[*] Starting script"); }); });

What currently happens is the user clicks the login button and it calls the decrypt function like so:

decrypt(getAuthenticationToken()).equals("DI{Th15_u53r_15_l0gg3d_1n}");

What we want to do is call the decrypt function to decrypt the notes field. What’s really cool is we can actually use the current implementation to decrypt it.

With frida we can use the Java.use function to create a wrapper for the CryptoHandler class

var crypto = Java.use("com.digitalinterruption.safepass.safepass.CryptoHandler");

It’s important to note that crypto will now refer to the CryptoHandler that’s instantiated when the user clicks the login button so we need to provide the correct passwords.

What we do then is instead of checking if the password matches, log the output of the decrypt function after passing in the notes field

CTF.js (final)

setImmediate(function() { Java.perform(function () { console.log("[*] Starting script"); var crypto = Java.use("com.digitalinterruption.safepass.safepass.CryptoHandler"); console.log("[*] Overriding implementation of decrypt function in : com.digitalinterruption.safepass.safepass.CryptoHandler") crypto.decrypt.implementation = function(){//we change the decrypt function to decrypt the notes field instead of the password console.log("called decrypt"); console.log(this.decrypt("Qqb1yxdZYPpO7IkgcwgY8Viv4lmNw/MQlb128tpcC1n+05vNWKRZrypzDWE3rtuG")); //passing the string we want to decrypt instead of the token return "Solved"; //we need to return a string as the decrypt function we're overriding returns one and if we don't the app will throw an error } }); });

Success!!

phyu@Balamb:~$ frida -U -l ~/Dev/M1Con/ctf.js -f com.digitalinterruption.safepass.safepass --no-pause ____ / _ | Frida 10.7.7 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ Spawned `com.digitalinterruption.safepass.safepass`. Resuming main thread! [Android Emulator 5554::com.digitalinterruption.safepass.safepass]-> [*] Starting script [*] Overriding implementation of decrypt function in : com.digitalinterruption.safepass.safepass.CryptoHandler called decrypt Congratulations on finishing the challenge! :)

Thanks for reading and thanks for the CTF :) - Phyu