Bountycon 2022 - Android Trinity - PWN

Home > Blog > Meta

Bountycon 2022 - Android Trinity - PWN

Whilst working on the BountyCon 2022 CTF, I spent the majority of the time focusing on the Android Trinity challenge.

This was one of two PWN challenges which only had one solve between them at the time finding the flag.

Of course, I took many failed paths before I could crack it, I went down the obvious route first -

  • Breaking out of the html
  • Executing javascript to communicate with the javascript interfaces via the bridge
  • Pull the contents of the file: /data/user/0/bountycon.ctf.pwn.android.trinity/files/password (required for a couple of functions)
But I kept getting distracted and never followed that through or got stuck or something..

Either way, before I threw in the towel, I stumbled across a tool called objection. With a bit of learning on the fly, I managed to come up with this solution!

Looking back, there's probably a couple of shortcuts I could have taken but this was ultimately the method I took to PWN this challenge. Enjoy!

P.s. I'm not entirely sure this was the intended solution ?


Commands Used

  • apktool d .\trinity.apk -f
  • apktool b -f -d .\trinity\ trinity_built.apk
  • zipalign -v 4 trinity_built.apk trinity_built_aligned.apk
  • apksigner.bat sign -ks my-release-key.keystore .\trinity_built_aligned.apk
  • adb install .\trinity_built_aligned.apk
  • python .\patch-apk.py bountycon.ctf.pwn.android.trinity --no-enable-user-certs
  • objection explore
  • android hooking watch class bountycon.ctf.pwn.android.trinity.MainActivity --dump-args --dump-backtrace --dump-return
  • memory search "BountyCon" --string --offsets-only
  • memory dump from_base [offset] 100 output.txt

Links


Comments

about me

28 year old multistack developer & security researcher based in Gosport, UK. I like to blog about interesting vulnerabilities I come across, when allowed 🙄