Whilst working on the BountyCon 2022 CTF, I spent the majority of the time focusing on the Android Trinity challenge.
This was one of two PWN challenges which only had one solve between them at the time finding the flag.
Of course, I took many failed paths before I could crack it, I went down the obvious route first -
- Breaking out of the html
- Executing javascript to communicate with the javascript interfaces via the bridge
- Pull the contents of the file:
/data/user/0/bountycon.ctf.pwn.android.trinity/files/password(required for a couple of functions)
Either way, before I threw in the towel, I stumbled across a tool called objection. With a bit of learning on the fly, I managed to come up with this solution!
Looking back, there's probably a couple of shortcuts I could have taken but this was ultimately the method I took to PWN this challenge. Enjoy!
P.s. I'm not entirely sure this was the intended solution ?
Commands Used
- apktool d .\trinity.apk -f
- apktool b -f -d .\trinity\ trinity_built.apk
- zipalign -v 4 trinity_built.apk trinity_built_aligned.apk
- apksigner.bat sign -ks my-release-key.keystore .\trinity_built_aligned.apk
- adb install .\trinity_built_aligned.apk
- python .\patch-apk.py bountycon.ctf.pwn.android.trinity --no-enable-user-certs
- objection explore
- android hooking watch class bountycon.ctf.pwn.android.trinity.MainActivity --dump-args --dump-backtrace --dump-return
- memory search "BountyCon" --string --offsets-only
- memory dump from_base [offset] 100 output.txt
Links
- APK Tool -
https://ibotpeaches.github.io/Apktool/ - Jadx Gui -
https://github.com/skylot/jadx - Patch APK -
https://github.com/NickstaDB/patch-apk - Objection -
https://github.com/sensepost/objection
Follow @AshleyKingUK