Whilst working on the BountyCon 2022 CTF, I spent the majority of the time focusing on the Android Trinity challenge.
This was one of two
PWN challenges which only had one solve between them at the time finding the flag.
Of course, I took many failed paths before I could crack it, I went down the obvious route first -
- Breaking out of the html
- Pull the contents of the file:
/data/user/0/bountycon.ctf.pwn.android.trinity/files/password(required for a couple of functions)
Either way, before I threw in the towel, I stumbled across a tool called
objection. With a bit of learning on the fly, I managed to come up with this solution!
Looking back, there's probably a couple of shortcuts I could have taken but this was ultimately the method I took to PWN this challenge. Enjoy!
P.s. I'm not entirely sure this was the intended solution ?
- apktool d .\trinity.apk -f
- apktool b -f -d .\trinity\ trinity_built.apk
- zipalign -v 4 trinity_built.apk trinity_built_aligned.apk
- apksigner.bat sign -ks my-release-key.keystore .\trinity_built_aligned.apk
- adb install .\trinity_built_aligned.apk
- python .\patch-apk.py bountycon.ctf.pwn.android.trinity --no-enable-user-certs
- objection explore
- android hooking watch class bountycon.ctf.pwn.android.trinity.MainActivity --dump-args --dump-backtrace --dump-return
- memory search "BountyCon" --string --offsets-only
- memory dump from_base [offset] 100 output.txt
- APK Tool -
- Jadx Gui -
- Patch APK -
- Objection -