Add solution for new challenges

CTF/Mobile/APKey/Readme.md

@@ -0,0 +1,226 @@
+# Challenge: APKey
+## Rate: Easy
+
+Try to install the APK.
+
+```bash
+adb install APKey.apk
+Performing Streamed Install
+adb: failed to install APKey.apk: Failure [-124: Failed parse during installPackageLI: Targeting R+ (version 30 and above) requires the resources.arsc of installed APKs to be stored uncompressed and aligned on a 4-byte boundary]
+```
+
+The error indicates that the APK you are trying to install targets Android R (API level 30) or above, which requires the `resources.arsc` file within the APK to be stored uncompressed and aligned on a 4-byte boundary. Here's how you can fix it:
+
+```bash
+zipalign -v 4 APKey.apk aligned_APKey.apk
+adb install aligned_APKey.apk
+Performing Streamed Install
+adb: failed to install aligned_APKey.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Scanning Failed.: No signature found in package of version 2 or newer for package com.example.apkey]
+```
+
+The new error indicates that the APK is not signed. Android requires all APKs to be digitally signed before installation. Here's how you can resolve the issue by signing the APK:
+
+```bash
+keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-key-alias
+apksigner sign --ks my-release-key.jks --out signed_aligned_APKey.apk aligned_APKey.apk
+apksigner verify signed_aligned_APKey.apk
+adb install signed_aligned_APKey.apk
+```
+
+Now Analyze the `AndroidManifest.xml` using `Apktool` or `Jadx`.
+
+![1.png](1.png)
+
+Go to `MainActivity`:
+
+![2.png](2.png)
+
+In the `MainActivity`, the `onClick` function in the key function of this challenge which contains the login validation process. We have two conditions:
+
+1. The username should be equal to `admin`
+2. The password hash should be equal to `a2a3d412e92d896134d9c9126d756f`
+
+From Here we have to approach to solve this challenge:
+
+1. Frida Hooking
+2. Smali Patching
+
+## Frida Hooking
+
+The original app checks if the MD5 hash of a user input equals `"a2a3d412e92d896134d9c9126d756f"`. When the condition is true, it proceeds with a branch that likely grants access or performs a sensitive action. We need to invert that check at runtime to effectively reverse the condition. In other words, if the hash matches, the check will now return `false`, and if it doesn’t match, the check will return `true`.
+
+`script.js`:
+
+```jsx
+Java.perform(function() {
+    // Get a reference to the java.lang.String class
+    var StringClass = Java.use("java.lang.String");
+    // Define the target hash string
+    var targetHash = "a2a3d412e92d896134d9c9126d756f";
+
+    // Save a reference to the original implementation of equals(Object)
+    var origEquals = StringClass.equals.overload("java.lang.Object");
+
+    // Overwrite the equals implementation
+    origEquals.implementation = function(other) {
+        // Check if the parameter is non-null and equals our target hash string
+        if (other !== null && other.toString() === targetHash) {
+            var selfValue = this.toString();
+            // Determine what the original equals() would return:
+            // true if 'this' is equal to targetHash, false otherwise.
+            var originalResult = (selfValue === targetHash);
+            // Invert the result:
+            // If 'this' equals targetHash (originalResult === true), return false.
+            // Otherwise, return true.
+            var newResult = !originalResult;
+            console.log("[Frida Hook] Intercepted String.equals(): '" +
+                        selfValue + "'. Compared with '" + targetHash +
+                        "'. Original result: " + originalResult +
+                        " | Inverted result: " + newResult);
+            return newResult;
+        }
+        // For all other comparisons, call the original method.
+        return origEquals.call(this, other);
+    };
+
+    console.log("[Frida Hook] String.equals() hook installed.");
+});
+```
+
+- `Java.perform()`
+
+    ```jsx
+    Java.perform(function() {
+        ...
+    });
+    ```
+
+    - This ensures that the script runs after the Android runtime is fully loaded. It provides a safe environment to interact with Java classes and methods.
+- Getting a Reference to `java.lang.String`
+
+    ```jsx
+    var StringClass = Java.use("java.lang.String");
+    ```
+
+    - This gets a handle on the `java.lang.String` class so we can modify its behavior.
+- Defining the Target Hash
+
+    ```jsx
+    var targetHash = "a2a3d412e92d896134d9c9126d756f";
+    ```
+
+    - The script defines the MD5 hash string that is used in the application's original comparison.
+- Saving the Original `equals()` Method
+
+    ```jsx
+    var origEquals = StringClass.equals.overload("java.lang.Object");
+    ```
+
+    - This saves the original implementation of the `equals(Object)` method. The overload is specified because `equals` can be overloaded; we target the one that takes a single `Object` parameter.
+- Overriding the `equals()` Method
+
+    ```jsx
+    origEquals.implementation = function(other) {
+        if (other !== null && other.toString() === targetHash) {
+            var selfValue = this.toString();
+            var originalResult = (selfValue === targetHash);
+            var newResult = !originalResult;
+            console.log("[Frida Hook] Intercepted String.equals(): '" +
+                        selfValue + "'. Compared with '" + targetHash +
+                        "'. Original result: " + originalResult +
+                        " | Inverted result: " + newResult);
+            return newResult;
+        }
+        return origEquals.call(this, other);
+    };
+    ```
+
+    - Hook Condition:
+
+        The hook checks if the object (`other`) being compared is not `null` and if its string representation equals the target hash.
+
+    - Capturing `this.toString()`:
+
+        It converts the current string (`this`) to a regular string (`selfValue`) to perform a comparison.
+
+    - Determining the Original Result:
+
+        It checks whether `selfValue` is equal to the target hash (what the original method would have returned).
+
+    - Inverting the Result:
+
+        The script inverts the original boolean result:
+
+        - If `selfValue` **is equal** to the target hash (`originalResult` is `true`), then `newResult` becomes `false`.
+        - If `selfValue` **is not equal** to the target hash (`originalResult` is `false`), then `newResult` becomes `true`.
+    - Logging:
+
+        It logs the details of the hook execution to help with debugging.
+
+    - Return Value:
+
+        The method returns the inverted result instead of the original one.
+
+    - Fallback:
+
+        If the `equals` method is called with an argument that doesn’t match the target hash, it simply calls the original `equals()` implementation.
+
+- Logging Hook Installation
+
+    ```jsx
+    console.log("[Frida Hook] String.equals() hook installed.");
+    ```
+
+    - A message is logged to confirm that the hook has been successfully set up.
+
+Run the Frida script:
+
+```bash
+frida -U -f com.example.apkey -l .\script.js
+```
+
+Enter `admin` as a username with any password you want:
+
+![3.png](3.png)
+
+## Smali Patching
+
+```bash
+apktool d signed_aligned_APKey.apk
+```
+
+go to `MainActivity$a.smali`:
+
+```java
+...
+
+    :goto_1
+    const-string v1, "a2a3d412e92d896134d9c9126d756f"
+
+    .line 2
+    invoke-virtual {p1, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
+
+    move-result p1
+
+    if-eqz p1, :cond_1
+
+    iget-object p1, p0, Lcom/example/apkey/MainActivity$a;->b:Lcom/example/apkey/MainActivity;
+
+...
+```
+
+Change `if-eqz` to `if-nez`.
+
+Build, Sign, and install the APK again:
+
+```bash
+apktool b signed_aligned_APKey -o modified_signed_aligned_APKey.apk
+zipalign -p 4 modified_signed_aligned_APKey.apk modified_signed_aligned_APKey1.apk
+apksigner sign --ks a.keystore modified_signed_aligned_APKey1.apk
+adb uninstall com.example.apkey
+adb install signed_aligned_APKey.apk
+```
+
+Enter `admin` as a username with any password you want:
+
+![3.png](3.png)

CTF/Mobile/Cat/Readme.md

@@ -0,0 +1,45 @@
+# Challenge: Cat
+## Rate: Easy
+
+This challenge gives us only a file named `cat.ab`. `.ab` files are Android Backup files created by the `adb backup` command, part of the Android Debug Bridge (ADB) toolkit. They are used to back up application data, settings, and, sometimes, parts of the Android system.
+Let's extract the backup:
+```bash
+java -jar abe.jar unpack cat.ab cat.tar
+```
+The `abe.jar` Converts the Android backup file `cat.ab` into a tar archive `cat.tar`.
+Now.
+
+Now extract the `cat.tar` which is an **unprotected backup file**.
+```bash
+tar -xvf cat.tar
+```
+```bash
+➜ tree
+.
+└── cat
+   ├── apps
+   └── shared
+       └── 0
+           ├── Alarms
+           ├── DCIM
+           ├── Download
+           ├── Movies
+           ├── Music
+           ├── Notifications
+           ├── Pictures
+           │   ├── IMAG0001.jpg
+           │   ├── IMAG0002.jpg
+           │   ├── IMAG0003.jpg
+           │   ├── **IMAG0004.jpg**
+           │   ├── IMAG0005.jpg
+           │   └── IMAG0006.jpg
+           ├── Podcasts
+           └── Ringtones
+```
+
+- `IMAG0004.jpg`
+
+    ![flag.png](flag.png)
+
+
+**Flag**: `HTP{ThisBackupIsUnprotected}`

CTF/Mobile/Cryptohorrific/Readme.md

@@ -0,0 +1,102 @@
+# Challenge: Cryptohorrific
+## Rate: Medium
+
+Unzip the `Cryptohorrific.zip`:
+
+```bash
+➜  hackthebox.app tree
+.
+├── Base.lproj
+│   ├── LaunchScreen.storyboardc
+│   │   ├── 01J-lp-oVM-view-Ze5-6b-2t3.nib
+│   │   ├── Info.plist
+│   │   └── UIViewController-01J-lp-oVM.nib
+│   └── Main.storyboardc
+│       ├── BYZ-38-t0r-view-8bC-Xf-vdC.nib
+│       ├── Info.plist
+│       └── UIViewController-BYZ-38-t0r.nib
+├── Info.plist
+├── PkgInfo
+├── _CodeSignature
+│   └── CodeResources
+├── challenge.plist
+├── hackthebox
+└── htb-company.png
+```
+
+Here we have `challenge.plist` file. A `.plist` (property list) file is a file format used by macOS, iOS, and other Apple operating systems to store serialized objects in a structured way, typically as key-value pairs.
+
+Since `.plist` file is not readable for us, we have to convert it to XML format:
+
+```bash
+plistutil -i challenge.plist
+```
+
+Output:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+        <dict>
+                <key>flag</key>
+                <string>Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGNUFKoAvyW7njTCMlQzlwIRdJvaP2iYQ==</string>
+                <key>id</key>
+                <string>123</string>
+                <key>title</key>
+                <string>HackTheBoxIsCool</string>
+        </dict>
+</array>
+</plist>
+```
+
+The flag is encrypted.
+
+Also we have an executable file named `hackthebox`. Let’s analyze this file with `Ghidra`.
+
+![1.png](1.png)
+
+After examining the executable we found `SecretManager:key:iv:data` which is interesting thing. Let’s look further. 
+
+![2.png](2.png)
+
+As you can see we found `Key` and `IV` values. So we can decrypt the flag using `CipherText` and `Key`.
+
+You can use https://www.devglan.com/online-tools/aes-encryption-decryption to achieve the flag or use this python code:
+
+```python
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import unpad
+import base64
+
+# AES decryption function
+def aes_decrypt(ciphertext_base64, secret_key):
+    # Decode the Base64 encoded ciphertext
+    ciphertext = base64.b64decode(ciphertext_base64)
+
+    # Initialize AES cipher in ECB mode
+    cipher = AES.new(secret_key.encode('utf-8'), AES.MODE_ECB)
+
+    # Decrypt and remove padding
+    decrypted_text = unpad(cipher.decrypt(ciphertext), AES.block_size)
+    return decrypted_text.decode('utf-8')
+
+# Inputs
+ciphertext = "Tq+CWzQS0wYzs2rJ+GNrPLP6qekDbwze6fIeRRwBK2WXHOhba7WR2OGNUFKoAvyW7njTCMlQzlwIRdJvaP2iYQ=="
+secret_key = "!A%D*G-KaPdSgVkY"
+
+# Decrypt and print the result
+try:
+    decrypted_text = aes_decrypt(ciphertext, secret_key)
+    print("Decrypted text:", decrypted_text)
+except Exception as e:
+    print("An error occurred during decryption:", str(e))
+
+```
+
+**Flag**:
+
+```
+Decrypted text: HTB{%SoC00l_H4ckTh3b0xbyBs3cur31stCh4ll3ng3!!Cr4zY%}
+```