Supermarket HTB
Mobile Challenge
My supermarket list is too big and I only have $50. Can you help me get the Discount code?
Source code review
Looking at the source code of MainActivity, this is what runs when we try to submit a coupon:
    public void onTextChanged(CharSequence charSequence, int i2, int i3, int i4) {
        try {
            // Text currently typed into the coupon field
            String obj = MainActivity.this.f2075q.getText().toString();
            MainActivity mainActivity = MainActivity.this;
            // Base64-encoded ciphertext returned by the native library
            String stringFromJNI = mainActivity.stringFromJNI();
            Objects.requireNonNull(mainActivity);
            // stringFromJNI2() supplies the key bytes, stringFromJNI3() the cipher algorithm name
            SecretKeySpec secretKeySpec = new SecretKeySpec(mainActivity.stringFromJNI2().getBytes(), mainActivity.stringFromJNI3());
            Cipher cipher = Cipher.getInstance(mainActivity.stringFromJNI3());
            cipher.init(2, secretKeySpec); // 2 == Cipher.DECRYPT_MODE
            int i5 = 0;
            // The input is compared with the decrypted value
            if (!obj.equals(new String(cipher.doFinal(Base64.decode(stringFromJNI, 0)), "utf-8"))) {
                MainActivity.this.f2081w.clear();
                MainActivity.this.f2076r = 5.0d;
                while (true) {
                    String[] strArr = this.f2085c;
                    if (i5 >= strArr.length) {
                        break;
                    }
                    MainActivity.this.f2081w.add(strArr[i5]);
                    i5++;
                }
                // (the snippet ends here in the post)
Where do those stringFromJNIX() values come from? They are native methods, loaded from the supermarket library:
    static {
        System.loadLibrary("supermarket");
    }
    public native String stringFromJNI();
    public native String stringFromJNI2();
    public native String stringFromJNI3();
So we can solve this challenge in two ways:
- The easy way: hooking the crypto library javax.crypto.Cipher.
- Reversing libsupermarket.so with Ghidra and finding there the values of the key, the IV and the flag.
Local Testing
Found a good crypto hook among the Frida CodeShare scripts; just run it:
    frida -U -f com.example.supermarket --codeshare Serhatcck/java-crypto-viewer
Then enter whatever you want in the coupon text field.
Proof of Concept
Doing it the easy way.
This post is licensed under CC BY 4.0 by the author.
