Due to economic downturns and lack of resources, Monsters Inc. has decided to scare kids regularly door to door, instead of using their teleport technology. Their office in Touran City has developed an Android app, which is used by the head office to communicate with the monsters (i.e. transmit new assignments to them). Recently, the Touran City Police Department (TCPD) tracked and captured a thief and found a cell phone on him. It seems that the thief had stolen the cell phone from one of the Monsters Inc. employees. A backup of the cell phone is attached.
Can you find out whose phone this is?
Flag: Full Name of the Monster
Solution:
The attached file is a standard Android backup without a password. We can convert it to a tar file with this command:
dd if=phone-backup bs=24 skip=1 | openssl zlib -d > phone-backup.tar
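The dd command above works because the header of an unencrypted backup is exactly 24 bytes. As an added example (not part of the original write-up), the Python sketch below reads the header lines instead of assuming their length and refuses encrypted backups; the function names and the one-file sample backup are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(stream):
    """Read the four text lines that precede the payload of an .ab file."""
    magic, version, compressed, encryption = (
        stream.readline().rstrip(b"\n") for _ in range(4)
    )
    if magic != MAGIC:
        raise ValueError("not an Android backup: bad magic line")
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
    }

def ab_to_tar(ab_bytes):
    """Return the raw tar bytes of an unencrypted Android backup."""
    stream = io.BytesIO(ab_bytes)
    header = parse_ab_header(stream)
    if header["encryption"] != "none":
        # Encrypted backups carry extra key-material lines after the header,
        # so skipping a fixed 24 bytes and inflating would not work.
        raise ValueError("backup is encrypted (%s)" % header["encryption"])
    payload = stream.read()
    return zlib.decompress(payload) if header["compressed"] else payload

def list_backup(ab_bytes):
    """List member paths inside the backup's tar stream."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(ab_bytes))) as tar:
        return tar.getnames()

def build_sample_backup():
    """Constructed sample: a one-file backup reusing a path from this page."""
    name = "apps/inc.monsters.commandservice/sp/inc.monsters.commandservice.xml"
    data = b"<map></map>"  # constructed placeholder content
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(tar_buf.getvalue())

if __name__ == "__main__":
    print(list_backup(build_sample_backup()))
```
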
The backup contains an APK file which sounds interesting:
/apps/inc.monsters.commandservice/a/inc.monsters.commandservice-1.apk
It also contains a file with a username and password:
/apps/inc.monsters.commandservice/sp/inc.monsters.commandservice.xml
The APK file has no protection and can be easily decompiled. We used www.decompileandroid.com.
In the source files, this line from src/inc/monsters/commandservice/TrackerService.java pops out:
endpoint = "http://ctf.sharif.edu:8085/webservice.php";
We went to http://ctf.sharif.edu:8085/ and logged in using the credentials retrieved from the XML file.
The website sets a silly cookie called isAdmin, and by setting it to yes, you become admin.
In the page source we searched for “c6bce”.
The flag is: Lenna Aubut