Hacker101 CTF: Android Challenges


In this article, I will be demonstrating how to solve the Hacker101 CTF (Capture The Flag) challenges for the Android category. Hacker101 is a free educational site for hackers, run by HackerOne.


Disclaimer

I was motivated to make this article out of a desire to learn more about Android mobile application security. This writeup will obviously contain spoilers and I encourage readers to attempt this CTF before reading this article. Try to solve as many of these challenges as you can and then come back later to read this article if you get stuck or want to see a potentially different approach to solving a challenge. Without any further delay, let's jump in 😃!


H1 Thermostat (Easy, 2 Flags)

I started this challenge by downloading the application APK file and installing it on my emulator device using Android Debug Bridge (ADB):


adb install thermostat.apk

Opening the application showed that it only had a single activity with a thermostat and a gauge, allowing the user to raise or lower the temperature setting.


Next, I generated a static analysis report for the APK file using the Mobile Security Framework (MobSF) tool. I started reviewing the report by examining the AndroidManifest.xml file.


Looking through the manifest file, I can see that the application has requested only the android.permission.INTERNET permission, which allows the application to create network sockets. The developer has set the attributes android:usesCleartextTraffic and android:allowBackup to true, which means the application intends to use cleartext traffic and can have its contents backed up by the user.


The application also appears to have only two components. An activity called com.hacker101.level11.ThermosActivity has been declared with an intent filter. A content provider called ProcessLifecycleOwnerInitializer has also been declared, but it is not exported. I decided to examine the Java source code for com.hacker101.level11.ThermosActivity.


Looking through the source code of the activity, I noted that a network request was being made. A class called PayloadRequest was used inside this network request as seen highlighted in green. Examining the source code for the PayloadRequest class, I discover both flags for the challenge.


It appears that one flag is hashed using MD5 and then base64 encoded before being added as a value to a header called X-MAC. The other flag is simply added as a plaintext value to the header X-Flag. I can use the tool BurpSuite to intercept this network request when interacting with the application.


As seen in the image above, the intercepted network request shows the X-MAC and X-Flag headers with their equivalent values. Nice and easy for the first challenge 😃!
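To confirm which captured header is the derived one, it helps to reproduce the PayloadRequest derivation described above. The following is an added example, not code from the CTF app or the original post; it assumes the X-MAC value is base64 of the raw MD5 digest (not of the hex string), and the flag values it uses are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Header names as seen in the intercepted request; flag values below are
# constructed placeholders, not the CTF's real flags.
X_MAC_HEADER = "X-MAC"
X_FLAG_HEADER = "X-Flag"


def x_mac(value: str) -> str:
    """Reproduce the X-MAC derivation: MD5 of the string, then base64 of the
    raw 16-byte digest (assumption: raw digest, not the hex digest)."""
    digest = hashlib.md5(value.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_payload_headers(mac_source: str, plain_flag: str) -> dict:
    """Mirror the two headers PayloadRequest adds (assumed layout)."""
    return {X_MAC_HEADER: x_mac(mac_source), X_FLAG_HEADER: plain_flag}


def matches_x_mac(header_value: str, candidate: str) -> bool:
    """Check whether a captured X-MAC value was derived from `candidate`.
    No secret key is involved, so anyone who knows the derivation can
    recompute it: this header is a fingerprint, not an integrity control."""
    return hmac.compare_digest(x_mac(candidate), header_value)


if __name__ == "__main__":
    headers = build_payload_headers("constructed-mac-input", "FLAG{constructed}")
    print(headers)
```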


Intentional Exercise (Moderate, 1 Flag)

Following a similar approach as seen in the previous challenge, I installed the application using ADB and generated a static analysis report of the APK file using MobSF. Opening the application showed an activity with a welcome message and a link called “Flag”.


Clicking on the link leads to an “Invalid request” error. Guess it won’t be that easy 😏.


As seen with the previous challenge, I started by looking at the manifest file for the application. There is only one activity declared in the manifest file. What stands out about the activity is that it has been declared with three intent filters. The two intent filters surrounded by green in the image below show how you create deep links for your app’s content (see references).


N.B. Deep Links are a concept that help users navigate between the web and applications. They are basically URLs which navigate users directly to the specific content in applications.


To test the first deep link (i.e. http), I can use ADB with the activity manager (am) tool to check that the intent filter URIs specified for deep linking resolve to the correct app activity. The command seen below successfully starts the main activity for the application.


adb shell am start -W -a "android.intent.action.VIEW" -d "http://level13.hacker101.com" com.hacker101.level13
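When checking several deep-link URIs, it is worth confirming from the `am start -W` output that the intent actually resolved into the expected package rather than some other handler. The following is an added example, not part of the original post; the sample output and the `.MainActivity` component name are constructed, and `run_deep_link_check` only works with a connected emulator or device.

```python
import re
import subprocess

PACKAGE = "com.hacker101.level13"


def am_start_command(uri: str, package: str = PACKAGE) -> list:
    """Build the same `adb shell am start -W` invocation used above."""
    return ["adb", "shell", "am", "start", "-W",
            "-a", "android.intent.action.VIEW", "-d", uri, package]


def parse_am_start(output: str) -> dict:
    """Pull the Status and resolved Activity lines out of `am start -W` output."""
    result = {"status": None, "activity": None}
    for line in output.splitlines():
        m = re.match(r"^(Status|Activity):\s*(\S+)", line.strip())
        if m:
            result[m.group(1).lower()] = m.group(2)
    return result


def deep_link_resolves_to(output: str, package: str = PACKAGE) -> bool:
    """True only when the intent launched and landed in the expected package."""
    parsed = parse_am_start(output)
    activity = parsed["activity"] or ""
    return parsed["status"] == "ok" and activity.startswith(package + "/")


# Constructed sample of `am start -W` output; the activity class name is assumed.
SAMPLE_OUTPUT = """Starting: Intent { act=android.intent.action.VIEW dat=http://level13.hacker101.com pkg=com.hacker101.level13 }
Status: ok
LaunchState: COLD
Activity: com.hacker101.level13/.MainActivity
TotalTime: 412
WaitTime: 430
Complete
"""


def run_deep_link_check(uri: str, package: str = PACKAGE) -> bool:
    """Run adb for real and evaluate the result (needs a device/emulator)."""
    proc = subprocess.run(am_start_command(uri, package), capture_output=True, text=True)
    return deep_link_resolves_to(proc.stdout, package)


if __name__ == "__main__":
    print(parse_am_start(SAMPLE_OUTPUT), deep_link_resolves_to(SAMPLE_OUTPUT))
```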

I decided to look at the source code for the MainActivity. Looking through the java code, I can see that the application creates a WebView. Two string variables are also declared, with the variable
