Guess the password (Rev) - SquareCTF2023
Reversing Challenge - SquareCTF 2023
Guess the password is a reversing CTF challenge from SquareCTF 2023. The weakness in the given APK is that its random number generator is seeded with fixed values, so every value returned by randA.nextInt() is predictable.
APK file
Inspecting the apk was done with the following tool:
jadx-gui /home/kraken/MatavieHash/CTFs/square/guess/Authenticator.apk
In AndroidManifest.xml we can see which class is registered as the MainActivity:

In MainActivity we can see some variables being declared: screenWidth, screenHeight, an encoded FLAG, and a SHA-256 string:

The flow of the program is easy to follow: on the click of a button, the password that was entered is passed through isPassword(), and if the password is correct, the flag is printed for us.

We also notice that isPassword() compares the return value of a shuffle function with the SHA-256 string. Here comes the reversing part: we need to invert that shuffle, knowing that its shuffled output is our SHA-256 string:

Reversing
As explained earlier, the weakness of the given APK is that the random number generator is seeded with fixed values, which makes every value returned by randA.nextInt() predictable.
The app uses screenWidth and screenHeight as the seeds that determine which indexes get swapped during the shuffle. As I know little about Java, I slowly built a small program that prints those indexes with Java's nextInt() function, using an online compiler (https://www.jdoodle.com/online-java-compiler):
import java.util.Random;

public class randoms {
    // Seeds taken from the screen dimensions used by the APK
    static final int seedA = 1080;
    static final int seedB = 2205;

    public static void main(String[] args) {
        // Same seed as the app, so the same nextInt() sequence comes out
        Random randA = new Random(seedA * seedB);
        for (int i = 0; i < 32; i++) {
            int randomIndex = randA.nextInt(32);
            System.out.println(randomIndex);
        }
    }
}
This gives the following list of indexes that were swapped during the shuffle:
next_ints = '4 20 29 1 25 27 24 24 18 25 18 25 24 21 21 13 8 18 26 10 22 29 31 29 23 29 20 31 6 28 5 7'.split()
I then wrote a Python script that replays the swaps in reverse order to unshuffle the string:
# The shuffled SHA-256 string from the APK, split into byte-sized hex pairs
sha = '5d fd 1a c9 74 18 73 db b8 89 fc 5f 63 62 af 39 c7 e8 08 5e a3 d9 52 97 4f 37 ca 66 e6 f6 c5 97'.split()
# Indexes produced by randA.nextInt(32), in the order the app generated them
next_ints = '4 20 29 1 25 27 24 24 18 25 18 25 24 21 21 13 8 18 26 10 22 29 31 29 23 29 20 31 6 28 5 7'.split()

# Each swap is its own inverse, so undoing the shuffle means
# replaying the swaps from the last position back to the first
n = 1
for i in range(len(sha)):
    random_index = int(next_ints[-n])
    temp = sha[-n]
    sha[-n] = sha[random_index]
    sha[random_index] = temp
    n += 1

print('Unshuffled result: ' + ''.join(sha))
The value returned was:
8966d9fd5ddb97635e5fe8e697af4f62b8a3c7fcc939ca37f67408c5731a1852
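The two manual steps above (running Java's nextInt() once to dump the indexes, then unshuffling in Python) can be done in one place, which also makes the root cause easier to see. The following is an added example, not code from the challenge or from this write-up: it ports java.util.Random's documented 48-bit LCG to Python so the nextInt(32) stream is reproduced offline from the seed 1080*2205, then applies the swap-based shuffle and its inverse. The forward shuffle (swap position i with position indexes[i], for i from 0 to 31) is an assumption inferred from the unshuffle loop above; the class and function names are mine. Because the seed is a product of two fixed screen dimensions, anyone who knows the device class can regenerate the exact permutation, which is why seeding from predictable values gives no protection.

```python
# Added example (not the challenge's or the write-up author's code): reproduces
# java.util.Random's index stream in Python, then applies and inverts the shuffle.

MULTIPLIER = 0x5DEECE66D   # java.util.Random LCG constants (documented in the JDK)
ADDEND = 0xB
MASK = (1 << 48) - 1

SEED_A, SEED_B = 1080, 2205   # screenWidth / screenHeight seeds from the write-up
# Shuffled SHA-256 hex string embedded in the APK, as quoted in the write-up
SHUFFLED_SHA = "5dfd1ac9741873dbb889fc5f6362af39c7e8085ea3d952974f37ca66e6f6c597"


class JavaRandom:
    """Bit-exact port of java.util.Random's seeding, next(bits) and nextInt(bound)."""

    def __init__(self, seed: int) -> None:
        # Java scrambles the caller's seed with the multiplier before use
        self.seed = (seed ^ MULTIPLIER) & MASK

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * MULTIPLIER + ADDEND) & MASK
        return self.seed >> (48 - bits)

    def next_int(self, bound: int) -> int:
        if bound <= 0:
            raise ValueError("bound must be positive")
        r = self._next(31)
        m = bound - 1
        if bound & m == 0:                # power of two: take the top bits
            return (bound * r) >> 31
        u = r
        r = u % bound
        while u - r + m >= 1 << 31:       # Java's int-overflow rejection test
            u = self._next(31)
            r = u % bound
        return r


def index_stream(seed: int, count: int = 32, bound: int = 32) -> list[int]:
    """The exact sequence new Random(seed).nextInt(bound) yields, count times."""
    rng = JavaRandom(seed)
    return [rng.next_int(bound) for _ in range(count)]


def to_pairs(hexstr: str) -> list[str]:
    """Split a hex string into two-character (one byte) chunks."""
    return [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]


def shuffle(pairs: list[str], indexes: list[int]) -> str:
    """Forward shuffle as inferred from the write-up's inverse loop (assumption):
    for i in 0..n-1, swap element i with element indexes[i]."""
    out = list(pairs)
    for i, r in enumerate(indexes):
        out[i], out[r] = out[r], out[i]
    return "".join(out)


def unshuffle(pairs: list[str], indexes: list[int]) -> str:
    """Undo shuffle(): each swap is its own inverse, so replay them in reverse order."""
    out = list(pairs)
    for i in range(len(indexes) - 1, -1, -1):
        r = indexes[i]
        out[i], out[r] = out[r], out[i]
    return "".join(out)


def recover_original_sha() -> str:
    """Rebuild the index stream from the fixed seed and undo the APK's shuffle."""
    indexes = index_stream(SEED_A * SEED_B)
    return unshuffle(to_pairs(SHUFFLED_SHA), indexes)


if __name__ == "__main__":
    idx = index_stream(SEED_A * SEED_B)
    print("nextInt(32) stream:", " ".join(map(str, idx)))
    print("Unshuffled SHA-256:", recover_original_sha())
```

Running the script prints the same 32 indexes the Java program produced and the same unshuffled hash as the Python loop above, without needing a JVM. Shuffling the recovered value again with the same index list returns the string embedded in the APK, which is a quick sanity check that the inverse is exact.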
Looking up the result in a SHA-256 reverse-lookup service such as https://md5decrypt.net/en/Sha256/ gave me the password I was looking for:

All that was left was to open my BlueStacks emulator and enter the password in the app. Then I got back my precious flag.

That was all for today's write-up, hope you've enjoyed it.
I will be uploading a new write-up every weekend, so don't forget to keep up with the blog 😄
You can use my social media to leave me your thoughts about the write-ups 👍
Twitter: https://twitter.com/KrakenEU_
Linkedin: https://www.linkedin.com/in/i%C3%B1aki-tornos-572580177/
Github: https://github.com/KrakenEU/