Monday, November 25, 2024

SANS: Holiday Hack 2024: Act 2: Mobile Analysis

 Mobile Analysis

Eve Snowshoes:

Hi there, tech saviour! Eve Snowshoes and Team Alabaster in need of assistance.

I've been busy creating and testing a modern solution to Santa’s Naughty-Nice List, and I even built an Android app to streamline things for Alabaster’s team.

But here’s my tiny reindeer-sized problem: I made a debug version and a release version of the app.

I accidentally left out a child's name on each version, but for the life of me, I can't remember who!

Could you start with the debug version first, figure out which child’s name isn’t shown in the list within the app, then we can move on to release? I’d be eternally grateful!

Silver

Eve Snowshoes in The Front Yard: Act II gives this challenge.  The goal for this challenge is to examine the debug version of the Naughty/Nice List Android SantaSwipe app.  The hints recommend tools:

"Try using apktool or jadx"

They also recommend working backwards from the names and seeing what names are there.

"Maybe look for what names are included and work back from that?"

For this one, I didn't use either tool.  APKs are ZIP archives, so the contents can be extracted with 7-Zip.  That exposes the classes*.dex files, which hold the app's Dalvik bytecode.  There's a tool called dex2jar that converts a dex file into a jar of ordinary Java class files, which is what the steps below work with.

# check which dex files have anything to do with the naughty or nice list
# (-l lists only the matching file names, -a treats the binary dex as text, -i ignores case)
grep -lai naughty ~/Desktop/SantaSwipe/classes*.dex

# use dex2jar to convert the matching dex file into a jar of Java class files
./d2j-dex2jar.sh ~/Desktop/SantaSwipe/classes3.dex -o ~/Desktop/SantaSwipe/class3.jar

# a jar is itself a zip archive of .class files; the bytecode inside is what javap disassembles later

# view listing of the contents of the jar
cd ~/Desktop/SantaSwipe
jar tvf class3.jar

# extract it into its own directory so the class files stay separate from the apk contents
mkdir class3
mv class3.jar class3
cd class3
unzip class3.jar

# The following is a relative path (no leading /) because it's relative to the class3 directory.
# It's the same as cd ~/Desktop/SantaSwipe/class3/com/northpole/santaswipe
cd com/northpole/santaswipe

The DatabaseHelper.class file shows the database structure and names being added into the naughtynicelist.db database tables NaughtyList, NormalList, and NiceList.

Class files can be disassembled with javap.  String constants such as SQL statements show up inline in ldc instructions, which is why grepping the javap output works.  -p includes private members, which is where helper methods usually end up:

javap -c -p DatabaseHelper.class

It makes sense to look in the MainActivity because that's where the application starts.
In this case, the query that filters the list lives in the inner class MainActivity$WebAppInterface.class (the $ has to be quoted in the shell).

javap -c 'MainActivity$WebAppInterface.class' | grep Ellie

      22: ldc           #218                // String SELECT Item FROM NormalList WHERE Item NOT LIKE \'%Ellie%\'

The answer in the badge for the Mobile Analysis Objective is "Ellie"

Silver achieved.

Gold

The objective of this one is to do the same thing as silver, except the app is shipped as an Android App Bundle (.aab) rather than an APK, so it has to be converted before it can be reverse engineered.  The hints are the following:

"Obfuscated and encrypted? Hmph. Shame you can't just run strings on the file."

"So yeah, have you heard about this new Android app format? Want to convert it to an APK file?"

I had trouble building bundletool, so I downloaded and used the jar version.

java -jar ./bundletool-all-1.17.2.jar build-apks \
  --bundle="$HOME/Desktop/SantaSwipeSecure/SantaSwipeSecure.aab" \
  --output="$HOME/Desktop/SantaSwipeSecure/SantaSwipeSecure.apks" \
  --mode=universal

cd ~/Desktop/SantaSwipeSecure

# the .apks output is itself a zip archive
unzip SantaSwipeSecure.apks

This produced a universal.apk file (bundletool also writes a toc.pb alongside it).  Without a --ks keystore option bundletool signs the APK with a debug key, which is fine for static analysis.

I used jadx-gui for this one.  After opening universal.apk, there's a navigation pane on the left-hand side that lists the components of the APK.

Under com>northpole.santaswipe>DatabaseHelper, the source code for the DatabaseHelper can be viewed.

Important parts:

Encrypted data:

db.execSQL(decryptData("IVrt+9Zct4oUePZeQqFwyhBix8cSCIxtsa+lJZkMNpNFBgoHeJlwp73l2oyEh1Y6AfqnfH7gcU9Yfov6u70cUA2/OwcxVt7Ubdn0UD2kImNsclEQ9M8PpnevBX3mXlW2QnH8+Q+SC7JaMUc9CIvxB2HYQG2JujQf6skpVaPAKGxfLqDj+2UyTAVLoeUlQjc18swZVtTQO7Zwe6sTCYlrw7GpFXCAuI6Ex29gfeVIeB7pK7M4kZGy3OIaFxfTdevCoTMwkoPvJuRupA6ybp36vmLLMXaAWsrDHRUbKfE6UKvGoC9d5vqmKeIO9elASuagxjBJ"));

A function which tells us the cipher and the settings used:

From the following we can see: Encryption: AES, Mode: GCM, Padding: NoPadding, GCM tag length: 128 bits, and an initialization vector (this.iv; we don't know its value yet, but we know it's passed in).  Mode 2 in cipher.init is Cipher.DECRYPT_MODE, and flag 0 in Base64.decode is Base64.DEFAULT, so the ciphertext is standard base64 and the plaintext is UTF-8.  Two things worth noting: the catch block swallows every failure and returns null, so a wrong key produces a null SQL string rather than a crash; and the IV is a fixed field reused for every call, which means every value was encrypted under the same key and nonce.  GCM with a repeated nonce loses both confidentiality and integrity guarantees, so this is obfuscation rather than real protection.

    private final String decryptData(String encryptedData) {
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(2, this.secretKeySpec, new GCMParameterSpec(128, this.iv));
            byte[] doFinal = cipher.doFinal(Base64.decode(encryptedData, 0));
            Intrinsics.checkNotNull(doFinal);
            return new String(doFinal, Charsets.UTF_8);
        } catch (Exception e) {
            Log.e("DatabaseHelper", "Decryption failed: " + e.getMessage());
            return null;
        }
    }

This file also pulls the key (ek) and the IV (iv) out of the app's string resources:

String string = context.getString(R.string.ek);
String string2 = context.getString(R.string.iv);

There's also an encrypted list of names in here much like what was in the silver list.

In jadx-gui, in the navigation pane on the left-hand side, there's an R class under Source Code>com>R.  The R class maps resource names to the integer IDs the app uses to look them up; the actual values live in resources.arsc.  The IDs can look different depending on the tool you're using: sometimes they're shown in decimal instead of hex (0x7f090033 and 2131296307 are the same ID).  Android resource IDs are laid out as 0xPPTTEEEE: package (0x7f is the app's own package), resource type, and entry index.  The idea is the same either way: it's an ID telling the app where to find the actual value.

public static int ek = 0x7f090033;
public static int iv = 0x7f090037;

In jadx-gui, in the navigation pane to the left-hand side, under resources.arsc>res>values, the actual value of the ek and the iv can be found.

ek="rmDJ1wJ7ZtKy3lkLs6X9bZ2Jvpt6jL6YWiDsXtgjkXw="
iv="Q2hlY2tNYXRlcml4"

We can now decrypt the encrypted data.

I used this site to decrypt it, adding the information as necessary.  Please be careful, I can't vouch for it.

https://www.lddgo.net/en/encrypt/aes

It outputs this:

DELETE FROM NormalList WHERE Item = 'KGfb0vd4u/4EWMN0bp035hRjjpMiL4NQurjgHIQHNaRaDnIYbKQ9JusGaa1aAkGEVV8=';

That doesn't look like a name: the Item being deleted is itself a base64-encoded AES-GCM ciphertext, a second layer of the same scheme.  Decrypting it with the same key, IV and settings as before gives output that makes more sense:

Joshua, Birmingham, United Kingdom
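The same two-layer decryption can be done offline, which avoids pasting the recovered key into a third-party website.  The class below is an added example, not code from the SantaSwipeSecure app or from this write-up's tooling.  It mirrors the decompiled decryptData() call for call (AES/GCM/NoPadding, 128-bit tag, base64 input, UTF-8 output), decrypts the execSQL blob, then looks for any quoted base64 value in the resulting SQL and decrypts that too.  Two assumptions: the constructor is not shown in the jadx output above, so the key and IV are assumed to be base64-decoded the same way decryptData() decodes its ciphertext (the 44-character key decodes to 32 bytes, i.e. AES-256, and the 16-character IV to 12 bytes, the usual GCM nonce length); and java.util.Base64 stands in for android.util.Base64 so it runs on a desktop JVM.  The regex that spots the inner layer is a heuristic of this example, not something the app does.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/*
 * Offline reimplementation of the app's decryptData() using the same JCE calls the
 * decompiled DatabaseHelper makes. Added example; not code from the app.
 */
public class SantaSwipeDecrypt {

    // Recovered from res/values/strings.xml (resources.arsc) in universal.apk.
    static final String EK = "rmDJ1wJ7ZtKy3lkLs6X9bZ2Jvpt6jL6YWiDsXtgjkXw=";
    static final String IV = "Q2hlY2tNYXRlcml4";

    // The argument of db.execSQL(decryptData(...)) in the decompiled DatabaseHelper.
    static final String EXEC_SQL_BLOB = "IVrt+9Zct4oUePZeQqFwyhBix8cSCIxtsa+lJZkMNpNFBgoHeJlwp73l2oyEh1Y6AfqnfH7gcU9Yfov6u70cUA2/OwcxVt7Ubdn0UD2kImNsclEQ9M8PpnevBX3mXlW2QnH8+Q+SC7JaMUc9CIvxB2HYQG2JujQf6skpVaPAKGxfLqDj+2UyTAVLoeUlQjc18swZVtTQO7Zwe6sTCYlrw7GpFXCAuI6Ex29gfeVIeB7pK7M4kZGy3OIaFxfTdevCoTMwkoPvJuRupA6ybp36vmLLMXaAWsrDHRUbKfE6UKvGoC9d5vqmKeIO9elASuagxjBJ";

    // Assumption: the constructor (not shown in the jadx output) base64-decodes both
    // resource strings, the same way decryptData() decodes its ciphertext.
    // 44 base64 chars -> 32-byte key (AES-256); 16 base64 chars -> 12-byte GCM nonce.
    private final SecretKeySpec secretKeySpec;
    private final byte[] iv;

    SantaSwipeDecrypt(String ekBase64, String ivBase64) {
        this.secretKeySpec = new SecretKeySpec(Base64.getDecoder().decode(ekBase64), "AES");
        this.iv = Base64.getDecoder().decode(ivBase64);
    }

    // Mirrors the app: AES/GCM/NoPadding, 128-bit tag, mode 2 == Cipher.DECRYPT_MODE,
    // Base64 flag 0 == android.util.Base64.DEFAULT (java.util.Base64 used here instead).
    // Unlike the app, a failed tag check is reported instead of being swallowed as null.
    String decryptData(String encryptedData) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new GCMParameterSpec(128, iv));
        try {
            byte[] plain = cipher.doFinal(Base64.getDecoder().decode(encryptedData));
            return new String(plain, StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            throw new IllegalStateException(
                "GCM tag check failed: wrong key/IV or modified ciphertext", e);
        }
    }

    // Heuristic of this example: a quoted value in the decrypted SQL that still looks
    // like base64 is a second encryption layer (the Item in DELETE FROM NormalList ...).
    private static final Pattern QUOTED_BASE64 = Pattern.compile("'([A-Za-z0-9+/]{16,}={0,2})'");

    void dumpLayers(String outerBlob) throws Exception {
        String sql = decryptData(outerBlob);
        System.out.println("layer 1 (SQL):  " + sql);
        Matcher m = QUOTED_BASE64.matcher(sql);
        while (m.find()) {
            System.out.println("layer 2 (Item): " + decryptData(m.group(1)));
        }
    }

    public static void main(String[] args) throws Exception {
        // Pass another blob from the decompiled source as the first argument to decrypt it.
        String blob = args.length > 0 ? args[0] : EXEC_SQL_BLOB;
        new SantaSwipeDecrypt(EK, IV).dumpLayers(blob);
    }
}
```

Compile and run with `javac SantaSwipeDecrypt.java && java SantaSwipeDecrypt`; any other ciphertext from the decompiled DatabaseHelper can be passed as the first argument.  If the key or IV were decoded differently from the assumption above, the GCM tag check fails and the exception says so, rather than returning null the way the app does.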

The name for the badge in the Objectives for Mobile Analysis is "Joshua".

Gold Achieved.

Note:

I downloaded a copy of apktool. apktool can be used to get the values for the key and iv as well.

https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.10.0.jar

There's a wrapper script that needs to be downloaded to use this.

https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool

# the wrapper script expects the jar to be named apktool.jar and to sit next to it
mv ~/Downloads/apktool_2.10.0.jar apktool.jar
sudo mv apktool apktool.jar /usr/local/bin/
# only the wrapper script needs to be executable; the jar is loaded by java
sudo chmod +x /usr/local/bin/apktool

# decode the apk: smali for the code, plus decoded resources under res/
apktool d universal.apk -o universal.out
cd universal.out/res/values
grep 'string name="iv"' strings.xml
grep 'string name="ek"' strings.xml

