*SPOILERS* Highlight to read.
The hardest part of this challenge was figuring out and setting up Mercury. It's a cool little app that lets you execute commands as an app on the phone. Once it is set up (no easy task, at least for me), all you have to do is execute the command "run app.provider.query content://com.intrepidusgroup.learner.contentprovider/iglearnerdb" in the Mercury terminal. It queries the Learner's insecurely created database using info gleaned from the app itself (database name, content URI).
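The query above works because the provider is reachable from another app without any permission check. As an added defender-side example (not code from this post or from the IG Learner app), here is a small Python audit of an AndroidManifest.xml that lists content providers any other app could query. The manifest below is constructed for illustration: the package and provider names are made up, and the only real rule it applies is Android's default that a provider with no android:exported attribute is exported when targetSdkVersion is below 17.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package; not the IG Learner app's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <!-- exported to every app on the device, no permission required -->
    <provider android:name=".LessonDbProvider"
              android:authorities="com.example.sample.contentprovider"
              android:exported="true"/>
    <!-- exported attribute omitted: defaults to true when targetSdkVersion < 17 -->
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.sample.legacy"/>
    <!-- exported, but callers must hold a permission -->
    <provider android:name=".GuardedProvider"
              android:authorities="com.example.sample.guarded"
              android:exported="true"
              android:permission="com.example.sample.DB_ACCESS"/>
    <!-- private to the app -->
    <provider android:name=".PrivateProvider"
              android:authorities="com.example.sample.private"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(provider, target_sdk):
    """Apply the platform default: an explicit android:exported wins; otherwise a
    <provider> is exported only when the app targets an SDK below 17."""
    exported = _attr(provider, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return target_sdk < 17


def find_unguarded_providers(manifest_xml):
    """Authorities of providers another app can reach without holding any permission.
    (Simplification: targetSdkVersion falls back to minSdkVersion, then to 1.)"""
    root = ET.fromstring(manifest_xml)
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        target_sdk = int(
            _attr(uses_sdk, "targetSdkVersion") or _attr(uses_sdk, "minSdkVersion") or 1
        )
    findings = []
    for provider in root.iter("provider"):
        if not is_exported(provider, target_sdk):
            continue
        if any(_attr(provider, a) for a in ("permission", "readPermission", "writePermission")):
            continue
        findings.append(_attr(provider, "authorities"))
    return findings


if __name__ == "__main__":
    for authority in find_unguarded_providers(SAMPLE_MANIFEST):
        print("unguarded provider:", authority)
```

Run it against a decoded manifest (apktool output, for instance) and every authority it prints is one that a tool like Mercury can query from an unprivileged app; the fix is android:exported="false" or a permission attribute on the provider.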
Tuesday, June 11, 2013
IG Learner Challenge #6
*SPOILERS* Highlight to read.
This challenge was not as much difficult as it was frustrating. From a quick glance at the code it was clear it used AES encryption with the key "intrepidlearner1", but for the life of me I couldn't generate the correct code with the correct combinations of base 64, binary, and luck. So, I wrote some code to do it for me. I will not show it here since I can't cover it in white, but here's the link (excuse the sloppy code, I made it quickly and it's based off the learner app). With that program the challenge was quick.
IG Learner Challenge #5
*SPOILERS* Highlight to read.
Number 5 was a more difficult version of four. Just like in four, in order to complete it, I had to forward phone traffic through my computer and read the secret key. I used Burp to read the data on my computer and ProxyDroid to forward the phone data to my computer (IG has a great tutorial here). However, this challenge had a twist. The app used certificate pinning to link the certificate to the website. Since I could not mimic the certificate, I changed the app to pin my certificate instead of the IG one. After hours of frustration at the program not sending the key, I finally found that I had to pin the "trail" of certificates that led from my proxy to Intrepidusgroup.com, not just my proxy's certificate.
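The "trail of certificates" point above comes down to how the pinning code walks the presented chain. As an added example (my own Python, not the IG Learner app's code or the author's patch), the check below validates a leaf-first chain against a pin set under two rules: "any", where one pinned certificate anywhere in the chain is enough (the rule OkHttp's CertificatePinner uses), and "all", where every certificate in the chain must be pinned, so the pin set has to hold the whole chain. The certificate blobs are constructed byte strings standing in for DER certificates; real pinners hash the SubjectPublicKeyInfo or the whole certificate, and the comparison logic is the same either way.

```python
import base64
import hashlib


def pin_of(cert_bytes):
    """'sha256/<base64>' pin for one certificate's bytes, in the notation OkHttp uses."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_bytes).digest()).decode("ascii")


def chain_is_pinned(chain, pins, mode="any"):
    """Validate a presented certificate chain (leaf first) against configured pins.
    mode="any": accept if at least one certificate in the chain matches a pin.
    mode="all": accept only if every certificate in the chain matches a pin."""
    pin_set = set(pins)
    matches = [pin_of(cert) in pin_set for cert in chain]
    if mode == "any":
        return any(matches)
    if mode == "all":
        return bool(chain) and all(matches)
    raise ValueError("mode must be 'any' or 'all'")


# Constructed stand-ins for DER-encoded certificates (not real certificates).
SITE_LEAF = b"constructed leaf cert: CN=www.example.com"
SITE_INTERMEDIATE = b"constructed intermediate cert: CN=Example Issuing CA"
SITE_ROOT = b"constructed root cert: CN=Example Root CA"
PROXY_LEAF = b"constructed proxy-issued leaf cert: CN=www.example.com"
PROXY_CA = b"constructed proxy CA cert: CN=Local Intercepting Proxy"

GENUINE_CHAIN = [SITE_LEAF, SITE_INTERMEDIATE, SITE_ROOT]
INTERCEPTED_CHAIN = [PROXY_LEAF, PROXY_CA]


def demo():
    """Outcomes for a leaf-only pin set versus a whole-chain pin set under both rules."""
    leaf_only = [pin_of(SITE_LEAF)]
    whole_chain = [pin_of(cert) for cert in GENUINE_CHAIN]
    return {
        # "any": a single pin on the genuine leaf accepts the real chain and rejects
        # the intercepting proxy's chain, since none of its certificates match
        "any/leaf pin, genuine chain": chain_is_pinned(GENUINE_CHAIN, leaf_only, "any"),
        "any/leaf pin, intercepted chain": chain_is_pinned(INTERCEPTED_CHAIN, leaf_only, "any"),
        # "all": a leaf-only pin set rejects even the genuine chain, because the
        # intermediate and root are not in the set; the whole chain must be pinned
        "all/leaf pin, genuine chain": chain_is_pinned(GENUINE_CHAIN, leaf_only, "all"),
        "all/whole chain pinned, genuine chain": chain_is_pinned(GENUINE_CHAIN, whole_chain, "all"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%s: %s" % (case, "accepted" if accepted else "rejected"))
```

For an app author the "any" rule with a pin on an intermediate or the site's own CA is the usual choice, because it survives leaf rotation; the "all" rule is what makes a pin set silently reject valid connections the moment any certificate in the chain changes.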
Wednesday, June 5, 2013
IG Learner Challenge #4
*SPOILERS* Highlight to read.
This challenge was quite difficult. In order to complete it, I had to set up ProxyDroid, an app that forwards all traffic to a proxy, on my phone and have it forward traffic to Burp, a packet sniffer I installed on my computer. This setup forwards all of my phone's internet traffic to my computer. However, since the Learner app will not send the key unless it has an SSL connection to the Intrepidus Group website, I also had to use Burp to make an SSL certificate, then register it on my phone as a trusted CA certificate. Finally, I sent the token, ProxyDroid redirected it to my computer, and I found the key in the parameter SecretTokenHeader.
Tuesday, June 4, 2013
IG Learner Challenge #3
*SPOILERS* Highlight to read.
I was fairly disappointed by this challenge. I decompiled it just like the other one and started looking through the code. I was (rather stupidly) confounded for a long time by looking at lesson3activity since I couldn't find where it checked the input against a key. I eventually realized that, in addition to lesson3activity, there was lesson3handlerActivity, which prominently displayed at the top "final String unlockkey = "crazyurihandler";". Lo and behold, I entered iglearner://www.intrepidusgroup.com/crazyurihandler and was greeted with "UNLOCKED. Challenge is completed." It was sort of an undramatic conclusion to the lesson. I love the idea of the app and I am very grateful that Roman created it, but I feel as though it could have included the URI handler in some way that forces the user to learn about URIs to be able to complete the task.
IG Learner Challenge #2
*SPOILERS* Highlight to read.
This challenge was more difficult than the last since you must look through the application's source to figure out what the passphrase is. My first step was pulling the learner application off of my phone so I could decompile it. I then used the dex2jar utility to convert it to a jar file and used the jd-gui utility to view the source. For whatever reason, the application was not obfuscated, meaning that all of the class and variable names were intact, making searching through it very easy. I looked in the lesson2activity class under com.intrepidusgroup.learner and figured out the code relating to the naming of the file. I will let you do the same, but once you figure out how the name is generated, it is simple to piece together the name of the application from the date and your phone number.
IG Learner Challenge #1
*SPOILERS* Highlight to read.
The first challenge was fairly simple if you know how to access the Android logs -- or even exactly what they are. I, unfortunately, did not. I did some research on what the logs were and came up with the understanding that they were a global resource that applications could dump output into for debugging and logging purposes. While the latter part of that is self-explanatory (I guessed as much but I wanted to be sure), the global part is important since that means there is one log to rule them all. I didn't have to search for the app's individual log, but instead could pull directly from the global log. I used ADB to get the log with the command "adb logcat > log_android.txt". This pulls the log from your phone and writes it in log_android.txt. The only issue with this method is that it is slow, taking hours to gather the full log. However, you don't need the full log, just a few recent additions to it, so you can cut it off after a few minutes of downloading. I then searched the log (in a standard text editor using ctrl-f) for the phrase "com.intrepidusgroup.learner" since that is the system name of the application. I found the process ID associated with the app (just the number next to "com.intrepidusgroup.learner") and searched for that instead since the full name doesn't always appear next to the log entries. I looked through the log, finding all instances of the process ID until I found a fairly distinctive patch of log entries with one of them containing the code that let me proceed.
NOTE: the passphrase is procedurally generated, meaning it changes if you restart the app, so you must do all of this without killing the app.
This would suggest that you only need to run it for as long as it takes to press Lesson 1. Thanks Max!
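The manual procedure above (find the "Start proc" line for the package, take its PID, then read only that PID's entries because the package name is absent from the app's own lines) is easy to script, and the same script doubles as a check a developer can run on their own app to catch credentials written to logcat. This is an added Python example of mine, not code from the post; the logcat excerpt is constructed in logcat's default "brief" format, and only the package name comes from the post, with the PIDs, tags and passphrase value made up.

```python
import re

# Constructed logcat excerpt in the default "brief" format: priority/tag(pid): message.
SAMPLE_LOGCAT = """\
I/ActivityManager(  581): Start proc com.intrepidusgroup.learner for activity com.intrepidusgroup.learner/.MainActivity: pid=2311 uid=10062 gids={50062}
D/dalvikvm( 2311): GC_CONCURRENT freed 204K, 7% free 4520K/4843K, paused 2ms+3ms
D/Lesson1 ( 2311): Lesson 1 started
D/Lesson1 ( 2311): passphrase=CONSTRUCTED-SAMPLE-KEY
D/dalvikvm( 1877): GC_CONCURRENT freed 310K, 5% free 6011K/6300K, paused 1ms+2ms
I/ActivityManager(  581): Displayed com.intrepidusgroup.learner/.Lesson1Activity: +420ms
"""

BRIEF_LINE = re.compile(r"^([VDIWEF])/([^(]*)\(\s*(\d+)\):\s?(.*)$")
START_PROC = re.compile(r"Start proc (\S+) .*?\bpid=(\d+)")
# Words that suggest a line is carrying a credential; extend the list for your own app.
SECRET_HINT = re.compile(r"(passphrase|password|secret|token|api[_-]?key)", re.IGNORECASE)


def parse_logcat(text):
    """Split brief-format logcat output into entries; lines in other formats are skipped."""
    entries = []
    for line in text.splitlines():
        m = BRIEF_LINE.match(line)
        if m:
            prio, tag, pid, msg = m.groups()
            entries.append({"prio": prio, "tag": tag.strip(), "pid": int(pid), "msg": msg})
    return entries


def find_pid(entries, package):
    """PID from ActivityManager's 'Start proc' line; the last start wins if the app
    was relaunched, which matters because the passphrase changes on restart."""
    pid = None
    for entry in entries:
        m = START_PROC.search(entry["msg"])
        if m and m.group(1) == package:
            pid = int(m.group(2))
    return pid


def entries_for_pid(entries, pid):
    """Every entry the process wrote, regardless of tag."""
    return [entry for entry in entries if entry["pid"] == pid]


def find_secret_leaks(text, package):
    """Messages from the package's process that look like they contain a credential."""
    entries = parse_logcat(text)
    pid = find_pid(entries, package)
    if pid is None:
        return []
    return [e["msg"] for e in entries_for_pid(entries, pid) if SECRET_HINT.search(e["msg"])]


if __name__ == "__main__":
    for msg in find_secret_leaks(SAMPLE_LOGCAT, "com.intrepidusgroup.learner"):
        print("possible credential in logcat:", msg)
```

Feed it the file from "adb logcat > log_android.txt" and the package name; since logcat is world-readable on the Android versions of this era, anything it prints is readable by every other app on the device, which is why release builds should not log secrets at all.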
IG challenges
For the past few days I have been working on completing challenges in an application that was given to me by my brother. The app is called "IG Learner" and it has a series of discrete challenges that teach the user about Android security. On this blog I will post walkthroughs for the challenges so that you can solve them the same way I did. However, I encourage you to try them on your own first as they are very rewarding to complete without any help. I would also like to thank Roman Faynberg for creating the app; it is an awesome resource.