Tuesday, June 11, 2013

IG Learner Challenge #5

*SPOILERS* Highlight to read.
Number 5 was a more difficult version of four. Just like in four, in order to complete it, I had to forward phone traffic through my computer and read the secret key. I used Burp to read the data on my computer and ProxyDroid to forward the phone data to my computer (IG has a great tutorial here). However, this challenge had a twist. The app used certificate pinning to link the certificate to the website. Since I could not mimic the certificate, I changed the app to pin my certificate instead of the IG one. After hours of frustration at the program not sending the key, I finally found that I had to pin the "trail" of certificates that led from my proxy to Intrepidusgroup.com, not just my proxy's certificate.
