HackZeugma CTF Semi-Finals Potter & Signal Writeup


Summary

My teammates and I were able to solve a couple of the CTF questions, and we finished in the top 10. I would like to talk about two of them, both of which were the Android-related questions. Since the points for these questions were set dynamically, I didn't include them here.

The first one was named Potter and we were given an apk file; sorry, I cannot remember the exact question text. The Potter app was revealing the flag itself, but extremely slowly. Inside that apk there was a sleep call whose parameter was a quadratically increasing number; hooking the parameter of that sleep function was needed in order to make it run without waiting through the sleep delays. But instead of hooking the sleep function directly, I hooked a variable which was used as its parameter.

The other question was named Signal and we were given a rar file, which I believed was some sort of storage dump of a phone/emulator. We were asked to find some sort of secret messages/documents amongst those files; sorry, I cannot remember the exact text. Inside that rar file there were two other 7z files: one of them looked like an sdcard dump, the other one was the data folder in the phone's/emulator's root directory. After some inspection I understood that I needed to recover messages of the Signal messenger, which I did. Capturing the flag after the message recovery process was totally unpleasant because the question turned into a stego challenge, which was extremely unnecessary. I spent most of my time solving/understanding the last part.

Solutions

Potter

We were given an apk file called potter.apk; first I installed it on an emulator. After clicking the emoji button the flag started to reveal itself, but it looked like it was getting slower at every character reveal.

I opened the potter.apk file with the jadx-gui[1] tool and started looking from the MainActivity class to understand how the flag is revealed and what causes that slowness.

[screenshot: hackzeugma-ctf-potter]

As you can see in the screenshot above, Thread.sleep was used to make revealing the flag slow. At every iteration the parameter of Thread.sleep was increased by multiplying it with some other values.

[screenshot: hackzeugma-ctf-potter]

But those parameters had an origin value which was coming from the variable r, and I thought that if I could set its value to zero then the parameters of the sleep function would be zero and the app would need zero seconds to reveal the entire flag.

To test my thought I wrote a basic frida[2] script. What this script basically does is look up the live com.hz.potter.MainActivity instance and set that class's variable r to zero.

script.js

```javascript
// Runs inside the Frida Java runtime: find the live MainActivity
// instance on the heap and zero the field the sleep delay is derived from.
Java.perform(function () {
    Java.choose("com.hz.potter.MainActivity", {
        onMatch: function (instance) {
            console.log("initial value: " + instance.r.value);
            instance.r.value = 0; // every later Thread.sleep delay becomes 0
            console.log("after change: " + instance.r.value);
        },
        onComplete: function () {
            console.log("[*] Function complete!");
        }
    });
});
```

Potter Flag

After I clicked that emoji button in the app, I loaded my script via frida and the flag was revealed almost instantly.

Signal

In this question we were asked to find any secret messages/files which were possibly related to the Signal messenger app. We were given a signal.rar file; inside this rar file there were another two 7z files. I did not extract them all at first, I was just looking at the files in the Ark tool. While looking at the files I was wondering whether we were expected to recover Signal app messages, because if I remember correctly a Signal messenger app version number was given in the question. I started focusing on this thought.

[screenshot: hackzeugma-ctf-signal]
[screenshot: hackzeugma-ctf-signal]

I started with the smaller 7z file, and inside the Download folder there was an encrypted pdf file called super_secret_doc_enc.pdf. While I was trying to find its password I started a john[3] brute-force attack with the rockyou.txt[4] password list in the background and continued with my first thought.

I started looking at the data.7z file.

[screenshot: hackzeugma-ctf-signal]

Inside the /data/app/org.thoughtcrime.securesms-1 folder I found the Signal Messenger app's apk (I was going to download the version provided in the question's text from the internet if I hadn't found this).

I installed it on my Android emulator, and after seeing that it was working I quit the app and continued my investigation through the data.7z file.

[screenshot: hackzeugma-ctf-signal]

I found Signal messenger's data folder under /data/data/org.thoughtcrime.securesms; there was a Signal database file (signal.db) which was an encrypted sqlite database. Signal uses sqlcipher[5] to encrypt its database.

Under the shared_prefs folder there were two xml files which I thought could decrypt the Signal database, because there were encryption keys in these files.

SecureSMS-Preferences.xml

```xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="encryption_salt">4gZmBfVyhaR+VT0QBetqZQ==</string>
<string name="master_secret">yU7g8B4mcmiLAVZZZoysizjOKHg6USd+5/nyJKr+WDBlGlnHcSFfTW6jCUXd6RPuhH17idsNhTDzG+2dYMM080SXcIM=</string>
<string name="pref_identity_private_v3">aKK6zZPN+X0axo1A+mzhAsT6BTCQiymKb1YxGIGg8E4=</string>
<string name="asymmetric_master_secret_curve25519_private">JrPr1x7ck807FkgcizA5S9LZfXErqTUQwHKv2Pq5laStA5THfMvSQNB1lvbcIGdckdrRix27RQeMwcTC81X41AH/gI4eYtE7HFSeeVSHvWptIq7q</string>
<string name="mac_salt">EGFdsQ5k1Vv8LQULfpCf1Q==</string>
<string name="pref_identity_public_v3">BblnR3QaHvR4ds7ok7hLrCDCX81qP5aV/YGkGVaTwXRM</string>
<int name="passphrase_iterations" value="1128" />
<boolean name="passphrase_initialized" value="true" />
<string name="asymmetric_master_secret_curve25519_public">BbGpuKODz4o8JYyKEZzVKoX936tAyyrKxZqEVlT6GEd4</string>
</map>
```
org.thoughtcrime.securesms_preferences.xml

```xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="pref_gcm_registered" value="true" />
<long name="pref_update_apk_refresh_time" value="1588002152881" />
<string name="pref_attachment_unencrypted_secret">{&quot;classicCipherKey&quot;:null,&quot;classicMacKey&quot;:null,&quot;modernKey&quot;:&quot;5cyQ4YHuBvheqkcY3LouqWunFKn4PdduXUNp+cW2f+I&quot;}</string>
<int name="pref_job_manager_version" value="5" />
<boolean name="pref_seen_sticker_intro_tooltip" value="true" />
<boolean name="insights.opt.out" value="true" />
<string name="pref_gcm_password">p6/L0y+6QtiyntaYDiMUrDWM</string>
<long name="pref_unidentified_access_certificate_rotation_time" value="1588066952870" />
<string name="pref_log_unencrypted_secret">B0KNgJXPM7RRUKWynWVaNQEKhnBp1Uw6E8sSQE6hw+g=</string>
<string name="pref_unidentified_access_certificate">CqcBCgwrMTUwOTM2ODc0OTUQARnzyxDfcQEAACIhBblnR3QaHvR4ds7ok7hLrCDCX81qP5aV/YGkGVaTwXRMKmkKJQgBEiEFdUMjcS5ytG1NqDjdyJ105jFx4m0UZZZGinS98eiWSWUSQB8y83lxaj0e/L/LC2nzOGXuuN8yaBda9wDVgUyoYll9A+e3V0hCNEt6OISEBwGOF8E5oP/jc5Rl0NwKJ2Ge3Q8SQEowSmdOWf82+UDjKIZLogYbY5QVMTa/NW7OTYtuTr+wg9vacu7QahBBxhJ+/vNLfmQBmVcypAro0cz+7mhalg4=</string>
```

I left out the rest of this file.
[screenshot: hackzeugma-ctf-signal]

So I pushed these data files to my emulator into their corresponding destinations (the screenshot above is from my terminal history, so please ignore the current working directories).

After pushing the files to the emulator, I launched the Signal messenger app in the emulator. Aaaand tadaa🎉🎉, I know there is no magic here. There were no messages in the app other than the one in the screenshot below.

[screenshot: hackzeugma-ctf-signal]

The long string (base64 decodable but irrelevant) was the password of that encrypted pdf file (super_secret_doc_enc.pdf) which I found in the sdcard.7z file in the beginning. The same pdf file was also in the Note to Self message history as an attachment (I think there is no need for the sdcard.7z file because it has no purpose; the same pdf can be recovered from the Signal app).

[screenshot: hackzeugma-ctf-signal]

Do you see any flag in the screenshot above? Me neither! I believe this question should have been completed here and I should have seen the flag, but I did not. After this part the question kind of turned into a steganography question, and I think it was quite unpleasant.

Solving that stego challenge cost me so much time. After seeing the first part of the flag I thought "Did they split the flag into several parts?", because it still looks like so even after solving it. Therefore, I dived into so many rabbit holes that I even wrote a small python script to iterate through every sqlite database and search for something suspicious. I even looked into the Signal stickers (which I guess could be better than binwalk) :(
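As an added illustration (my own code, not the script from the original writeup), here is what such a sqlite sweep looks like: it walks a directory, skips files without the plain SQLite header (a SQLCipher-encrypted signal.db has none, so it is reported rather than silently ignored), and searches every text/blob cell of each readable database for a pattern. The flag{...} pattern and the fixture files are constructed assumptions.

```python
import os
import re
import sqlite3
import tempfile
from contextlib import closing

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file

def is_plain_sqlite(path):
    # SQLCipher encrypts page 1 as well, so Signal's signal.db fails this check
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def scan_db(path, pattern):
    """Yield (table, column, match) for every text/blob cell matching pattern."""
    with closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as con:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        con.text_factory = bytes  # keep raw bytes: no decode errors on odd encodings
        for table in tables:
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    m = pattern.search(val) if isinstance(val, bytes) else None
                    if m:
                        yield table, col, m.group(0).decode("utf-8", "replace")

def sweep(root, pattern):
    """Walk root; return (hits, skipped) where skipped lists encrypted/unreadable files."""
    hits, skipped = [], []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            try:
                if not is_plain_sqlite(p):  # SQLCipher or not a database at all
                    raise ValueError("no SQLite header")
                hits += [(p,) + h for h in scan_db(p, pattern)]
            except (ValueError, sqlite3.DatabaseError) as e:  # encrypted or damaged
                skipped.append((p, str(e)))
    return hits, skipped

def demo():
    # constructed fixture: one plain DB with a planted marker, one fake SQLCipher file
    root = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(root, "notes.db"))
    con.executescript("CREATE TABLE note (id INTEGER, body TEXT, data BLOB);"
        "INSERT INTO note VALUES (1, 'nothing here', x'00ff'), (2, 'see flag{constructed_sample}', NULL);")
    con.close()
    with open(os.path.join(root, "signal.db"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for the SQLCipher-encrypted signal.db
    return sweep(root, re.compile(rb"flag\{[^}]*\}"))  # flag format is an assumption
```

Point sweep() at the extracted data folder with the real flag format to get every match together with the list of databases it could not open.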

I will cut this short: in order to capture the flag I needed to remove the password protection of the super_secret_doc_enc.pdf file. I used the qpdf tool.

```bash
# the pdf password was stored in the pdf.password file
# save the new pdf file as unsecured.pdf
qpdf --password="$(cat pdf.password)" --decrypt super_secret_doc_enc.pdf unsecured.pdf
```

After removing the pdf's password, I needed to use binwalk extraction. Two image files were extracted and one of them was the flag.

[screenshot: hackzeugma-ctf-signal]
[screenshot: hackzeugma-ctf-signal]

Signal Flag

[screenshot: hackzeugma-ctf-signal]

Reference: