Globant CTF 2022 — Not Again: Android Challenges Write-up

A Beginner’s Journey through Globant CTF 2022’s Android Challenges

Jesus Noguera
Globant
Jun 23, 2023


Globant CTF 2022 — Not Again

This article is the first part of a series of three articles where I show how I got the flags of all Android challenges of the Globant CTF 2022, which consisted of 5 challenges to get 900 points! Before we delve into the details, let’s take a moment to understand what a CTF is and the motivation behind this article.

Capture The Flag (CTF) is a competition that challenges the participants to solve tasks and get a specific piece of text that could be hidden somewhere or split and hidden in several places. This text is called the flag, and the flag will prove that you were able to solve the tasks to get it and reward you with some points.

My motivation for writing this article is to teach others the use of simple tools within everyone’s reach, allowing us to learn more about mobile application security (Android). Also, to change the mentality of those who believe that capture the flag (CTF) events are only for Cybersecurity experts and to motivate them to step forward and participate in the next CTF.

Like any competition, to get more points you have to solve more tasks, and the number of points will depend on the difficulty of the tasks. Some challenges do not require programming knowledge or special skills; most are a matter of problem-solving and creative thinking.

There are three types of CTF:

  • Jeopardy: We must solve some tasks by applying information or skills to get the flag. When we solve the task, new ones will unlock. Some common topics that we can find out in Jeopardy CTF are cryptography, web exploitation, reverse engineering, and forensics.
  • Attack-Defense: In this type of CTF, we will find two groups competing against each other; we will have to secure our flag, protect our host against the other team, and identify the vulnerabilities in the other team’s system.
  • Mixed: This type of CTF involves attack-defense and jeopardy styles, so we will have to attack and defend some systems while we solve some challenges.

The most common CTFs are Jeopardy type, so it is important to review the following topics deeply:

  • Cryptography: We must convert strings or decrypt text, audio, or even images to get the flag.
  • Web Exploitation: These challenges involve skills in exploring web vulnerabilities such as SQL injection, cross-site scripting, buffer overflow, path traversal, etc.
  • Reverse engineering: In these challenges, we will have to turn compiled code back into a decompiled form that is easier to read.
  • Forensics: Involves hidden flags in different types of files such as images, memory logs, network packet captures, etc.

OK, now what?

Now let’s try to solve a few challenges from the Globant 2022 CTF. This CTF was Jeopardy-style. Here we solved some challenges related to an Android APK file, and we applied some techniques to solve cryptography, reversing, and forensic tasks.

Let’s get it on!

Android1 (100) — Android2 (100) — Android3 (200)

In our first challenge, we were given a clue from the start, the task was to search for sensitive information that had been hard-coded in strings:

First challenge

For the second challenge, we received a helpful tip regarding information hidden within the application layouts:

Second challenge

In the third challenge, we were informed that the message could be inside an object and wouldn’t be easily detectable through human inspection. This concept reminded us of steganography, a technique frequently associated with hiding information.

Third challenge

We were a bit lucky, as we were able to solve our first three challenges quickly and easily with just two commands.

We started by downloading the APK file, which worked for all the challenges. We then used the following two Unix commands:

  • Strings: to read the characters that are inside our APK.
  • Grep: to search for our flag among those characters.

Flag format

First, we had to remember the flag format. Thanks to the initial CTF instructions we knew that our flags followed the format globant{foo_bar}, so we used strings and grep as follows:

$ strings ctf2022_v1.0.apk | grep 'globant{'

strings and grep output

The output gave us three flags. The first on the list told us about steganography. We were right that this flag had to be the third challenge flag. The second flag told us that it was the 2021 CTF flag and that we were on the right path. The third flag was about strings, so it had to be related to the flag of the first challenge.

OK, but were we right?

We were confident that we were right about the flag from the first challenge. To check the flag from the third challenge and follow the path of our flag from the previous year, we extracted the contents of our APK into a folder as if it were a compressed file. Once there, we saw several folders, including a res folder. This folder contains the resources of our application. Among them, we saw interesting folders such as layout, mentioned in the second challenge, and drawable, mentioned in the third challenge.

We used grep again, but this time with the -r, -n, and -a flags:

$ grep -rna 'globant{'

About the grep parameters:

  • r: search the text recursively within all subdirectories.
  • n: detail the line and the file where it found the match.
  • a: search inside the contents of binary files.

As a result, we had a match in 3 files. Let’s take a look:

Layout — second challenge flag

We found the second challenge flag; what else did we have?

Steganography — third challenge flag

We confirmed that our third challenge flag was correct; it was inside a “flag3.png” image file inside the drawable directory. Finally, we saw that the CTF 2021 flag was on the correct path and gave us the clue for the third challenge flag:

Steganography — flag challenge CTF 2021

We were amazed that we already had three flags and 400 points with only two commands. The next two flags (challenges 4 and 5) were not impossible but they required more effort, so we will see them in parts 2 and 3 of this article.

Conclusion

We managed to break our first three challenges with just two commands. We did not need advanced knowledge in cybersecurity, and we only used commands available in the OS.

The last two challenges required us to step up our knowledge about Android a little bit, but nothing that a few minutes of reading and understanding the documentation could not solve.

Thanks for reading, and see you in parts 2 and 3. Happy hacking!
