I’ll give you a walkthrough of the Qropolis challenge that was part of DOME CTF 2020. Let’s break it down step by step.
So for this challenge you’re provided with an apk file, and the challenge description goes like this: “Vardy received a note from one of his old friends, Jamie, that says, ‘I’m leaving this app with you. Please make me proud.’”
To solve this challenge you first have to decompile the apk file. You can use an online APK decompiler for that.
Once you decompile the apk, you can view the files in it.
Open AndroidManifest.xml.
From the manifest file it is clear that there is only one activity named CameraActivity for this app.
So now we know the application is built around a camera activity.
Open CameraActivity.java
Go to onCreate(); from there we can see that onCreate() calls initViews().
Go to initViews().
initViews() is where all the variables are initialised.
Then, looking at the button’s click listener, you can see that on click the text of the TextView “txt” is read and decoded using the CryptUtil class.
If the decoded string starts with “domectf”, a toast notification is shown that says “This may look like a flag.”
If the decoded string does not satisfy that condition, the toast shows “invalid input”.
Now let us search for where the TextView txt is assigned its text.
This is the function where the TextView txt is assigned. From the function it is clear that the app scans barcodes and stores the decoded value in the TextView.
From the above code we know the application scans a code and decodes it using the CryptUtil class. There are no other clues about where the barcode is stored.
Let us assume the barcode is hidden inside the apk file.
Search for all image files in the apk.
Using the terminal, search for all image types.
You will then get a list of all the images stored in the apk.
Clearly there are a huge number of images inside the apk, and opening each one to look for a barcode would be very time consuming. But looking closely at the file names, we can see that there is a .ttf file among them.
All you have to do now is rename montserrat.ttf to montserrat.webp, then open the app again and scan the QR code present in it.
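The trick here is that the file extension lied: a .ttf name hid a WebP image. Rather than eyeballing file names, the same check can be done by reading each file’s magic bytes and flagging any whose content does not match its extension. The script below is an added example, not part of the original writeup or the challenge apk; it builds a tiny constructed directory tree that mimics an unpacked apk (an honest PNG, an honest font, and a WebP saved as montserrat.ttf) and reports the mismatch. The directory names and file contents are constructed for the demo; the byte signatures are the standard ones for each format.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Well-known magic bytes for the formats of interest (file-format constants, not page values).
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "ttf": [b"\x00\x01\x00\x00", b"true"],
}


def detect_type(header: bytes) -> Optional[str]:
    """Return the format implied by the first bytes of a file, or None if not recognised."""
    # WebP is a RIFF container; the form type at bytes 8..12 identifies it.
    if header.startswith(b"RIFF") and header[8:12] == b"WEBP":
        return "webp"
    for name, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return name
    return None


def find_mismatches(root: str) -> List[Tuple[str, str, str]]:
    """Walk an unpacked apk tree and return (relative path, extension, detected type)
    for every file whose extension disagrees with what its magic bytes say it is."""
    mismatches = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            ext = os.path.splitext(fn)[1].lower().lstrip(".")
            ext = "jpg" if ext == "jpeg" else ext  # treat .jpeg and .jpg alike
            with open(path, "rb") as f:
                header = f.read(16)
            detected = detect_type(header)
            if detected is not None and detected != ext:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                mismatches.append((rel, ext, detected))
    return sorted(mismatches)


def build_sample_apk_tree() -> str:
    """Construct a fake unpacked-apk tree (hypothetical layout) for the demo:
    a real PNG, a real TrueType font, and a WebP image hidden under a .ttf name."""
    root = tempfile.mkdtemp(prefix="apk_")
    os.makedirs(os.path.join(root, "res", "drawable"))
    os.makedirs(os.path.join(root, "assets", "fonts"))
    with open(os.path.join(root, "res", "drawable", "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "assets", "fonts", "roboto.ttf"), "wb") as f:
        f.write(b"\x00\x01\x00\x00" + b"\x00" * 32)
    # The challenge's trick: a WebP (RIFF....WEBP) stored with a .ttf extension.
    with open(os.path.join(root, "assets", "fonts", "montserrat.ttf"), "wb") as f:
        f.write(b"RIFF\x24\x00\x00\x00WEBPVP8 " + b"\x00" * 32)
    return root


if __name__ == "__main__":
    tree = build_sample_apk_tree()
    for rel, ext, real in find_mismatches(tree):
        print(f"{rel}: named .{ext} but content looks like {real}")
```

Point find_mismatches() at the directory produced by your decompiler instead of the constructed tree and it will list every file whose extension does not match its content, which is exactly how the mis-named montserrat.ttf stands out without opening every image.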
You will get the flag once you scan the QR code.