
[Write-up] RC3 CTF : My Lil Droid

November 22, 2016 | Posted in How to

Title : My Lil Droid
Category : Forensics
Point : 100
Description : Sometimes not all files are needed.


Download Link: https://drive.google.com/file/d/0Bw7N3lAmY5PCOFNQZFgtSVlFZ3M/view?usp=sharing


Hint:

- You probably don't have to run it


====================

[POC]


Given an APK we used The Unarchiver to open it up.


$ apktool d youtube.apk


I: Using Apktool 2.2.0 on youtube.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/beefbabe/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...


We found interesting files under the "unknown" directory.

- Fastest way

Let's begin by searching with grep


$ grep -r "2016" .


... cut
./youtube/unknown/build-data.properties:build.tool=Blaze, release blaze-2016.04.14-4 (mainline @119748905)
./youtube/unknown/build-data.properties:build.time=Tue May 31 15\:02\:21 2016 (1464732141)
./youtube/unknown/build-data.properties:UkMz-2016-R09URU0yMQ==
Binary file ./youtube.apk matches


Voila, but it is base64 encoded: UkMz is the base64 of RC3 and R09URU0yMQ== is the base64 of GOTEM21.
So after decoding the base64 we can submit the flag.


Flag : RC3-2016-GOTEM21
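
The per-token decoding described above, as an added example that is not part of the original write-up: it splits each line on characters outside the base64 alphabet and keeps only tokens that decode to printable ASCII. The function names and the SAMPLE list (built from the grep output shown above) are assumptions made for this example.

```python
import base64
import binascii
import re
import sys

# Runs of base64-alphabet characters plus optional padding. '-' is outside the
# standard alphabet, so UkMz-2016-R09URU0yMQ== splits into three tokens.
TOKEN = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")

def try_decode(token):
    """Return the decoded text if token is strict base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return None  # ordinary words and numbers usually decode to binary noise
    return raw.decode("ascii")

def decode_line(line):
    """Decode every decodable token in place; return (rewritten_line, hits)."""
    hits = []
    def repl(match):
        text = try_decode(match.group(0))
        if text is None:
            return match.group(0)
        hits.append((match.group(0), text))
        return text
    return TOKEN.sub(repl, line), hits

# Constructed sample: the build-data.properties lines shown in the grep output.
SAMPLE = [
    "build.tool=Blaze, release blaze-2016.04.14-4 (mainline @119748905)",
    "build.time=Tue May 31 15\\:02\\:21 2016 (1464732141)",
    "UkMz-2016-R09URU0yMQ==",
]

def scan(lines):
    """Return the rewritten form of each line that held at least one decodable token."""
    return [new for new, hits in map(decode_line, lines) if hits]

if __name__ == "__main__":
    # With no argument, run on the sample; otherwise read the given file.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for found in scan(line.rstrip("\n") for line in src):
        print(found)
```

Short English words can occasionally decode to printable bytes, so treat hits as candidates to review rather than confirmed encodings.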


- Slowest way

Check the youtube folder, then go to the unknown folder; there is a file called build-data.properties



Let's check it.



Gotcha !
