On app load, a request is sent to the server and returns a flag link.
However, the result shows an invalid request.
It is good practice to modify every HTTP parameter you can reach.
The server seems to always send the same link no matter what parameter I send in the request.
But the second request needs more data.
After adding the parameter hash, it shows a different response.
Since we have the APK file, we can look inside it.
Use dex2jar to convert it to a jar.
```
d2j-dex2jar.bat -f ./level13.apk
```
This gives us level13-dex2jar.jar.
Use jd-gui to check inside the jar.
The full source can be found at MainActivity.java.
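```java
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
// The hard-coded key is fed into the digest first...
messageDigest.update("s00p3rs3cr3tk3y".getBytes(StandardCharsets.UTF_8));
// ...followed by the payload taken from the incoming URI.
messageDigest.update(str3.getBytes(StandardCharsets.UTF_8));
byte[] arrayOfByte = messageDigest.digest();
```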
The request hash is generated with SHA-256 over the secret key s00p3rs3cr3tk3y followed by the message payload str3.
However, the first request hash is just the secret key without any payload.
SHA-256(s00p3rs3cr3tk3y) = 61f4518d844a9bd27bb971e55a23cd6cf3a9f5ef7f46285461cf6cf135918a1a
Another piece of code gives the hint.
```java
Uri uri = getIntent().getData();
str3 = uri.toString().substring(28);
```
and
```xml
<data
android:scheme="http"
android:host="level13.hacker101.com"
/>
```
The prefix http://level13.hacker101.com is 28 characters long, so the payload is whatever follows index 28 of the URI:
```java
"http://level13.hacker101.com".substring(28);
```
uri | payload |
---|---|
/appRoot | null |
/appRoot/flagBearer | /flagBearer |
So we need to hash /flagBearer together with the secret key s00p3rs3cr3tk3y to get this hash.
Try this online tool.
SHA-256(s00p3rs3cr3tk3y/flagBearer) = 8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e
Create a new GET request with the newly generated hash. The server will send back the flag.
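
The hash computation described above can also be reproduced locally instead of with an online tool. The following is an added example, not code from the app or from the original write-up. The function names are hypothetical; the key, prefix and hash values are the ones quoted above.

```python
import hashlib
import hmac

# Values taken from the write-up above.
SECRET_KEY = "s00p3rs3cr3tk3y"
DEEP_LINK_PREFIX = "http://level13.hacker101.com"  # scheme + host from the manifest

# Hashes as stated in the write-up, keyed by payload.
PAGE_HASHES = {
    "": "61f4518d844a9bd27bb971e55a23cd6cf3a9f5ef7f46285461cf6cf135918a1a",
    "/flagBearer": "8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e",
}


def payload_from_uri(uri: str) -> str:
    """Mirror of str3 = uri.toString().substring(28) in MainActivity."""
    if len(uri) < len(DEEP_LINK_PREFIX):
        # Java's substring(28) would throw on a shorter string.
        raise ValueError("URI shorter than the 28-character prefix")
    return uri[len(DEEP_LINK_PREFIX):]


def request_hash(payload: str) -> str:
    """SHA-256 over key then payload, fed in two update() calls like the app."""
    digest = hashlib.sha256()
    digest.update(SECRET_KEY.encode("utf-8"))
    digest.update(payload.encode("utf-8"))
    return digest.hexdigest()


def matches_write_up(payload: str) -> bool:
    """Compare a locally computed hash with the value quoted in the write-up."""
    return hmac.compare_digest(request_hash(payload), PAGE_HASHES[payload])


if __name__ == "__main__":
    for uri in (DEEP_LINK_PREFIX, DEEP_LINK_PREFIX + "/flagBearer"):
        payload = payload_from_uri(uri)
        print(f"{payload!r:15} {request_hash(payload)} "
              f"matches write-up: {matches_write_up(payload)}")
```

Because the key ships inside the APK, anyone who decompiles the app can compute a valid hash for any payload, so this check does not authenticate the client.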