Nahamcon CTF 2024 Writeup — Mobile Category
Last week, I participated in the Nahamcon CTF 2024 for fun and solved all mobile challenges with my team. Below are the write-ups for the challenges:
Table of Contents
· Table of Contents
· Kitty Kitty Bang Bang
∘ Description
∘ Solution
· Guitar
∘ Description
∘ Solution
· Buggy Jumper 1
∘ Description
∘ Solution
· Buggy Jumper 2
∘ Description
∘ Solution
· Fly Away! 1
∘ Description
∘ Solution
· Fly Away! 2
∘ Description
∘ Solution
Kitty Kitty Bang Bang
Description
The application loads a library named `kittykittybangbang`.
This library is used in a function named `stringFromJNI` that is called when `motion.GetAction == 0`.
Solution
In this challenge, there are various ways to solve it. In this write-up, I used the simplest method, which is to directly call the function itself because the function does not require any dependencies.
Below is the Frida script to do this:
Run the script, and the flag will be in the output.
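As an added example (my own script, not the one from the original write-up), here is a Frida script that does what the solution above describes: it finds a live instance of the activity on the Java heap and calls `stringFromJNI` on it directly, without replaying the touch event. The package and class name `com.example.kittykittybangbang.MainActivity` are assumptions; `stringFromJNI` and the `kittykittybangbang` library name come from the write-up, and the `libkittykittybangbang.so` file name follows the `System.loadLibrary` convention.

```javascript
// Added example, not the write-up's own script: call a JNI-backed method
// directly on a live Activity instance from Frida.
const TARGET_CLASS = "com.example.kittykittybangbang.MainActivity"; // assumed
const TARGET_METHOD = "stringFromJNI";                               // from the write-up
const NATIVE_LIB = "libkittykittybangbang.so";                       // from the write-up's library name

// Enumerate live instances of `className` on the Java heap and call `methodName`
// on each one, handing every outcome to `report`. The Java bridge is passed in as
// a parameter so the same logic can be exercised outside a Frida session.
function callOnLiveInstances(JavaApi, className, methodName, report) {
  JavaApi.perform(() => {
    let matches = 0;
    JavaApi.choose(className, {
      onMatch(instance) {
        matches += 1;
        try {
          // The method needs no arguments and no other state, which is why
          // calling it directly is enough for this challenge.
          report({ ok: true, value: instance[methodName]() });
        } catch (e) {
          // Typically UnsatisfiedLinkError if the native library is not loaded yet.
          report({ ok: false, value: String(e) });
        }
      },
      onComplete() {
        if (matches === 0) {
          report({ ok: false, value: `no live ${className}; open that screen first` });
        }
      },
    });
  });
}

if (typeof Java !== "undefined" && typeof Process !== "undefined") {
  // Inside a Frida session: confirm the native library is mapped before calling
  // into it, then print whatever the JNI method returns.
  const lib = Process.findModuleByName(NATIVE_LIB);
  console.log(lib ? `${NATIVE_LIB} loaded at ${lib.base}` : `${NATIVE_LIB} not loaded yet`);
  callOnLiveInstances(Java, TARGET_CLASS, TARGET_METHOD, (r) =>
    console.log(`${TARGET_METHOD}() -> ${r.value}`)
  );
}
```

Run it with `frida -U -n <package> -l script.js` once the activity is on screen; if the app has not reached that activity yet, `Java.choose` finds no instance and the script says so instead of creating one with `$new()`, which would bypass the activity lifecycle.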
Guitar
Description
This app is a simple mobile application without any indication of a flag. The flag exists in the string resources.
Solution
Inspecting the source code reveals a `secret_string` in the resources. Extract the string, and the flag will be obtained.
Buggy Jumper 1
Description
This app is a game provided as an APK.
Inspecting the source code shows that the game is built using the Godot engine (https://github.com/godotengine/godot).
Solution
Several Godot decompilers can be used. Below is the one I used in this write-up:
Run the decompiler, and the flag will be obtained from the `flag.gd` script.
Buggy Jumper 2
Description
Using the same APK from Buggy Jumper 1, we need to directly retrieve the flag from the server.
Solution
Inspecting the source code reveals the HTTP requests the game makes. The game first registers to obtain a token; as the player earns points, it saves the running total against that token. To buy the flag, the server checks that the token has enough points.
Here is a simplified view of the endpoint calls used to buy the flag: `register -> save -> verify`
During the save operation, we can store a large number of points. Then, we fetch the flag by verifying these points.
Register to retrieve the token. However, we ran into an issue: the server only accepts requests that carry the correct User-Agent.
By exploring the Godot source code, we discovered that Godot uses the format `User-Agent: GodotEngine/<version>`.
Adding this User-Agent allows us to retrieve the token.
Use the token to call the save points endpoint and finally retrieve the flag.
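As an added example that is not the challenge's code, the following models the server logic described above in plain JavaScript: a `register` step that only checks the User-Agent, a `save` step that stores the total the client reports, and a `verify` step that releases the flag once the total passes a threshold. The endpoint names come from the write-up; the token format, the point threshold and the flag value are constructed placeholders. A bounds-checked `saveHardened` is shown next to the trusting `saveVulnerable` to make the security point explicit: the `GodotEngine/<version>` User-Agent check is a client fingerprint, not authentication, and the real flaw is that the server trusts a client-supplied total.

```javascript
// Added example, not the challenge's code: a toy model of the Buggy Jumper 2
// server flow (register -> save -> verify) and of what a fix would look like.
const FLAG_PRICE = 1000;                       // assumed threshold to buy the flag
const FLAG = "flag{constructed_placeholder}";  // constructed, not the real flag
const GODOT_UA = /^GodotEngine\/\d+(\.\d+)*/;  // User-Agent format found in Godot source

const accounts = new Map();                    // token -> { points }

// register: the only check is the User-Agent string. Any HTTP client can set
// that header, so it identifies the client type at best; it is not a control.
function register(headers) {
  const ua = headers["user-agent"] || "";
  if (!GODOT_UA.test(ua)) return { status: 403, error: "unexpected client" };
  const token = `tok-${accounts.size + 1}`;     // constructed token format
  accounts.set(token, { points: 0 });
  return { status: 200, token };
}

// save (as described in the write-up): stores whatever total the client reports.
function saveVulnerable(token, body) {
  const acct = accounts.get(token);
  if (!acct) return { status: 401, error: "unknown token" };
  acct.points = Number(body.points);
  return { status: 200, points: acct.points };
}

// save (hardened): the client may only report one bounded scoring event; the
// server owns the running total. A real fix would move the game logic that
// awards points to the server as well, so that even single events are verified.
const MAX_POINTS_PER_EVENT = 10;
function saveHardened(token, body) {
  const acct = accounts.get(token);
  if (!acct) return { status: 401, error: "unknown token" };
  const delta = Number(body.points);
  if (!Number.isInteger(delta) || delta < 0 || delta > MAX_POINTS_PER_EVENT) {
    return { status: 400, error: "implausible score event" };
  }
  acct.points += delta;
  return { status: 200, points: acct.points };
}

// verify: releases the flag once the account holds enough points.
function verify(token) {
  const acct = accounts.get(token);
  if (!acct) return { status: 401, error: "unknown token" };
  if (acct.points < FLAG_PRICE) return { status: 402, error: "not enough points" };
  return { status: 200, flag: FLAG };
}

// The client sequence from the write-up, run against whichever save handler
// the server uses. `claimedPoints` is what the client puts in the save body.
function buyFlag(saveHandler, headers, claimedPoints) {
  const reg = register(headers);
  if (reg.status !== 200) return reg;
  const saved = saveHandler(reg.token, { points: claimedPoints });
  if (saved.status !== 200) return saved;
  return verify(reg.token);
}
```

Against `saveVulnerable`, a request with the Godot User-Agent and an inflated total gets the flag in three calls, which is the behaviour the solution above relies on; against `saveHardened` the same request is rejected at the save step, and a legitimate small event is accepted but does not reach the threshold. Detection-wise, a single save that jumps a token from zero to above the price is the obvious signal to alert on.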
Fly Away! 1
Description
The application retrieves song lyrics.
Inspecting the code shows it is built using Flutter.
Solution
Flutter apps can be intercepted using Reflutter. I used the Reflutter build from Pak Yohanes, which is installed as a Zygisk module. Below is the tool:
Don’t forget to set up the proxy to view the application’s traffic.
Select the app and enable all the libraries (we will need them later).
Run the app, and clicking “Get Lyrics” will retrieve the flag.
Fly Away! 2
Description
Using the same APK from Fly Away! 1, we need to inspect the Flutter function calls.
Solution
Enabling the Dart dump option in Reflutter produces the `dump.dart` files.
Inspecting the Dart dump reveals a `decryptIntegrityCheck` function.
We can dump the flag by capturing this function's arguments with the Frida script provided by Reflutter: https://github.com/Impact-I/reFlutter/blob/main/frida.js
Download the script and adjust the offset using the `dartIsolateSnapshot` instruction and code offsets from the dump.
Run the script, and the flag will be retrieved.