Challenge Description

As the Lunar New Year is approaching, Rabbit wants to send Fridaz the dragon a special message to convey her well wishes. Being ever security conscious, Rabbit created an Android application to send her special message to Fridaz so that it cannot be intercepted by anyone.

Fridaz tried using the Android application to access the message but was unable to do so. He also could not contact his furry friend for help. Thus, Fridaz decided to analyse the application himself to find out what the message is.

Can you help Fridaz figure out Rabbit's special message?

Challenge Instructions

Download the Android application (.apk file) provided in the link below.

Install the application in a rooted Android emulator or device that is running on Android 8 or above.

Explore the application and use dynamic and/or static analysis to figure out what the special message is.

Find the flag embedded in the special message and submit it below to receive a digital badge!

Download challenge file here!

Do verify the md5sum of the .apk file before proceeding with the challenge.

md5sum of "cny_challenge.apk" is: 532849eb9c76b9fdbbda991168295d0f

Resources that might help you!

Android Emulator

Android Studio Emulator setup instructions can be found here.

If you are using an Android Studio AVD, choose a system image without the Play Store, as we need root access to tackle this challenge.

What is SSL Pinning?

SSL Pinning is a security measure that ensures an application connects only to a specific server by verifying the server's SSL certificate or public key against a known, trusted version hard-coded in the application. It helps prevent man-in-the-middle attacks by rejecting connections to servers with unexpected certificates, even if those certificates are otherwise valid.

What is SSL Unpinning?

SSL Unpinning is a method used to disable SSL Pinning. It enables analysis of an application's encrypted network traffic by allowing connections to a server regardless of whether the server's certificate matches the version stored in the application.

Introduction to Frida

Frida is a dynamic instrumentation toolkit that allows developers and security researchers to inject custom scripts into applications. This enables real-time debugging, modification, and analysis of their behavior without needing source code access.

More details on how to setup Frida and use Frida scripts can be found here.

Introduction to Burp Suite

Burp Suite Community Edition is the free version of Burp Suite, providing essential tools for application security testing. It includes key features for manual testing, such as an intercepting proxy and basic web vulnerability scanning.

More details on Burp Suite and the link to the community edition can be found here.

How to set up the Burp Suite certificate

  1. Export the Burp CA certificate in DER format (saved below as burp-latest).
  2. Run the following commands to prepare the Burp certificate:

     openssl x509 -inform DER -in burp-latest -out burp-latest.pem
     openssl x509 -inform PEM -subject_hash_old -in burp-latest.pem | head -n 1   # prints the subject hash
     mv burp-latest.pem <cert_hash>.0

  3. Turn on the emulator (make sure Developer options are enabled).
  4. Run the following commands to prepare the device/emulator:

     adb root
     adb push <cert_hash>.0 /sdcard/
     adb disable-verity
     adb reboot

  5. Wait for the device to reboot, then run the following commands:

     adb root
     adb shell mount -o rw,remount /sys
     adb shell

     # While inside the emulator or device
     mkdir -m 700 /storage/emulated/0/<folder>
     cp /system/etc/security/cacerts/* /storage/emulated/0/<folder>
     mount -t tmpfs tmpfs /system/etc/security/cacerts
     mv /storage/emulated/0/<folder>/* /system/etc/security/cacerts/
     mv /sdcard/<cert_hash>.0 /system/etc/security/cacerts/<cert_hash>.0
     chown root:root /system/etc/security/cacerts/*
     chmod 644 /system/etc/security/cacerts/*
     chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

  6. Do not reboot your device/emulator after this step (the tmpfs mount is in memory only and does not survive a reboot).
  7. If all steps are done correctly, you should see the PortSwigger CA in the emulator/device's trusted certificates list.
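The openssl lines in step 2 rename the certificate to <cert_hash>.0, where <cert_hash> is OpenSSL's subject_hash_old of the certificate's subject name (the first four MD5 bytes of the DER-encoded Name, read as a little-endian integer), which is how Android's system CA store looks certificates up. The Python below is an added example, not part of the challenge materials or Burp: it walks a DER certificate to its subject Name and derives that file name without openssl. The der, name_with_cn and sample_cert helpers are assumptions used only to build a constructed, unsigned stand-in certificate so the script runs offline; point subject_name_der at the bytes of a real DER export to get the real hash.

```python
import hashlib

def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_name_der(cert_der: bytes) -> bytes:
    """Return the DER bytes of the subject Name, i.e. what i2d_X509_NAME hands OpenSSL."""
    _, tbs, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, tbs)        # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                         # serialNumber, signature, issuer, validity
        pos = read_tlv(cert_der, pos)[2]
    tag, _, end = read_tlv(cert_der, pos)
    assert tag == 0x30, "subject Name is not a SEQUENCE"
    return cert_der[pos:end]

def subject_hash_old(name_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first 4 MD5 bytes read as a little-endian uint32, 8 hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (content up to 255 bytes); assumption, used only to build the sample."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def name_with_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here one commonName (OID 2.5.4.3)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))

def sample_cert(subject_cn: str) -> bytes:
    """Constructed, unsigned stand-in that keeps a real certificate's tbsCertificate field order."""
    tbs = (der(0xA0, der(0x02, b"\x02"))                                    # [0] version v3
           + der(0x02, b"\x01")                                             # serialNumber
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + name_with_cn("Sample Issuer")                                  # issuer
           + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))  # validity
           + name_with_cn(subject_cn)                                       # subject
           + der(0x30, b""))                                                # subjectPublicKeyInfo placeholder
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":  # the ".0" suffix means "first certificate with this subject hash"
    print("mv burp-latest.pem", subject_hash_old(subject_name_der(sample_cert("Sample Proxy CA"))) + ".0")
```

Compare the output against `openssl x509 -subject_hash_old` on the same file; Android deliberately uses the old MD5-based hash, so the newer `-subject_hash` value will not match.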
Submit flag here!