Challenge writer POV: BSidesSF 2021 CTF (Mobile)

its C0rg1
Mar 27, 2021

Here is this year’s write-up for my mobile challenges from BsidesSF CTF 2021. This year I wrote two mobile challenges — Charge Tracker and Message Store. As always, I tried to make them fun and applicable in the real world. With that let’s dive into the challenge writer PoV for these challenges.

Charge tracker

This is a 101 Android reversing challenge that prints the flag to the debug log stream when the battery level is 49% (a reference to the 49ers).

Here is the pertinent code block:

Log.d("Battery update:", levelStr);
if (level == 49) {
    // part1 comes from res/values/strings.xml, part2 is a field in MainActivity, part3 is inline
    Log.d("Flag:", getResources().getString(R.string.part1) + part2 + "1tN0w}");
}

The flag is divided into three parts -

  • “part1” was in the res/values/strings.xml — CTF{
  • “part2” was a variable in MainActivity.java — R3charg3
  • “part3” was inline in MainActivity.java — 1tN0w}

Players can reverse and decompile the app using apktool, dex2jar and jd-gui to determine that the flag is printed to the debug log when the battery percentage is 49. They could collect all three parts through reversing alone, or change the battery percentage using adb,

adb shell dumpsys battery set level 49

Which would result in the flag being printed to the log,

2021-02-06 12:41:44.904 7286-7286/com.bsdiessf.chargetracker D/Flag:: CTF{R3charg31tN0w}

Message Store

This was the 201 Android challenge, and it drew inspiration from real-world examples of Android application vulnerabilities. Players were given a simple Android application that displayed the user’s message and were asked to view the Admin’s message.

For simplicity, I kept this as a single message that was stored in and retrieved from the Firebase backend.

Most players were quick to figure out that the app used Firebase, either by reversing the application or by viewing the HTTP requests it made. The most straightforward way to solve this was to decompile the app using apktool, find the database URL in res/values/strings.xml, and navigate to that URL to read all the entries.

<string name="firebase_database_url">https://bsides-sf-ctf-2021-default-rtdb.firebaseio.com</string>

Some players reached out to ask for the admin’s user ID / email, and others attempted to brute-force the ID. I reassured them that they didn’t need the admin’s ID, because of the way the database was configured (or misconfigured, depending on how you look at it).

Fortunately, most players realized they didn’t need the identifiers and solved the challenge by navigating to https://bsides-sf-ctf-2021-default-rtdb.firebaseio.com/users.json to view the flag,

{"email":"admin@bsidessfctf.com","msg":"CTF{ch3ck_Y0ur_ACLs}"}
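The misconfiguration the flag hints at, shown as an added example rather than the challenge’s actual backend rules (which were not published): a Realtime Database rules file with the world-readable setting that lets any unauthenticated client fetch /users.json, beside a corrected version that only lets a signed-in user read their own record. The users/$uid layout and both rule sets are assumptions, since the write-up only shows the single admin record.

```json
// database.rules.json (assumed layout). WEAK: anyone can GET
// https://<project>-default-rtdb.firebaseio.com/users.json and dump every record,
// because a .read rule at "users" cascades down to every child.
{
  "rules": {
    "users": {
      ".read": true,
      ".write": true
    }
  }
}

// CORRECTED: no rule at the "users" level, so listing /users.json is denied;
// each record under users/$uid is readable and writable only by the
// authenticated user whose uid matches the key. Rules cascade downward only,
// so the per-$uid grant does not expose the parent collection.
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

A quick check after deploying the corrected rules is an unauthenticated `curl https://<project>-default-rtdb.firebaseio.com/users.json`, which should return a "Permission denied" error instead of the records.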


its C0rg1

Security Engineer in silicon valley, foodie, gamer and serial doodler. Specialize in red teaming and application security.