Sharing is Caring - CyberSci Nationals 2024

First seen on July 1, 2024

Author of this writeup : Ch0ufleur

About the challenge

I had the chance to participate in the national finals of the CyberSci competition, a Canada-wide challenge where the best teams from each region represent their home university and compete against Canada's best. Spanning 2 days, the competition first puts the participants through a defence challenge, where the teams have to defend against automated attacks launched by bots. The next day is a more classical jeopardy-style CTF that runs for 8 hours. The challenge presented here was one from the "Reversing" category on that second day of the competition.

Description

Here is what the challenge description was:

Sharing Is Caring

What have we here? A ticketing app for the C-Sides conference? My default assumption is that users have nothing to see in there. If you like the app, please share your thoughts and give us a 5-star review in the Play Store!

Note: When running the app in an emulator, if you wish to connect the app to our backend servers (optional), you will have to run the following command. Make sure to run this command on the same machine that is running the Android emulator (the machine also has to be connected to the CyberSci VPN):

socat tcp-listen:8001,reuseaddr,fork tcp:10.0.2.20:443


Tools

Setting up the emulator

Although I had brought a Pixel 2 phone especially for testing, a VPN was needed to reach the backend API, so I figured I was better off using an Android emulator directly on my laptop. Besides, my test phone is not rooted, so it would not have been ideal for dynamically exploring the content the application generates at runtime.

The title of the challenge, "Sharing is Caring", hints that the solution most likely has to do with the shared preferences file, a place where Android applications often write secrets on the assumption that they cannot be recovered.

A common problem that first-time Android Emulator users face (at least in Android Studio) is that they don't select the appropriate OS image, and subsequently cannot easily access the device's console as root through ADB.

When creating the emulated phone, it is important that the selected image does not mention "(Google Play)", because those are production builds that prevent easy root access. The appropriate OS images are the ones shown in the screenshot below, in the categories labeled "x86 images" or "Other Images" (1). I went with one from the rectangle labeled (2).

(Screenshot: 1.png)

Installing the application

Once powered up, the Android Emulator lets you install the APK file by drag-and-drop. I could also have done it from the command line or a few other ways, but this was the most convenient. The following screenshot shows the installed "C-SIDES" application.

(Screenshot: 2.png)

Once installed, we launch the application a first time so that it initializes whatever it has to initialize: databases, files, downloads, updates, you name it.

(Screenshot: 3.png)

Accessing the file system

Connecting to the emulator's file system can be done directly from Android Studio, or via the adb command-line tool mentioned earlier in this post. The adb daemon must be running; it is usually started automatically when the adb tool is executed. To access the device as root, issue the following command from the directory where adb is located:

adb root

Looking for the flag

Then, using adb shell, we can access the internal file system of the emulated phone. Navigating to /data/data/com.cybersci.csides/ brings us to where the installed application stores its private data. Listing the folder with ls reveals, as expected given the name of the challenge, a shared_prefs folder containing an XML file (c-sides.xml).

Note: If you are unable to access directories under /data/data, it is probably because the shell is not actually running as root. Review the steps above to make sure it is.

Using cat to display the contents of the file, the flag is revealed as the value of the "default-user" key.

(Screenshot: 4.png)
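The manual steps above (adb root, adb shell, then cat on the shared_prefs XML) can be turned into a small audit script. The following is an added example, not code from the original writeup or from the C-SIDES app: it parses the XML layout that Android SharedPreferences writes under /data/data/<package>/shared_prefs/ and flags entries whose values look like secrets stored in plaintext. The package name com.cybersci.csides, the file name c-sides.xml and the key "default-user" come from the writeup; the sample XML contents, the other key names and the detection heuristics are constructed assumptions.

```python
"""Audit an Android SharedPreferences XML file for secrets stored in plaintext.

Added example, not part of the original writeup. The sample below is constructed
in the layout SharedPreferences uses: a <map> root with one child per key, the
child's tag giving the type (<string> keeps its text, primitives use a 'value'
attribute, <set> wraps several <string> children).
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample; only the key name "default-user" comes from the writeup,
# the hex value and the other entries are made up for the demonstration.
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="default-user">0123456789abcdef0123456789abcdef</string>
    <boolean name="onboarding_done" value="true" />
    <int name="launch_count" value="3" />
    <string name="api_token">eyJhbGciOiJIUzI1NiJ9.constructed.token</string>
    <string name="theme">dark</string>
</map>
"""

# Heuristics (assumptions): long hex strings, long space-free opaque strings,
# or key names that suggest a credential.
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")
SUSPICIOUS_KEY_RE = re.compile(r"token|secret|password|passwd|auth|session", re.I)


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_shared_prefs(xml_text) -> dict:
    """Return {key: value} for every entry of a SharedPreferences document."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file: root element is <{root.tag}>")
    prefs = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            prefs[name] = child.text or ""
        elif child.tag == "set":
            prefs[name] = [s.text or "" for s in child.findall("string")]
        else:  # int, long, float, boolean
            prefs[name] = child.get("value", "")
    return prefs


def find_secrets(prefs: dict) -> list:
    """Flag string entries that look like secrets written in plaintext."""
    findings = []
    for key, value in prefs.items():
        if not isinstance(value, str):
            continue
        if HEX_RE.match(value):
            findings.append(Finding(key, value, "value is a long hex string"))
        elif len(value) >= 20 and " " not in value:
            findings.append(Finding(key, value, "long opaque value"))
        elif SUSPICIOUS_KEY_RE.search(key):
            findings.append(Finding(key, value, "key name suggests a credential"))
    return findings


def fetch_shared_prefs(package: str, filename: str) -> str:
    """Read a shared_prefs file from a rooted emulator through adb.

    Requires 'adb root' to have succeeded first (see the steps above); not used
    by the offline sample run below.
    """
    path = f"/data/data/{package}/shared_prefs/{filename}"
    result = subprocess.run(["adb", "shell", "cat", path],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline run against the constructed sample. To audit a real emulator:
    #   xml = fetch_shared_prefs("com.cybersci.csides", "c-sides.xml")
    for f in find_secrets(parse_shared_prefs(SAMPLE_XML)):
        print(f"{f.key}: {f.reason} -> {f.value}")
```

On the constructed sample the script reports "default-user" (long hex string, the pattern the flag took in the challenge) and "api_token" (long opaque value), while booleans, counters and the theme setting are ignored. Anything it flags is readable by anyone with root on the device or with a backup of the app's data, which is the risk the challenge title alludes to.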

Afterthoughts

The one thing I would say about this challenge, and the others from the competition, is that they do not use a flag format, so I initially thought the value was a hash and lost some time trying to decrypt it. I even put together a whole setup to use Burp Suite Community with the emulator, trying to see what requests the app made to the API behind the competition's VPN. None of this ended up being useful, as the flag was the hexadecimal value hiding in plain sight.

Having a flag format for the competition in the following years, even if that does not reflect real life, would help avoid this kind of hurdle.