
Captains Kees

Jenn Janesko edited this page Apr 16, 2019 · 2 revisions

Briefing

A smartphone was found in Captain Crypto's safe house. But there is only one application on it, KeePass!!! Is it really used for storing keys or ??? Find out and you will be rewarded.

Solution

Download the file Keepass.apk with sha1 fbd930c947bfc46c019a07ef89f51b1804a6a6eb

The first step is to identify the file type. File extensions are far less reliable than the file header (magic bytes), so check the latter.

$ file Keepass.apk
Keepass.apk: Zip archive data, at least v2.0 to extract

So, let's inspect the contents of the archive with 7-Zip.

$ 7z l Keepass.apk

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=de_DE.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-6440HQ CPU @ 2.60GHz (506E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 4215440 bytes (4117 KiB)

Listing archive: Keepass.apk

--
Path = Keepass.apk
Type = zip
Physical Size = 4215440

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2019-03-16 13:13:08 .....        86148        32720  META-INF/MANIFEST.MF
2019-03-16 13:13:08 .....        86310        35165  META-INF/SAMPLE.SF
2019-03-16 13:13:08 .....         1348         1090  META-INF/SAMPLE.RSA
...

Indeed, it is an Android app: an APK is just a ZIP archive with a fixed layout, and the META-INF/ signature files give it away. Simply unpack the archive with 7z to get at the contents. Starting from that, the most interesting places to look are:

  • Strings in res/
  • Files in assets/
  • Package information in the Manifest
  • Decompiled Java bytecode (classes.dex)

Resources

To support different device configurations, resources are organized in the project's res/ directory. The Android documentation describes them as follows:

Resources are the additional files and static content that your code uses, such as bitmaps, layout definitions, user interface strings, animation instructions, and more.

Unfortunately, this app leaks no strings of interest in its resources.

Assets

Numerous KeePass database files are present! It looks like somebody forgot to delete their password databases before the build.

$ file assets/*
Keepass/assets/accent.kdb:               Keepass password database 1.x KDB, 2 groups, 2 entries, 1 key transformation rounds
Keepass/assets/binary.key:               data
Keepass/assets/binary-key.kdb:           Keepass password database 1.x KDB, 6 groups, 2 entries, 6000 key transformation rounds
Keepass/assets/delete.kdb:               Keepass password database 1.x KDB, 2 groups, 4 entries, 1 key transformation rounds
Keepass/assets/fonts:                    directory
Keepass/assets/kdb_with_xml_keyfile.kdb: Keepass password database 1.x KDB, 2 groups, 2 entries, 50000 key transformation rounds
Keepass/assets/keyfile-binary.kdbx:      Keepass password database 2.x KDBX
Keepass/assets/keyfile.kdbx:             Keepass password database 2.x KDBX
Keepass/assets/keyfile.key:              XML 1.0 document, ASCII text, with CRLF line terminators
Keepass/assets/key-only.kdbx:            Keepass password database 2.x KDBX
Keepass/assets/no-encrypt.kdbx:          Keepass password database 2.x KDBX
Keepass/assets/test1.kdb:                Keepass password database 1.x KDB, 3 groups, 9 entries, 5 key transformation rounds
Keepass/assets/test.kdbx:                Keepass password database 2.x KDBX
Keepass/assets/test-kdbxv4.kdbx:         Keepass password database 2.x KDBX
Keepass/assets/twofish.kdb:              Keepass password database 1.x KDB, 2 groups, 2 entries, 2 key transformation rounds

The obvious step, opening the files with default or well-known passwords, did not work. Some additional research shows that these files are the test fixtures shipped with the open-source KeePass code the app is built from, so they are noise rather than the owner's database.
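To show how file tells these databases apart, and where the group, entry and key-round counts in the listing above come from, here is an added example that is not part of the original writeup or of KeePass itself: a small Python header parser. It checks the two signature words at the start of the file and, for the 1.x format, reads the fixed-offset header fields; for 2.x it only reads the format version, since the rest of that header is a variable-length field sequence. The sample headers it classifies are constructed inside the block (random seeds, no encrypted body), and the signature constants, offsets and cipher flag bits are assumptions taken from the KeePass 1.x/2.x file formats.

```python
import os
import struct

# Signatures from the KeePass 1.x and 2.x file formats: two little-endian
# uint32 values at the start of the file. These are what `file` matches on.
SIG1 = 0x9AA2D903
SIG2_KDB = 0xB54BFB65        # KeePass 1.x (.kdb)
SIG2_KDBX_PRE = 0xB54BFB66   # KeePass 2.x pre-release builds
SIG2_KDBX = 0xB54BFB67       # KeePass 2.x (.kdbx)

KDB_HEADER_LEN = 124         # the 1.x header is fixed-size
KDB_FLAG_SHA2 = 0x01         # bits of the 1.x flags field (assumed layout)
KDB_FLAG_RIJNDAEL = 0x02
KDB_FLAG_TWOFISH = 0x08


def identify(data: bytes) -> dict:
    """Classify a KeePass database from its header, the way `file` does.

    1.x (.kdb): sig1, sig2, flags, version, 16-byte seed, 16-byte IV,
    group count (offset 48), entry count (52), 32-byte content hash,
    32-byte transform seed, key transformation rounds (120).
    2.x (.kdbx): sig1, sig2, then a uint32 version (minor:16 | major:16);
    the remaining header is a TLV sequence that this triage helper skips.
    """
    if len(data) < 12:
        raise ValueError("too short to carry a KeePass signature")
    sig1, sig2 = struct.unpack_from("<II", data, 0)
    if sig1 != SIG1:
        raise ValueError("not a KeePass database")

    if sig2 == SIG2_KDB:
        if len(data) < KDB_HEADER_LEN:
            raise ValueError("truncated KDB header")
        flags, = struct.unpack_from("<I", data, 8)
        groups, entries = struct.unpack_from("<II", data, 48)
        rounds, = struct.unpack_from("<I", data, 120)
        if flags & KDB_FLAG_TWOFISH:
            cipher = "Twofish"
        elif flags & KDB_FLAG_RIJNDAEL:
            cipher = "AES"
        else:
            cipher = "unknown"
        return {"format": "KDB 1.x", "cipher": cipher, "groups": groups,
                "entries": entries, "rounds": rounds}

    if sig2 in (SIG2_KDBX, SIG2_KDBX_PRE):
        minor, major = struct.unpack_from("<HH", data, 8)
        return {"format": "KDBX 2.x", "version": f"{major}.{minor}"}

    raise ValueError(f"unknown second signature 0x{sig2:08X}")


def sample_kdb(groups=2, entries=2, rounds=1,
               flags=KDB_FLAG_SHA2 | KDB_FLAG_RIJNDAEL) -> bytes:
    """Constructed 1.x header (random seeds, no body), shaped like accent.kdb."""
    return struct.pack("<IIII16s16sII32s32sI",
                       SIG1, SIG2_KDB, flags, 0x00030004,
                       os.urandom(16), os.urandom(16),
                       groups, entries,
                       os.urandom(32), os.urandom(32), rounds)


def sample_kdbx(major=4, minor=0) -> bytes:
    """Constructed 2.x header prefix: signatures plus the version field."""
    return struct.pack("<IIHH", SIG1, SIG2_KDBX, minor, major)


if __name__ == "__main__":
    for blob in (sample_kdb(),
                 sample_kdb(6, 2, 6000, KDB_FLAG_SHA2 | KDB_FLAG_TWOFISH),
                 sample_kdbx()):
        print(identify(blob))
```

On a real triage the counts are the useful bit: a 1.x file with 1 or 2 transformation rounds is a test fixture or a very old database, while the 6000 and 50000 rounds seen above are what a user-created database looks like.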

Bytecode

The compiled Java bytecode is stored in classes.dex (Dalvik bytecode). With jadx it can be decompiled back to readable Java source.

$ ~/Tools/jadx/bin/jadx Keepass/classes.dex
INFO  - output directory: classes
INFO  - loading ...
INFO  - Found several 'R' class candidates: [android.arch.lifecycle.R, android.support.compat.R, com.android.keepass.R]
WARN  - Unknown 'R' class, create references to 'R'
INFO  - processing ...
...
ERROR - finished with errors

Knowing that this app is based on the open-source version of KeePass, a few class paths can be excluded as unmodified upstream code. Custom code can be found, for example, under sources/com/android. Grepping for crypto in that folder yields one file: sources/com/android/keepass/action/ConnectionServerThread.java

The domain referenced in that class resolves to 208.91.197.27, but no services are reachable there. Further inspection of the respective code section reveals a string literal that has been base64 encoded and then ROT13'd, so it has to be decoded in the reverse order.

>>> import base64, codecs
>>> blob = "JJ91pyAyL3WyqRgyrG1gqJAwqTM7ZGNjDGH5BGxlAmVlDHSQAHMTEwMRERD3AwMOZHSTBQZjEwp4BGV2ZK0="
>>> # Undo the layers in reverse order: ROT13 first (it is its own inverse and
>>> # leaves digits and '=' untouched, so the base64 padding survives), then base64.
>>> base64.b64decode(codecs.encode(blob, 'rot_13'))
b'YourSecretKey=mucctf{100A59992722AAC5FFF6DDD766A1AF830F789261}'

So the flag was simply hidden in the source code after all: mucctf{100A59992722AAC5FFF6DDD766A1AF830F789261}. That escalated quickly.
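As an added example (not part of the original writeup or of the app's code), the decoding step above can be generalised into a scan over decompiled sources: extract every string literal, try each candidate layering (plain base64, and ROT13 followed by base64), keep only decodings that come out as printable ASCII, and match the flag pattern. The Java snippet it scans is constructed here to stand in for ConnectionServerThread.java; its HOST and BANNER literals are hypothetical decoys, and the flag regex assumes the mucctf{...} format with 40 hex digits seen above.

```python
import base64
import binascii
import codecs
import re
import string

# Constructed stand-in for a decompiled class such as ConnectionServerThread.java
# (not the real file): the KEY literal is the one quoted in the writeup, the
# HOST and BANNER literals are decoys added here to show what the filter drops.
SAMPLE_JAVA = r'''
public class ConnectionServerThread extends Thread {
    private static final String KEY = "JJ91pyAyL3WyqRgyrG1gqJAwqTM7ZGNjDGH5BGxlAmVlDHSQAHMTEwMRERD3AwMOZHSTBQZjEwp4BGV2ZK0=";
    private static final String HOST = "example.invalid";
    private static final String BANNER = "SGVsbG8sIHdvcmxkIQ==";
}
'''

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
FLAG = re.compile(r"mucctf\{[0-9A-F]{40}\}")   # assumed flag format
PRINTABLE = frozenset(string.printable.encode())

# Each chain is applied to the literal before base64 decoding. ROT13 is its own
# inverse and leaves digits, '+', '/' and '=' alone, so a ROT13'd base64 string
# still looks like valid base64; only the decoded bytes tell the layers apart.
CHAINS = {
    "base64": lambda s: s,
    "rot13+base64": lambda s: codecs.encode(s, "rot_13"),
}


def decode_candidates(literal):
    """Return (chain, plaintext) pairs whose decoding is all printable ASCII."""
    found = []
    for name, pre in CHAINS.items():
        try:
            raw = base64.b64decode(pre(literal), validate=True)
        except (binascii.Error, ValueError):
            continue   # outside the base64 alphabet, or bad padding
        if raw and all(b in PRINTABLE for b in raw):
            found.append((name, raw.decode("ascii")))
    return found


def find_secrets(java_source, min_len=16):
    """Scan string literals in decompiled source for layered encodings.

    Short literals are skipped: hostnames, format strings and the like
    produce a flood of false positives and never hide a 40-digit flag.
    """
    hits = []
    for literal in STRING_LITERAL.findall(java_source):
        if len(literal) < min_len:
            continue
        for chain, text in decode_candidates(literal):
            match = FLAG.search(text)
            hits.append({"literal": literal, "chain": chain, "text": text,
                         "flag": match.group(0) if match else None})
    return hits


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_JAVA):
        print(f"{hit['chain']:>13}: {hit['text']}")
```

Run against the jadx output directory by feeding each .java file to find_secrets; the printable-ASCII filter is what keeps the plain-base64 attempt on the ROT13'd literal (and the ROT13 attempt on the plain one) from showing up as noise.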


Writeup submitted by Chris K.
