Repository for practicing a Capture-The-Flag session.
- Do static analysis.
- Do dynamic analysis.
- Inject code through recompiling.
Mostly reverse engineering related...
Grab the latest practice-CTF.apk
file from the releases page.
- Emulator Android's version must be 8.0 or higher.
- DO NOT make use of the source code,
/src
. Pretend you have no access to the source code, but you may decompile the APK. - Do whatever else you want, use ChatGPT if you want, overcook and insert a malware into the APK...
- There are 2 questions as of now, each with various hints and their own rules.
The solutions are in SOLUTIONS.md
Question: In the application, what is the actual username used to login?
Rules: None.
Question: In the application, do a proper, successful login into a page that displays WIN
.
Rules: Regardless of how you modify the APK or inject new code, you must do a proper login,
Requiring you to input a username and password into a field, then clicking the Login
button,
bringing you into a page that displays WIN
.
Although the password seems to be randomly generated, they are actually consistently generated in a fixed set.
Ie. it is not true random, but just pseudo random.
Pseudo Random means a predictable random.
Imagine a rigged dice, that is programmed to roll6
on every other roll.
Or a haunted coin, that lands on head during the night, and lands on tails during the day.
Log the password and attempt to authenticate a few times (~11 times). Everything will make sense after, hopefully...
For another issues or suggestions, post them in the Issue Tracker of the repository
I will accept Pull Requests as well.