PwnTillDawn: Juno

Penthos
Jul 30, 2021

IP: 10.150.150.224
Links:
https://online.pwntilldawn.com/
https://www.wizlynxgroup.com/

Nmap (Enum phase)

PORT   STATE SERVICE
80/tcp open http

Not much here apart from a webpage showing the default Apache page. Time for fuzzing!!

Ffuf

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://10.150.150.224/FUZZ -mc all -fc 404,403

login.php
index.html
.
const.php

Login page

Going to the login page presents a PIN-protected login; brute forcing got me nowhere. Then I noticed a .apk file download. It looked like we needed to reverse engineer the APK.
(This turned out not to be the case, but I left it here for information purposes.)

Decompile and Recompile

apktool d -r app.apk                            # decode the APK (skip resources); output goes to the app/ directory
d2j-dex2jar ~/scratch/android/JunoClient.apk    # convert dex to a jar, then open it in jd-gui to read the Java
# Line 91: change the value of the branch condition in the decoded smali
if-eqz v2, :cond_0
apktool b app                                   # rebuild the APK from the edited smali (written to app/dist/)
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name \
    -keyalg RSA -keysize 2048 -validity 10000   # generate a signing key (rebuilt APKs must be re-signed)
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore JunoClient.apk alias_name
jarsigner -verify -verbose -certs JunoClient.apk  # confirm the signature is valid

MobSF (nice tool)

I failed at reverse engineering it manually and had to seek a nudge. I was told of a tool to try next, called MobSF.

MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF

Install instructions:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh

To run the tool (the launcher script in the repository is run.sh):

./run.sh 127.0.0.1:9999

Then open http://127.0.0.1:9999 in a browser to be presented with the tool's interface, where you can upload an Android package to be inspected.

Drag and drop the JunoClient.apk file onto the webpage to start the analysis.

Having already tried to do this manually, I had decompiled the APK file and seen parts of the code that I thought would be a good place to start.

Namely the FLAG43 (seen in the codebase) and youknowhat variables.

Using search on the webpage I quickly found them both.

*Cut off on purpose

With the correct pin we can now log in to the webpage.

We are presented with the last 2 flags.

One is encoded, the other is not. For the encoded one, I worked out that an ASCII shift cipher is being used, so we can decode it.
Then grab the last flag from the box!
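To show how the shift-cipher flag can be recovered without guessing the shift by hand, here is an added example (my own code, not from the write-up or the box). It assumes the cipher shifts each printable ASCII character (codes 32 to 126, wrapping around a 95-symbol alphabet) by a fixed amount, and that the plaintext has the usual `NAME{...}` flag shape; the sample flag and shift are constructed for the demo, since the page does not reproduce the real encoded value.

```python
import re

BASE, MOD = 32, 95  # printable ASCII runs from 32 (' ') to 126 ('~'): 95 symbols


def shift_ascii(text: str, k: int) -> str:
    """Shift every printable-ASCII character by k positions, wrapping within 32..126.
    Characters outside that range are passed through unchanged."""
    out = []
    for ch in text:
        c = ord(ch)
        if BASE <= c <= 126:
            out.append(chr(BASE + (c - BASE + k) % MOD))
        else:
            out.append(ch)
    return "".join(out)


# Assumed flag shape: an alphanumeric prefix, a brace block, nothing else.
FLAG_RE = re.compile(r"^[A-Za-z0-9_]+\{[A-Za-z0-9_ ]*\}$")


def score(candidate: str) -> float:
    """Rank a decoded candidate: a full flag-shaped match wins outright,
    otherwise use the share of 'flag-like' characters as a tie-breaker."""
    if FLAG_RE.fullmatch(candidate):
        return 2.0
    good = sum(ch.isalnum() or ch in "_{}" for ch in candidate)
    return good / max(len(candidate), 1)


def recover(ciphertext: str):
    """Try all 95 possible shifts and return (shift, plaintext) for the best candidate."""
    best_k = max(range(MOD), key=lambda k: score(shift_ascii(ciphertext, -k)))
    return best_k, shift_ascii(ciphertext, -best_k)


if __name__ == "__main__":
    sample_flag = "FLAG{shift_cipher_example}"          # constructed, not the real flag
    encoded = shift_ascii(sample_flag, 7)               # constructed shift of 7
    print("encoded :", encoded)
    print("recovered:", recover(encoded))
```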

I hope you enjoyed this one, I did!!
