Tuesday, March 4, 2014

DEFKTHON CTF 2014 - we love it! - Web 300 Write-up

For this challenge we had an apk file! Well it was exciting at the beggining i was expecting something much more about android but... in the it was a web quest what else could it be :D

To start i get android-sdk so that i can use the emulator to run program and while it was being downloaded, I decompiled the apk package and get a code like this. It was checking if the text entered was "paswd" and sending a web request if it is with some phone data and a random pwd value -which is between [0, 300]. The problem was site kept us telling
You missed something.
Keep trying.
so i thought it must be something about pwd data i get the exact header's for the post request via wireshark and simulate it on computer -of course i got the same response :D- but this time i iterate through all possible pwd values[0, 300] and in the end i got the flag!

Flag is: w00tkitk@t

Python script and request headers:

No comments:

Post a Comment