APKey
After we have downloaded the necessary files from HackTheBox and unzipped them, we need the following tools:
Android emulator: I'm using Genymotion https://www.genymotion.com/
apktool: a great blog post on how to install apktool on Windows https://nikhil-gandla777.medium.com/how-to-install-the-apk-tool-in-your-windows-machine-69937034e670
jadx-gui: https://sourceforge.net/projects/jadx.mirror/files/latest/download Don't forget to download the JDK as well https://www.oracle.com/java/technologies/downloads/#jdk21-windows
Don't forget to move both apktool.bat and apktool.jar to the C:\Windows directory so they are on PATH.
Alright, now that we have everything downloaded, let's get into this challenge.
Let's open Genymotion. If you haven't used it before, you will have to add a virtual device.

I noticed that using the 'Custom Phone' virtual device running Android 10 works with the APK file, so just keep that in mind.
Boot your virtual device, and drag and drop the APK file onto the virtual device.
It should look something like this:

Trying default credentials doesn't seem to work.
Let's use jadx-gui and dig into the source code.
Once you have the program up, it's as simple as 'open file' -> click on the APK file.
You should see something similar:

Now, looking through 'source code' -> 'example.apkey' -> 'MainActivity', we can see an interesting function:

Looks like we have an MD5 hash of the admin's password, but trying to crack the hash I had problems and couldn't crack it.
What we can do is change the hash to our own known hash; for this we will use apktool.
Let's decompile the .apk file:

We should have a new directory.
Now we need to find the MainActivity (what we saw in jadx-gui) so

Now let's open the file in VS Code:

We want to replace this hash.
Let's generate our own MD5 hash; we can use the following website to do so

We have our MD5 hash.
Now we can replace the hash:

Don't forget to save the file.
Now let's recompile the APK file:

Now let's drop our new APK file into our virtual device and see if we have access.
Trying to download the apk.apk file onto the virtual device did not work; possible compatibility issues, tried Android versions 12, 11 and 10.
Let's downgrade our apktool version to 2.6.0; we can find it here
Let's see if we can compile it now:

Now we just need to sign the APK so it can be verified as coming from a vendor; otherwise it may not install on other devices. For this we can use keytool and jarsigner.
keytool is used to create an RSA key, and jarsigner signs the APK using that RSA key.
First, let's generate our key.
Then we assign our key to mod_APKey.apk using jarsigner.
Now let's download the new APK file onto the virtual device and see if it works.

No luck
Let's look at the code again:

from what we can see
We can try and change it
How do we do this, looking at

we do find this which specifies
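if-eqz: "if equal to zero"; the branch is taken when the tested value equals zero
if-nez: "if not equal to zero"; the branch is taken when the tested value does not equal zero
So we just need to change the "equal to" check to "not equal to" in the code (if-eqz becomes if-nez).
Back in VS Code, in the MainActivity$a.smali file: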

Don't forget to save the file.
Now we just need to recompile the APK file.
Now when we upload it to our virtual device and give it any password, we should get the flag.
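
As an added example (not part of the original write-up or the APKey app), the same smali pattern can be searched for when reviewing your own app's apktool output: a digest-length hex literal passed to String.equals, with the result gating an if-eqz/if-nez branch. The smali sample, the hash value and the function name find_hardcoded_hash_checks are constructed for illustration.

```python
import re

# Constructed smali fragment (NOT taken from the APKey app): a login handler
# that compares a digest against a hardcoded hex literal, then branches on it.
SAMPLE_SMALI = '''\
.method public onClick(Landroid/view/View;)V
    const-string v0, "admin"
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result p1
    if-eqz p1, :cond_0
    const-string v1, "0123456789abcdef0123456789abcdef"
    invoke-virtual {v2, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-eqz v2, :cond_0
    invoke-direct {p0}, Lcom/example/Demo;->showSecret()V
    :cond_0
    return-void
.end method
'''

# String literals whose length matches an MD5, SHA-1 or SHA-256 hex digest.
HEX_LITERAL = re.compile(
    r'const-string(?:/jumbo)?\s+(\w+),\s*"([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})"')
EQUALS_CALL = re.compile(r'invoke-virtual \{(\w+), (\w+)\}, Ljava/lang/String;->equals')
BRANCH = re.compile(r'(if-eqz|if-nez)\s+(\w+),\s*(:\w+)')

def find_hardcoded_hash_checks(smali, window=6):
    """Flag digest-like literals that feed String.equals and gate a branch."""
    lines = smali.splitlines()
    findings = []
    for i, line in enumerate(lines):
        lit = HEX_LITERAL.search(line)
        if not lit:
            continue
        reg, digest = lit.groups()
        finding = {"line": i + 1, "digest_len": len(digest),
                   "compared": False, "branch": None}
        # Look a few instructions ahead for the comparison and the branch on it.
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            call = EQUALS_CALL.search(lines[j])
            if call and reg in call.groups():
                finding["compared"] = True
            br = BRANCH.search(lines[j])
            if finding["compared"] and br:
                finding["branch"] = (j + 1, br.group(1), br.group(3))
                break
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_hardcoded_hash_checks(SAMPLE_SMALI):
        print(f)
```

A finding means the login decision lives entirely in the client, where both the literal and the branch can be edited as shown above; the comparison belongs on a server.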
