If you aren’t familiar with Hack the Box, it is a great resource to learn and get practice hacking lots of different types of targets in a lab environment. It has several servers and machines that you can hack into, but it also has a Challenges section that is broken down into different categories with more focused challenges.

I have solved several of the Mobile challenges, so I’m planning on doing a writeup of some of the retired challenges that I have solved. The first of these challenges is going to be Anchored, which is an Easy-rated challenge. For this challenge, we are given an APK file, and the description says:
A client asked me to check if I can intercept the https request and get the value of the secret parameter that is passed along with the user’s email. The application is intended to run in a non-rooted device. Can you help me find a way to intercept this value in plain text?
Running the Application
Since the description says that the app is intended to run on a non-rooted device, I am going to spin up a non-rooted Android Studio emulator to use as my testing device. I have posted a previous walkthrough for setting up an Android emulator, and the only significant difference here is that when selecting the hardware profile, I will select one with the Play Store enabled, since that image is not rooted by default.

Once I have my emulator up and running, I install the APK with ADB and launch the app. This shows me a screen with a field for an email address and a button to request access. According to the description, we were asked to “intercept the https requests and get the value of the secret parameter.” To intercept the requests, I’m going to boot up Burp Suite and attempt to proxy the traffic. Unfortunately, in order to proxy the traffic, I need to install the CA certificate from Burp Suite, and in modern Android versions, that requires root.

Decompiling the APK
Since this app is meant to run on a non-rooted device, we need to figure out how to use Burp Suite without root. To do this, I’m going to start by decompiling the APK with Apktool.

Once I have decompiled the APK, I’m going to first look at the AndroidManifest.xml file. Looking at this file, I find the attribute android:networkSecurityConfig, which points to the network_security_config.xml file. Opening this file, I see that it is pointing to a certificate file at raw/certificate.pem.

Since this APK has a certificate packaged in the application files, I can replace this certificate with my own Burp Suite certificate, which should let me intercept traffic from the app.
Replacing the Certificate
To replace the certificate, I first need to export the certificate from Burp Suite. To do this, open Burp Suite, go to the Proxy settings, and export the certificate in DER format.

Now I have a certificate file in DER format, but the certificate.pem file from the Anchored APK is in PEM format. Fortunately, there is a simple command to convert a certificate from DER to PEM format:
openssl x509 -inform der -in filename.der -out filename.pem
Since the filename that is listed in the config file was certificate.pem, I’m also going to make sure that this new file has that same name.
Once I have this certificate file in the proper format, I delete the original certificate.pem from the decompiled application files and put my new certificate in its place. Next, I need to rebuild the APK with another Apktool command.

Signing the APK
I now have a repackaged APK, but trying to install this APK will fail because it needs to be re-signed. To re-sign the APK, I first need to create a keystore with the following command:
keytool -genkey -v -keystore keystore-name -keyalg RSA -keysize 2048 -validity 1000 -alias alias-name

Note: Make sure you remember the password, the keystore name, and the alias you created when generating the keystore.
Now that I have a keystore, I can sign my APK using that keystore and a tool called apksigner with the following command:
apksigner sign --ks-key-alias alias-name --ks keystore-name apk-name

Installing the APK and Intercepting the Traffic
Now that I have edited, re-packaged, and re-signed the APK, I can install it with ADB. After the APK is installed on my emulator, I can launch Burp Suite and enable the proxy settings in the emulator.
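The steps above (decompile, confirm the app trusts a certificate bundled in the APK, convert Burp’s DER export to PEM, swap it in, rebuild, sign, install) can be chained into one script. The following is an added example written for this post; it is not part of the challenge files or of any Hack the Box material. It assumes apktool, openssl, keytool, apksigner and adb are on PATH, that the decompiled tree keeps the certificate at res/raw/certificate.pem (the writeup names it raw/certificate.pem), and that the keystore name, alias and password are placeholders you should change. The function names (find_bundled_anchors, has_nsc, repackage_with_cert) are mine.

```shell
#!/bin/sh
# Added example, not from the writeup: automate the certificate swap.
# Assumed tool set: apktool, openssl, keytool, apksigner, adb (zipalign optional).

# Does the manifest opt into a network security config at all?
has_nsc() {
    grep -q 'android:networkSecurityConfig' "$1/AndroidManifest.xml"
}

# Print every app-bundled trust anchor (src="@raw/...") referenced from the
# decompiled res/xml directory. An empty result means the app trusts the
# system store (or pins), and swapping a bundled file will not help.
find_bundled_anchors() {
    grep -rho 'src="@raw/[^"]*"' "$1/res/xml" 2>/dev/null | sort -u
}

# Usage: repackage_with_cert original.apk burp-export.der
repackage_with_cert() {
    apk="$1"; der="$2"
    work="${apk%.apk}-work"          # apktool output directory
    out="${apk%.apk}-burp.apk"       # rebuilt, re-signed APK
    ks="${KS:-burp-test.keystore}"   # placeholder keystore name
    alias="${KS_ALIAS:-burp-test}"   # placeholder alias
    pass="${KS_PASS:-changeit}"      # placeholder password

    for t in apktool openssl keytool apksigner adb; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done

    # 1. Decompile; -f overwrites a stale work directory.
    apktool d -f "$apk" -o "$work"

    # 2. Confirm the precondition the whole trick depends on.
    has_nsc "$work" || { echo "no networkSecurityConfig in manifest" >&2; return 1; }
    anchors=$(find_bundled_anchors "$work")
    [ -n "$anchors" ] || { echo "no app-bundled trust anchor found" >&2; return 1; }
    echo "bundled trust anchor(s): $anchors"

    # 3. Convert Burp's DER export to PEM, writing it over the original file
    #    so the name the config expects is unchanged (assumed path).
    openssl x509 -inform der -in "$der" -out "$work/res/raw/certificate.pem"

    # 4. Rebuild the APK.
    apktool b "$work" -o "$out"

    # Optional: align before signing (zipalign after signing breaks the signature).
    if command -v zipalign >/dev/null 2>&1; then
        zipalign -f -p 4 "$out" "$out.aligned"
        mv "$out.aligned" "$out"
    fi

    # 5. Create a throwaway signing key once, then sign and verify.
    [ -f "$ks" ] || keytool -genkey -v -keystore "$ks" -keyalg RSA -keysize 2048 \
        -validity 1000 -alias "$alias" -storepass "$pass" -keypass "$pass" \
        -dname "CN=burp-test"
    apksigner sign --ks "$ks" --ks-key-alias "$alias" \
        --ks-pass "pass:$pass" --key-pass "pass:$pass" "$out"
    apksigner verify "$out"

    # 6. Install (replacing any earlier copy) on the running emulator.
    adb install -r "$out"
}

# Only run the pipeline when given the two paths; sourcing just defines the functions.
if [ "$#" -eq 2 ]; then
    repackage_with_cert "$1" "$2"
fi
```

Run it as sh swap-cert.sh Anchored.apk burp.der (file names are placeholders) with Burp listening and the emulator’s proxy pointed at it. The check in step 2 is the part worth keeping: the approach only works because the app ships its own CA inside an APK it does nothing to protect, so anyone who can repackage and re-sign the file controls which CA the app trusts. From the app owner’s side, a bundled trust anchor is not a pinning control unless the APK’s integrity is itself verified.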

Once the proxy is enabled, I just launch the app and click the “Request Access” button, and now I see the POST request to https://anchored.com being captured by Burp Suite. When I inspect this request, I see the hidden message, which is the flag.

If you want to sign up for Hack the Box, please consider using my affiliate link at https://hacktheboxltd.sjv.io/VmGgeE.
If you’re interested in more content about security, hacking, making, and tech, check out my YouTube channel at https://youtube.com/@CorSecure.

