CorSecure

Security, Hacking, Making, and Tech


Hack the Box Pinned Walkthrough

This is going to be a walkthrough of Pinned, which is another one of the mobile challenges from Hack the Box. This challenge is rated Easy, so I’m not expecting it to be too difficult. But first, let’s take a look at the challenge description:

This app has stored my credentials and I can only login automatically. I tried to intercept the login request and restore my password, but this seems to be a secure connection. Can you help bypass this security restriction and intercept the password in plaintext?

This tells us that we need to intercept the login request from the mobile app with a proxy in order to see the password, and there is also apparently some sort of security restriction in place that we need to bypass. Also, the challenge is named “Pinned,” so it seems likely that the security restriction that we have to bypass is going to be certificate pinning, which I have covered previously on this blog.

Launching the App

Now that we have an idea of what we need to do, let’s install the APK and get started. For this challenge, I will be using an Android Studio emulator to run the APK, and I will be using Burp Suite as my proxy. In order to use Burp Suite for this, we will need to have the Burp Suite certificate installed on our device, which I already covered in a previous blog. After installing the APK on my emulator and pointing the proxy settings to my Burp Suite listener, I can attempt to launch the application and log in.

When I do that, I notice that I’m not getting any traffic in my Burp HTTP history, and when I look at the event log on the Burp Suite dashboard, I see that I am getting a TLS error when the application tries to connect to the URL pinned.com. This is the error message that tells me that we’re dealing with certificate pinning, and we’re going to need to bypass it in order to see traffic in our proxy.

Bypassing Certificate Pinning

There are several different ways to bypass this pinning mechanism, but I’m going to use Objection. I have already covered installing Frida and Objection in previous blogs, so if anyone needs a refresher course, feel free to go back to those blog entries and review the installation sections.

Once both Frida and Objection are installed, I need to make sure that the Frida server is running on my Android emulator. To do this, I am going to drop into an adb shell, navigate to the location where the frida-server is installed, and run the server.

I am going to leave this terminal tab open and open a second tab. In this tab, I am going to run a simple smoke test with Frida to find the package name for the application we are working with. To do this, I will run the command frida-ps -Uia.

Once I have the package name, I can use Objection to launch the application on the device with the command: objection -g <package name> explore. After the application launches, I can bypass SSL Pinning with Objection by running the command android sslpinning bypass.
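The steps above scripted end to end, as an added example that is not from the original post: it starts frida-server over adb, resolves the package identifier from the frida-ps -Uia listing, and spawns the app in Objection with the pinning bypass applied as a startup command. The app display name "Pinned", the frida-server path on the emulator, and the sample frida-ps output used for the offline self-check are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes adb, frida-ps and objection
# are installed on the host and frida-server has already been pushed to the
# emulator at FRIDA_SERVER (assumed path).
set -eu

FRIDA_SERVER=/data/local/tmp/frida-server

# Extract the package identifier for an app from `frida-ps -Uia` output on stdin.
# Columns are PID, Name (may contain spaces) and Identifier; non-running apps
# show "-" as the PID, so only the header and separator rows are skipped.
find_package() {
  awk -v want="$1" '
    $1 == "PID" || $1 ~ /^--+$/ { next }
    {
      id = $NF                       # identifier is always the last column
      $1 = ""; $NF = ""              # drop PID and identifier, keep the name
      name = $0
      sub(/^ +/, "", name); sub(/ +$/, "", name)
      if (tolower(name) == tolower(want)) { print id; exit }
    }'
}

# Constructed sample of `frida-ps -Uia` output for the offline self-check.
SAMPLE_PS=' PID  Name               Identifier
----  -----------------  --------------------
1234  Pinned             com.example.pinned
   -  Google Play Store  com.android.vending'

self_check() {
  [ "$(printf '%s\n' "$SAMPLE_PS" | find_package Pinned)" = "com.example.pinned" ]
}

# Start frida-server on the emulator in the background (the post does this by hand).
start_frida_server() {
  adb root >/dev/null 2>&1 || true
  adb shell "nohup $FRIDA_SERVER >/dev/null 2>&1 &"
  sleep 2
}

main() {
  start_frida_server
  pkg=$(frida-ps -Uia | find_package "${1:-Pinned}")
  [ -n "$pkg" ] || { echo "app not found in frida-ps output" >&2; exit 1; }
  objection -g "$pkg" explore --startup-command "android sslpinning bypass"
}

# `sh pinned.sh --run [AppName]` runs the live workflow; no arguments runs the self-check.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; else self_check; fi
```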

Intercepting Traffic and Finding the Flag

Once I have bypassed SSL Pinning, I can go back to my Burp Suite proxy, and now I should be able to intercept traffic and view the contents of the requests being sent by the application. With the proxy enabled, I can attempt to log in to the application. This time, I should be able to actually see traffic in the HTTP history, and I can inspect the content of the login request.

If you want to sign up for Hack the Box, please consider using my affiliate link:
https://hacktheboxltd.sjv.io/VmGgeE.

If you’re interested in more content about security, hacking, making, and tech, check out my YouTube channel at https://youtube.com/@CorSecure.
