HackTheBox APKrypt Challenge
https://app.hackthebox.com/challenges/285
Description
Can you get the ticket without the VIP code?
Exploitation
Decompile the APK with jadx-gui and read the code that checks the VIP code. The APK can also be unpacked with apktool:
apktool d <apk>
import hashlib
from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def md5_hash(text):
    """Return the MD5 digest of *text* as hex digits without zero-padding.

    Each digest byte is rendered with its minimal hex form, so a byte below
    0x10 contributes a single character. The result can therefore be shorter
    than 32 characters and will not always equal ``hashlib``'s ``hexdigest()``.

    This helper is not called by ``main`` in this listing.
    """
    # NOTE(review): the unpadded formatting presumably mirrors how the app
    # builds its hash string -- confirm against the decompiled code before
    # comparing against a stored hash.
    digest_bytes = hashlib.md5(text.encode()).digest()
    return ''.join(format(byte, 'x') for byte in digest_bytes)
def decrypt_aes(encrypted_str):
    """Decrypt a Base64-encoded AES-ECB ciphertext and return it as text.

    The input is Base64-decoded, decrypted with a fixed 16-byte key in ECB
    mode, stripped of its block padding, and decoded as UTF-8.

    Raises whatever ``b64decode``, ``unpad`` or ``bytes.decode`` raise on
    malformed input; the caller is expected to handle that.
    """
    # Static key, hard-coded here. A key that ships alongside the ciphertext
    # gives no confidentiality, and ECB adds no IV or integrity check.
    # NOTE(review): presumably this is the key found in the decompiled app --
    # confirm against the jadx output.
    key = b'Dgu8Trf6Ge4Ki9Lb'
    ciphertext = b64decode(encrypted_str)
    padded_plaintext = AES.new(key, AES.MODE_ECB).decrypt(ciphertext)
    return unpad(padded_plaintext, AES.block_size).decode('utf-8')
def main():
    """Decrypt the hard-coded ciphertext and print the result or the error."""
    # Kept for reference only: this value is never read below, because the
    # script decrypts the ciphertext directly instead of matching a hash.
    target_hash = "735c3628699822c4c1c09219f317a8e9"
    encrypted = "k+RLD5J86JRYnluaZLF3Zs/yJrVdVfGo1CQy5k0+tCZDJZTozBWPn2lExQYDHH1l"

    print("Decrypting AES string...")
    try:
        # Both the decryption and the success print stay inside the try so
        # that any failure is reported through the same error line.
        print(f"Decrypted string: {decrypt_aes(encrypted)}")
    except Exception as err:
        print(f"Error decrypting: {err}")


# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
Summary
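APKrypt: inspect the Android app, trace the validation path, and recover the flag. The script decrypts the Base64 ciphertext directly with the hard-coded AES key, so the VIP code itself is never needed. Because both the key and the ciphertext are available to anyone holding the APK, the client-side check protects nothing; a secret like this has to be kept and verified on the server side.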