HackTheBox Anchored Challenge
https://app.hackthebox.com/challenges/284
Description
A client asked me to check if I can intercept the https request and get the value of the secret parameter that is passed along with the user's email. The application is intended to run in a non-rooted device. Can you help me find a way to intercept this value in plain text?
Exploitation
Decompiling the APK with jadx-gui (or an online decompiler such as www.javadecompilers.com) reveals MainActivity.java in the com.example.anchored package. It calls native methods (frf(), prp(), mrm()) implemented in libanchored.so to construct the HTTP request parameters.
In libanchored.so, the Java_com_example_anchored_MainActivity_frf function applies XOR encryption using specific byte constants (e.g., 0x0012d0c9 for t and 0x0012d0cb for u). Because both the XOR key (local_e8) and the encrypted data (local_198) are recoverable from the binary, the decryption can be simulated with a Python script.
#!/usr/bin/python3
# Repeating-key XOR, mirroring the loop in Java_com_example_anchored_MainActivity_frf.
def xor(data, key):
    return bytes([data[i] ^ key[i % len(key)] for i in range(len(data))])

ct = b't%u9t8?M/~bx&uz-ebtux8'    # encrypted data (local_198) pulled from libanchored.so
key = b'!K!K!KK~K!!KT!KKT!@!KK'   # XOR key bytes (local_e8) pulled from libanchored.so
decrypted_text = xor(ct, key)
print("Decrypted Text: HTB{" + decrypted_text.decode() + "}")
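The following is an added example (not the writeup author's script and not code from the challenge) that generalises the point above: a fixed XOR key compiled into a native library is not a secret, because XOR is its own inverse. Given any one ciphertext/plaintext pair, the key stream falls out directly, and the same key then decodes every other parameter the app obfuscates with it. The ciphertext and key bytes are the ones quoted in the writeup; the email-style parameter is a constructed sample, and all function names are this example's own.

```python
#!/usr/bin/python3
# Added example: why a static XOR key inside libanchored.so offers no confidentiality.
# CT and KEY are the byte strings from the writeup; everything else is constructed here.

CT = b't%u9t8?M/~bx&uz-ebtux8'    # encrypted secret parameter (local_198)
KEY = b'!K!K!KK~K!!KT!KKT!@!KK'   # XOR key bytes (local_e8)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; identical for encryption and decryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt(ct: bytes = CT, key: bytes = KEY) -> bytes:
    """Recover the plaintext parameter the app sends over HTTPS."""
    return xor_bytes(ct, key)


def recover_key(ct: bytes, known_pt: bytes) -> bytes:
    """XOR is self-inverse: ct ^ pt yields the key stream for every known position.

    One observed (ciphertext, plaintext) pair is enough to rebuild the key,
    which is why a fixed key gives no protection once the binary is readable.
    """
    return bytes(c ^ p for c, p in zip(ct, known_pt))


def same_key_decodes_other_params(recovered_key: bytes) -> bool:
    """Show that a key recovered from one parameter decodes a different one.

    The email value is a constructed sample, obfuscated here with the same
    static key the library uses; nothing about it comes from the challenge.
    """
    sample_email = b'user@example.com'
    obfuscated_email = xor_bytes(sample_email, KEY)
    return xor_bytes(obfuscated_email, recovered_key) == sample_email


def flag() -> str:
    return "HTB{" + decrypt().decode() + "}"


if __name__ == "__main__":
    pt = decrypt()
    print("Decrypted parameter:", pt.decode())
    print("Key recovered from one known pair matches library key:",
          recover_key(CT, pt) == KEY)
    print("Recovered key decodes a second parameter:",
          same_key_decodes_other_params(recover_key(CT, pt)))
    print(flag())
```

The defensive takeaway is the inverse of the exercise: moving obfuscation into native code raises the cost of reading it but does not change the maths, so a secret that must not be readable on the client cannot be protected by a symmetric transform whose key ships with the app.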
Summary
Anchored: inspect the Android app, trace the validation path, and recover the flag.