HackTheBox Pinned Challenge
https://app.hackthebox.com/challenges/282
Description
This app has stored my credentials and I can only log in automatically. I tried to intercept the login request and restore my password, but this seems to be a secure connection. Can you help bypass this security restriction and intercept the password in plaintext?
Exploitation
Use jadx-gui to decompile the APK and review the code, or unpack it with apktool:
apktool d <apk>
The stored login credentials used by the app:
bnavarro
1234567890987654
unzip pinned.apk -d pinned_extracted
cd pinned_extracted
zipalign -v 4 pinned.apk aligned-pinned.apk
adb install aligned-pinned.apk
The password never leaves the app in plaintext, so we either MITM the TLS connection or hook the app with Frida and read the internal values. The following Frida script hooks StringBuilder.toString, Base64.decode, SecretKeySpec creation and Cipher.getInstance so the key material and intermediate strings are printed while the app logs in:
Java.perform(function() {
    // Print every string assembled through a StringBuilder (noisy, but catches the plaintext)
    var StringBuilder = Java.use('java.lang.StringBuilder');
    StringBuilder.toString.implementation = function() {
        const result = this.toString();
        console.log('[+] StringBuilder result:', result);
        return result;
    };

    // Print the Base64 input before it is decoded (hardcoded key / ciphertext)
    var Base64 = Java.use('android.util.Base64');
    Base64.decode.overload('java.lang.String', 'int').implementation = function(str, flags) {
        console.log('[+] Base64 string to decode:', str);
        return this.decode(str, flags);
    };

    // Print the raw key bytes and algorithm whenever a SecretKeySpec is built
    var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function(key, algorithm) {
        console.log('[+] SecretKeySpec created:');
        console.log('    Key (string):', Java.use('java.lang.String').$new(key));
        console.log('    Algorithm:', algorithm);
        return this.$init(key, algorithm);
    };

    // Print the transformation string requested from Cipher
    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function(algorithm) {
        console.log('[+] Cipher.getInstance:', algorithm);
        return this.getInstance(algorithm);
    };

    console.log('[*] Hooks installed. Login with bnavarro/1234567890987654');
});
frida -U -f com.example.pinned -l poc.js
SSL pinning bypass (intended MITM route)
Use an Android emulator, such as the one shipped with Android Studio. Point the pinned hostname at the challenge host by editing the emulator's hosts file:
adb root
adb shell
mount -o rw,remount /system
echo "10.10.10.112 pinned.com" >> /system/etc/hosts
mount -o ro,remount /system
cat /system/etc/hosts
reboot
ip a
Open Burp and under Proxy > Options > Proxy Listeners add a listener bound to <ip>:8090, where <ip> is the host address reachable from the emulator. In the emulator's Android network settings, set the proxy to <ip>:8090.
Push frida-server to the emulator and start it:
adb root
adb push frida-server-14.2.18-android-x86_64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &
In Burp, export the CA certificate in DER format as cert-der.crt and push it to the device, where the pinning-bypass script expects to find it:
adb push cert-der.crt /data/local/tmp/
https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
frida -U -f com.example.pinned --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida
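From the defender's side, whether a proxy CA pushed onto the device is ever trusted is decided by the app's network security configuration. The file below is an added example of res/xml/network_security_config.xml and is not part of the challenge app or of this writeup: it pins pinned.com to SPKI hashes (the pin values are placeholders, not real hashes) and trusts only the system certificate store. The comments show the weak settings that would make a user-installed CA such as Burp's acceptable.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the challenge app's configuration. -->
<network-security-config>
    <!-- Weak alternative (do not ship): <base-config> with
         <certificates src="user"/> under <trust-anchors> makes any CA
         the user installs on the device a valid issuer for every host. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">pinned.com</domain>
        <!-- Placeholder pins: replace with the SHA-256 of the server's
             SubjectPublicKeyInfo and of a backup key. -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64==</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>

    <!-- Weak alternative (do not ship in release builds): a
         <debug-overrides> block trusting src="user" certificates
         re-enables proxy CAs whenever the build is debuggable. -->
</network-security-config>
```

Two caveats follow from the walkthrough above. Pinning is a client-side control: on a rooted or instrumented device a Frida hook can replace the check, so it raises the cost of interception but cannot protect a credential that the app itself decrypts with a hardcoded key. The stored secret and its key are the real weakness here, and pinning configuration is only the second line of defence.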
Summary
Pinned: hook the mobile app with Frida, bypass the check, and recover the flag.