APKey
After downloading the challenge files from HackTheBox and unzipping them, we need the following tools:
An Android emulator; I'm using Genymotion: https://www.genymotion.com/
apktool: a good blog post on how to install apktool on Windows: https://nikhil-gandla777.medium.com/how-to-install-the-apk-tool-in-your-windows-machine-69937034e670
jadx-gui: https://sourceforge.net/projects/jadx.mirror/files/latest/download (don't forget to install the JDK as well: https://www.oracle.com/java/technologies/downloads/#jdk21-windows)
Don't forget to move both apktool.bat and apktool.jar to the C:\Windows directory so they are on PATH.
Alright, now that we have everything downloaded, let's get into the challenge.
Let's open Genymotion; if you haven't used it before, you will have to add a virtual device.

I noticed that the 'Custom Phone' virtual device running Android 10 works with the APK file, so keep that in mind.
Boot your virtual device and drag and drop the APK file onto it.
It should look something like this:

Trying default credentials doesn't work.
Let's use jadx-gui and dig into the source code.
Once you have the program open, it's as simple as 'Open file' -> click on the APK file.
You should see something similar:

Now, looking through 'Source code' -> 'example.apkey' -> 'MainActivity', we can see an interesting function:

Looks like we have an MD5 hash of the admin's password, but I had problems trying to crack the hash and couldn't crack it.
What we can do instead is replace the hash with one whose password we already know; for this we will use apktool.
Let's decompile the .apk file:
apktool.bat d .\APKey.apk

We should now have a new directory:
cd .\APKey\
Now we need to find MainActivity (what we saw in jadx-gui), so:
cd .\smali\com\example\apkey\

Now let's open the file in VS Code:

We want to replace this hash.
Let's generate our own MD5 hash; we can use the following website to do so:

We have our MD5 hash:
feb4151417d34e5d13a816110dcc292e
Now we can replace the hash:

Don't forget to save the file.
Now let's recompile the APK file:
apktool.bat b .\APKey\ -o apk.apk

Now let's drop our new APK file onto the virtual device and see if we have access.
Trying to install the apk.apk file on the virtual device did not work; possibly compatibility issues, I tried Android versions 12, 11 and 10.
Let's downgrade apktool to version 2.6.0, which we can find here:
Let's see if it builds now:
java -jar .\apktool_2.6.0.jar b .\APKey -o mod_APKey.apk

Now we just need to sign the APK so the device will accept it as coming from a vendor; otherwise it may not be installed on other devices. For this we can use keytool and jarsigner: keytool is used to create an RSA key, and jarsigner signs the APK with that key.
First let's generate our key (in PowerShell the quoted path needs the & call operator, as in the jarsigner commands below):
& 'C:\Program Files\Java\jdk-21\bin\keytool.exe' -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Then sign mod_APKey.apk using jarsigner:
& 'C:\Program Files\Java\jdk-21\bin\jarsigner.exe' -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore .\my-release-key.keystore .\mod_APKey.apk alias_name
Now let's install the new APK file on the virtual device and see if it works:

No luck.
Let's look at the code again:

From what we can see, the logic is:
if string == hash; auth
# can we change it to something like
if string != hash; auth
We can try and change it.
How do we do this? Looking at

we find this, which specifies:
if-eqz: "if equal to zero", i.e. branch when the register holds 0
if-nez: "if not equal to zero", i.e. branch when the register holds anything other than 0
So we just need to change the equal-to-zero test into a not-equal-to-zero test in the code.
Back in VS Code, in the MainActivity$a.smali file:

Don't forget to save the file.
Now we just need to recompile the APK file:
apktool.bat b .\APKey -o new.apk
Then sign it:
& 'C:\Program Files\Java\jdk-21\bin\jarsigner.exe' -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore .\my-release-key.keystore .\new.apk alias_name
Now when we upload it to our virtual device and give it any password, we should get the flag.
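The developer-side counterpart of the above, added here as an example that is not part of the writeup or the challenge: a small Python scanner to run over your own apktool output to flag the two things this walkthrough relied on, a hardcoded digest constant and a String.equals() result feeding an if-eqz/if-nez branch. The regexes are assumptions about apktool's smali syntax, and the sample method and its Util->md5 helper are constructed.

```python
import re

# Assumptions about apktool's smali output (not copied from the challenge):
# a const-string literal shaped like a hex MD5 / SHA-1 / SHA-256 digest,
# a call to String.equals(), and the if-eqz/if-nez branch that consumes it.
HEX_DIGEST = re.compile(
    r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})"')
EQUALS_CALL = re.compile(r'Ljava/lang/String;->equals\(Ljava/lang/Object;\)Z')
BRANCH = re.compile(r'^\s*(if-eqz|if-nez)\s+[vp]\d+,\s*:\w+')
DIGEST_NAME = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def scan_smali(text):
    """Return (line_no, finding, detail) tuples for one smali file's text."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = HEX_DIGEST.match(line)
        if m:
            findings.append((idx + 1, "hardcoded-digest", DIGEST_NAME[len(m.group(1))]))
        if EQUALS_CALL.search(line):
            # The boolean lands in a register via move-result and is normally
            # branched on within the next few instructions.
            for j in range(idx + 1, min(idx + 4, len(lines))):
                b = BRANCH.match(lines[j])
                if b:
                    findings.append((j + 1, "branch-on-equals", b.group(1)))
                    break
    return findings


# Constructed sample in the shape of the MainActivity$a check from the writeup;
# the helper Lcom/example/apkey/Util;->md5 is hypothetical.
SAMPLE = """\
.method public a(Ljava/lang/String;)Z
    .locals 2
    const-string v0, "feb4151417d34e5d13a816110dcc292e"
    invoke-static {p1}, Lcom/example/apkey/Util;->md5(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v1
    invoke-virtual {v1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v1
    if-eqz v1, :cond_0
    const/4 v0, 0x1
    return v0
    :cond_0
    const/4 v0, 0x0
    return v0
.end method
"""

if __name__ == "__main__":
    for line_no, finding, detail in scan_smali(SAMPLE):
        print(f"line {line_no}: {finding} ({detail})")
```

A hit on both patterns means the credential decision is made entirely on the client, where a one-opcode change inverts it; moving the check server-side is the fix, not hiding the hash better.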
