APKey
After we have downloaded the necessary files from HackTheBox, and unzipped the files we need the following tools
android emulator, I'm using genymotion https://www.genymotion.com/
APKtools: great blog for how to download APKtools to Windows https://nikhil-gandla777.medium.com/how-to-install-the-apk-tool-in-your-windows-machine-69937034e670
jadx-gui: https://sourceforge.net/projects/jadx.mirror/files/latest/download dont forget to download the JDK DEV kit https://www.oracle.com/java/technologies/downloads/#jdk21-windows
Dont forget to move both apktool.bat and apktools.jar to C:\Windows directory so they are on PATH
alright now that we have everything downloaded lets get into this challenge
Lets open genymotion, if you haven't use it before you will have to add a virtual device
I noticed using the 'custom phone' virtual device running android 10 works with the apk file, so just keep that in mind
Boot your virtual device, and drag and drop the APK file onto the virtual device
should look something like this
Trying default credentials doesn't seem to work
Let's use jadx-gui and dig into the source code
Once you have the program up its as simple as 'open file` -> click on the apk file
you should see something similar
Now looking through the 'source code' -> 'example.apkey' -> 'MainActivity' we can see an interesting function
Looks like we have a md5 hash of the admin's password, but trying to crack the hash i had problems, couldnt crack it
What we can do is change the hash to our own known hash, for this we will utilize apktools 1
Let's de-compile the .apk file
apktool.bat d .\APKey.apk
we should have a New directory
cd .\APKey\Now we need to find the
MainActivity(what we saw in jadex-gui) so
cd .\smali\com\example\apkey\
Now lets open the file in VSCODE
we want to replace this hash
Lets generate our own md5 hash, we can use the following website to do so
we have our md5 hash
feb4151417d34e5d13a816110dcc292eNow we can replace the hash
Dont forget to save the file
Now lets recompile the apk file
apktool.bat b .\APKey\ -o apk.apk
Now lets drop our new apk file into our virtual device and see if we have access
trying to download the apk.apk file on the virtual device did not work, possible compatibility issues tried android version 12, 11 and 10
Lets downgrade our apktools version to 2.6.0 we can find it here
Lets see if we can compile it now
java -jar .\apktool_2.6.0.jar b .\APKey -o mod_APKey.apk
Now we just need to sign the apk to verify that it is indeed from a vendor, otherwise it may not be installed on other devices, for this we can use the keytool and jarsigner
The keytool is used to create a RSA key and jarsigner to sign the apk using RSA key
first lets generate our key
'C:\Program Files\Java\jdk-21\bin\keytool.exe' -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000assigning our key to mod_APKey.apk using jarsigner
& 'C:\Program Files\Java\jdk-21\bin\jarsigner.exe' -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore .\my-release-key.keystore .\mod_APKey.apk alias_nameNow lets download the new apk file onto the virtual device and see if it works
No luck
Lets look at the code again
from what we can see
if string == hash; auth
#can we change it to something like
if string != hash; authWe can try and change it
How do we do this, looking at
we do find this which specifies
if-eqz: means equal to zero meaning equal to
if-nez: means not equal to zero meaning not equal to
So we just need to change the equal to to not equals to in the code
back in VS CODE (MainActivity$a.smali) file
dont forget to save the file
Now we just need to recompile the apk file
apktool.bat b .\APKey -o new.apk
#sign it
& 'C:\Program Files\Java\jdk-21\bin\jarsigner.exe' -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore .\my-release-key.keystore .\new.apk alias_nameNow when we upload it to our virtual device and give it any password we should get the flag
Last updated