APKey

After we have downloaded the necessary files from HackTheBox and unzipped them, we need the following tools:

Don't forget to move both apktool.bat and apktool.jar into the C:\Windows directory so they are on PATH.

Alright, now that we have everything downloaded, let's get into this challenge.

Let's open Genymotion; if you haven't used it before you will have to add a virtual device.

I noticed that the 'Custom Phone' virtual device running Android 10 works with the APK file, so keep that in mind.

Boot your virtual device, then drag and drop the APK file onto it.

It should look something like this:

Trying default credentials doesn't seem to work.

Let's use jadx-gui and dig into the source code.

Once you have the program up it's as simple as 'Open file' -> click on the APK file.

You should see something similar:

Now, looking through 'Source code' -> 'example.apkey' -> 'MainActivity', we can see an interesting function:

Looks like we have an MD5 hash of the admin's password, but I had problems trying to crack the hash and couldn't crack it.

What we can do is change the hash to our own known hash; for this we will utilize apktool.

  1. Let's de-compile the .apk file:

     apktool.bat d .\APKey.apk

  2. We should now have a new directory:

     cd .\APKey\

  3. Now we need to find the MainActivity (what we saw in jadx-gui):

     cd .\smali\com\example\apkey\

  4. Now let's open the file in VS Code.

  • We want to replace this hash:

  5. Let's generate our own MD5 hash; we can use the following website to do so.

  We have our MD5 hash:

  feb4151417d34e5d13a816110dcc292e

  6. Now we can replace the hash.

  • Don't forget to save the file.

  7. Now let's recompile the APK file:

     apktool.bat b .\APKey\ -o apk.apk

Now let's drop our new APK file into our virtual device and see if we have access.

Trying to load apk.apk onto the virtual device did not work; possibly compatibility issues. I tried Android versions 12, 11 and 10.

Let's downgrade our apktool version to 2.6.0; we can find it here.

Let's see if we can compile it now:

java -jar .\apktool_2.6.0.jar b .\APKey -o mod_APKey.apk

Now we just need to sign the APK so the device can verify it comes from a known publisher; otherwise it may not install. For this we can use keytool and jarsigner.

keytool is used to create an RSA key pair in a keystore, and jarsigner signs the APK with that key.

First let's generate our key (in PowerShell the quoted path needs the & call operator):

& 'C:\Program Files\Java\jdk-21\bin\keytool.exe' -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Signing mod_APKey.apk with our key using jarsigner:

& 'C:\Program Files\Java\jdk-21\bin\jarsigner.exe' -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore .\my-release-key.keystore .\mod_APKey.apk alias_name

Now let's load the new APK file onto the virtual device and see if it works.

  • No luck.

Let's look at the code again.

From what we can see:

if string == hash; auth
# can we change it to something like
if string != hash; auth

We can try and change it.

How do we do this? Looking at

we find this, which specifies:

  • if-eqz vA, :label: branch if register vA equals zero (for a boolean register, if the comparison was false)

  • if-nez vA, :label: branch if register vA is not zero (if the comparison was true)

So we just need to change the equal-to-zero test into a not-equal-to-zero test in the code.
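To make those two opcodes concrete, here is an added example that is not part of the original writeup and not the challenge's real disassembly: a small Python interpreter for just the Dalvik instructions such a check uses, run over a constructed smali fragment. The hardcoded digest is md5("password"), the Lexample/Util;->md5 helper name is an assumption standing in for the app's hashing method, and patch_branch applies the writeup's if-eqz to if-nez swap so you can see the decision flip.

```python
import hashlib

# Constructed smali fragment in the shape of the check the writeup describes
# (not the real disassembly); Lexample/Util;->md5 is a placeholder helper.
PROGRAM = """
    const-string v1, "5f4dcc3b5aa765d61d8327deb882cf99"
    invoke-static {p1}, Lexample/Util;->md5(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    if-eqz v0, :cond_0
    const/4 v2, 0x1
    return v2
    :cond_0
    const/4 v2, 0x0
    return v2
"""

def run(program, password):
    """Interpret the opcodes above with p1 = input; return 1 if authenticated, else 0."""
    lines = [ln.strip() for ln in program.strip().splitlines()]
    labels = {ln: i for i, ln in enumerate(lines) if ln.startswith(":")}
    regs, last, pc = {"p1": password}, None, 0
    while pc < len(lines):
        op, _, rest = lines[pc].partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if op == "const-string":
            regs[args[0]] = args[1].strip('"')
        elif op == "const/4":
            regs[args[0]] = int(args[1], 16)
        elif op == "invoke-static":           # stand-in for the app's md5 helper
            last = hashlib.md5(regs["p1"].encode()).hexdigest()
        elif op == "invoke-virtual":          # String.equals -> boolean (1/0)
            last = int(regs["v0"] == regs["v1"])
        elif op in ("move-result", "move-result-object"):
            regs[args[0]] = last
        elif op in ("if-eqz", "if-nez"):      # branch on register == 0 / != 0
            if (regs[args[0]] == 0) == (op == "if-eqz"):
                pc = labels[args[1]]
                continue
        elif op == "return":
            return regs[args[0]]
        pc += 1                               # labels and anything else fall through
    raise RuntimeError("fragment ended without a return")

def patch_branch(program):
    """The writeup's patch: swap if-eqz for if-nez, inverting the decision."""
    return program.replace("if-eqz", "if-nez")
```

With the original fragment only "password" returns 1; after the swap every other input does, and "password" itself is rejected.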

Back in VS Code, in the MainActivity$a.smali file:

After the code change:
  • Don't forget to save the file.

Now we just need to recompile the APK file and sign it:

apktool.bat b .\APKey -o new.apk
# sign it
& 'C:\Program Files\Java\jdk-21\bin\jarsigner.exe' -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore .\my-release-key.keystore .\new.apk alias_name

Now when we upload it to our virtual device and give it any password we should get the flag.
