
HackTheBox Pinned Challenge

Explore the basics of cybersecurity in the Pinned Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/282

Description

This app has stored my credentials and I can only login automatically. I tried to intercept the login request and restore my password, but this seems to be a secure connection. Can you help bypass this security restriction and intercept the password in plaintext?

Exploitation

Unpack the APK with apktool and open it in jadx-gui to read the decompiled code.

```shell
apktool d <apk>
```

The credentials the app logs in with, recovered from the unpacked app:

```
bnavarro
1234567890987654
```

Extract, align and install the APK on the emulator:

```shell
unzip pinned.apk -d pinned_extracted
cd pinned_extracted
zipalign -v 4 pinned.apk aligned-pinned.apk
adb install aligned-pinned.apk
```

Either MITM the connection or use Frida to read the values inside the app. The script below hooks the string, Base64 and crypto calls the app makes while it logs in, so the ciphertext, key and cipher transformation are printed as they are used.

```javascript
Java.perform(function() {
  // Log every StringBuilder result: the app assembles the decoded value with one.
  var StringBuilder = Java.use('java.lang.StringBuilder');
  StringBuilder.toString.implementation = function() {
      const result = this.toString();  // calls the original implementation
      console.log('[+] StringBuilder result:', result);
      return result;
  };
  // Log the Base64 blob before the app decodes it (the stored ciphertext).
  var Base64 = Java.use('android.util.Base64');
  Base64.decode.overload('java.lang.String', 'int').implementation = function(str, flags) {
      console.log('[+] Base64 string to decode:', str);
      return this.decode(str, flags);
  };
  // Capture the raw key bytes and algorithm when the app builds its key.
  // Printing the key as a Java String is only readable when every key byte is printable.
  var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
  SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function(key, algorithm) {
      console.log('[+] SecretKeySpec created:');
      console.log('    Key (string):', Java.use('java.lang.String').$new(key));
      console.log('    Algorithm:', algorithm);
      return this.$init(key, algorithm);
  };
  // Record which transformation (e.g. AES/CBC/PKCS5Padding) the app requests.
  var Cipher = Java.use('javax.crypto.Cipher');
  Cipher.getInstance.overload('java.lang.String').implementation = function(algorithm) {
      console.log('[+] Cipher.getInstance:', algorithm);
      return this.getInstance(algorithm);
  };
  console.log('[*] Hooks installed. Login with bnavarro/1234567890987654');
});
```

Save the script as poc.js and spawn the app with it (on Frida 14, which matches the frida-server version used later in this post, the spawned process stays paused until you enter %resume or pass --no-pause; Frida 15 and later resume automatically):

```shell
frida -U -f com.example.pinned -l poc.js
```

SSL pinning bypass and MITM

Use an Android emulator such as the one bundled with Android Studio.

Point the app's hostname at the target by editing the emulator's hosts file (on recent emulator images /system is only writable when the emulator was started with -writable-system, and images with dm-verity also need adb disable-verity first):

```shell
adb root
adb shell
mount -o rw,remount /system
echo "10.10.10.112 pinned.com" >> /system/etc/hosts
mount -o ro,remount /system
cat /system/etc/hosts
reboot
```

Find the host's IP address:

```shell
ip a
```

Open Burp and under Proxy > Options > Proxy Listeners add a listener bound to <ip>:8090.

In the emulator's Android settings, set the proxy to <ip>:8090.

Push and run frida-server on the emulator (its version must match the Frida client on the host):

```shell
adb root
adb push frida-server-14.2.18-android-x86_64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &
```

Export Burp's CA certificate in DER format as cert-der.crt and push it to the device; the pinning bypass script below expects it at /data/local/tmp/cert-der.crt:

```shell
adb push cert-der.crt /data/local/tmp/
```

https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

```shell
frida -U -f com.example.pinned --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida
```

Summary

The Pinned Challenge on Hack The Box is an easy-level challenge designed to help beginners learn about encryption reversal and file handling. Participants are tasked with bypassing security restrictions to intercept a stored password in plaintext within an Android application. The challenge involves reverse engineering the APK with tools like apktool and jadx, using Frida to hook the app's internal methods, and bypassing SSL pinning so the traffic can be proxied through Burp. By inspecting calls related to string handling, Base64 decoding and cryptographic operations, participants can reveal the plaintext password and bypass the app's security measures.

This post is licensed under CC BY 4.0 by the author.