What do you do if they have sandbox escapes you don't know about? The kind of person that runs it in a VM is someone they'd probably want to be looking at.
Oh, come on. You have to have an old phone lying around to factory reset for shits and giggles. Not like they'd burn good zero days on a publicity stunt.
Remember, this thing'll be getting picked apart by everybody considering the source.
Unless you're afraid of getting black bagged that i...<SIGNAL LOST>
If I need to read the source code of a fucking website for it to be useful, then it's either a really special edge-case or the designer is a moron. Guess which case this is.
Why not upload a plain text file in the first place?
Yes, and those people might visit a website, which asks for...shudder...cookies. If you can show that the cookies do something nefarious, I'd be interested. Do you think they general population would even get to the point of installing an APK?
"Consider what that means for Mossad"
At this point, you can't even prove that the APK does anything nefarious - and it would be dangerous for the Mossad if it did, because the challenge is literally to decompile the APK.
Level 5: You've downloaded Droid4X extra because of it, installed Java and everything and then you come back on HN to look if somebody is already on the next challenge (in order to save time) and then you start again, but with the new challenge :)
THIS IS LEGITIMATE.
The Israeli Mossad had a ad today, https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-i...
with a picture.
The picture has 4 rows of trophies, which should be converted to 4 numbers using binary --> decimal.
Those four numbers are 35, 246, 158, 51.
As an ip address, 35.246.158.51 leads to the site OP posted.
jQuery is still a valid way to manipulate the DOM. There’s nothing wrong with doing that, especially if you already need to load jQuery for something else. I don’t think this is what the comment was referring to.
The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.
You're close, but that first endpoint is just to retrieve the auth URL, no need to post anything to it. It then passes the seed and password to the returned URL, so:
"http://35.246.158.51:8070/auth/v2" gets '{"Seed": "xxx", "Password": "xxx"}' of some kind
I haven't yet figured out what those are though...
See:
Future<Token> login(String seed, String password) {
var headers = new Map<String,String>();
return _netUtil.get(LOGIN_URL, headers:headers).then((dynamic authUrl) {
try {
if (authUrl == null) {
return Future<Token>.sync(() => new Token("", false, 0));
}
var loginUrl = BASE_URL + AuthURL.map(json.decode(authUrl.body)).url;
So reading about flutter, there's quick reload information in debug mode[0]
This leads me to believe that the seed and password entered in development / in the cookie jar from a previous attempt are somewhere in the `isolate_snapshot_data` file
replacing the original url with http://35.246.158.51:8070/auth/v2 and then sending a json like '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' with "Content-Type: application/json" returns {"IsValid":false,"LockURL":"","Time":136764}
the Time here (as per my understanding in the code) is the request duration, which somehow contradicts postman's request duration field
now one weird thing I've noticed about this app is this, if i install it on a regular device, and connect that to a proxy, then type gibberish into the fields then click Login, the following code gets invoked
void _submit() async {
final form = formKey.currentState;
if (form.validate()) {
setState(() => _isLoading = true);
form.save();
_networkActions.login(_seed, _password)
.then((result) => _loginCompleted(result))
.catchError((e) {
_loginCompleted(new Token("", false, 0));
});
}
if a loading icon appears then I assume that the code passed the condition and passed this line of code "setState(() => _isLoading = true);" now the weird part is that, I don't see any outgoing connections from the app... (I use charles to capture requests)
It's normal that you don't see any traffic using Charles, since Charles can only intercept traffic made by HttpUrlConnection or OkHttp, since flutter is not using any of those two..you can't see anything in Charles.
on page 397 there is entry in index:
iWalk, v2 71
on the same page there are interesting terms like
islamic terrorism, jihad via internet, judism...
also page number 71 which stands next to iWalk term is interesting coincidence since this riddle is celebrating 71 years of Israel independence...
First Challenge Solution:
Mossad 2019 Challenge Start: https://r-u-ready-4.it/ Every line in the image is binary 8-bit number that will give you an ip address : 35.246.158.51
Download app.apk from http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c You will user it as "Seeder" property in the app //////////////////////////////////////////////////////////////////////////////////////////////// using WireShark (or any other packet snipper) we can see that the login button does this:
POST /auth/v2 HTTP/1.1si user-agent: iWalk-v2 content-type: application/json; charset=utf-8 accept-encoding: gzip content-length: 29 host: 35.246.158.51:8070 {"Seed":"admin","Password":"admin "}HTTP/1.1 200 OK Content-Type: application/json Date: Wed, 08 May 2019 21:49:05 GMT Content-Length: 47
Using http://www.javadecompilers.com/, i Decompiled the apk, and got a lock at the Manifest < <xml version="1.0" encoding="utf-8" ....... <activity android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize" android:hardwareAccelerated="true" android:launchMode="singleTop" android:name="com.iwalk.locksmither.MainActivity" .... .....
The line "look for us on github.com" got my attention, so i looked for iwalk.locksmither in github and found "iwalk-locksmithers" linke: https://github.com/iwalk-locksmithers-app the server source code was there. In the code, there are a few comments that can help
the part of "for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) { if lock.Password[currentIndex] != loginData.Password[currentIndex] { break } //OG: securing against bruteforce attempts... ;-) time.Sleep(30 * time.Millisecond) currentIndex++ }"
the securing aginst bruteforce (tyring all combinations) is the weeknes. The idea behind for hacking the password is to try only one char at first. if we get a 30ms dealy, it means we got the 1st char right, so then we can check the next one, so we will t...
Not sure I understand the bruthforce code.
I'm trying to get the first char.
I've written something along
import requests
import string
#a-zA-Z!@#$%^&*()_-=
printables_chars = string.printable
agent = 'ed9ae2c0-9b15-4556-a393-23d500675d4b'
for i, char in enumerate(printables_chars):
print('run {}. char {}'.format(i,char))
result = requests.post('http://35.246.158.51:8070/auth/v1_1',
data={"Seed": "d14236b60e0f4aef94499cb648a5f522", "Password": char})
if(result.json()['Time'] > 100000000):
# This prints randomly for some cases and others doesn't
print(result.json()['Time'])
res = check(CHARACTERS)
for i in range(10):
res = check(res)
print(res)
DISCOVERED_PASSWORD += res[0]
print("FOUND ONE MORE! {}".format(DISCOVERED_PASSWORD))
But I got some progress:
1. Image leads to subdomain: http://dev.missilesys.com/
2. It generates p12 certificate for login to admin-panel. You should enter username/password, submit the form and click download. (It there is no download button just try something like this: refresh the page, change method from POST to GET, enter credentials and press Submit, after that press submit again it'll appear)
3. Add certificate to KeyChain (on macOS) and go to missilesys.com.
4. You're got into admin-panel, but you have no permissions to shutdown it. You need to be an administrator.
5. You should get .p12 certificate for administrator, but you can't because "User alreay exists!". This's place where I'm stuck.
It would be great if you have an idea how to handle with it :)
As I check:You need to input administrator inside login without pass in browser Preserve log mode and jAvAsCrIpT generate it by login name check Headers Form Data private key .I think I am on the way but now I need password from cert of Admin now:))
I have an idea, but don't have the time to check :-/
Using online CSR generator I succeeded to sign a CA certificate.. So maybe we can use the signed certificate to sign another certificate for admin user on behalf of the root certificate?
Can you explain step by step how you have done it? :)
If you change to CSR and key in the request to self-generated, it still says username already exists.
on the other side, if I create my own certificate using custom CSR and key, I still cannot sign it with website CA (taken from original p12 file) since I do not have the private key.
1. I created CSR with CA:TRUE and send it to the server.
2. The server signed it and returned me a certificate.
3. I use the given certificated with CA:TRUE from the server and sign a new certificate with the username administrator.
4. I install the certificate on my browser and should get in.
All of the above sounds great. however, it is still(!!!) not working for me.
Where am I going wrong
120 comments
[ 8.7 ms ] story [ 274 ms ] thread"Welcome Agent.
A team of field operatives is currently on-site in enemy territory, working to retrieve intel on an imminent terrorist attack.
The intel is contained in a safe, the plans for which are available to authorized clients via an app [0].
Our client ID is d09ff4ec651c48f89f7f7aa19160bd55
Your mission is to retrieve those plans, and allow our team to break into the safe.
Good luck!,
[0]: http://3d375032374147a7865753e4bbc92682.xyz/static/app.apkYou could always install it on a virtual phone in a sandboxed VM.
Paranoia++ :)
package com.iwalk.locksmither;
import android.os.Bundle; import io.flutter.app.FlutterActivity; import io.flutter.plugins.GeneratedPluginRegistrant;
public class MainActivity extends FlutterActivity { protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); GeneratedPluginRegistrant.registerWith(this); } }
In terms of permissions, it asks for INTERNET.
Remember, this thing'll be getting picked apart by everybody considering the source.
Unless you're afraid of getting black bagged that i...<SIGNAL LOST>
Why not upload a plain text file in the first place?
Bingo!
You need to figure out the address of the site I posted from the picture. (Not that difficult)
Does curiosity really make ya'll this dumb?
Level 2: The people who realize that the requested actions are likely unsafe, and complain about it
Level 3: People who realize that this is part of the challenge and just use a VM
Nobody on HN is "this dumb", if you want to participate in a challenge with an intelligence agency, take the proper precautions
Enjoy your challenge.
Yes, and those people might visit a website, which asks for...shudder...cookies. If you can show that the cookies do something nefarious, I'd be interested. Do you think they general population would even get to the point of installing an APK?
"Consider what that means for Mossad"
At this point, you can't even prove that the APK does anything nefarious - and it would be dangerous for the Mossad if it did, because the challenge is literally to decompile the APK.
Level 4: Ignore it.
As an ip address, 35.246.158.51 leads to the site OP posted.
1. Access $("#text1")[0].innerHTML
2. $( document ).ready() { typeWriter (); }
facepalm
The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.
Poke around and you'll find code for POSTing JSON-encoded credentials to http://35.246.158.51:8070/auth/getUrl. (Grep for the IP to find it.)
So, using the web site name as the seed and the 'client id' as the password, we get:
$ curl -X POST -H "Content-Type: application/json" -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' http://35.246.158.51:8070/auth/getUrl
The response is an HTTP 200 and: {"AuthURL":"/auth/v2"}
http://35.246.158.51:8070/auth/v2 is I guess the next step.
edit: The /auth/getUrl endpoint responds to any request with the same response, so that may not be the right Seed/Password combination.
I haven't yet figured out what those are though...
See:
This leads me to believe that the seed and password entered in development / in the cookie jar from a previous attempt are somewhere in the `isolate_snapshot_data` file
[0] https://github.com/flutter/flutter/wiki/Flutter-engine-opera...
first of all, as per the code, the User-Agent must be setup to "iWalk-v2"
then doing a simple get request to http://35.246.158.51:8070 will return {"AuthURL":"/auth/v2"}
replacing the original url with http://35.246.158.51:8070/auth/v2 and then sending a json like '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' with "Content-Type: application/json" returns {"IsValid":false,"LockURL":"","Time":136764}
the Time here (as per my understanding in the code) is the request duration, which somehow contradicts postman's request duration field
now one weird thing I've noticed about this app is this, if i install it on a regular device, and connect that to a proxy, then type gibberish into the fields then click Login, the following code gets invoked
if a loading icon appears then I assume that the code passed the condition and passed this line of code "setState(() => _isLoading = true);" now the weird part is that, I don't see any outgoing connections from the app... (I use charles to capture requests)https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=P...
on page 397 there is entry in index: iWalk, v2 71 on the same page there are interesting terms like islamic terrorism, jihad via internet, judism... also page number 71 which stands next to iWalk term is interesting coincidence since this riddle is celebrating 71 years of Israel independence...
Challenge-1 :Link http://3d375032374147a7865753e4bbc92682.xyz / http://35.246.158.51
Download app.apk from http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c You will user it as "Seeder" property in the app //////////////////////////////////////////////////////////////////////////////////////////////// using WireShark (or any other packet snipper) we can see that the login button does this:
POST /auth/v2 HTTP/1.1si user-agent: iWalk-v2 content-type: application/json; charset=utf-8 accept-encoding: gzip content-length: 29 host: 35.246.158.51:8070 {"Seed":"admin","Password":"admin "}HTTP/1.1 200 OK Content-Type: application/json Date: Wed, 08 May 2019 21:49:05 GMT Content-Length: 47
{"IsValid":false,"LockURL":"","Time":149646302} ///////////////////////////////////////////////////////
Using http://www.javadecompilers.com/, i Decompiled the apk, and got a lock at the Manifest < <xml version="1.0" encoding="utf-8" ....... <activity android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize" android:hardwareAccelerated="true" android:launchMode="singleTop" android:name="com.iwalk.locksmither.MainActivity" .... .....
The line "look for us on github.com" got my attention, so i looked for iwalk.locksmither in github and found "iwalk-locksmithers" linke: https://github.com/iwalk-locksmithers-app the server source code was there. In the code, there are a few comments that can help
https://github.com/iwalk-locksmithers-app/server/blob/master... link 70 points us to the auth-1 weeknes.
the part of "for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) { if lock.Password[currentIndex] != loginData.Password[currentIndex] { break } //OG: securing against bruteforce attempts... ;-) time.Sleep(30 * time.Millisecond) currentIndex++ }"
the securing aginst bruteforce (tyring all combinations) is the weeknes. The idea behind for hacking the password is to try only one char at first. if we get a 30ms dealy, it means we got the 1st char right, so then we can check the next one, so we will t...
import requests
import string
#a-zA-Z!@#$%^&*()_-=
printables_chars = string.printable
agent = 'ed9ae2c0-9b15-4556-a393-23d500675d4b'
for i, char in enumerate(printables_chars):
CHARACTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|\/?,.<>`~"
URL = "http://35.246.158.51:8070/auth/v1_1"
HEADERS = {'User-Agent' : 'ed9ae2c0-9b15-4556-a393-23d500675d4b', 'content-type' : 'application/json; charset=utf-8' }
PAYLOAD ={}
for i in range(len(CHARACTERS)):
But for first character I don't see really huge DELAY response, always I have few characters with big delay and not only one.import requests
CHARACTERS = "abcdefghijklmnopqrstuvwxyz0123456789"
URL = "http://35.246.158.51:8070/auth/v1_1"
HEADERS = {'User-Agent' : 'ed9ae2c0-9b15-4556-a393-23d500675d4b', 'content-type' : 'application/json; charset=utf-8' }
PAYLOAD ={}
DISCOVERED_PASSWORD = "f"
def check(chars): result_chars = [] for i in range(len(chars)): PAYLOAD['Seed'] = "d14236b60e0f4aef94499cb648a5f522"
for i in range(40): print(DISCOVERED_PASSWORD)But I got some progress: 1. Image leads to subdomain: http://dev.missilesys.com/ 2. It generates p12 certificate for login to admin-panel. You should enter username/password, submit the form and click download. (It there is no download button just try something like this: refresh the page, change method from POST to GET, enter credentials and press Submit, after that press submit again it'll appear) 3. Add certificate to KeyChain (on macOS) and go to missilesys.com. 4. You're got into admin-panel, but you have no permissions to shutdown it. You need to be an administrator. 5. You should get .p12 certificate for administrator, but you can't because "User alreay exists!". This's place where I'm stuck.
It would be great if you have an idea how to handle with it :)
on the other side, if I create my own certificate using custom CSR and key, I still cannot sign it with website CA (taken from original p12 file) since I do not have the private key.
Can anyone help me with this?
I know that if you go to dev.missilesys.com, and download the cert you see that it is signed by International Weapons Export Inc.
so i created a root ca with the same name
than i created a csr with common name administrator
than i created a cert, i used the csr and the root ca i generated
after that i created a pfx, it's the same as p12 afaik, and tried to login i'm getting error 400
i wanted to use the original ca from the web site, i decoded the file p12, but i don't have the private key
anyone can help me? thanks
1. I created CSR with CA:TRUE and send it to the server. 2. The server signed it and returned me a certificate. 3. I use the given certificated with CA:TRUE from the server and sign a new certificate with the username administrator. 4. I install the certificate on my browser and should get in.
All of the above sounds great. however, it is still(!!!) not working for me. Where am I going wrong