PowerBI DirectQuery - Part1
PowerBI DirectQuery - Part2

Writeup of two Android challenges from CTF HacktivityCon2020

Pinocchio Mobile Challenge

This challenge had only 94 solves.

I downloaded the APK and opened it with Android Studio. No obvious 'flag{' text blocks in the code or string resources found.

I put wireshark running in the background to capture network traffic and built the mobile_one.apk so I could execute it in the Android Studio emulator.

Every time I pressed 'submit' the application made a http POST call to http://jh2i.com:50029. The body was json formatted. So I tried to obvious one manually to see where it ended up.

{"pin":"1234"}

The maximum amount of pin digits the application allowed was 4 digits.

For that PIN bruteforcing of 4 digits I made a small shell script.

The script tried all combinations from 0000 to 9999 and put the status into pin.log.

From the 10.000 calls there were api call failures and timeouts. Maybe too many people trying the endpoint. (I should have built-in more waiting time and error handling...) After all 2 extra iterations were made for the pin number requests that had no real status.

$ for i in `grep -v Invalid pin.log|awk '{print $1}'`; do echo "$i : "`curl -X POST http://jh2i.com:50029 -d'{"pin":"'$i'"}' -H 'User-Agent: Android' -H "Content-Type: application/json" `; done > pin1.log

And one more iteration

$ for i in `grep -v Invalid pin1.log|awk '{print $1}'`; do echo "$i : "`curl -X POST http://jh2i.com:50029 -d'{"pin":"'$i'"}' -H 'User-Agent: Android' -H "Content-Type: application/json" `; done > pin2.log

And then the pin code was found and the flag appeared from the API.

6402 : flag{lied_about_this_being_secure}

Of course from the Android emulator I typed the pin code and it worked there too. :-)

As a bonus, an easy one.

The Mobile One Challenge.

Opening the apk mobile_one.apk with vi and searching for 'flag{' revealed the flag within seconds. No need for any tools. Of course with more and grep this flag would also be found. This challenge had 521 solves.

More CTF writeups


They can be found on this GitHup repository: CTF HacktivityCon 2020 writeups

Published: 31.7.2020

Updated with the link to GitHub: 21.9.2021


PowerBI DirectQuery - Part1-----> Zyxel WRE6505 Wifi extender CVE-2017-7964