HackTheBox: Don’t Overreact (Write-Up/Walkthrough for Linux and Windows)

“Don’t Overreact” is a mobile (Android) challenge on the HackTheBox platform, rated in the “very easy” category. The challenge shows how important static analysis is when assessing an application's security. Mapped against the OWASP Mobile Top 10 (2016) list, the vulnerability in this challenge falls under M2: Insecure Data Storage.

There are several ways to complete this challenge; two of them are covered in this walkthrough. The first method was performed on a Kali Linux virtual machine, while the second was performed on a Windows machine using the jadx-gui tool (the tool can be [installed from here]).

First Method:

The required file is downloaded from HTB, saved on the Kali machine and then unzipped with the “unzip <app_name>.apk” command (see Figure 1). Once the APK file is unzipped, the Android application's files and folders are available in decompiled/extracted form in the same directory.

Because the application is built with the React Native framework, its entire JavaScript code is compiled into a single file (in minified form), whose name usually ends in “.bundle”. This file contains the application's core logic and may also contain some sensitive data.

The directory containing the unzipped (extracted) files is opened in a terminal, and the following command is run to locate the “.bundle” file:
    find . -print | grep -i ".bundle"

(see Figure 2)

Here the “-i” flag means “ignore case”, which makes the search case-insensitive, i.e. it does not distinguish between lower-case and upper-case letters.

The result of the find command is shown in the picture above, where the directory containing the “index.android.bundle” file is clearly visible.

The directory containing the “index.android.bundle” file is then entered (see Figure 3).

Figure 3

The “index.android.bundle” file is then read and analysed for any sensitive information. The file is checked for the “debug” keyword using the grep command:

    cat index.android.bundle | grep "debug"

Grepping for “debug” produces output that contains a base64-encoded string. For clarity and convenience, the “hackthebox” keyword was used here instead of “debug” (see Figure 4).

The value obtained in the step above is decoded with a base64 decoder to obtain the flag required by the challenge. The command used for this is:
    echo "<base64 encoded value>" | base64 -d
The flag can then be submitted on HTB (Hack The Box) to complete the challenge.
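The first method, automated as a POSIX shell script. This is an added example and not code from the original write-up: it locates the bundle under an extracted APK directory, pulls out base64-looking strings that sit right after a keyword (“debug” here, as in the write-up), and decodes them. The directory layout, bundle contents and the secret it holds are constructed for the demo and are not the challenge's real file or flag.

```shell
#!/bin/sh
# Added example, not code from the original write-up: automate the first method
# against an already-unzipped APK directory. Everything here is constructed for
# the demo; the sample bundle below stands in for a real index.android.bundle.

# make_sample_apk_dir: build a throw-away directory that mimics an unzipped APK
# holding a React Native bundle with a "debug" entry next to a base64 string.
make_sample_apk_dir() {
  dir=$(mktemp -d)
  mkdir -p "$dir/assets"
  secret=$(printf '%s' 'example{not_the_real_flag}' | base64)   # constructed value
  printf '%s\n' "var a=1;__d(function(g){g.debug=\"$secret\";g.x=1},12);" \
    > "$dir/assets/index.android.bundle"
  printf '%s' "$dir"
}

# find_bundle DIR: the write-up's `find . -print | grep -i ".bundle"`, restricted
# to regular files whose name ends in .bundle (case-insensitive).
find_bundle() {
  find "$1" -type f -print | grep -i '\.bundle$'
}

# extract_b64 FILE KEYWORD: print base64-looking runs (16+ chars, optional '='
# padding) that appear immediately after KEYWORD (used as a BRE), one per line.
extract_b64() {
  grep -o "$2[^A-Za-z0-9+/]*[A-Za-z0-9+/]\{16,\}=\{0,2\}" "$1" \
    | grep -o '[A-Za-z0-9+/]\{16,\}=\{0,2\}'
}

# decode_keyword_secrets DIR KEYWORD: for every bundle under DIR, decode each
# candidate string; invalid base64 is skipped instead of printing garbage.
decode_keyword_secrets() {
  find_bundle "$1" | while IFS= read -r bundle; do
    extract_b64 "$bundle" "$2" | while IFS= read -r b64; do
      decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || continue
      printf '%s\n' "$decoded"
    done
  done
}

demo() {
  d=$(make_sample_apk_dir)
  decode_keyword_secrets "$d" debug     # prints: example{not_the_real_flag}
  rm -rf "$d"
}
demo
```

Point `decode_keyword_secrets` at a real extracted APK directory and a keyword of your choice to run the same triage on an actual bundle.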

Alternative Method:

There is also an alternative way to find the encoded value (which, decoded with a base64 decoder, yields the flag): the jadx-gui tool.

To use this method, first open the jadx-gui tool (if it is not installed, it can be installed from here).

Then open the “Don’t Overreact” challenge's “app-release.apk” file (which is the default name) in jadx-gui.

Once the file has loaded, go into the resources folder and then into the assets folder.

There you will find a file named “index.android.bundle”; this file holds all of the JavaScript code in compiled and bundled form.

When you analyse the code of this “.bundle” file, you will find an encoded text value on line 486 (refer to Figure 6).

This encoded value can be decoded as in the method above, or with the help of an online base64 encoder/decoder tool, to obtain the flag.
