Winja CTF, Quiz #2 — WriteUp

Tweet challenge
  • We can run the strings command on it and analyze the complete mess of strings.
  • Fire up Ghidra or IDA.
  1. Run the app in the emulator. We see a single input, and it requires the correct password.
  2. Then I looked into AndroidManifest and discovered an activity which is basically a web view but which is not exported 😢 From this I expect to find something related to URLs as well.
  3. Save the output and scavenge for anything related to the password, because the validator in the app displayed “Incorrect Password Detected”. Start from this.
Save the output to a .txt file
Search result
Secret in Ghidra
I won
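
The strings-and-search step above, as an added example that is not part of the original write-up: a small Python equivalent of running strings and searching the output, which also picks up UTF-16 strings and lists what is stored next to the error message. The sample bytes and every name in them are constructed placeholders, not data from the challenge app.

```python
import re

# Constructed bytes standing in for a native library's read-only data;
# every name and value below is a placeholder, not the challenge binary.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Java_com_example_app_MainActivity_check\x00\x01\x02\x03"
    + b"PLACEHOLDER_SECRET_VALUE\x00"
    + b"Incorrect Password Detected\x00"
    + b"https://example.invalid/view\x00"
    + "Correct".encode("utf-16-le") + b"\x00\x00"
)

PRINTABLE = rb"[\x20-\x7e]"

def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) tuples for printable runs."""
    patterns = {
        "ascii": PRINTABLE + rb"{%d,}" % min_len,
        # Wide strings: printable byte + NUL, not starting inside an ASCII run.
        "utf-16-le": rb"(?<!" + PRINTABLE + rb")(?:" + PRINTABLE + rb"\x00){%d,}" % min_len,
    }
    found = []
    for enc, pat in patterns.items():
        for m in re.finditer(pat, data):
            found.append((m.start(), enc, m.group().decode(enc)))
    return sorted(found)

def neighbours(strings, keyword, radius=1):
    """Strings stored within `radius` entries of any hit for `keyword`.

    String literals used by the same code are often laid out side by side,
    so the entries around a known UI message are the first place to look.
    """
    hits = [i for i, (_, _, s) in enumerate(strings) if keyword.lower() in s.lower()]
    keep = sorted({j for i in hits
                   for j in range(max(0, i - radius), min(len(strings), i + radius + 1))})
    return [strings[j] for j in keep]

if __name__ == "__main__":
    for off, enc, text in neighbours(extract_strings(SAMPLE), "password"):
        print(f"{off:#06x} {enc:9} {text}")
```

The same output is what anyone holding a shipped binary sees, so it doubles as a pre-release check for secrets left in the build.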

Android GDE, Software Engineer with 8 years of experience, specializing in Android development. Chapter Lead @ TBC Bank. Amateur cyclist and runner

Merab Tato Kutalia
