Wargames.my 2017 - Chal6 - Kalau Aku Kaya

November 19, 2017

I don't remember the question, but we were given this APK: http://files.wargames.my/6/250.apk

TL;DR

Use IPv6, craft the request so that the server sends an email to you, then check the email headers and you'll find something juicy. You also need to know the IPv4 address of the server behind that domain.

Writeup

Note: The web server only listens on its IPv6 address, which is part of the challenge. I was VERY lucky to have IPv6 enabled.

We decompiled the APK and found that it sends a request to https://skimcepatkaya.wargames.my/register/reg.php. At first I tried to intercept the traffic by re-signing and installing the APK and running it through an intercepting proxy, but that failed due to certificate pinning.

Then my teammate suggested that I just manually craft the request based on what I understood from the code. I did try sending some requests, but the server just replied with error codes, which I was too lazy to figure out.

Towards the end of the competition, my teammate discovered that the server now returned more verbose error messages, which helped me a lot in solving this.

Below is the decompiled code that helped us build our request:

// Volley request from the decompiled APK; method 1 == Request.Method.POST
registerDownline.add(new StringRequest(1, "https://skimcepatkaya.wargames.my/register/reg.php", c02781, new ErrorListener() {
    public void onErrorResponse(VolleyError error) {
        textView.setText("Error, try again!");
    }
}) {
    // Form fields sent in the POST body
    protected Map<String, String> getParams() throws AuthFailureError {
        Map<String, String> params = new HashMap<>();
        params.put("name", name);
        params.put("phone", phone);
        params.put("address", address);
        params.put(NotificationCompat.CATEGORY_EMAIL, email); // constant resolves to "email"
        params.put("upline", "[email protected]");
        params.put("check", checks); // integrity value, computed below
        return params;
    }
});

I'm using Postman to send the request because the laptop I'm using doesn't have curl installed (and it is Windows, eww).

Integrity fail? Probably something to do with the check param. Let's see what the variable checks is in the decompiled APK source code.

final String checks = md5(name + phone + address + email + "[email protected]");

OK, let's use a Postman pre-request script to automate the MD5 computation:

// Rebuild the app's "check" value: MD5 over the concatenated form fields.
// The result is exposed to the request body as {{hash}}.
var ayam = request.data["name"] + request.data["phone"] + request.data["address"] + request.data["email"] + request.data["upline"];
var hash = CryptoJS.MD5(ayam).toString();
postman.setGlobalVariable('hash', hash);

Let's send our request again.

Uh oh, still failing. The server detected that this request was not sent via their mobile application. I changed the User-Agent and was able to fool the server.

Hmm, 'follow up with you upline so that he didn't missed the email'. That means the server is sending an email to the upline! Let's change the upline email to something within our control so we can see what the server sends. Initially I used my Gmail but never received anything, maybe blocked by Gmail. Then I sent the email to my own server and was able to receive it.

Below is the received email:

Received: by ubuntu (Postfix, from userid 33) id 5C4254047D; Sun, 19 Nov 2017 15:23:28 +0800 (+08)
To: [email protected][redacted].com
Subject: Registration
X-PHP-Originating-Script: 0:reg.php
From: [email protected]
'NotRelay': [
'[base64 blob omitted]'
],
Message-Id: <[email protected]>
Date: Sun, 19 Nov 2017 15:23:28 +0800 (+08)

asdasd downlined!

Hmm, that base64 thingy looks juicy. Decoding it yields a 7zip archive, which contains a private key. I didn't mention above that during the recon phase I checked this domain on PassiveTotal and discovered its IPv4 address: 138.68.154.78. I nmapped that IP and found port 22 (SSH) open, so maybe this key is used to SSH into the server!
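As an added example (not from the original writeup), a small Python scanner for a blob like the one above: it pulls base64 runs out of the header section of a raw mail, decodes them and identifies the payload by file signature. The real archive is not reproduced here; the sample mail is constructed with a dummy 7z header in its place.

```python
import base64
import re

# Constructed sample: a trimmed copy of the mail from the writeup, with the
# real blob replaced by a tiny 7z header (magic bytes + zero padding) so the
# example runs offline. The real blob was a full archive holding a key.
FAKE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26
SAMPLE_MAIL = (
    "Received: by ubuntu (Postfix, from userid 33) id 5C4254047D; "
    "Sun, 19 Nov 2017 15:23:28 +0800 (+08)\n"
    "Subject: Registration\n"
    "X-PHP-Originating-Script: 0:reg.php\n"
    "'NotRelay': [\n"
    "'" + base64.b64encode(FAKE_7Z).decode() + "'\n"
    "],\n"
    "Date: Sun, 19 Nov 2017 15:23:28 +0800 (+08)\n"
    "\n"
    "asdasd downlined!\n"
)

# File signatures worth recognising in a blob smuggled through mail headers.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z archive",
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip data",
}

# A base64 run of at least 20 chars that is not glued to other base64 chars.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}")

def find_encoded_blobs(raw_mail):
    """Return (header_line, decoded_bytes, kind) for each header base64 run whose bytes start with a known signature."""
    headers, _, _body = raw_mail.partition("\n\n")  # only the header section
    found = []
    for line in headers.splitlines():
        for m in B64_RUN.finditer(line):
            try:
                data = base64.b64decode(m.group(0), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                continue
            for sig, kind in MAGIC.items():
                if data.startswith(sig):
                    found.append((line, data, kind))
                    break
    return found

if __name__ == "__main__":
    for line, data, kind in find_encoded_blobs(SAMPLE_MAIL):
        print(f"{kind}: {len(data)} bytes in header line {line[:40]!r}")
```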

I tried a few usernames to SSH as and finally found one:

{ kaya }  » ssh [email protected] -i a
wrgm:{OldGuardGoldGuard}
Connection to 138.68.154.78 closed.

The flag is wrgm:{OldGuardGoldGuard}