CTF - Scream [Android]

Solution for Scream apk

Description

You’ve come across a mysterious application. It appears that a secret lies within, hidden yet in plain sight. But if you can listen to the silent scream, the secret will be yours.

File

scream.apk

Solution

When I opened the APK with Jadx, I noticed that it uses an intent filter to listen for broadcast messages. As you can see below:

We need to send broadcast messages to be.cscbe.scream.OPEN_SESAME.

Here we can see that when the BroadcastReceiver receives a broadcast message, it checks whether the secret string extra of the intent is equal to the stored secret after that secret has been passed through a method called deobfuscateString.

So, to get the secret decrypted, we can pass the string MturA+s7EREp into the deobfuscateString method.

It’s Tigrou007.

If they are the same, it sends the flag. I created an APK that sends a broadcast message with the deobfuscated secret to that intent and listens for “be.cscbe.scream.SENDING_FLAG”.

See the source code of my application on my GitHub.

My APK logs the flag, so we have to use logcat to get it.

Source code

Flag

CSC{Screaming_hurts_my_throat}

Issue

I lost time getting the flag: I tried to run my APK without running scream.apk first, so my logging wasn’t triggered. I retried, running Scream first and then my APK, and got the flag.
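A defender's view of the receiver described in the Solution, as an added example that is not part of the original post or of scream.apk: a Python check over a decoded AndroidManifest.xml that lists broadcast receivers any installed app can send to. It assumes the receiver is declared in the manifest (the post does not say whether it is registered there or at runtime); the sample manifest, package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from scream.apk); only the action
# name be.cscbe.scream.OPEN_SESAME comes from the write-up.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <receiver android:name=".SesameReceiver">
      <intent-filter>
        <action android:name="be.cscbe.scream.OPEN_SESAME"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.sample.permission.OPEN">
      <intent-filter><action android:name="com.example.sample.GUARDED"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.sample.INTERNAL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def open_receivers(manifest_xml):
    """Return (receiver, actions, reason) for receivers any app can broadcast to."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # A permission on <application> applies to every component without its own.
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    findings = []
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID + "name")
        actions = [a.get(ANDROID + "name") for a in rcv.iter("action")]
        exported = rcv.get(ANDROID + "exported")
        if exported == "false" or rcv.get(ANDROID + "permission") or app_perm:
            continue  # not reachable from other apps, or sender must hold a permission
        if exported == "true":
            findings.append((name, actions, "exported=true, no permission"))
        elif actions:
            # No android:exported but an intent filter: the legacy default
            # (apps targeting below API 31) is exported.
            findings.append((name, actions, "implicitly exported, no permission"))
    return findings


if __name__ == "__main__":
    for finding in open_receivers(SAMPLE_MANIFEST):
        print(finding)
```

A receiver flagged here is guarded only by whatever check its code performs, which is why a secret stored in the APK, obfuscated or not, does not protect it. A permission only restricts senders when its protectionLevel is signature; a normal-level permission can be requested by any app.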

This post is licensed under CC BY 4.0 by the author.