Scribd
Upload
53 views20 pages

Pinned

Uploaded by

Jose Bonzini
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
53 views20 pages

Pinned

Uploaded by

Jose Bonzini
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

Pinned

Description

This app has stored my credentials and I can only login automatically. I tried to intercept
the login request and restore my password, but this seems to be a secure connection.
Can you help bypass this security restriction and get back my password?

Objective

Perform SSL Pinning Bypass to intercept the login request and get the
flag.

Difficulty

Medium

Flag

HTB{trust_n0_1_n0t_3v3n_@_c3rt!}

Release:

/release/pinned.zip
( f75b6eb5295e50b994bd360d7fa9fbe9ab01c07a1d69de6b7832a6cf6013d2d8 )

Prerequisites

A virtual Android image like Android-x86 running on Virtual Box or VMware or another
Android emulator, running with the Developer mode on.

Alternatively, a real android device connected via USB, running with the Developer
mode on.
Challenge:

Unzipping the pinned.zip file reveals the file pinned.apk . In order to run the
pinned.apk file, we have to set up an Android emulator. To achieve this, we are going to
use Android Studio IDE.

wget https://redirector.gvt1.com/edgedl/android/studio/ide-
zips/4.2.1.0/android-studio-ide-202.7351085-linux.tar.gz
tar xvzf android-studio-ide-202.7351085-linux.tar.gz
sh android-studio/bin/studio.sh

On the setup wizard we click OK , then we click on Next , and finally click on Finish .
Next, we wait for the Android Studio to download the components.

Once it's done, we click Finish once again.


Then we click Next and finally we click on Finish . Now that we have create a new
project, we wait for some more files to get downloaded automatically from the IDE. When
that's done, click on the top centre of the IDE and select AVD Manager .

On the AVD Manager menu, click on the green "play" button to start the emulator.
Once the device is started, It should be looking like this.
Then, we install adb so we can communicate with it.

sudo apt install adb

In our Android device terminal we type ifconfig to get the device's IP. Once we get the IP,
we type the following to establish the connection.

adb connect 192.168.232.2:5555

Next, we can list the devices that are connected by typing the following command.

adb devices
The connected devices might be displayed either with the format of name-port or ip-
port . In this case the device is displayed as emulator-5554 . Now that we are connected
to the device, let's go on and install the pinned.apk file.

adb install pinned.apk

According to the challenge description, before we go on and run the application, we have to
add the following domain name into the /system/etc/hosts file.

adb root
adb shell
mount -o rw,remount /system
echo "10.10.10.112 pinned.com" >> /system/etc/hosts
mount -o ro,remount /system
cat /system/etc/hosts
reboot
We can now run the application on the Android device.
This is a login screen asking for username and password. The credentials are stored and as
the message indicates, we can successfully login. Let's try to intercept the request and see
if we can get the password in plaintext. In order to setup Burp, type the following on the
host machine to get the ip address.

ifconfig

On the Burp Suit Proxy tab, go on Options and press the Add button under the Proxy
Listeners section.

On the pop up window type the port 8090 and select the host's IP from the drop down
menu.
Click OK and make sure the new proxy listener is selected.

Back to the Android emulator, click the three dots from the vertical menu near the device.
On the Extended Controls pop up window, click on settings. Then, uncheck the Use
Android Studio HTTP proxy settings , and check the Manual proxy configuration .
On the Host name field, add the host IP address, and on the Port number add 8090 .
Finally click APPLY .
The Proxy status should say Success . Then, go back on the Intercept tab on Burp,
and make sure the Intercept is on button is toggled. Finally, on the Android device click
the LOGIN . The request should now be intercepted on Burp.
As we can see, it failed to intercept the request and the tab Dashboard is now toggled on.
Navigating to the Dashboard tab, we can see that the alert Received fatal alert:
certificate_uknown . has been raised.
This means that SSL Pinning might be used. In order to bypass SSL Pinning, we first need
to run frida-server on the Android emulator device. Once we download the file, we type the
following to upload it to the device.

adb root
adb push frida-server-14.2.18-android-x86_64 /data/local/tmp/frida-
server

Next, we generate a new certificate on Burp, rename it to cert-der.crt , and we place it


to the same directory with frida-server on the emulator so frida-server can read it.
On the Proxy -> Options tab on Burp, we click Regenerate CA Certificate .

On the confirmation dialog, press Yes . Then, we click on Import / export CA


certificate . On export section on the popup window, select Certificate in DER
format and click Next .
Next, click on select file .

Name it cert-der.crt and save it to Downloads directory.


Then click on Next once again and then Close .

To upload the certificate to the emulator, type the following.

adb push cert-der.crt /data/local/tmp/


Once both the certificate and frida server have been pushed to the emulator, we also
need to setup some more things to the host machine. Type the following to install frida-
tool .

pip install frida-tools

In order to bypass SSL Pinning using frida , we also need to download the script frida-
android-repinning. Once we copy and paste the code into a file and name it frida-
android-repinning.js , we start the frida-server on the emulator by executing the
following command. First, make sure you are in root mode by executing the adb root
command.

adb root
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

Then, locate the app Pinned in the emulator and tap on it to start. Once the app is started
type the following on the terminal to locate the full name of the application.

frida-ps -U | grep pinned


Now that we have the full name of the app, we can go on and start it using frida . This
way, we will be able to intercept the request with Burp. The following command starts the
application.

frida -U -f com.example.pinned -l frida-android-repinning.js --no-paus

The app is now started via frida .


Now let's try to catch the request. Make sure the Intercept is on button is toggled on,
on the Proxy -> Intercept tab in Burp. Finally we tap the LOGIN button in the app, and
check Burp.
The request is intercepted successfully and the flag is revealed in the pass parameter.

You might also like