True or false?
Points: 1985 [2000]
Description
True or false, we can log in as admin easily.
Please view this Document for download instructions.
This challenge:
- Unlocks other challenge(s)
- Is eligible for Awesome Write-ups Award
- Prerequisite for Mastery Award - Mobile Ace
Solution
- Similar to how we solved mobile/Welcome to Korovax Mobile!, we first will take a look at the
sg.gov.tech.ctf.mobile.Admin.AdminAuthenticationActivity.java
. From theonCreate
method, we can see that they are also setting the same tab layouts assg.gov.tech.ctf.mobile.User.AuthenticationActivity.java
.@Override // androidx.activity.ComponentActivity, a.h.d.d, a.k.a.d, a.b.k.d public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); getWindow().setFlags(8192, 8192); getWindow().setFlags(1024, 1024); getWindow().setSoftInputMode(32); setContentView(R.layout.admin_authentication_activity); this.f2923b = (TabLayout) findViewById(R.id.tab_layout); this.f2924c = (ViewPager) findViewById(R.id.view_pager); this.f2925d = (FloatingActionButton) findViewById(R.id.fab_facebook); this.f2927f = (FloatingActionButton) findViewById(R.id.fab_twitter); this.f2926e = (FloatingActionButton) findViewById(R.id.fab_google); TabLayout tabLayout = this.f2923b; TabLayout.f w = tabLayout.w(); w.o("Login"); tabLayout.c(w); TabLayout tabLayout2 = this.f2923b; TabLayout.f w2 = tabLayout2.w(); w2.o("Sign up"); tabLayout2.c(w2); this.f2923b.setTabGravity(0); this.f2924c.setAdapter(new b(this, getSupportFragmentManager())); this.f2924c.g(new TabLayout.g(this.f2923b)); // Truncated some animation stuff between these two lines this.f2923b.b(new a()); }
- We can first focus on the
this.f2924c.setAdapter(new b(this, getSupportFragmentManager()))
to see what are the layout contents in each tab. As we can see, it is also creating a new object inf.a.a.a.a.a.a
.public class b extends n { public b(AdminAuthenticationActivity adminAuthenticationActivity, i fm) { super(fm); } @Override // a.k.a.n public Fragment getItem(int position) { if (position == 0) { return new f.a.a.a.a.a.a(); } if (position != 1) { return null; } return new c(); } @Override // a.u.a.a public int getCount() { return 2; } }
- When we open
f.a.a.a.a.a.a
, we see another whole lot of magic numbers…// ... // Line 39 - 45 SQLiteDatabase db = dbHelperAdmin.getWritableDatabase(c.a.a.a.a(-221070041546832L)); if (!dbHelperAdmin.b(c.a.a.a.a(-221323444617296L), db)) { dbHelperAdmin.a(db); } EditText editText = (EditText) root.findViewById(R.id.username_input); this.f2850b = editText; editText.setText(c.a.a.a.a(-221280494944336L)); // ... // Line 76 - 78 public void onClick(View arg0) { Toast.makeText(this.f2854b.getContext(), c.a.a.a.a(-220168098414672L), 0).show(); } // ... // Line 94 - 111 public void onClick(View v) { if (a.this.f2851c.getText().toString().contains(c.a.a.a.a(-220945487495248L))) { c.a builder = new c.a(this.f2855b.getContext()); View view = LayoutInflater.from(this.f2855b.getContext()).inflate(R.layout.custom_alert, (ViewGroup) null); ((TextView) view.findViewById(R.id.title)).setText(c.a.a.a.a(-220786573705296L)); ((TextView) view.findViewById(R.id.alert_detail)).setText(c.a.a.a.a(-220760803901520L)); builder.h(c.a.a.a.a(-221155940892752L), new DialogInterface$OnClickListenerC0061a()); builder.f(c.a.a.a.a(-221121581154384L), new DialogInterface$OnClickListenerC0062b()); builder.k(view); builder.l(); return; } try { new Thread(new c(new Handler())).start(); } catch (Exception e2) { Toast.makeText(this.f2855b.getContext(), c.a.a.a.a(-221078631481424L), 0).show(); } } // ... // Line 128 - 130 public void onClick(DialogInterface dialogInterface, int i) { Toast.makeText(b.this.f2855b.getContext(), c.a.a.a.a(-220249702793296L), 0).show(); } // ... // Line 147 - 149 public void run() { Toast.makeText(b.this.f2855b.getContext(), Boolean.valueOf(b.this.f2856c.d(a.this.b(a.this.f2851c.getText().toString()), b.this.f2856c.getWritableDatabase(c.a.a.a.a(-220692084424784L)))).toString(), 0).show(); } // ... // Line 158 - 160 public final String b(String query) { return query.replaceAll(c.a.a.a.a(-221748646379600L), c.a.a.a.a(-221709991673936L)).replaceAll(c.a.a.a.a(-221718581608528L), c.a.a.a.a(-221671336968272L)).replaceAll(c.a.a.a.a(-221645567164496L), c.a.a.a.a(-221615502393424L)).replaceAll(c.a.a.a.a(-221589732589648L), c.a.a.a.a(-221563962785872L)).replaceAll(c.a.a.a.a(-222087948795984L), c.a.a.a.a(-222062178992208L)); }
- … so we decoded every single magic number using the code from
mobile/Contact Us!
… which gives us the flag!// ... // Line 39 - 45 SQLiteDatabase db = dbHelperAdmin.getWritableDatabase("kjhfkafkhlasfhsldfkasdfkasjdfbmnbzbc124914814298iewhrohfjdjksabvbdvs"); if (!dbHelperAdmin.b("admin", db)) { dbHelperAdmin.a(db); } EditText editText = (EditText) root.findViewById(R.id.username_input); this.f2850b = editText; editText.setText("Find the password!"); // ... // Line 76 - 78 public void onClick(View arg0) { Toast.makeText(this.f2854b.getContext(), "Hint: 32 characters with special characters and spaces. TABLE name: Users, password column: you know it! :) ", 0).show(); } // ... // Line 94 - 111 public void onClick(View v) { if (a.this.f2851c.getText().toString().contains("My_P@s5w0Rd_iS-L34k3d_AG41n! T_T") { c.a builder = new c.a(this.f2855b.getContext()); View view = LayoutInflater.from(this.f2855b.getContext()).inflate(R.layout.custom_alert, (ViewGroup) null); ((TextView) view.findViewById(R.id.title)).setText("Congrats!"); ((TextView) view.findViewById(R.id.alert_detail)).setText("govtech-csg{I_RLy_W3nT_1n_BL1nD...}"); builder.h("-221155940892752", new DialogInterface$OnClickListenerC0061a()); builder.f("Close", new DialogInterface$OnClickListenerC0062b()); builder.k(view); builder.l(); return; } try { new Thread(new c(new Handler())).start(); } catch (Exception e2) { Toast.makeText(this.f2855b.getContext(), "False", 0).show(); } } // ... // Line 128 - 130 public void onClick(DialogInterface dialogInterface, int i) { Toast.makeText(b.this.f2855b.getContext(), "Do what you need to do here!", 0).show(); } // ... // Line 147 - 149 public void run() { Toast.makeText(b.this.f2855b.getContext(), Boolean.valueOf(b.this.f2856c.d(a.this.b(a.this.f2851c.getText().toString()), b.this.f2856c.getWritableDatabase("kjhfkafkhlasfhsldfkasdfkasjdfbmnbzbc124914814298iewhrohfjdjksabvbdvs").toString(), 0).show(); } // ... // Line 158 - 160 public final String b(String query) { return query.replaceAll("(?i)drop", "").replaceAll("(?i)delete", "").replaceAll("(?i)insert", "").replaceAll("(?i)while", "").replaceAll("(?i)sleep", ""); }
Flag
govtech-csg{I_RLy_W3nT_1n_BL1nD...}