[CTF WRITEUP] Garage4Hackers Reverse Engineering (JS)

A binary file was provided with the name JSut_try_f1ba52638224a83866f103ee79a95c4d, with JS in caps hinting at something related to JavaScript. Running strings on it revealed some obfuscated code consisting of a very small charset. It was found to be JSFuck. [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]] ... more blah here ... () Running it on https://js.do alerted us with the flag. [Read More]

[CTF Writeup] Garage4hackers Android (Broken Angel)

There was an Android challenge in the Garage4Hackers CTF. The apk was provided with the name brokenangel.apk. Installing the apk on the device and running it shows a simple screen where we are supposed to enter a password and click submit. (You will have to sign the apk to install it, even though this specific challenge doesn't require you to install the app in order to get the flag.) Upon [Read More]

Bypassing Android SSL Pinning

I was testing a certain app, using Burp set up as a proxy on the Android device. I could see the other requests being made, but not even a single request could be seen belonging to the domain of the app. Switching to static analysis mode, I quickly decompiled the app using Dex2Jar and searched for the string x.509, which yielded a result. It was referring to a raw resource. [Read More]

Android Hacking --the-very-basics

There is a plethora of material available on Web Application hacking, Network hacking and Reverse Engineering PC software, but when it comes to Mobile Application Hacking, not only are the resources fewer, they are also scattered. This post attempts to serve as a guide to the basics of Android Application Hacking. We can roughly divide the application into two segments: The one which contains [Read More]

Nmap --the-very-basics

Nmap is one of the most important and frequently used tools among hackers as well as system administrators. Although the official documentation does a good job of explaining it, this post acts more like a cheat sheet for all the options, along with a few tips for effective nmapping. Default scan: nmap target-ip-here. To check if the host is alive, use the -sn flag (Ping requests). If the -Pn flag can [Read More]