Writeup – pinlock (BSides San Francisco)

This past weekend, I participated to some degree in the BSides San Francisco CTF, the HackIM CTF and Codegate Qualifier CTF. Due to the baleful glare of the Day Star pushing temperatures to above 40 degrees in Australia, my participation in these events was limited.

That said, I was able to participate in a good portion of the BSides San Francisco CTF. While a number of challenges were solved, I will present my writeup of the “pinlock” challenge, which I solved with some assistance from our friends at Capture The Swag (who pointed me to the README file, after I missed it initially).

Pinlock

This challenge was presented as an Android application file, which you can download here.

Our initial steps are to unpack the challenge (unzip the APK), attempt to convert the classes.dex file to a JAR file, and then decompile the JAR. This process works quickly, and we are able to begin source code review of the application in jd-gui:

[Screenshot: decompiled application classes in jd-gui]

From this viewpoint, we can immediately see some interesting code, in the SecretDisplay class, and the related CryptoUtilities class. We can see the application works in the following logical manner:

[Screenshot: decompiled SecretDisplay and CryptoUtilities logic]

From here, we should note the README file in the “assets” directory, indicating a switch to “v2” of the database (while the code indicates “v1” is in use, code for what is presumably “v2” is also present).

Our next stop is the “pinlock.db” database: we note that we can extract a secret from both secretsDBv1 and secretsDBv2, which is presumably the flag:

[Screenshot 4_fetchdata: secrets read from secretsDBv1 and secretsDBv2 in pinlock.db]

At this point, we have both the decryption algorithm, as well as the secret to be decrypted – we are only missing the key, which is derived from a user’s PIN. The PIN is 4 digits long, so this is an easily brute-forceable problem, but we note the presence of the “fetchPin” function within the code:

[Screenshot 3_fetchpin: the fetchPin function]

One more trip into the database, and we can grab the PIN:

[Screenshot 5_fetchpin: the stored PIN value from pinlock.db]

This looks suspiciously hash-like, so we pass it through crackstation.net, to derive the correct PIN of “7489”.
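The lookup on crackstation.net works because the stored value is an unsalted hash of a value drawn from only 10,000 possibilities. The script below is an added example, not code from the writeup or the challenge, that makes the same point offline: it enumerates every 4-digit PIN and compares the hash. The writeup does not say which hash function the app used, so the candidate algorithms (chosen by digest length) are an assumption, and the target hash is a constructed stand-in (the SHA-1 of the recovered PIN) rather than the value pulled from pinlock.db. The defensive takeaway is the keyspace figure it prints: roughly 13 bits, which no fast hash can protect; a salted, slow KDF only raises the per-guess cost, it does not fix the small PIN space.

```python
import hashlib
import math
from itertools import product
from string import digits

# Hex-digest length -> hashlib algorithm names with that output size.
# Assumption for the example: the app stored a plain, unsalted digest, so
# we try the common candidates of matching length.
_ALGOS_BY_HEX_LEN = {
    32: ("md5",),
    40: ("sha1",),
    64: ("sha256",),
    128: ("sha512",),
}


def pin_keyspace_bits(pin_digits: int) -> float:
    """Entropy of an all-numeric PIN: log2(10**n). A 4-digit PIN is ~13.3 bits."""
    return math.log2(10 ** pin_digits)


def hash_pin(pin: str, algo: str) -> str:
    """Unsalted hex digest of a PIN string, the weak storage form being demonstrated."""
    return hashlib.new(algo, pin.encode()).hexdigest()


def candidate_algorithms(hex_digest: str):
    """Algorithms whose hex output length matches the stored value."""
    return _ALGOS_BY_HEX_LEN.get(len(hex_digest), ())


def crack_pin(hex_digest: str, pin_digits: int = 4):
    """Return (pin, algorithm) for an unsalted hash of a numeric PIN, or None."""
    target = hex_digest.lower()
    algos = candidate_algorithms(target)
    if not algos:
        return None
    # Exhaust the whole PIN space; at 10**4 candidates this is instantaneous.
    for combo in product(digits, repeat=pin_digits):
        pin = "".join(combo)
        for algo in algos:
            if hash_pin(pin, algo) == target:
                return pin, algo
    return None


if __name__ == "__main__":
    # Constructed stand-in for the value read from pinlock.db: the SHA-1 of
    # the PIN the writeup recovered. The real stored hash is not reproduced here.
    sample = hash_pin("7489", "sha1")
    print(f"keyspace: {pin_keyspace_bits(4):.1f} bits")
    print(crack_pin(sample))  # -> ('7489', 'sha1')
```

Because the loop tries every algorithm of the matching digest length per candidate, the same function recovers an MD5- or SHA-256-stored PIN without being told which was used, which is roughly what a lookup service does behind the scenes.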

From here, we have all we need to build our own decryption app, copying and pasting code from the challenge application itself to make our lives easier. A few moments of Java later:

[Screenshot 6_flag: output of the Java decryption program]

You can download the Java solution file here – please forgive my shitty Java, it’s been a while.

I would like to thank the organisers of all three CTFs this weekend – thank you for putting together these events for everyone to enjoy, and while I was not able to participate in much of these events, I enjoyed the challenges presented.

See you all in the Boston Key Party Qualifier and VolgaCTF Qualifier in two weeks' time!

About Norman

Sometimes, I write code. Occasionally, it even works.