This is how the challenge started: https://cloudsek.com/challenges/bsides-2021/
We were presented with BeVigil, CloudSEK's free mobile application security testing tool. It identifies vulnerabilities and secrets in apps through deep analysis with an Android app scanner. We were given a sample AppID as well:
Another hint was that their codebase had been breached. This indicated we had to look for sensitive paths/secrets inside the application. Clicking on Enter Challenge took us to BeVigil's website.
First step naturally was to search for the AppID we were given in the description of the challenge:
The next step was to click on View Report, which led to https://bevigil.com/report/com.shadowd, the result of the APK scan. I was going through all the issues when a Firebase database caught my attention:
https://shadowdating-80017-default-rtdb.firebaseio.com/.json gave us the contents of the Firebase database, as it was publicly readable. That is where we found an S3 bucket:
Turns out the S3 bucket (https://s3.ap-south-1.amazonaws.com/cloudsek.bsides) was public and listing was enabled as well. This is a common developer misconfiguration: the whole bucket is left open without realizing that it exposes any sensitive file that was never intended to be public. In this case, we found a CodeBackup.tar.xz file there:
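The listing-enabled bucket above is the result of a policy (or ACL) that grants s3:ListBucket and s3:GetObject to everyone. The following is an added example, not part of the original writeup or of CloudSEK's tooling: a small offline audit of a bucket policy document that reports Allow statements handing those actions to an anonymous principal. Both policies, the bucket name and the role ARN are constructed placeholders.

```python
"""Audit an S3 bucket policy for grants to anonymous callers.

Added example, not part of the original writeup. It evaluates a bucket
policy document offline: both policies and the bucket name below are
constructed, and the IAM role ARN is a placeholder.
"""
import json

# Actions that, granted to everyone, reproduce the misconfiguration in the
# writeup: anonymous listing of keys and anonymous download of objects.
RISKY_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*"}


def _as_list(value):
    """IAM accepts a scalar or a list for Principal.AWS, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (anyone, signed or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy):
    """Return the Allow statements that hand risky S3 actions to everyone.

    Statements carrying a Condition are still reported, but marked so a
    reviewer checks whether the condition actually narrows the caller.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        risky = sorted(actions & RISKY_ACTIONS)
        if risky:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": risky,
                "resources": _as_list(stmt.get("Resource")),
                "conditional": "Condition" in stmt,
            })
    return findings


# Constructed: the kind of policy that makes a bucket listable and readable
# by anyone on the internet.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-code-backups"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-code-backups/*"}
  ]
}
""")

# Constructed: the same access, restricted to one IAM role (placeholder ARN).
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CiOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-backup-reader"},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-code-backups",
                  "arn:aws:s3:::example-code-backups/*"]}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(public_grants(policy), indent=2))
```

A policy check like this covers only one of the ways a bucket becomes public; a public-read canned ACL on the bucket or on individual objects has the same effect and needs a separate check. Enabling S3 Block Public Access at the account or bucket level is the backstop that rejects such grants regardless of what the policy says.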
Upon extracting it and opening it in a text editor (sorry VS Code, can't call you an IDE!), we find this build_app.sh file along with a full Android app project:
In it we find the credentials for cloning the repository we downloaded. I went through the project but couldn't find anything except Facebook and CleverTap keys, which turned out to be a rabbit hole; I wasted quite some time on that. I took a break at this point and roamed around.
After some time, back at the CTF, an idea struck me: could we use these GitHub credentials on the API as well? The same key could have multiple uses (cloning and the API). I visited https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/ to verify it:
Turns out it was just a personal access token and not a deploy token, which I had assumed earlier. Moral: never assume anything!
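The prefix is exactly what lets a reviewer (or a leak) tell the token kinds apart without calling GitHub. The following is an added example, not part of the original writeup: a small secret scanner that finds GitHub tokens in a file such as a build script and classifies them by the prefixes GitHub announced (ghp_ personal access token, gho_ OAuth token, ghu_ user-to-server, ghs_ server-to-server, ghr_ refresh token), redacting the value in its report. The sample script and the tokens in it are constructed, not real credentials.

```python
"""Find and classify GitHub tokens in source files or code backups.

Added example, not part of the original writeup. Prefixes follow GitHub's
announced token formats; the sample script and its tokens are constructed.
"""
import re

TOKEN_KINDS = {
    "ghp": "personal access token",
    "gho": "OAuth access token",
    "ghu": "GitHub App user-to-server token",
    "ghs": "GitHub App server-to-server token",
    "ghr": "GitHub App refresh token",
}

# Prefix, underscore, then a 36-character base62 body (the classic format).
TOKEN_RE = re.compile(r"\b(gh[pousr])_([A-Za-z0-9]{36})\b")


def redact(token):
    """Keep the prefix and the last four characters so a finding can be
    matched to a token without reproducing the whole secret in a report."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def find_github_tokens(text):
    """Return one finding per token: line number, token kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            findings.append({
                "line": lineno,
                "kind": TOKEN_KINDS[match.group(1)],
                "redacted": redact(match.group(0)),
            })
    return findings


# Constructed sample, modelled on a build script that clones a private repo.
SAMPLE_BUILD_SCRIPT = """\
#!/bin/sh
# constructed sample; the tokens below are placeholders, not real secrets
export TOKEN=ghp_c0nstructedExampleTokenValue00000000
export CI_TOKEN=ghs_c0nstructedServerToServerValue000000
git clone https://$TOKEN:x-oauth-basic@github.com/example-org/example-app
./gradlew assembleRelease
"""

if __name__ == "__main__":
    for finding in find_github_tokens(SAMPLE_BUILD_SCRIPT):
        print(f"line {finding['line']}: {finding['kind']} {finding['redacted']}")
```

A ghp_ hit is the one to treat most seriously: a personal access token carries whatever scopes its owner granted across every repository that user can reach, which is why the token in this writeup worked against the API and not just for one clone. Any such finding in a backup should be revoked rather than rotated in place.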
curl -s -u "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:x-oauth-basic" https://api.github.com/user
curl -s -u "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:x-oauth-basic" https://api.github.com/user/repos
We get another repo which we can then clone:
git clone https://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:x-oauth-basic@github.com/shadow0x7/internal_mvp_com.aphrodite.beta
cd internal_mvp_com.aphrodite.beta
Browsing this repo, we get several files, and in the Todo.md file we have a reference to
Going back to the start of the challenge, I tried searching for this app on BeVigil again and, sure enough, found a result:
Going to the report and then to the Strings section, we get the flag:
At this point, the battery in my laptop was at around 7%! Luckily, thanks to my typing speed :P, I was able to submit a crisp, short writeup along with the flag.