RC3 CTF 2016: My Lil Droid (100 points)


Sometimes not all files are needed.

Download Link: https://drive.google.com/file/d/0Bw7N3lAmY5PCOFNQZFgtSVlFZ3M/view?usp=sharing


First step, of course, is downloading the files. Turned out it was only an apk file called youtube.apk. APKs are just an archive, and can thus be extracted easily. Let’s try that:

As the description of the challenge said that not all files would be required, my first try was to do a recursive grep (I’m still surprised each time this approach just shows the flag immediately 🙂 ).

That yielded no results. Maybe not the entire flag is present in the file in plaintext, but only part of it:

Let’s have a look in these files (of which the first one, youtube.apk, is of course the original file). As the others are part of youtube.apk, let’s just use that one from now on again.

Those four strings indeed contain the string rc3 (not considering case-sensitivity), but how much of a coincidence is that?

There seem to be 276.637 strings in total, so let’s skip it for now. It might be that these occurrences are just a coincidence.

What if we try and look for the second part we know each flag consists of, namely “2016”?

As expected, there are a lot of occurrences here as 2016 is a year, and many of the metadata and additional information of software probably includes it. Still, we can have a look at the exact occurrences:

Well, that looks interesting. Let’s take a closer look at the last result:

As the last part of the string gives away, it is probably base64-encoded. Let’s therefore assume the string above has the following form:

First, decode the first part of the string:

That already looks like it! Now, we need the last part of the string as well:

If we reconstruct the full string now, we got our flag: RC3-2016-GOTEM21.





Leave a Comment

Your email address will not be published.