atdt · 6 years ago
Decompile the apk, and run 'strings' on assets/flutter_assets/kernel_blob.bin.

Poke around and you'll find code for POSTing JSON-encoded credentials to http://35.246.158.51:8070/auth/getUrl. (Grep for the IP to find it.)

So, using the web site name as the seed and the 'client id' as the password, we get:

$ curl -X POST -H "Content-Type: application/json" -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' http://35.246.158.51:8070/auth/getUrl

The response is an HTTP 200 and: {"AuthURL":"/auth/v2"}

http://35.246.158.51:8070/auth/v2 is I guess the next step.

edit: The /auth/getUrl endpoint responds to any request with the same response, so that may not be the right Seed/Password combination.
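
A small Python version of the strings-plus-grep step described above, added here as an illustration and not part of the original comment: it pulls printable runs out of a byte blob the way `strings` does, then filters them for URLs and IPv4 literals. The blob is constructed for the example and uses a TEST-NET address rather than the challenge host.

```python
import re

# Constructed sample standing in for a few bytes of a kernel_blob.bin:
# printable runs separated by binary noise. Addresses are TEST-NET, not the real host.
SAMPLE_BLOB = (
    b"\x00\x01\x02Future<Token> login\x00\x7f\xff"
    b"http://203.0.113.10:8070/auth/getUrl\x00\x00\x90"
    b"iWalk-v2\x05\x06"
    b"{\"Seed\":\"\x00"
    b"https://example.invalid/static/app.apk\x00ab"
)

MIN_LEN = 4  # same default minimum run length as GNU strings

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable ASCII runs of at least min_len bytes (what `strings` prints)."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [r.decode("ascii") for r in runs]

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_endpoints(blob: bytes) -> dict:
    """Collect URLs and IPv4 literals from the printable runs, deduplicated in order seen."""
    urls, ips = [], []
    for s in extract_strings(blob):
        for u in URL_RE.findall(s):
            if u not in urls:
                urls.append(u)
        for ip in IPV4_RE.findall(s):
            if ip not in ips:
                ips.append(ip)
    return {"urls": urls, "ipv4": ips}

if __name__ == "__main__":
    for line in extract_strings(SAMPLE_BLOB):
        print(line)
    print(find_endpoints(SAMPLE_BLOB))
```

Run it against a real `kernel_blob.bin` by reading the file into `find_endpoints`; hard-coded endpoints like these are exactly what an app-security review should flag in a shipped bundle.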

arboroia · 6 years ago
You're close, but that first endpoint is just to retrieve the auth URL; no need to post anything to it. It then passes the seed and password to the returned URL, so "http://35.246.158.51:8070/auth/v2" gets '{"Seed": "xxx", "Password": "xxx"}' of some kind.

I haven't yet figured out what those are though...

See:

  Future<Token> login(String seed, String password) {
    var headers = new Map<String,String>();
    return _netUtil.get(LOGIN_URL, headers:headers).then((dynamic authUrl) {
      try {
        if (authUrl == null) {
          return Future<Token>.sync(() => new Token("", false, 0));
        }
        var loginUrl = BASE_URL + AuthURL.map(json.decode(authUrl.body)).url;

arboroia · 6 years ago
So reading about Flutter, there's quick reload information in debug mode [0].

This leads me to believe that the seed and password entered in development / in the cookie jar from a previous attempt are somewhere in the `isolate_snapshot_data` file

[0] https://github.com/flutter/flutter/wiki/Flutter-engine-opera...

stdcall83 · 6 years ago
Got to this point by running the APK in sandbox and tracking the TCP packets...
revocheese · 6 years ago
Following your steps for getting the strings, which in turn helped me get the code of the whole application.

First of all, as per the code, the User-Agent must be set to "iWalk-v2".

Then doing a simple GET request to http://35.246.158.51:8070 will return {"AuthURL":"/auth/v2"}.

Replacing the original URL with http://35.246.158.51:8070/auth/v2 and then sending a JSON body like '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' with "Content-Type: application/json" returns {"IsValid":false,"LockURL":"","Time":136764}.

The Time here (as per my understanding of the code) is the request duration, which somehow contradicts Postman's request duration field.

Now, one weird thing I've noticed about this app is this: if I install it on a regular device, connect that to a proxy, then type gibberish into the fields and click Login, the following code gets invoked:

  void _submit() async {
    final form = formKey.currentState;
    if (form.validate()) {
      setState(() => _isLoading = true);
      form.save();
      _networkActions.login(_seed, _password)
                      .then((result) => _loginCompleted(result))
                      .catchError((e) { 
                        _loginCompleted(new Token("", false, 0));
                      });
    }
  }

If a loading icon appears, then I assume that the code passed the condition and passed this line of code, "setState(() => _isLoading = true);". Now the weird part is that I don't see any outgoing connections from the app... (I use Charles to capture requests.)
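
The two-step exchange this comment describes (GET the auth URL with the iWalk-v2 User-Agent, then POST the seed and password as JSON to the returned path), reproduced below against a local mock so it can be studied without touching the challenge host. This is an added example, not code from the original thread or the app; the mock's credential check, its LockURL value and Time=0 are assumptions made for the illustration.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed local mock of the challenge server; the credential check, the
# LockURL value and Time=0 are assumptions made for this illustration.
EXPECTED_UA = "iWalk-v2"
KNOWN_SEED, KNOWN_PASSWORD = "demo-seed", "demo-password"  # constructed

class MockAuthHandler(BaseHTTPRequestHandler):
    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Step 1: any GET gets the next endpoint, but only with the expected User-Agent.
        if self.headers.get("User-Agent") != EXPECTED_UA:
            return self._send(403, {"error": "bad user agent"})
        self._send(200, {"AuthURL": "/auth/v2"})

    def do_POST(self):
        # Step 2: JSON {"Seed": ..., "Password": ...} posted to the URL from step 1.
        length = int(self.headers.get("Content-Length", 0))
        creds = json.loads(self.rfile.read(length) or b"{}")
        ok = (self.path == "/auth/v2" and creds.get("Seed") == KNOWN_SEED
              and creds.get("Password") == KNOWN_PASSWORD)
        self._send(200, {"IsValid": ok, "LockURL": "/lock" if ok else "", "Time": 0})

    def log_message(self, *args):  # keep the request log quiet
        pass

def start_mock():
    """Bind the mock on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def login(base_url, seed, password):
    """Client side: GET the auth URL, then POST the credentials to it."""
    headers = {"User-Agent": EXPECTED_UA, "Content-Type": "application/json"}
    with urlopen(Request(base_url + "/auth/getUrl", headers=headers)) as r:
        auth_url = json.load(r)["AuthURL"]
    body = json.dumps({"Seed": seed, "Password": password}).encode()
    with urlopen(Request(base_url + auth_url, data=body, headers=headers)) as r:
        return json.load(r)
```

Call `start_mock()` and then `login(base_url, seed, password)`; a wrong User-Agent gets a 403 from the mock, which is the server-side behaviour the comment infers from the decompiled code.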

andr0id · 6 years ago
It's normal that you don't see any traffic using Charles, since Charles can only intercept traffic made by HttpUrlConnection or OkHttp; since Flutter is not using either of those two, you can't see anything in Charles.
stdcall83 · 6 years ago
You're missing a big hint. Go back to the apk and grep for github
mescal · 6 years ago
I think you must also fake the user agent as "iWalk-v2"
chrismeller · 6 years ago
Install a random app from Mossad on my phone? N-no, no I don’t think so.
blattimwind · 6 years ago
Challenge is obviously meant to be reversing, not installing.
mrlatinos · 6 years ago
If you deconstruct the APK, you'll find a C script that prints a message - "You really think it was the Saudis? :)" /s
chrismeller · 6 years ago
Absolutely. Still funny.
Circuits · 6 years ago
lol my thoughts exactly...
tdhoot · 6 years ago
In case you didn't want to wait for the slow-typing to load the entire message:

"Welcome Agent.

A team of field operatives is currently on-site in enemy territory, working to retrieve intel on an imminent terrorist attack.

The intel is contained in a safe, the plans for which are available to authorized clients via an app [0].

Our client ID is d09ff4ec651c48f89f7f7aa19160bd55

Your mission is to retrieve those plans, and allow our team to break into the safe.

Good luck!,

    M."
[0]: http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk

ChuckNorris89 · 6 years ago
Are they seriously expecting people to sideload a Mossad APK on their phones?
nickelcitymario · 6 years ago
If you're dumb enough to do that... maybe they blacklist you from their recruitment efforts moving forward.

You could always install it on a virtual phone in a sandboxed VM.

saagarjha · 6 years ago
You’re probably expected to load it into your favorite static analysis tool.
TheLoneTechNerd · 6 years ago
Of course not, it would be prohibitively difficult to deconstruct the apk from the phone itself.
dontbenebby · 6 years ago
I couldn't even get to refusing to trust an apk because their message doesn't render if you have a JS whitelisting extension such as NoScript.


jsdev93 · 6 years ago
THIS IS LEGITIMATE. The Israeli Mossad had an ad today, https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-i... with a picture. The picture has 4 rows of trophies, which should be converted to 4 numbers using binary --> decimal. Those four numbers are 35, 246, 158, 51.

As an ip address, 35.246.158.51 leads to the site OP posted.

laurentl · 6 years ago
The French cyber security community has a similar challenge every year: https://www.sstic.org/2019/challenge/ (in French).

The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.

andr0id · 6 years ago
Searching for "iWalk-v2" on Google gives the following book as the first result:

https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=P...

On page 397 there is an entry in the index: "iWalk, v2 71". On the same page there are interesting terms like Islamic terrorism, jihad via internet, Judaism... Also, the page number 71 which stands next to the iWalk term is an interesting coincidence, since this riddle is celebrating 71 years of Israeli independence...

hashberry · 6 years ago
This site loads the jQuery library in order to...

1. Access $("#text1")[0].innerHTML

2. $( document ).ready() { typeWriter (); }

facepalm

whoisjuan · 6 years ago
It's done like that because the typeWriter effect is actually rendering line break elements (<br>) as it shows up.
hashberry · 6 years ago
Whoosh, loading jQuery to access an element is not needed. document.getElementById would suffice.
lone_haxx0r · 6 years ago
I don't have time for slow-ass typing text. Next.
mfatica · 6 years ago
view page source mr hackerman
lone_haxx0r · 6 years ago
If I need to read the source code of a fucking website for it to be useful, then it's either a really special edge-case or the designer is a moron. Guess which case this is.

Why not upload a plain text file in the first place?