~$ Dissecting the KnightCTF Reverse Engineering challenges!

Posted on Jan. 30th, 2022. | Est. reading time: 5 minutes

Tags:CTFWrite Up


Write-ups


Baby Shark (50 points)

During my holiday in Bahamas, I met a baby shark. The shark wanted to sing me something but couldn't. Can you sing that for me?

Flag Format: KCTF{SomE_T3xT_h3r3}


Once the JAR is downloaded, go to javadecompilers.com, and upload it there.

We obtain a ZIP which we then unpack, revealing the following file structure:

File tree

We can see a few interesting Java files, which we'll get into quickly.

The first is Flag.java, it is not very interesting:

A few false flags.

In Strings.java we can see what resembles strings that are Base64 encoded:

The various base64 codes

If we throw these in a Base64 decoder, the last gives us the flag: KCTF{7H15_W@5_345Y_R16H7?}



Droid Flag (100 points)

One needs to decompile the provided APK, and understand what the decompiled code does, to retrieve the flag.

Once the ZIP is downloaded, extract the APK contained within, then go to javadecompilers.com, and upload it there.

We obtain a ZIP which we then unpack, revealing the following file structure:

The various base64 codes

We can see a few interesting Java files, which we'll get into quickly.

The first is MainActivity.java, it contains a few interesting lines:

The various base64 codes

We can see that this code calls a number of functions in the StringHandler class from the StringHandler.java file, in the following order:

$(S1){$(S3)_$(S2)_$(S4)}

The various base64 codes
  • S1 gets a value defined in class C074SR where the identifier is f112s5
  • S2 gets a value defined in class C074SR where the identifier is f113s6
  • S3 gets a value defined in class C074SR where the identifier is f114s7
  • S4 gets a value defined in class C074SR where the identifier is f115s8

Those values are:

The various base64 codes

We look for any identifier with those numbers (grep is useful), and find some in public.xml:

The various base64 codes

We then look for the names provided in strings.xml:

The various base64 codes

In StringHandler.java we see that the values for S2, S3 and S4 are then reversed, which makes the final flag: $(S1){$(S3)_$(S2)_$(S4)} -> KCTF{aNdR01D_s1MpL3_r3V3rS3}.