HackTheBox Mobile Challenge : Cryptohorrific

Today we will be looking at the HackTheBox mobile challenge “Cryptohorrific”. I won’t be using a mobile device to solve this challenge and will try to find some other way.

Since this is an iOS application, we can use Hopper to disassemble the file and try to have a look at the code.

Functions

The application consists of the above functions, which Hopper identified for us. The interesting ones here are “CCCrypt” and “SecretManager”, which suggest that the application most probably has some encryption/decryption going on.

I will be dissecting some of the above functions below to understand how this application works.

viewDidLoad

This method is called after the view controller has loaded its view hierarchy into memory. This method is called regardless of whether the view hierarchy was loaded from a nib file or created programmatically in the loadView() method. You usually override this method to perform additional initialization on views that were loaded from nib files.

Apple

We are going to inspect the “viewDidLoad” function since it is the first function that’s initialized after the main view

Decompiled viewDidLoad function
  1. Open and read the file “challenge.plist”
  2. Read the value of key “flag” from the above file
  3. Call SecretManager(0x1, key, iv, data)

SecretManager

Decompiled SecretManager function

As we’ve seen above, the SecretManager function accepts 4 arguments:

  1. Int value (this decides whether to encrypt or decrypt)
  2. Key: “!A%D*G-KaPdSgVkY”
  3. IV (Initialization Vector): “QfTjWnZq4t7w!z%C”
  4. Data: Data to decrypt or encrypt

The above arguments are then passed, along with some more arguments, to another function, “CCCrypt”. We will try to identify what the rest of the arguments mean to “CCCrypt”.

CCCrypt

Stateless, one-shot encrypt or decrypt operation.

CCCrypt

Since we have access to Apple’s developer manual, we can identify what each of the passed arguments means.

On the basis of the above function docstring, we can conclude that the respective arguments have the following values:

op: 0x1 (kCCDecrypt)
alg: 0x0 (kCCAlgorithmAES128)
options: 0x3 (kCCOptionPKCS7Padding + kCCOptionECBMode)
*key: “!A%D*G-KaPdSgVkY”
keyLength: 0x10
*iv: “QfTjWnZq4t7w!z%C”

If we have to summarize this application on the basis of the above static analysis, we can conclude that it decrypts a ciphertext value obtained from challenge.plist using the AES-128 cipher in ECB mode with PKCS7 padding.

This sounds doable without running the iOS application. We will try to achieve the same through Python.

The above code sums up the CCCrypt functionality and can be used to solve this challenge.
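The author's script is not reproduced on this page. As an added example (not the original post's code), the following mirrors the CCCrypt call with the argument values listed above, using the `cryptography` package. Assumptions: the contents of challenge.plist are not shown on the page, so the plist, the base64 encoding of its `flag` value, the placeholder plaintext and all function names below are constructed for illustration.

```python
import base64
import plistlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = b"!A%D*G-KaPdSgVkY"  # 16 bytes (keyLength 0x10), hard-coded in the binary
IV = b"QfTjWnZq4t7w!z%C"   # handed to CCCrypt, but ignored when ECB mode is set


def cccrypt_decrypt(ciphertext: bytes, key: bytes = KEY) -> bytes:
    """Same operation as CCCrypt(kCCDecrypt, kCCAlgorithmAES128,
    kCCOptionPKCS7Padding | kCCOptionECBMode, key, 0x10, iv, ...)."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    # modes.ECB() takes no IV at all, which is why IV above is never used.
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()  # ValueError on bad padding


def flag_from_plist(plist_bytes: bytes) -> bytes:
    """Read the 'flag' key and decrypt it (assumed base64 text or raw <data>)."""
    value = plistlib.loads(plist_bytes)["flag"]
    raw = value if isinstance(value, bytes) else base64.b64decode(value, validate=True)
    return cccrypt_decrypt(raw)


def build_sample_plist(plaintext: bytes) -> bytes:
    """Constructed stand-in for challenge.plist, encrypted with the app's key."""
    padder = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(KEY), modes.ECB()).encryptor()
    ct = enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()
    return plistlib.dumps({"flag": base64.b64encode(ct).decode()})


if __name__ == "__main__":
    sample = build_sample_plist(b"HTB{constructed_placeholder}")
    print(flag_from_plist(sample))
```

Because the key ships inside the binary and ECB needs no IV, static analysis alone is enough to recover anything the app decrypts; a key embedded in a client application gives no confidentiality against someone who has the binary.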
