This the second and final writeup of Android challenges which was given in 8st Sharif CTF. I’ve wrote about the team and place in the previous post. The writeup begins …
Just like any other question, I’ve installed the app to look what it is like. The virtual device was a API19 Android emulator. As you see, the skeleton laughs at me!
And there is no other activity, button, request location, etc. appeared in the app. I should mention that this question was in MISC section.
Looking The Code
The app has only MainActivity and inside, it loads a Scalable Vector Graphics image into the web view. SVG images are built on vectors, therefore they can be zoomed in and zoomed out without loosing the quality.
The best editor I know for editing SVG images, is Ink Scape.
The only attack vector (if I can say) available was the SVG image. I started to investigate the SVG. Using APK Tool, I extracted the logo.svg file.
SVG images are mark up files just as HTML or XML in which vectors are defined. So, I opened the logo.svg with a text editor.
As I taught, InkScape was used to make (or edit) the Skeleton.
I investigated more on the markup and found an interesting point. There are two graphics inside the image: one with the id layer1 and the other is text4146.
But we only see one graphics: the skeleton with some paths. The other graphics text4146 is suspicious. Therefore, I opened logo.svg with InkScape.
By moving the laughing skeleton, I’ve found text4146.
Voila, by zooming the text4146, flag is visible.
The flag is: