# ALICTF 2016 - ColorOverflow

Points: 100
Category: Reversing
Description: ctf=Capture The traFfic? (attachment)
HINT: port 5555

I only got to this challenge late; by the time I started looking at it, quite a few teams had already solved it and the organizers had released an additional hint to look at port 5555.

The packet capture contains quite a bit of HTTP traffic as well as a conversation on port 5555. If you are familiar with Android debugging, port 5555 is the port adb listens on when the device is in TCP mode (`adb tcpip 5555`). Following the conversation, it is obvious that an APK is pushed to the device and installed.

With a short Python script using scapy to reassemble the TCP stream on port 5555 and carve the file payload out of it, we can easily obtain the APK from the packet capture.
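The following is an added example, not the author's script: it carves a file pushed over ADB out of the host-to-device byte stream. The ADB wire format (a 24-byte header of six little-endian uint32 values: command, arg0, arg1, data_length, data_check, magic) and the `sync:` service framing (SEND / DATA / DONE / QUIT records) are as documented in the AOSP adb sources. It assumes, which the write-up does not state, that the APK was transferred the way `adb install` did in 2016, i.e. pushed through `sync:` to a temporary path before `pm install`. The sample stream, the path `/data/local/tmp/game.apk` and the fake APK bytes are constructed here so the script runs offline; `host_to_device_bytes` is the scapy step for a real capture.

```python
import struct

# Assumptions for this added example: ADB over TCP, file pushed via the sync: service.
HEADER = struct.Struct("<6I")      # command, arg0, arg1, data_length, data_check, magic
A_OPEN = 0x4E45504F                # b"OPEN" read as a little-endian uint32
A_WRTE = 0x45545257                # b"WRTE"
WRTE_MAX = 4096                    # largest WRTE payload in the original protocol version
SYNC_DATA_MAX = 64 * 1024          # largest sync DATA chunk adb sends


def adb_message(command, arg0, arg1, payload):
    """Serialise one ADB message: data_check is the byte sum, magic is ~command."""
    return HEADER.pack(command, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + payload


def sync_record(ident, payload):
    """One sync: record: 4-byte id, little-endian uint32 length, payload."""
    return ident + struct.pack("<I", len(payload)) + payload


def adb_messages(stream):
    """Walk a one-direction ADB byte stream and yield (command, arg0, arg1, payload)."""
    off = 0
    while off + HEADER.size <= len(stream):
        cmd, a0, a1, dlen, dcheck, magic = HEADER.unpack_from(stream, off)
        if magic != cmd ^ 0xFFFFFFFF:
            raise ValueError("bad ADB magic at offset %d (not a message boundary?)" % off)
        off += HEADER.size
        payload = stream[off:off + dlen]
        if len(payload) != dlen:
            raise ValueError("truncated ADB message at offset %d" % off)
        if sum(payload) & 0xFFFFFFFF != dcheck:
            raise ValueError("ADB checksum mismatch at offset %d" % off)
        off += dlen
        yield cmd, a0, a1, payload


def extract_pushed_files(stream):
    """Return {remote_path: bytes} for every file sent through a sync: stream."""
    sync_ids, per_stream = set(), {}
    for cmd, a0, a1, payload in adb_messages(stream):
        if cmd == A_OPEN and payload.startswith(b"sync:"):
            sync_ids.add(a0)                      # arg0 is the host-side stream id
        elif cmd == A_WRTE and a0 in sync_ids:
            # sync records are split across WRTE messages, so reassemble per stream first
            per_stream.setdefault(a0, bytearray()).extend(payload)

    files = {}
    for data in per_stream.values():
        off, path, body = 0, None, bytearray()
        while off + 8 <= len(data):
            ident = bytes(data[off:off + 4])
            length = struct.unpack_from("<I", data, off + 4)[0]
            off += 8
            if ident == b"SEND":                  # payload is "remote/path,mode"
                spec = bytes(data[off:off + length]).decode()
                off += length
                path, body = spec.rsplit(",", 1)[0], bytearray()
            elif ident == b"DATA":
                body.extend(data[off:off + length])
                off += length
            elif ident == b"DONE":                # length slot carries the mtime, no payload
                if path is not None:
                    files[path] = bytes(body)
                path = None
            elif ident == b"QUIT":                # host closes the sync session
                break
            else:
                raise ValueError("unexpected sync record %r" % ident)
    return files


def build_sample_stream():
    """Constructed host->device stream (sample data): a fake APK pushed to /data/local/tmp."""
    apk = b"PK\x03\x04" + bytes(range(256)) * 300        # zip magic plus filler
    local_id = 7
    sync = (sync_record(b"SEND", b"/data/local/tmp/game.apk,33188")
            + b"".join(sync_record(b"DATA", apk[i:i + SYNC_DATA_MAX])
                       for i in range(0, len(apk), SYNC_DATA_MAX))
            + b"DONE" + struct.pack("<I", 1463000000))
    msgs = [adb_message(A_OPEN, local_id, 0, b"sync:\x00")]
    msgs += [adb_message(A_WRTE, local_id, 1, sync[i:i + WRTE_MAX])
             for i in range(0, len(sync), WRTE_MAX)]
    return b"".join(msgs), apk


def host_to_device_bytes(pcap_path, port=5555):
    """Concatenate client->device TCP payloads from a pcap with scapy (needs scapy installed)."""
    from scapy.all import rdpcap, TCP   # imported here so the parser above runs without scapy
    segments = {}
    for pkt in rdpcap(pcap_path):
        if TCP in pkt and pkt[TCP].dport == port and bytes(pkt[TCP].payload):
            segments.setdefault(pkt[TCP].seq, bytes(pkt[TCP].payload))  # drop retransmits
    return b"".join(segments[seq] for seq in sorted(segments))


if __name__ == "__main__":
    stream, _ = build_sample_stream()
    for path, blob in extract_pushed_files(stream).items():
        print(path, len(blob), "bytes, magic", blob[:4])
```

On a real capture, `extract_pushed_files(host_to_device_bytes("capture.pcap"))` does the job, provided there is a single adb session on port 5555 (the sequence-number reassembly above does not separate multiple connections). The `magic` and `data_check` checks matter: if the stream does not start at a message boundary, or a segment is missing, the parser fails loudly instead of emitting a corrupted APK.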

The APK file can be obtained here if you are interested in taking a look.

The application appears to be a real game available on the Play Store. After unpacking the APK with apktool, we see that the assets folder contains an HTML file with a GitHub link to the original game.

Comparing the original application with this one, most of the code is similar. Going back to the pcap file, we see that some HTTP requests are made to this URL:

http://www.bing.com/search?q=alictf%7BFlagIsHere%7D&go=Submit&qs=n&form=QBRE&pq=alictf%7Bflagishere%7D&sc=8-7&sp=-1&sk=&setmkt=zh-CN


Looking further, none of the other requests looks suspicious, except one:

Following this lead, I put a proxy in front of the app to watch its traffic, and indeed, every time we win the game and enter a high score, a POST request similar to the one above is made. The body of that request, however, is encrypted by the app in some way.

With this, it is clear that we have to reverse the logic responsible for the encryption and decrypt the captured data to get our flag. We first search the code for the request URL and trace it from there. It starts here:

We traced the code to the function that invokes the encryption:

The encryption is AES in CBC mode. The constants give it away, and stepping through the code and checking the values confirms it.

Following that further, we found the class that describes the final representation of the data:

And that class was used here:

With this class, we can understand what the serialized data represents (tag, length, value; the hex is the captured POST body):

```
12 10 62623339623037303630646561626435 => android_id with length 0x10
15 b9e8f3d3ca2a => current_time
18 10 46514bf9f2b3cd3bf580b7cd9bae4514 => SHA1PRNG with length 0x10
18 20 da2990bf15b7fd98a4e73ef766cd714f6f63b2e7f270c55f0caf7e704ca7702f => highScoreDataPlusMessage with length 0x20
```


Compiling and running the decompiled Java code gives us the IV required for the AES decryption.

A simple Python script then runs the AES-CBC decryption with that key and IV.
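The following is an added example, not the author's script, covering both the record layout dumped above and the decryption step. It parses the bytes exactly as shown in the write-up: a tag byte followed by a one-byte length and that many bytes, except for tag 0x15, which it reads as a base-128 varint (that is my reading, not the page's: decoded that way the six bytes give 1463149196345, which is 2016-05-13 14:19:56 UTC in milliseconds, consistent with the field being `current_time`). Two further assumptions are not on the page: that the 16-byte field labelled SHA1PRNG is the AES-128 key, and that the IV, which the author obtained by running the decompiled Java, is supplied by the caller. `decrypt_highscore` needs pycryptodome; the padding check assumes the Java default `AES/CBC/PKCS5Padding`.

```python
import datetime

# Hex exactly as dumped in the write-up, joined into one record.
RECORD_HEX = (
    "12" "10" "62623339623037303630646561626435"
    "15" "b9e8f3d3ca2a"
    "18" "10" "46514bf9f2b3cd3bf580b7cd9bae4514"
    "18" "20" "da2990bf15b7fd98a4e73ef766cd714f6f63b2e7f270c55f0caf7e704ca7702f"
)
VARINT_TAG = 0x15   # assumption: current_time is a varint, not a length-prefixed field


def read_varint(buf, off):
    """Little-endian base-128 varint (protobuf style); returns (value, new_offset)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def parse_record(data):
    """Return the fields in order as (tag, value) pairs; the varint field's value is an int."""
    fields, off = [], 0
    while off < len(data):
        tag = data[off]
        off += 1
        if tag == VARINT_TAG:
            value, off = read_varint(data, off)
        else:
            length = data[off]
            off += 1
            value = data[off:off + length]
            if len(value) != length:
                raise ValueError("truncated field 0x%02x" % tag)
            off += length
        fields.append((tag, value))
    return fields


def utc_string(ms):
    """Render epoch milliseconds as a UTC timestamp."""
    t = datetime.datetime.fromtimestamp(ms / 1000, tz=datetime.timezone.utc)
    return t.strftime("%Y-%m-%d %H:%M:%S")


def describe(fields):
    """Summarise the four fields in the order the write-up lists them."""
    android_id, ts_ms, key, ciphertext = [v for _, v in fields]
    return {
        "android_id": android_id.decode(),     # the 16 bytes are ASCII hex digits
        "time_utc": utc_string(ts_ms),
        "key_bits": len(key) * 8,              # 128 -> AES-128
        "cipher_blocks": len(ciphertext) // 16,
    }


def pkcs7_unpad(data, block=16):
    """Strip PKCS#5/#7 padding, rejecting anything malformed (wrong key or IV shows up here)."""
    if not data or len(data) % block:
        raise ValueError("not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def decrypt_highscore(fields, iv):
    """AES-128-CBC decrypt the last field with the 16-byte key field; iv comes from the caller."""
    from Crypto.Cipher import AES   # pycryptodome; imported here so parsing works without it
    key, ciphertext = fields[2][1], fields[3][1]
    if len(key) != 16 or len(iv) != 16:
        raise ValueError("AES-128-CBC needs a 16-byte key and a 16-byte IV")
    return pkcs7_unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext))


if __name__ == "__main__":
    fields = parse_record(bytes.fromhex(RECORD_HEX))
    print(describe(fields))
    # print(decrypt_highscore(fields, iv_from_decompiled_java))
```

With the real IV plugged in, a wrong guess fails at `pkcs7_unpad` rather than silently yielding garbage, which is the quickest way to tell whether the IV recovered from the Java code is the right one. Since the ciphertext is two blocks, the padded plaintext (score plus the flag message) is at most 31 bytes.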

And we get our flag: alictf{A11IsInTraff1c}.