Post

Manager (Mobile) Writeup

Manager (Mobile) Writeup

Purpose

Resources

  • Challenge Link
  • We are given a zip that is password protected (password is provided on HTB)
  • We are given an IP and PORT for the service for the challenge.

Process

  • We downloaded the file and then checked the readme file. In here was instructions on what API minimum is needed to install.
  • We used adb install Manager.apk to install the app on the rooted emulator. Just in case we need to dumpster dive in the file system. first-launch
  • After this, we launch Burp and make sure that the CA cert is on the emulator and that we can intercept traffic clearly.
  • We register a new account test:test to see what is available to us in the app.
  • After logging in the with the new test account we find a /manage call that peaks our interest. registered-account
  • We enumerate for other accounts already registered and we tried admin. The response showed that admin was already taken, which we are going to assume this is the account we are tasked with finding the password for.
  • After doing this, we send the /manage to Repeater to edit the call and re-send. We edit the call to target admin instead of test account and edited the password to something we know. Huzzah! repeater-call
  • Then we logged in to the admin and found the flag in the Role field. flag
This post is licensed under CC BY 4.0 by the author.

Trending Tags