Hacker101 CTF Android挑战解析与解题思路<\/h1>

1. H1 Thermostat挑战<\/h2>

1.1 应用概述<\/h3>

这是一个温度计应用，包含温度显示面板和调节功能<\/li>

提示有两处flag需要发现<\/li> <\/ul>

1.2 静态分析<\/h3>

Activity分析<\/strong>：<\/p>

唯一Activity：ThermostatActivity<\/li>
关键代码位于com.hacker101.level11包下<\/li> <\/ul> <\/li>

Flag发现<\/strong>：<\/p>

搜索flag关键词发现两处关键代码：
\/\/ Flag 1 <\/span><\/span><\/span><\/span>messageDigest.<\/span>update<\/span>(<\/span>"^FLAG^911074676b0d1ed58ba09ca5755930daf7266886bbcf32ca8f785f6e5c631eb9$FLAG$"<\/span>.<\/span>getBytes<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ Flag 2 <\/span><\/span><\/span><\/span>this<\/span>.<\/span>mHeaders<\/span>.<\/span>put<\/span>(<\/span>"X-Flag"<\/span>,<\/span> "^FLAG^ab34de7822af3f9f75b311e0dcca2d1db34b5e63aa4fbb7386696a547405405a$FLAG$"<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 网络请求分析<\/strong>：<\/p> PayloadRequest类处理网络请求<\/li> 请求URL：https:\/\/d7299d*****4704859cc2cc8382.ctf.hacker101.com\/<\/code><\/li> 请求参数： "d"：buildPayload(JSONObject)的结果<\/li> "X-MAC"：MD5("^FLAG^...$FLAG$<\/span>" + buildPayload)的Base64编码<\/li> "X-Flag"：明文flag<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 1.3 动态分析<\/h3> 请求流程<\/strong>：<\/p> setDefaults()方法初始化温度并发送请求<\/li> 请求成功后回调更新温度值<\/li> <\/ul> <\/li> 抓包发现<\/strong>：<\/p> 可以直接从X-Flag头获取第二个flag<\/li> 第一个flag需要从代码中获取MD5前的原始值<\/li> <\/ul> <\/li> <\/ol> 1.4 解题步骤<\/h3> 直接查看代码中的两处flag定义<\/li> 验证flag： 911074676b0d1ed58ba09ca5755930daf7266886bbcf32ca8f785f6e5c631eb9<\/li> ab34de7822af3f9f75b311e0dcca2d1db34b5e63aa4fbb7386696a547405405a<\/li> <\/ul> <\/li> <\/ol> 2. Intentional Exercise挑战<\/h2> 2.1 应用概述<\/h3> 单一界面应用，包含一个"Flag"按钮<\/li> 点击按钮显示"Invalid request"<\/li> <\/ul> 2.2 静态分析<\/h3> 关键代码<\/strong>：<\/p> Uri data =<\/span> getIntent().<\/span>getData<\/span>();<\/span> <\/span><\/span>String str =<\/span> "https:\/\/09f0e1735ea21fef3ae3c1578d677f09.ctf.hacker101.com\/appRoot"<\/span>;<\/span> <\/span><\/span>String str2 =<\/span> BuildConfig.<\/span>FLAVOR<\/span>;<\/span> <\/span><\/span> <\/span><\/span>if<\/span> (<\/span>data !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> str2 =<\/span> data.<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>28<\/span>);<\/span> <\/span><\/span> str =<\/span> str +<\/span> str2;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>if<\/span> (!<\/span>str.<\/span>contains<\/span>(<\/span>"?"<\/span>))<\/span> {<\/span> <\/span><\/span> str =<\/span> str +<\/span> "?"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>MessageDigest messageDigest =<\/span> MessageDigest.<\/span>getInstance<\/span>(<\/span>"SHA-256"<\/span>);<\/span> <\/span><\/span>messageDigest.<\/span>update<\/span>(<\/span>"s00p3rs3cr3tk3y"<\/span>.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>));<\/span> <\/span><\/span>messageDigest.<\/span>update<\/span>(<\/span>str2.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>));<\/span> <\/span><\/span>webView.<\/span>loadUrl<\/span>(<\/span>str +<\/span> "&hash="<\/span> +<\/span> String.<\/span>format<\/span>(<\/span>"%064x"<\/span>,<\/span> new<\/span> BigInteger(<\/span>1<\/span>,<\/span> messageDigest.<\/span>digest<\/span>())));<\/span> <\/span><\/span><\/code><\/pre><\/li> 哈希生成逻辑<\/strong>：<\/p> 使用SHA-256算法<\/li> 哈希输入："s00p3rs3cr3tk3y" + str2<\/li> str2为URL路径部分（去除前28个字符）<\/li> <\/ul> <\/li> <\/ol> 2.3 动态分析<\/h3> 正常流程<\/strong>：<\/p> 点击Flag按钮请求URL：ctf.hacker101.com\/appRoot\/flagBearer<\/code><\/li> 响应："Invalid request"<\/li> <\/ul> <\/li> 抓包发现<\/strong>：<\/p> 需要正确的hash参数才能获取flag<\/li> hash = SHA256("s00p3rs3cr3tk3y\/flagBearer")<\/li> <\/ul> <\/li> <\/ol> 2.4 解题方法<\/h3> 方法1：计算正确hash<\/h4> 计算字符串"s00p3rs3cr3tk3y\/flagBearer"的SHA256哈希<\/li> 将结果作为hash参数附加到URL https:\/\/...\/appRoot\/flagBearer?&hash=<calculated_hash> <\/code><\/pre> <\/li> <\/ol> 方法2：使用ADB命令<\/h4> 通过ADB命令直接启动带有正确路径的Activity： adb shell am start -W -a "android.intent.action.VIEW"<\/span> -d "http:\/\/level13.hacker101.com\/flagBearer"<\/span> com.hacker101.level13 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. Oauthbreaker挑战<\/h2> 3.1 应用概述<\/h3> 单一界面，包含"认证"按钮<\/li> 点击后跳转浏览器进行OAuth认证<\/li> 认证成功后返回应用显示"成功验证"<\/li> <\/ul> 3.2 静态分析<\/h3> MainActivity关键代码：<\/h4> onCreate方法<\/strong>：<\/p> public<\/span> void<\/span> onCreate<\/span>(<\/span>Bundle bundle)<\/span> {<\/span> <\/span><\/span> super<\/span>.<\/span>onCreate<\/span>(<\/span>bundle);<\/span> <\/span><\/span> setContentView(<\/span>R.<\/span>layout<\/span>.<\/span>activity_main<\/span>);<\/span> <\/span><\/span> this<\/span>.<\/span>authRedirectUri<\/span> =<\/span> "oauth:\/\/final\/"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Uri data =<\/span> getIntent().<\/span>getData<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>data !=<\/span> null<\/span> &&<\/span> data.<\/span>getQueryParameter<\/span>(<\/span>"redirect_uri"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>authRedirectUri<\/span> =<\/span> data.<\/span>getQueryParameter<\/span>(<\/span>"redirect_uri"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception unused)<\/span> {<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> this<\/span>.<\/span>button<\/span> =<\/span> (<\/span>Button)<\/span> findViewById(<\/span>R.<\/span>id<\/span>.<\/span>button<\/span>);<\/span> <\/span><\/span> this<\/span>.<\/span>button<\/span>.<\/span>setOnClickListener<\/span>(<\/span>this<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> onClick方法<\/strong>：<\/p> public<\/span> void<\/span> onClick<\/span>(<\/span>View view)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>view.<\/span>getId<\/span>()<\/span> !=<\/span> R.<\/span>id<\/span>.<\/span>button<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> String str =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> str =<\/span> "https:\/\/0b6**ded40f29af68fb3b108c.ctf.hacker101.com\/oauth?redirect_url="<\/span> +<\/span> <\/span><\/span> URLEncoder.<\/span>encode<\/span>(<\/span>this<\/span>.<\/span>authRedirectUri<\/span>,<\/span> StandardCharsets.<\/span>UTF_8<\/span>.<\/span>toString<\/span>())<\/span> +<\/span> <\/span><\/span> "login&response_type=token&scope=all"<\/span>;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>UnsupportedEncodingException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> Intent intent =<\/span> new<\/span> Intent(<\/span>"android.intent.action.VIEW"<\/span>);<\/span> <\/span><\/span> intent.<\/span>setData<\/span>(<\/span>Uri.<\/span>parse<\/span>(<\/span>str));<\/span> <\/span><\/span> startActivity(<\/span>intent);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> BrowserActivity关键代码：<\/h4> public<\/span> void<\/span> onCreate<\/span>(<\/span>Bundle bundle)<\/span> {<\/span> <\/span><\/span> super<\/span>.<\/span>onCreate<\/span>(<\/span>bundle);<\/span> <\/span><\/span> setContentView(<\/span>R.<\/span>layout<\/span>.<\/span>activity_browser<\/span>);<\/span> <\/span><\/span> <\/span><\/span> String str =<\/span> "https:\/\/0b65afadf874ded40f29af68fb3b108c.ctf.hacker101.com\/authed"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Uri data =<\/span> getIntent().<\/span>getData<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>data !=<\/span> null<\/span> &&<\/span> data.<\/span>getQueryParameter<\/span>(<\/span>"uri"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> str =<\/span> data.<\/span>getQueryParameter<\/span>(<\/span>"uri"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception unused)<\/span> {<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> WebView webView =<\/span> (<\/span>WebView)<\/span> findViewById(<\/span>R.<\/span>id<\/span>.<\/span>webview<\/span>);<\/span> <\/span><\/span> webView.<\/span>setWebViewClient<\/span>(<\/span>new<\/span> SSLTolerentWebViewClient(<\/span>webView));<\/span> <\/span><\/span> webView.<\/span>getSettings<\/span>().<\/span>setJavaScriptEnabled<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> webView.<\/span>addJavascriptInterface<\/span>(<\/span>new<\/span> WebAppInterface(<\/span>getApplicationContext()),<\/span> "iface"<\/span>);<\/span> <\/span><\/span> webView.<\/span>loadUrl<\/span>(<\/span>str);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>WebAppInterface关键方法：<\/h4> @JavascriptInterface<\/span> <\/span><\/span>public<\/span> String getFlagPath<\/span>()<\/span> {<\/span> <\/span><\/span> String str =<\/span> ""<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> bArr =<\/span> new<\/span> byte<\/span>[<\/span>32<\/span>];<\/span> <\/span><\/span> new<\/span> SecureRandom().<\/span>nextBytes<\/span>(<\/span>bArr);<\/span> <\/span><\/span> MessageDigest messageDigest =<\/span> MessageDigest.<\/span>getInstance<\/span>(<\/span>"SHA-256"<\/span>);<\/span> <\/span><\/span> messageDigest.<\/span>update<\/span>(<\/span>bArr);<\/span> <\/span><\/span> str =<\/span> Hex.<\/span>encodeHexString<\/span>(<\/span>messageDigest.<\/span>digest<\/span>())<\/span> +<\/span> ".html"<\/span>;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>NoSuchAlgorithmException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> str;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 解题步骤<\/h3> Flag 1获取：<\/h4> 修改redirect_url参数为"oauth:\/\/final\/login"<\/li> 访问修改后的OAuth URL<\/li> 从响应中获取token形式的flag<\/li> <\/ol> Flag 2获取：<\/h4> 利用WebView的JavaScript接口<\/li> 调用getFlagPath()方法获取flag路径<\/li> 计算得到路径：48ce217fea4529a070a9d3e3c87db512b1596d413e580f7b2e1eab65f3948ab8.html<\/li> 拼接完整URL访问获取flag<\/li> <\/ol> 4. 通用解题技巧总结<\/h2> 静态分析优先<\/strong>：<\/p> 使用Jadx等工具反编译APK<\/li> 搜索关键词如"flag"、"secret"等<\/li> 重点关注网络请求相关代码<\/li> <\/ul> <\/li> 动态分析辅助<\/strong>：<\/p> 使用抓包工具分析网络请求<\/li> 监控Intent跳转和数据传递<\/li> 观察WebView加载行为<\/li> <\/ul> <\/li> 常见漏洞点<\/strong>：<\/p> 硬编码的凭证或flag<\/li> 不安全的WebView配置（如启用JavaScript）<\/li> 不完善的输入验证<\/li> 不安全的Intent处理<\/li> <\/ul> <\/li> ADB命令使用<\/strong>：<\/p> 通过ADB命令触发特定Intent<\/li> 测试不同URI和参数组合<\/li> <\/ul> <\/li> 加密哈希分析<\/strong>：<\/p> 识别代码中的哈希算法（MD5、SHA等）<\/li> 分析哈希输入构造方式<\/li> 必要时重新实现哈希计算逻辑<\/li> <\/ul> <\/li> <\/ol>