Digital Pakistan Cybersecurity Hackathon — 2023 Finals Writeup

Abdul Wassay (HotPlugin)
4 min readDec 29, 2023

Rooted — Android

You have to bypass first before you do anything, what to bypass? you need to figure out
Flag Format: Flag{}

An APK file is given. Installed it in emulator and following screen is shown when app is opened

Open the APK in Jadx GUI. In the AndroidManifest.xml file, it can be seen that there are two activities. One is Main Activity and the other is FLAGbox.

In the Main Activity, it checks if the device is rooted then it prints the message Try Harder which we have already seen. Else it sets other message using the stringFromJNI native method.

We can bypass this root detection by changing the implementation of IsDeviceRooted method and make it return False. It can be done using the following frida script.

Java.perform(() => {
let IsRooted = Java.use("com.cybertalents.ohmyroot.IsRooted");
IsRooted["IsDeviceRooted"].implementation = function () {
console.log(`IsRooted.IsDeviceRooted is called`);
console.log(`Root Bypassed!`);
return false;

Start the frida server and hook it using the following command. Now after root bypass, the message is different and there’s no flag.

frida -U -f com.cybertalents.ohmyroot -l .\hook.js

Let’s see the FLAGbox activity. Here, we see another native method DoSomeMagic. But the problem is that this activity is not being called.

What we can do is that we can create an instance of FLAGbox class and directly call the DoSomeMagic method using the following frida script.

Java.perform(() => {
let FLAGbox = Java.use("com.cybertalents.ohmyroot.FLAGbox");
var instance = FLAGbox.$new();
var flag = instance["DoSomeMagic"]();
console.log("Flag: " + flag);

Executing the above script, we get the flag.

ORZ Notes — Machine

Get the highest privilege on the system

Flag Format: Flag{}

Starting the challenge, we are provided with following ttyd web shell. Checking the process, we find a node js application running with root user privileges. Check the source code at /app directory, we find the that static-server version 2.2.1 is used which is vulnerable to path traversal (CVE-2023–26152).

To exploit this CVE, we need a writeable directory. Upon checking permission, it can be seen that notes-archive directory has write permissions.

Using the POC provided in above advisory, we exploit this CVE and read the flag by creating a symlink.

Notes — Web

You need to get admin access

Flag Format: Flag{}

Starting the challenge, we are provided with a login page. There’s also a registration page. After logging in we can create notes. We can also pop XSS but that’s not the way here as we also wasted our time. Checking the cookies, we see a Flask JWT. Using the flask-unsign, brutforce the secret and forge a new admin cookie.

Now using the forged cookie, we get access to admin dashboard and the flag.