Challenge: Every year Santa is using his own Weather App to check if he can deliver presents all around the globe. It’s a very secret and reliable app! Or is it? is it /xams or is it /flag
Attached file: SantasWeatherAlert.apk This was a tough one. I solved it first after 4 days. They first added the hint to the text about /xmas (intentional typo?) and later also a whole hint “And there it comes the magic cloud called Google cloud =O Reindeers aren’t used to this kind of clouds. Is this some kind of global warming effect? =O https://cloud.google.com/firestore/docs/reference/rest/".
But lets start at the beginning.
First we de-compile the file again and have a look at it. This thing has all the bells and whistles of a real App! Crashlytics, Fabric, Firebase, a bunch of .so files… And it looks like a React-Native app or something that compiles down to javascript. There is one huge index.android.bundle file with uglyfied JS code.
When running the app it actually shows some country and region selection tools and some notification settings. Attaching the phone to ADB would also reveal some network communication. And upon at least partially re-formatting the JS code with js-beautify we found the following endpoints that could be interesting.
- https://ewa.ssrd.io/api/Country/Countries
- https://ewa.ssrd.io/api/Region/GetRegions?countryCode=
- https://ewa.ssrd.io/api/Country/CountryAlerts?countryCode=
- https://us-central1-ewa-ctf.cloudfunctions.net/setNewRegionId
- https://us-central1-ewa-ctf.cloudfunctions.net/setEnableNotifications
We also found a, perhaps interesting, path: C:\Users\BlazKocbek\GIT\extreme-weather-alert-release\extreme-weather-alert-application
At that point they updated the challenge text and added the /xmas, /flag hint. Now we were trying all sorts of combinations of this on our currently known API endpoints. At this point I was confident the flag was hiding somewhere outside the app.
Some time (days) later I tired to Google (eh, sorry… OSINT) about the app and found that SSRD actually made EWA app! Ok, that could be useful. Download that with APK Downloader, decompile with apktool and look at the difference.
The only significant things that changed were:
- cloudfunctions links (from ewa-ssrd to swa-ctf)
- firebase, google and crashlytics ids in values.xml
So, what were our options?
- Flag hidden in ewa.ssrd.io? Unlikely.
- Flag hidden in crashlytics? The challenge mentions “reliable”. The opposite of reliable app is an app that crashes. And sends crash reports?
- Some hidden cloudfunction on google infrastructure? Perhaps you could send yourself a notification with the flag?
- Firebase… something?
At that time they released the next hint that confirmed my suspicions, that the flag is hiding somewhere on Googles infrastructure.
After a lot of research how to talk to firebase database (I do Android development, but do not interact a lot with firebase) and finding another peace of code:
firestore().collection(‘users’)
I ended up realizing the firebase database was wide open. For example, opening https://firestore.googleapis.com/v1/projects/ewa-ctf/databases/(default)/documents/users would show all users that opened the app and set a region and notification.
Then it was just a matter of guessing the right document collection, to find the flag. https://firestore.googleapis.com/v1/projects/ewa-ctf/databases/(default)/documents/xmas
Now, I don’t know if this was initially locked down more, and one had to somehow use one of the stored keys (google_api_key) but…
Flag: xmas{JinG1efLaGS}
What did I learn: A few things about Firebase database…