HackerOne CTF - Thermostat
I wasn't sure what to expect with this one. The Thermostat. Android CTF... I didn't have a readily accessible Android device, so I initially downloaded the file, Thermostat.apk. Well, OK. I started downloading Nox from https://www.bignox.com/
However, while waiting for Nox, I opened the APK using 7-Zip. I poked around to see if the flag was in plaintext in one of the files. I eventually found 'classes.dex' and opened it just in notepad.exe on Windows. I searched for flag (forgot the ^flag^ or $flag$, just flag) and found a ton of them. Eventually I cycled through and found both flags right next to each other. Boom. Easy squeezy.
From the hints, I'm guessing I was supposed to approach this a bit differently. I never did get the APK opened.
Flag0 -- Found
- Communication is key
- Have you looked at what the app is sending to the server?
Flag1 -- Found
- Doesn't the MAC seem interesting?
- Access to the source code would help
- Check out the Android Quickstart video from Hacker101
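
The manual search described above (open the APK as an archive, then look for a keyword in `classes.dex`) works because an APK is a zip file and DEX string data stores ASCII text as plain bytes. The same check as a script, useful for seeing what a build of your own app exposes; this is an added example, not part of the original write-up, and the sample archive, its marker string and the function names are constructed for illustration:

```python
import io
import re
import zipfile

# Runs of 4+ printable ASCII bytes, the same thing `strings` extracts.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def find_embedded_strings(apk_bytes, keyword="flag"):
    """Return (entry name, string) pairs for every printable run in a
    .dex entry of the APK that contains `keyword` (case-insensitive)."""
    needle = keyword.lower().encode()
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.endswith(".dex"):   # also covers classes2.dex etc.
                continue
            data = apk.read(name)
            for match in PRINTABLE_RUN.finditer(data):
                if needle in match.group().lower():
                    hits.append((name, match.group().decode("ascii")))
    return hits

def build_sample_apk():
    """Constructed stand-in for an APK: a zip whose classes.dex holds
    binary filler around two length-prefixed ASCII strings.
    It is not a valid DEX file, only enough bytes to scan."""
    dex = (b"dex\n035\x00" + b"\x00\x01\x02" * 8
           + b"\x1bCONSTRUCTED-FLAG-VALUE-0001\x00"
           + b"\x07\xff\xfe"
           + b"\x12Lcom/example/Main;\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Non-.dex entries are skipped, even if they contain the keyword.
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00flag-not-scanned")
        z.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, text in find_embedded_strings(build_sample_apk()):
        print(f"{entry}: {text}")
```

Anything this turns up in a release build is readable by anyone who downloads the APK, so secrets and keys found this way belong on the server side rather than in the app.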