Photo Drive

Challenge Description

Who doesn't love reverse engineering Android APKs! I'm kidding, not everyone does :D

But, you will have to get your hands dirty for this one as the only way to reach the flag is to break the APK open.

Do your RE and you will find your way!

Solution

Download and reverse the apk with apktool

apktool d photodrive.apk

I manually enumerated the application and found this comment

Viewing the GitHub repo commits, I found one that says "add security fixes", which removes the misconfigured server.

Further enumeration of the GitHub repo shows a branch with a commit that removes the misconfigured server, and that commit contains an S3 bucket link.

Using the AWS CLI, I was able to list the files and download them.

However, I received an access denied error when downloading account.txt. As I had done a similar challenge on Flaws.cloud before, I imported my own key with aws configure and was able to download the account.txt file.

You can refer to the level 2 writeup for more details.
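
Added example, not part of the original write-up: a denial that goes away once any AWS key is configured is the symptom of a grant to the AuthenticatedUsers group, the misconfiguration Flaws.cloud level 2 is built around. The script audits the JSON returned by aws s3api get-bucket-acl / get-object-acl for such grants. The bucket name, owner ID and sample ACLs are constructed assumptions, and the challenge bucket may have used a bucket policy instead of ACLs.

```python
import json

# Predefined S3 grantee groups that reach beyond the bucket owner's account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "anyone, unsigned requests included",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any AWS account holder with valid keys",
}

def audit_acl(resource, acl):
    """Return (resource, permission, audience) for each over-broad grant.

    `acl` is the parsed JSON from `aws s3api get-bucket-acl` or
    `aws s3api get-object-acl` (top-level keys: Owner, Grants).
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and audience:
            findings.append((resource, grant.get("Permission"), audience))
    return findings

# Constructed ACLs (assumption: they mimic the behaviour in the write-up, where
# listing worked but account.txt was denied until the request was signed).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
ALL = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SAMPLES = {
    "s3://example-bucket": json.dumps({"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL}, "Permission": "READ"}]}),
    "s3://example-bucket/account.txt": json.dumps({"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH}, "Permission": "READ"}]}),
}

def audit_samples():
    """Audit every constructed sample ACL and collect the findings."""
    results = []
    for resource, raw in SAMPLES.items():
        results.extend(audit_acl(resource, json.loads(raw)))
    return results

if __name__ == "__main__":
    for resource, permission, audience in audit_samples():
        print(f"{resource}: {permission} granted to {audience}")
```

Removing the group grants, or enabling S3 Block Public Access on the bucket, closes both findings.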

The account.txt file contains a set of credentials for AWS.

Access key ID: AKIAYX67JAH5N5WJIXRC
Secret access key: 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

Log in with this set of credentials using aws configure and get more information using the get-caller-identity command.

The username is a base64-encoded value, and upon decoding it I retrieved the flag.

Flag: flag-{GaW6NW8vzwIhh8qU643AV3ohh4gwDByw}
