OTP Vault
I created my own vault application to store my secrets. It uses OTP to unlock the vault so no one can steal my password!
Challenge
TL;DR: React native mobile app, can further decompile
index.android.bundle
to get app source.
Examining the source code of the APK with JADX
, we can see multiple references to com.facebook.react
indicating that this is a mobile app built with the React Framework.
Unzip the APK file and extract the assets/index.android.bundle
file. We can further decompile this file using react-native-decompiler to retrieve the source code of the app.
After decompiling, navigate to the output folder and we can see many .js
files being generated. The file of interest here is 396.js
, containg our OTP secret and getFlag
function:
function O() {
let n;
module7.default(this, O);
(n = b.call(this, ...args)).state = {
output: 'Insert your OTP to unlock your vault',
text: '',
};
n.s = 'JJ2XG5CIMFRWW2LOM4';
n.url = 'http://congon4tor.com:7777';
n.token = '652W8NxdsHFTorqLXgo=';
n.getFlag = function () {
let module7;
let o;
return regeneratorRuntime.default.async(
(u) => {
for (;;) {
switch ((u.prev = u.next)) {
case 0:
u.prev = 0;
module7 = {
headers: {
Authorization: 'Bearer KMGQ0YTYgIMTk5Mjc2NzZY4OMjJlNzAC0WU2DgiYzE41ZDwN',
},
};
u.next = 4;
return regeneratorRuntime.default.awrap(module400.default.get(`${n.url}/flag`, module7));
Now, to get the flag we can either input the OTP secret to any MFA app and generate the OTP and key it into the app, or simply send a request to the server:
curl -H "Authorization: Bearer KMGQ0YTYgIMTk5Mjc2NzZY4OMjJlNzAC0WU2DgiYzE41ZDwN" http://congon4tor.com:7777/flag
Flag: flag{5450384e093a0444e6d3d39795dd7ddd}