0xd13a

A rookie in a world of pwns

Sharif CTF 2018 Writeup: The Skeleton Key

200

The Skeleton Key

Find the flag :)

Download

Let’s open the APK with the following set of commands:

1
2
3
apktool d -s The\ Skeleton\ Key.apk 
dex2jar classes.dex 
java -jar cfr_0_113.jar --outputdir src classes_dex2jar.jar

Close inspection reveals nothing interesting - pretty much all the app does is display the picture of a skull:

1
2
3
4
        WebView webView = (WebView)this.findViewById(2131492941);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadDataWithBaseURL("", "<p><img height=\"100%\" width=\"100%\" 
		src=\"file:///android_asset/logo.svg\" /></p>", "text/html", "utf-8", "");

skull

At first glance there is nothing special about this image. However the Google search for similar images brings up the original for this picture, which is much smaller in size: https://upload.wikimedia.org/wikipedia/commons/e/e3/Skull-Icon.svg

Let’s load the image in http://www.clker.com/inc/svgedit/svg-editor.html. We can select and delete the skull, which reveals a large black dot remaining in the image. Once we stretch it out a little bit we discover the hash value:

skull

The flag is SharifCTF{be278492ae9b998eaebe3ca54c8000de}.