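├── .gitmodules
├── Dockerfile
├── README.md
├── challenge.apk
├── flag.txt
└── main.sh


/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "ws-scrcpy"]
2 | 	path = ws-scrcpy
3 | 	url = https://github.com/NetrisTV/ws-scrcpy
4 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | # Challenge image: Android 10 emulator + ws-scrcpy web front end.
2 | #
3 | # FROM budtmo2/docker-android-pro:emulator_headless_10.0
4 | # NOTE(review): the tag below is mutable; pin it by digest if the challenge
5 | # image has to be reproducible.
6 | FROM budtmo/docker-android:emulator_10.0
7 | 
8 | # Root is needed only for the package install and the ownership fix-ups below;
9 | # the image switches back to androidusr before the entrypoint runs.
10 | USER root
11 | 
12 | # Build toolchain used by `npm install` in ws-scrcpy. Update and install run in
13 | # one layer so a cached, stale package index is never paired with a fresh
14 | # install, and the index is removed afterwards to keep the layer small.
15 | RUN apt-get update \
16 |     && apt-get install -y --fix-missing build-essential \
17 |     && rm -rf /var/lib/apt/lists/*
18 | 
19 | WORKDIR /app
20 | # Copies the whole build context, including flag.txt and challenge.apk.
21 | # Anyone who can pull the built image can read the flag, so distribute only
22 | # the APK to players and keep the image itself private.
23 | COPY . .
24 | 
25 | WORKDIR /app/ws-scrcpy
26 | RUN npm install
27 | 
28 | WORKDIR /app
29 | # main.sh must be executable for ENTRYPOINT; ws-scrcpy is handed to the
30 | # unprivileged user that runs `npm start`.
31 | RUN chmod +x main.sh \
32 |     && chown -R androidusr:androidusr /app/ws-scrcpy
33 | 
34 | # ws-scrcpy web UI. Its upstream README states there is no authorization and
35 | # no encryption between browser and server, so publish this port only to the
36 | # intended player (per-team instance, reverse proxy with access control).
37 | EXPOSE 8000
38 | 
39 | USER androidusr
40 | ENTRYPOINT ["/app/main.sh"]


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CTF Mobile Exploitation
2 | The setup being used for mobile exploitation in the TCP1P CTF 2023.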
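3 | 


--------------------------------------------------------------------------------
/challenge.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/CTF-Mobile-Exploitation/fef8912a924faa221a1435e04aac77e66fe3be91/challenge.apk


--------------------------------------------------------------------------------
/flag.txt:
--------------------------------------------------------------------------------
1 | TCP1P{M4l1c1ou5_Int3nti0ns}


--------------------------------------------------------------------------------
/main.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # Container entrypoint. Boots the emulator, disables verified boot, installs
4 | # the challenge APK, places flag.txt in the app's private files directory,
5 | # removes su, and finally serves the device through ws-scrcpy.
6 | 
7 | # Start the docker-android emulator stack detached from this script.
8 | (cd /home/androidusr; nohup /home/androidusr/docker-android/mixins/scripts/run.sh &)
9 | 
10 | # Print a message to stderr and stop. Used for provisioning steps whose
11 | # failure would leave a device with no APK or with a flag the app cannot
12 | # read; such a device should not be served to players.
13 | function die() {
14 |     echo "main.sh: $*" >&2
15 |     exit 1
16 | };
17 | 
18 | # Block until adb sees the emulator and no longer reports it as "offline".
19 | function wait_for_device() {
20 |     echo "Waiting for device..."
21 |     adb wait-for-device
22 | 
23 |     while [ "$(adb get-state)" == "offline" ]; do
24 |         sleep 1
25 |     done
26 | };
27 | 
28 | # First boot: turn off AVB verification and dm-verity, then reboot so the
29 | # change takes effect. This is what allows `adb remount` in init_device.
30 | function setup_device() {
31 |     echo "Setting up device..."
32 | 
33 |     adb root
34 |     # adbd restarts when it switches to root; give it time, then make sure
35 |     # the connection is back before issuing further commands.
36 |     sleep 5
37 |     adb wait-for-device
38 | 
39 |     adb shell avbctl disable-verification
40 |     adb disable-verity
41 |     adb reboot
42 | };
43 | 
44 | # Second boot: install the challenge, plant the flag, remove su, reboot.
45 | function init_device() {
46 |     echo "Initializing device..."
47 | 
48 |     adb root
49 |     sleep 5
50 |     adb wait-for-device
51 | 
52 |     adb remount
53 | 
54 |     adb install challenge.apk || die "adb install challenge.apk failed"
55 | 
56 |     package_name='com.kuro.intention'
57 |     adb push flag.txt "/data/data/$package_name/files/flag.txt" \
58 |         || die "could not push flag.txt"
59 | 
60 |     # dumpsys can print more than one userId= line and adb may append \r to
61 |     # each line, so keep only the first numeric value. Without the check an
62 |     # empty uid would turn the chown into `chown -R :`, leaving the flag
63 |     # owned by root and unreadable by the app.
64 |     app_uid=$(adb shell dumpsys package "$package_name" \
65 |         | tr -d '\r' | grep -o 'userId=[0-9]*' | head -n 1 | cut -d "=" -f 2)
66 |     [[ "$app_uid" =~ ^[0-9]+$ ]] \
67 |         || die "could not resolve uid of $package_name (got '$app_uid')"
68 |     adb shell chown -R "$app_uid:$app_uid" "/data/data/$package_name/files"
69 | 
70 |     # Remove su so a plain shell on the device cannot elevate and read the
71 |     # app-private flag directly.
72 |     # NOTE(review): the reboot presumably also returns adbd to its non-root
73 |     # state, since the `adb root` request is not expected to survive a
74 |     # reboot; confirm with `adb shell id` once the device is back up.
75 |     adb shell rm -f /system/xbin/su
76 |     adb reboot
77 | };
78 | 
79 | adb start-server
80 | 
81 | wait_for_device
82 | setup_device
83 | 
84 | wait_for_device
85 | init_device
86 | 
87 | wait_for_device
88 | # Poll until Android reports that boot has finished; \r is stripped so the
89 | # comparison also works when adb returns CRLF line endings.
90 | while true; do
91 |     result=$(adb shell getprop sys.boot_completed 2>&1 | tr -d '\r')
92 | 
93 |     if [ "$result" == "1" ]; then
94 |         break
95 |     fi
96 | 
97 |     sleep 1
98 | done
99 | 
100 | # Give Chrome on the device read/write access to external storage.
101 | adb shell pm grant com.android.chrome android.permission.READ_EXTERNAL_STORAGE
102 | adb shell pm grant com.android.chrome android.permission.WRITE_EXTERNAL_STORAGE
103 | 
104 | # Serve the device over ws-scrcpy. Stop if the directory is missing rather
105 | # than running `npm start` somewhere else.
106 | cd ./ws-scrcpy || die "ws-scrcpy directory not found"
107 | npm start
108 | 


--------------------------------------------------------------------------------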