In this post, I’ll walk through the solutions to the network manipulation challenges I was able to solve. Unlike my other posts, I couldn’t complete all the challenges this time, so I’ll only be sharing the ones I managed to crack.

Before we begin, let’s set up the Burp Suite proxy for our Android environment.

First, export the Burp certificate and push it to the emulator.

00 - Setup Proxy

01 - certificate

03 - Proxy

Next, access a rooted shell and run the script created by Tim Perry from HTTP Toolkit. This script installs the certificate as a trusted root, allowing us to intercept HTTPS traffic.

04 - Inject root cert

HTTP(s)

1 - Description

00 - Description

2 - Obtaining 1st Flag

The first HTTPS challenge was straightforward. I simply set up the proxy and captured the HTTP response.

01 - Get the flag

02 - Lesson Learned

3 - Obtaining 2nd Flag

The second flag was also easy to obtain, thanks to the system certificate we had already set up. Although the traffic was over HTTPS, it didn’t matter since we could intercept it. The only trick was modifying a boolean value in the request to true to reveal the flag.

04 - Flag

05 - Lesson Learned

4 - Obtaining 3rd Flag

For the third flag, I intercepted the server response and modified the log_flag boolean to true. This triggered the client-side app to log the flag in logcat.

06 - intercept response

07 - Lesson Learned

WebSocket

1 - Description

00 - Description

2 - Obtaining Flag

The WebSocket challenge was easy, thanks to Burp’s built-in WebSocket support. I simply opened the WebSocket tab and found the flag in the messages.

01 - Socket

02 - lesson learned

MQTT

1 - Description

00 - Description

2 - Obtaining 1st Flag

I was only able to capture the first flag in the MQTT challenge, which was fairly straightforward. While the proxy was running, I opened Wireshark and monitored all outgoing connections from my machine. One of them was using the MQTT protocol, and I found the flag in that traffic.

01 - Flag

02 - lesson learned

3 - Trying for 2nd Flag

The second part of the challenge required modifying the topic from /flag_22 to /flag_2, which was a typo. I attempted to recreate the MQTT message using Scapy, but couldn’t get it to work. I believe I was close to solving it, but I’m not yet confident enough with crafting MQTT packets manually.

03 - wireshark dump
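Changing the topic from /flag_22 to /flag_2 shortens it by one byte, so the two-byte topic length prefix and the Remaining Length in the fixed header both have to be recomputed, which is easy to miss when editing a captured packet by hand. The following is an added example, not code from the original post: it parses and rebuilds the MQTT bytes in plain Python without Scapy. It assumes the captured message is an MQTT 3.1.1 PUBLISH; the function names, the sample packet and its payload are constructed for illustration.

```python
import struct

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB set = more bytes."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def decode_remaining_length(buf: bytes, pos: int = 1):
    """Return (value, offset of the first byte after the length field)."""
    value = 0
    for i in range(4):  # the field is at most four bytes long
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed remaining length")

def parse_publish(packet: bytes):
    """Split a PUBLISH packet into (flags, topic, packet_id, payload)."""
    if packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    flags = packet[0] & 0x0F
    length, pos = decode_remaining_length(packet)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    (tlen,) = struct.unpack_from("!H", body, 0)
    topic, rest = body[2:2 + tlen].decode("utf-8"), body[2 + tlen:]
    has_id = bool(flags & 0x06)  # QoS 1 or 2 carries a two-byte packet identifier
    packet_id = struct.unpack_from("!H", rest, 0)[0] if has_id else None
    return flags, topic, packet_id, (rest[2:] if has_id else rest)

def build_publish(flags: int, topic: str, packet_id, payload: bytes) -> bytes:
    """Serialize a PUBLISH, deriving both length fields from the content."""
    name = topic.encode("utf-8")
    pid = struct.pack("!H", packet_id) if flags & 0x06 else b""
    body = struct.pack("!H", len(name)) + name + pid + payload
    return bytes([0x30 | flags]) + encode_remaining_length(len(body)) + body

def retopic(packet: bytes, new_topic: str) -> bytes:
    flags, _, packet_id, payload = parse_publish(packet)
    return build_publish(flags, new_topic, packet_id, payload)

SAMPLE = build_publish(0, "/flag_22", None, b"constructed-payload")  # constructed, not the real capture
```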

Sharks on the Wire

1 - Description

00 - Description

2 - Obtaining 1st Flag

I was only able to retrieve the first flag in the Sharks on the Wire challenge. It was exposed through an unencrypted DNS request, which clearly revealed the flag.

01 - First flag

02 - lesson learned

The second flag was more challenging—it involved an encrypted request, and I wasn’t sure how to proceed from there.

I gave my best effort but couldn’t solve the remaining challenges, such as Certificate Pinning and the DNS-related one.
