Sekai CTF Rev Challenge: Crack Me
Decompiling the app and running rg "sekai", I found admin@sekai.team. Confirmed that admin@sekai.team is a real user; now I just need to find the password.
I found 03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524 in the same code/configuration block as the admin user. This seems to be an AES-encrypted string: it is 64 hex characters, i.e. 32 bytes, which is exactly two AES blocks.
At the end of the same code block from resources I found the key, IV, and the AES-encrypted password:
key = "react_native_expo_version_47.0.0"
iv = "__sekaictf2023__"
encrypt_pswd = "03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524"
length: 17
The key is 32 bytes (so AES-256) and the IV is 16 bytes (one block), which is all CyberChef's AES Decrypt needs in raw-key mode. Using the magic of CyberChef we get the 17-character admin password s3cr3t_SEKAI_P@ss.
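The CyberChef step can be reproduced in code, and doing so makes the sanity checks explicit. The block below is an added example written for this page, not code from the original write-up or from the challenge app. It uses the key, IV and ciphertext quoted above together with the `cryptography` package, and it assumes CBC mode with PKCS#7 padding (the CryptoJS and CyberChef defaults); that assumption is consistent with the sizes, since only a padded block mode turns a 17-byte password into exactly 32 bytes of ciphertext, whereas a stream mode such as CTR would give 17.

```python
"""Recover the admin password from the AES material found in the decompiled bundle.

Added example for this write-up. Key, IV and ciphertext are the values quoted on
the page; CBC mode with PKCS#7 padding is an assumption (CryptoJS / CyberChef
defaults), consistent with a 17-byte plaintext producing a 32-byte ciphertext.
"""

KEY = b"react_native_expo_version_47.0.0"   # 32 bytes -> AES-256
IV = b"__sekaictf2023__"                    # 16 bytes -> exactly one AES block
CIPHERTEXT_HEX = "03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524"
BLOCK = 16


def aes_variant(key: bytes) -> str:
    """Name the AES variant implied by the key length, or raise if it is not a valid key."""
    sizes = {16: "AES-128", 24: "AES-192", 32: "AES-256"}
    if len(key) not in sizes:
        raise ValueError(f"{len(key)}-byte key is not a valid AES key")
    return sizes[len(key)]


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed.

    A wrong key or IV almost always shows up here as a padding error rather
    than as readable-looking garbage.
    """
    if not data or len(data) % block:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def expected_plaintext_range(ciphertext: bytes, block: int = BLOCK) -> range:
    """Plaintext lengths that a PKCS#7-padded block-mode ciphertext of this size can hide."""
    if not ciphertext or len(ciphertext) % block:
        raise ValueError("not a padded block-mode ciphertext")
    return range(len(ciphertext) - block, len(ciphertext))


def aes_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """AES-CBC decrypt and unpad using the `cryptography` package (imported lazily)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    aes_variant(key)                       # validates the key length
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    return pkcs7_unpad(padded)


def recover_password() -> str:
    """Decrypt the page's ciphertext with the page's key and IV."""
    return aes_cbc_decrypt(KEY, IV, bytes.fromhex(CIPHERTEXT_HEX)).decode()


if __name__ == "__main__":
    ct = bytes.fromhex(CIPHERTEXT_HEX)
    print(aes_variant(KEY), "CBC, ciphertext is", len(ct), "bytes")
    r = expected_plaintext_range(ct)
    print(f"plaintext must be between {r.start} and {r.stop - 1} bytes long")
    print("password:", recover_password())
```

Run it directly to print the AES variant, the range of plaintext lengths the ciphertext can hide (16 to 31 bytes here, so the 17 noted above fits) and the password. If the key or IV were wrong, `pkcs7_unpad` raises instead of handing back mojibake, which is the check you want before trusting any "decrypted" value in a login attempt.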
If we try to use that to log into the app, it gives us this:
Which is not super helpful, but we do know this is a Firebase application, so we can start grepping the resources folder for the project's API key to see if we can get any additional information. Google API keys, Firebase web API keys included, start with AIza, so I tried rg "AIz", and would you look at that, we got the API key AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk. Note that a Firebase web API key is not a secret: it only identifies the project to Google's APIs, and what an authenticated user can then read or write is decided entirely by the project's Security Rules, which is exactly what the rest of this write-up ends up probing.
Next we need some additional information about the project. If you look at the output of the grep that found the API key, the rest of the configuration we need sits directly after it:
# Firebase project configuration
config = {
    "apiKey": "AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk",
    "authDomain": "crackme-1b52a.firebaseapp.com",
    "databaseURL": "https://crackme-1b52a-default-rtdb.firebaseio.com",
    "projectId": "crackme-1b52a",
    "storageBucket": "crackme-1b52a.appspot.com",
    "messagingSenderId": "544041293350",
    "appId": "1:544041293350:web:2abc55a6bb408e4ff838e7",
    "measurementId": "https://crackme-1b52a-default-rtdb.firebaseio.com"
}
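Eyeballing rg output works for one app; the script below does the same hunt with regular expressions so it can be pointed at a whole directory of decompiled bundles. It is an added example, not part of the write-up, and it runs over a constructed stand-in for the decompiled resources (the real bundle contents are not on this page; the stand-in reuses the identifiers quoted above). It encodes two facts worth remembering: Google API keys are `AIza` followed by 35 URL-safe characters, and a Firebase project ID leaks through its `*.firebaseapp.com`, `*.appspot.com` and `*-default-rtdb.firebaseio.com` hostnames even when the config object itself has been minified or split up.

```python
"""Scrape Firebase project identifiers out of decompiled app resources.

Added example for this write-up. SAMPLE is a constructed stand-in for a
minified bundle (not the real challenge file); it reuses the identifiers
quoted on the page plus one decoy that must not match.
"""
import re

SAMPLE = r'''
var config={apiKey:"AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk",authDomain:"crackme-1b52a.firebaseapp.com",
databaseURL:"https://crackme-1b52a-default-rtdb.firebaseio.com",projectId:"crackme-1b52a",
storageBucket:"crackme-1b52a.appspot.com",messagingSenderId:"544041293350"};
var decoy="AIzaNotAKey";
'''

# Google API keys: literal "AIza" followed by exactly 35 URL-safe characters (39 total).
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Firebase-owned hostnames whose first label is (derived from) the project ID.
FIREBASE_HOST_RE = re.compile(
    r"\b([a-z0-9-]+)\.(firebaseio\.com|firebaseapp\.com|appspot\.com)\b"
)

# Config fields as they appear in both minified (apiKey:"...") and quoted ("apiKey": "...") form.
CONFIG_FIELD_RE = re.compile(
    r'\b(apiKey|authDomain|databaseURL|projectId|storageBucket'
    r'|messagingSenderId|appId|measurementId)\b"?\s*:\s*"([^"]*)"'
)


def find_api_keys(text: str) -> list[str]:
    """All distinct Google API keys in the text, sorted."""
    return sorted(set(API_KEY_RE.findall(text)))


def find_firebase_hosts(text: str) -> list[str]:
    """All distinct Firebase hostnames in the text, sorted."""
    return sorted({m.group(0) for m in FIREBASE_HOST_RE.finditer(text)})


def project_ids(text: str) -> list[str]:
    """Project IDs recovered from hostnames; the RTDB host carries a -default-rtdb suffix."""
    return sorted({re.sub(r"-default-rtdb$", "", m.group(1))
                   for m in FIREBASE_HOST_RE.finditer(text)})


def find_firebase_config(text: str) -> dict[str, str]:
    """Reassemble the firebase config object from whatever fields are present."""
    return dict(CONFIG_FIELD_RE.findall(text))


def rtdb_url(project_id: str) -> str:
    """The default Realtime Database REST base for a project (assumes the default instance)."""
    return f"https://{project_id}-default-rtdb.firebaseio.com"


if __name__ == "__main__":
    print("api keys:", find_api_keys(SAMPLE))
    print("hosts:   ", find_firebase_hosts(SAMPLE))
    print("projects:", project_ids(SAMPLE))
    for pid in project_ids(SAMPLE):
        print("rtdb:    ", rtdb_url(pid))
    for k, v in find_firebase_config(SAMPLE).items():
        print(f"{k:>18}: {v}")
```

To use it on a real bundle, read the decompiled files into `text` instead of `SAMPLE`; because the hostname regex recovers the project ID on its own, you still get the RTDB URL even when the config object is missing or the `databaseURL` field was never set.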
Final code to get the flag
import requests

api_key = "AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk"
email = "admin@sekai.team"
password = "s3cr3t_SEKAI_P@ss"

# Firebase Auth REST endpoint (Identity Toolkit); the web API key only identifies the project
auth_url = f"https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key={api_key}"
payload = {
    "email": email,
    "password": password,
    "returnSecureToken": True,
}
# The endpoint documents a JSON request body, so send it as JSON rather than form data
auth_response = requests.post(auth_url, json=payload, timeout=15)

if auth_response.status_code == 200:
    auth_data = auth_response.json()
    id_token = auth_data["idToken"]  # Firebase ID token (a JWT) used to authenticate to the RTDB
    uid = auth_data["localId"]       # the user's UID, which is the key under /users/
    # RTDB REST read of this user's own node; Security Rules decide whether the token is enough
    db_url = f"https://crackme-1b52a-default-rtdb.firebaseio.com/users/{uid}/flag.json?auth={id_token}"
    db_response = requests.get(db_url, timeout=15)
    if db_response.status_code == 200:
        flag = db_response.json()
        if flag:
            print("Flag:", flag)
        else:
            print("No flag found.")  # the path is readable but holds null
    else:
        print("Failed to retrieve data from the database:", db_response.json())
else:
    print("Failed to authenticate:", auth_response.json())
All that's left to do is run it, and would you look at that, flag acquired:

Flag: SEKAI{15_React_N@71v3_R3v3rs3_H@RD???}

The takeaway for anyone shipping a React Native app: the admin credentials, the AES key and the IV all lived inside the client bundle, so the encryption added nothing. Anything the app can decrypt on the device, the user holding the device can decrypt too, and the only control that would have mattered here is server-side (Firebase Security Rules and not putting secrets in user-reachable nodes).