ICMTC CTF — DFIR Challenge Writeup “Mega Mind”

Ebrahim Mustafa
3 min read, Jul 31, 2023


First, this was my first time analyzing an APK file.

When I searched for how to analyze it, I found that I could use apktool, jadx, or Frida (for hooking the app). I will go with the jadx GUI.

These are the challenge files:

Challenge Description:

While analyzing one of the phones of an arrested cybercriminal group, I found an interesting app called “MEGA”. Unfortunately, the suspects locked the app with a pattern, and I believe they used it to spread malicious files.

Anyway, I pulled the application and its database files, in case you can help to find the name of the file the suspect uploaded.

We have the database files and the APK.

Let’s start with the database. I will use DB Browser for SQLite to show what it contains.

After some searching, I found that megapreferences has a table named ’completedtransfers’. Let’s show it:

We have Base64-encoded text. Let’s try to decode it:

We got nothing. Let’s search for what that is, or for how MEGA stores tokens and data in megapreferences.

I found a good article in this link:

https://askclees.com/2022/05/10/decrypting-megas-megaprefences-sqlite-database/

Now I know what to search for in the APK file: the encryption and decryption functions. Let’s go to jadx:

I will search for an AES key, because in the article you will find that the encryption uses AES in ECB mode:

The key is:

And I found it is more than 32 bytes long.

Let’s write a Python script for the decryption:

from Cryptodome.Cipher import AES
import base64

def decrypt_aes_ecb(ciphertext, key):
    # Java's Cipher.getInstance("AES") defaults to ECB with PKCS#5 padding,
    # so strip well-formed PKCS#7 padding instead of printing it with the text
    cipher = AES.new(key, AES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext)
    pad = plaintext[-1]
    if 1 <= pad <= 16 and plaintext.endswith(bytes([pad]) * pad):
        plaintext = plaintext[:-pad]
    return plaintext.decode()

# Base64 encoded ciphertext from the completedtransfers table
encoded_ciphertext = 'bDYn7kAniulcMw5N9PyQ3XQ5kjZpkrKdOD6ID+S2Mdo='

# AES key string found in the APK (longer than the 32 bytes AES-256 uses)
key = b'4ndr0!d_3gc3rt8 w4y*(Nc$G*(G($*GG*(#)*huio13337$G'

# Decode the Base64 ciphertext
decoded_ciphertext = base64.b64decode(encoded_ciphertext)

# Decrypt using AES-ECB with the first 32 bytes of the key
decrypted_text = decrypt_aes_ecb(decoded_ciphertext, key[0:32])

print("Decrypted Text:")
print(decrypted_text)

I am slicing the key to 32 bytes to decrypt the text, and the result is:

The flag is:

EGCERT{W3ll_D0n3_M3g4_M!nd}

Lessons learned:

Trying to understand how things work, and searching for it, can help you achieve almost anything.
