h@cktivitycon 2021 CTF writeup: Reactor Android Challenge

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

Hey there, HackerOne hosted h@activitycon 2021 CTF a few weeks back. I got time to play around with a few challenges. Here is the write-up about the Reactor challenge.

The challenge

The challenge says “We built this app to protect the reactor codes” & the flag format is flag{xxxxxx}

Let’s download & install the reactor.apk

The application is expecting 4 digits numeric code.

I entered 1111 pin to observe the output. The app responded with some unreadable characters. So, 1111 is not the correct pin.

We’ll have to look at the source code to understand the logic. Our next step is to open the APK using jadx-gui.

Let’s navigate to com > reactor > MainActivity

There is only one method(not usual) which returns the string “Reactor”. If we look at the imported packages we can conclude that the app is built with React Native technology.

The presence of React Native libraries suggests that the application logic should have been written in the javascript files.

The location of the JS file is at assets/index.android.bundle

index.android.bundle file was both obfuscated

Read the article