Challenges

Clear
All 138 Web 14 Pwn 11 Crypto 11 Forensics 11 Rev 10 Misc 11 OSINT 10 network 11 Mobile 14 Cloud 14 web3 12 Linux 9
Mobile Easy

Android Backup Extraction

An Android backup file (backup.ab) is provided. The backup format is: AES-256 encrypted header if a password was set, or raw zlib if not. This one has no password. Decompress the backup, navigate the tar-like structure, and find the flag in a SharedPreferences XML file.

150 pts
Mobile Easy

Exposed Android Component

AcmeVault declares SecretActivity with android:exported='true' and no permission requirement. Any app or adb command can launch it directly to retrieve the access token.

100 pts
2 solves 🩸
Mobile Easy

Hardcoded Secrets in APK

A developer left test credentials hardcoded in BuildConfig.java and an encoded string in strings.xml. Decompile the APK and decode the hidden value.

150 pts
1 solve 🩸
Mobile Easy

Insecure SQLite Storage

The Notes app stores private admin data in an unencrypted SQLite database. On a rooted device or via adb backup, the DB can be extracted and read directly.

150 pts
1 solve 🩸
Mobile Medium

Deep Link Token Weakness

AcmeCorp Portal's deep link handler validates session tokens only by prefix ('SES-') and length (16 chars) — no cryptographic check. Craft a valid URL and launch it.

250 pts
1 solve 🩸
Mobile Medium

React Native Bundle Reversing

An Android APK built with React Native contains a JavaScript bundle at assets/index.android.bundle. The bundle is minified but not encrypted. Find the hardcoded API secret and the flag validation logic in the JS, then compute the correct flag from the validation function.

300 pts
Mobile Medium

Root Detection Bypass

SecureApp checks for su binaries, test-keys, and Magisk via RootGuard.isRooted(). Hook the method with Frida to return false, then call getAccessToken().

250 pts
1 solve 🩸
Mobile Medium

SSL Certificate Pinning Bypass

AcmeShopping implements OkHttp3 certificate pinning. Bypass it with Frida to proxy HTTPS traffic through Burp Suite. The flag is hidden in a response header.

250 pts
Mobile Hard

AES-ECB Hardcoded Key

CryptoStore derives an AES key from a hardcoded password via MD5 and uses ECB mode. The ciphertext is a constant in the class. Recover the password, derive the key, and decrypt.

350 pts
Mobile Hard

iOS IPA Decryption + Class-dump

A decrypted iOS IPA is provided (App Store binaries are encrypted — this one has been dumped from a jailbroken device). Use class-dump or dsdump to reconstruct ObjC class headers. Find the FlagManager class, identify its -generateSecretToken method, and trace the token generation algorithm to compute the flag.

400 pts
Mobile Hard

iOS NSUserDefaults Insecurity

The iOS app stores a sensitive internal config in NSUserDefaults (a plain plist file) instead of the Keychain. The value is encoded using another field in the same file as the key.

350 pts
Mobile Insane

Dynamic DEX Malware Analysis

DropperActivity decrypts a DEX payload from assets/ using a rolling XOR key and loads it via DexClassLoader. Decrypt it statically or dump it at runtime with Frida, then decompile.

500 pts
Mobile Insane

Flutter Binary Reversing

A Flutter app's libapp.so contains compiled Dart AOT code. The flag is validated inside the Dart VM. Use blutter (Flutter/Dart AOT reverse engineering tool) to reconstruct class/method information, identify the flag checker, and reverse the obfuscated Dart bytecode to find the correct input.

500 pts
Mobile Insane

Native Anti-Tamper Bypass

libguard.so uses ptrace(PTRACE_TRACEME) to detect debuggers. Hook ptrace in libc via Frida's native Interceptor to always return 0, then call getProtectedToken().

450 pts