Challenges

Mobile Easy

Exposed Android Component

AcmeVault declares SecretActivity with android:exported='true' and no permission requirement. Any app or adb command can launch it directly to retrieve the access token.

100 pts
2 solves 🩸
Mobile Easy

Hardcoded Secrets in APK

A developer left test credentials hardcoded in BuildConfig.java and an encoded string in strings.xml. Decompile the APK and decode the hidden value.

150 pts
1 solve 🩸
Mobile Easy

Insecure SQLite Storage

The Notes app stores private admin data in an unencrypted SQLite database. On a rooted device or via adb backup, the DB can be extracted and read directly.

150 pts
1 solve 🩸
Mobile Medium

Deep Link Token Weakness

AcmeCorp Portal's deep link handler validates session tokens only by prefix ('SES-') and length (16 chars) — no cryptographic check. Craft a valid URL and launch it.

250 pts
1 solve 🩸
Mobile Medium

Root Detection Bypass

SecureApp checks for su binaries, test-keys, and Magisk via RootGuard.isRooted(). Hook the method with Frida to return false, then call getAccessToken().

250 pts
1 solve 🩸
Mobile Medium

SSL Certificate Pinning Bypass

AcmeShopping implements OkHttp3 certificate pinning. Bypass it with Frida to proxy HTTPS traffic through Burp Suite. The flag is hidden in a response header.

250 pts
Mobile Hard

AES-ECB Hardcoded Key

CryptoStore derives an AES key from a hardcoded password via MD5 and uses ECB mode. The ciphertext is a constant in the class. Recover the password, derive the key, and decrypt.

350 pts
Mobile Hard

iOS NSUserDefaults Insecurity

The iOS app stores a sensitive internal config in NSUserDefaults (a plain plist file) instead of the Keychain. The value is encoded using another field in the same file as the key.

350 pts
Mobile Insane

Dynamic DEX Malware Analysis

DropperActivity decrypts a DEX payload from assets/ using a rolling XOR key and loads it via DexClassLoader. Decrypt it statically or dump it at runtime with Frida, then decompile.

500 pts
Mobile Insane

Native Anti-Tamper Bypass

libguard.so uses ptrace(PTRACE_TRACEME) to detect debuggers. Hook ptrace in libc via Frida's native Interceptor to always return 0, then call getProtectedToken().

450 pts