
Description:
This CTF focuses on using Kali Linux tools to perform basic mobile application penetration testing. You will be given a vulnerable APK and will use Kali tools to find security flaws.
Scenario:
You've installed the CrawConnect APK on an Android emulator running within Kali Linux. You begin by using Apktool to decompile the APK.
Question 1:
What is used for decoding resources to nearly original form?
Scenario:
You've successfully decompiled the APK and now want to use grep to search for the string "password" within the decompiled code.
Question 2:
What is the command that is used to search text in a file?
Scenario:
You've set up Burp Suite and configured your Android emulator to route traffic through it. You intercept an HTTP request containing sensitive user data.
Question 3:
What type of software allows you to proxy HTTP(S) traffic?
Scenario:
Using the adb (Android Debug Bridge) tool in Kali, you want to access the device's shell.
Question 4:
What terminal command allows you to directly access the Android device shell?
Scenario:
You've identified a SQLite database file within the app's data directory. You use the sqlite3 command-line tool to open and query the database.
Question 5:
What command is used to manage SQLite databases?
Scenario:
You've found a certificate pinning implementation that prevents Burp Suite from intercepting the app's traffic. You use Frida to bypass the certificate pinning.
Question 6:
What tool is used to inject snippets of JavaScript?
Scenario:
You've used dex2jar in Kali to convert the APK's DEX file to a JAR file.
Question 7:
What tool is used to convert .dex to .jar?
Scenario:
After converting the DEX file to JAR, you use JD-GUI to analyze the Java code.
Question 8:
What is Java Decompiler?
Scenario:
While performing dynamic analysis, you use Drozer to interact with the Dalvik VM.
Question 9:
Security assessment framework for Android.