IOT Connect

Hello everyone , In this blog post , I will try to explain my solution steps for IOT Connect challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

PreviousMobile Hacking Lab NextStrings

Last updated 4 months ago

IOT Connect

Hello everyone , In this blog post , I will try to explain my solution steps for IOT Connect challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

After we install The APK then we open it and register then login with our account
After the login we found that we can’t control all devices !!!
Our Approach to Enable the Master switch let’s try to Use It
we don’t have any pin code
Let’s Examine the AndroidManifest.xml Specific this activity com.mobilehackinglab.iotconnect.MasterSwitchActivity
- this code have some things :
  - First User cannot Control the Master Switch
  - Valid users must enter a PIN before enabling the switch.
  - THEN the app send intent to enable The Master Switch
Let’s examine the BroadcastReceiver initialize Class then we found that :
It Will work when the Pin is correct
After Search in the code i found Checker Class

Here we have the Pin OSnaALIWUkpOziVAMycaZQ== and use AES Encryption hard Coded in our application , let’s create a script to decrypt it

from Crypto.Cipher import AES
import base64

encrypted_text = 'OSnaALIWUkpOziVAMycaZQ=='  # The base64 encoded string from the Java code

def create_key_from_number(num):
    """
    Create a 16-byte key from a number by converting it to a byte array
    and padding with zeros to ensure the key length is 16 bytes.
    """
    key = str(num).encode('utf-8')  # Convert number to bytes
    key = key.ljust(16, b'\0')  # Pad the key to 16 bytes if it's shorter
    return key

def attempt_decrypt(encrypted_text, key):
    """
    Attempt to decrypt the encrypted text using the provided key.
    Returns the decrypted text if successful, or None if decryption fails.
    """
    cipher = AES.new(key, AES.MODE_ECB)
    try:
        decrypted_bytes = cipher.decrypt(base64.b64decode(encrypted_text))
        decrypted_text = decrypted_bytes.decode('utf-8').strip()
        return decrypted_text
    except (ValueError, UnicodeDecodeError):
        return None

def brute_force_decrypt(encrypted_text):
    """
    Brute-force attempt to find the correct key for AES decryption.
    Searches for a key that produces meaningful output, like "master_on".
    """
    for num in range(1000):
        key = create_key_from_number(num)
        decrypted_text = attempt_decrypt(encrypted_text, key)
        
        if decrypted_text and "master_on" in decrypted_text:
            print(f"Decrypt success and the key is {num}")
            print(f"Decrypted text: {decrypted_text}")
            return
    print("No valid key found")

# Start the brute-force decryption attempt
brute_force_decrypt(encrypted_text)

Then we will call the broadcast receiver MasterReceiver with MASTER_ON action of the broadcast intent , 345 as key : adb shell am broadcast -a MASTER_ON --ei key 345

and here we done by Macking all Devices Turned on

PreviousMobile Hacking Lab NextStrings

Last updated 4 months ago

After we install The APK then we open it and register then login with our account
After the login we found that we can’t control all devices !!!
Our Approach to Enable the Master switch let’s try to Use It
we don’t have any pin code
Let’s Examine the AndroidManifest.xml Specific this activity com.mobilehackinglab.iotconnect.MasterSwitchActivity
- this code have some things :
  - First User cannot Control the Master Switch
  - Valid users must enter a PIN before enabling the switch.
  - THEN the app send intent to enable The Master Switch
Let’s examine the BroadcastReceiver initialize Class then we found that :
It Will work when the Pin is correct
After Search in the code i found Checker Class

Here we have the Pin OSnaALIWUkpOziVAMycaZQ== and use AES Encryption hard Coded in our application , let’s create a script to decrypt it

from Crypto.Cipher import AES
import base64

encrypted_text = 'OSnaALIWUkpOziVAMycaZQ=='  # The base64 encoded string from the Java code

def create_key_from_number(num):
    """
    Create a 16-byte key from a number by converting it to a byte array
    and padding with zeros to ensure the key length is 16 bytes.
    """
    key = str(num).encode('utf-8')  # Convert number to bytes
    key = key.ljust(16, b'\0')  # Pad the key to 16 bytes if it's shorter
    return key

def attempt_decrypt(encrypted_text, key):
    """
    Attempt to decrypt the encrypted text using the provided key.
    Returns the decrypted text if successful, or None if decryption fails.
    """
    cipher = AES.new(key, AES.MODE_ECB)
    try:
        decrypted_bytes = cipher.decrypt(base64.b64decode(encrypted_text))
        decrypted_text = decrypted_bytes.decode('utf-8').strip()
        return decrypted_text
    except (ValueError, UnicodeDecodeError):
        return None

def brute_force_decrypt(encrypted_text):
    """
    Brute-force attempt to find the correct key for AES decryption.
    Searches for a key that produces meaningful output, like "master_on".
    """
    for num in range(1000):
        key = create_key_from_number(num)
        decrypted_text = attempt_decrypt(encrypted_text, key)
        
        if decrypted_text and "master_on" in decrypted_text:
            print(f"Decrypt success and the key is {num}")
            print(f"Decrypted text: {decrypted_text}")
            return
    print("No valid key found")

# Start the brute-force decryption attempt
brute_force_decrypt(encrypted_text)

Then we will call the broadcast receiver MasterReceiver with MASTER_ON action of the broadcast intent , 345 as key : adb shell am broadcast -a MASTER_ON --ei key 345

and here we done by Macking all Devices Turned on