Weak Cryptography

Weak cryptography can be detrimental to an application's security.

The DVIA-v2 application contains two broken cryptography challenges; since it is a public, intentionally vulnerable application, we'll use it as the example here.

We can use Frida to hook the functions and view the important information such as the password, IV, salt, encryption type, etc.

In order to do this we must first trace the functions. Because frida-trace is case-sensitive, we trace every method of any class or instance whose name matches *rypt*, which catches Crypto, crypto and anything else containing that substring.

$ frida-trace -U -m "*[*rypt* *]" -p $(frida-ps -Ua | awk '/DVIA/ {print $1}')

We can see that all of the matching functions have been traced but we are only concerned with those that are used when we do the challenges, therefore we need to enter some information within the application.

Now we need to extract the relevant information from the traced functions. frida-trace generates one handler file per method, so open the appropriate one (__handlers__/RNCryptor/keyForPasswordsalt_settings.js) and edit it so that Frida prints the password, IV and key as strings, which is what we need to decrypt our data.

When we go back to the application and re-enter the credentials, Frida prints the password, salt and key. There are a couple of other functions that may need to be traced, but as this is supposed to be treated like a CTF I won't give away all the info. Having said that, it shouldn't be too difficult to figure out from here.

We can then use CyberChef to decrypt the information.

Using Objection

Frida is the more granular way of achieving this, but the same task is far easier in Objection.

Launch the application using Objection:

$ objection -g $(frida-ps -Ua | awk '/DVIA/ {print $3}') explore

Objection has a feature designed specifically for reading and monitoring crypto functionality. Run the following at the Objection prompt:

$ ios monitor crypto

This monitors all of the common crypto library functions. Once it has started, go back to the application and start the process again: enter the passwords and you will see the corresponding encryption data.

https://youtu.be/Aj5f0HeXC4w
