APKey

Technical Walkthrough

Writeup

Challenge

• Name: APKey
• Category: Mobile
• Difficulty: Easy
• Mode: file

Summary

The APK contains a simple login screen, but the protected value is generated entirely client-side. MainActivity checks for username admin and a hardcoded MD5 digest, then displays the result of decrypting an obfuscated Base64 string. Static decompilation with jadx was enough to reconstruct the AES algorithm, key, and ciphertext without running the APK.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• files/a12c738d-36f8-4c14-863a-e6c3bc924bdf.zip: <password redacted> HTB ZIP containing APKey.apk.
• analysis/extracted/APKey.apk: extracted Android APK.
• analysis/jadx/: Java/resources decompiled with jadx.
• analysis/jadx/sources/com/example/apkey/MainActivity.java: login and success path.
• analysis/jadx/sources/c/b/a/*.java: obfuscated fragments used to build the AES mode, key, and ciphertext.

Analysis

1. activity_main.xml shows a basic login form with username and password fields.
2. MainActivity.java requires username admin.
3. The password is checked by MD5, but the digest rendering omits zero padding; this is only a gate to display the decrypted value.
4. On success, MainActivity calls c.b.a.b.a(c.b.a.g.a()).
5. g.b() resolves to AES, so Android uses the default AES transformation.
6. b.a() constructs a 16-byte AES key from character indexes across helper classes a, c, e, f, h, and i.
7. g.a() concatenates obfuscated string fragments into the Base64 ciphertext.
8. solve/solve.py reproduces the same key/ciphertext construction and decrypts the flag offline.

Solve

Run:

python3 Mobile/APKey/solve/solve.py

The script reconstructs the APK's AES key and ciphertext from the decompiled helper classes, decrypts the ciphertext with AES/ECB and PKCS padding, and prints the flag for harness capture.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• For Easy mobile APKs, decompile first and follow the success path before setting up emulator/runtime tooling.
• Android Cipher.getInstance("AES") maps to the platform default AES transformation, which is normally ECB with PKCS padding.
• Obfuscated string-fragment classes are often just static data assembly; reconstructing them in a short script is faster and more reliable than running the app.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: APKey
• Category: Mobile
• Difficulty: Easy
• Mode: file
• Remote instance: none
• Start time: 2026-06-10T10:25:28Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• ZIP contains one APK: APKey.apk.
• jadx recovered the relevant app logic despite a few decompiler errors.
• MainActivity requires username admin and compares a hardcoded non-padded MD5 digest for the password.
• The success path calls c.b.a.b.a(c.b.a.g.a()).
• g.b() resolves to AES; b.a() builds the AES key from obfuscated helper-class string fragments.
• g.a() builds the Base64 ciphertext from the same helper-class fragments.
• solve/solve.py reproduces the static AES decryption and the harness captured the flag into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Mobile
• Challenge: APKey
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract the HTB ZIP with the standard archive password and decompile the APK with jadx.
2. Inspect MainActivity; the app accepts username admin, checks a hardcoded MD5 digest, and then displays a decrypted value.
3. Follow the success path to c.b.a.b.a(c.b.a.g.a()).
4. Resolve g.b() as AES.
5. Reconstruct the AES key from the helper classes' selected character positions.
6. Reconstruct the Base64 ciphertext from g.a().
7. Decrypt offline with AES/ECB and PKCS padding.

Reusable Lessons

• For local-only Easy Android challenges, start with jadx and inspect the app package before considering emulator, ADB, Frida, or Objection.
• Android Cipher.getInstance("AES") generally means provider-default AES/ECB with PKCS padding.
• A password gate does not always need to be bypassed if the protected value is decryptable from static code.
• Be careful with handwritten hex rendering in Java; missing zero padding can make digest strings shorter than canonical MD5 hex.

Dead Ends

• No emulator/runtime instrumentation was needed.
• Cracking or entering the login password was unnecessary because the decrypt routine is fully static.

Tool Quirks

• jadx reported a few decompiler errors but still recovered the relevant app classes.
• apktool, adb, frida, objection, and ghidra were unavailable locally; jadx was sufficient.

Evidence Paths

• analysis/jadx/sources/com/example/apkey/MainActivity.java
• analysis/jadx/sources/c/b/a/b.java
• analysis/jadx/sources/c/b/a/g.java
• analysis/checkpoint-analysis-20260610T102748968704Z-d74c55f1.md
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Mobile
• Challenge: APKey
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract the HTB ZIP with the standard archive password and decompile the APK with jadx.
2. Inspect MainActivity; the app accepts username admin, checks a hardcoded MD5 digest, and then displays a decrypted value.
3. Follow the success path to c.b.a.b.a(c.b.a.g.a()).
4. Resolve g.b() as AES.
5. Reconstruct the AES key from the helper classes' selected character positions.
6. Reconstruct the Base64 ciphertext from g.a().
7. Decrypt offline with AES/ECB and PKCS padding.

Reusable Lessons

• For local-only Easy Android challenges, start with jadx and inspect the app package before considering emulator, ADB, Frida, or Objection.
• Android Cipher.getInstance("AES") generally means provider-default AES/ECB with PKCS padding.
• A password gate does not always need to be bypassed if the protected value is decryptable from static code.
• Be careful with handwritten hex rendering in Java; missing zero padding can make digest strings shorter than canonical MD5 hex.

Dead Ends

• No emulator/runtime instrumentation was needed.
• Cracking or entering the login password was unnecessary because the decrypt routine is fully static.

Tool Quirks

• jadx reported a few decompiler errors but still recovered the relevant app classes.
• apktool, adb, frida, objection, and ghidra were unavailable locally; jadx was sufficient.

Evidence Paths

• analysis/jadx/sources/com/example/apkey/MainActivity.java
• analysis/jadx/sources/c/b/a/b.java
• analysis/jadx/sources/c/b/a/g.java
• analysis/checkpoint-analysis-20260610T102748968704Z-d74c55f1.md
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: APKey
• Category: Mobile
• Difficulty: Easy
• Mode: file
• Remote instance: none
• Start time: 2026-06-10T10:25:28Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• ZIP contains one APK: APKey.apk.
• jadx recovered the relevant app logic despite a few decompiler errors.
• MainActivity requires username admin and compares a hardcoded non-padded MD5 digest for the password.
• The success path calls c.b.a.b.a(c.b.a.g.a()).
• g.b() resolves to AES; b.a() builds the AES key from obfuscated helper-class string fragments.
• g.a() builds the Base64 ciphertext from the same helper-class fragments.
• solve/solve.py reproduces the static AES decryption and the harness captured the flag into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.