Injured Android

Flag 1 - Login Activity

This flag was quite simple. After loading the APK into JADX and viewing the source code for the activity, the flag is revealed.

Flag 2 - Exported Activity

The manifest.xml shows an exported activity declared directly above the flag2 activity.

Drop into an ADB shell and run the exported activity.

Flag 3 - Resources

Viewing the flag 3 login activity.

Checking strings.xml for the reference reveals the flag.

Flag 4 - Login 2

Viewing the activity for login2.

Viewing the method g().a().

Base64 decode the value to reveal the flag.

Flag 5 - Exported Broadcast Receiver

This one was straightforward: open the level 3 times to get the flag.

Flag 6 - Login 3

Viewing the login activity.

Viewing the method k.a.

It shows that the key is generated from f1917a.

Decode the value to find the flag.

Flag 7 - SQLite

The database only exists while the activity is open.

Connect via adb.

View the tables.

Viewing the flag7 activity class.

Decode the value to reveal 'f1ag-pa55'.

The other value needs to be ROT47 decoded.

Flag 8 - AWS

There was a mention of AWS in the strings.xml file.

Used cloud_enum to search for any cloud resources. Found an open S3 bucket.

Flag 9 - Firebase

There is a Firebase URL referenced in strings.xml.

Base64 decode the value.

Access the endpoint using the .json trick.
