FortiClient Android App


Mohamed Eid Wahby

FortiClient is a vulnerable Android VPN app.

You can create a new VPN with your username and password.

In this challenge we need to extract the "password" from storage.

After creating your VPN, open cmd to find out where this data is stored.

After opening adb.exe shell, you can see that the app stores its data in this path:

/data/data/com.fortinet.forticlient/shared_prefs

"Now, let's decompile this app."

Come on, come onnnn

After decompiling with Jadx, open Text search from the Navigation tab and search for ssl.resu.

We can see the statement edit.putString("ssl.resu", cu.n(str));

We need to analyze this function, which is called "e".

1- It is a public method called e that takes two parameters: a SharedPreferences object and a String.

2- It initializes a SharedPreferences.Editor object named edit by invoking the edit() method on the SharedPreferences object called sharedPreferences.

3- It sets a string value with the key "ssl.resu" and the value obtained by calling the cu.n(str) method.

— — -

Now, let's analyze cu.

We need to analyze the code behind "cu".

The Java class "cu" contains a method named n(String str), which is intended to encrypt the provided string "str".

1- It initializes a hard-coded KEY = "FoRtInEt!AnDrOiD", a hard-coded initialization vector IvParameterSpec = {117, 122, 39, 67, 114, 124, 115, 44, 113, 116, 124, 123, 58, 89, 118, 94}, and a SecretKeySpec object for AES encryption.

2- It initializes a cipher (Cipher) instance for AES encryption in CBC mode with PKCS5 padding.

3- It converts the input string str into bytes.

4- It encrypts the bytes using the initialized cipher and generates a byte array of encrypted data.

5- It converts the encrypted bytes into a hexadecimal representation and stores them in a StringBuffer.

for (byte b : doFinal) {
    // Mask to 0..255 so negative bytes do not become 8-digit hex strings
    String hexString = Integer.toHexString(b & 255);
    if (1 == hexString.length()) {
        hexString = "0" + hexString;
    }
    stringBuffer.append(hexString.toUpperCase(Locale.ENGLISH));
}

For each byte in the encrypted data, it converts the byte into a hexadecimal string.

If the hexadecimal string is a single character, it prepends a '0' so that two characters are always used.

It appends the uppercased hexadecimal string to the StringBuffer.

6- It returns the final hexadecimal representation of the encrypted data as a string.
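A defender-side audit of the storage format described above, added here as an example (not code from the original article or from Fortinet): it scans a shared_prefs XML file for values shaped like the output of cu.n() and flags entries whose first ciphertext block repeats, which is what a fixed key and IV produce for equal leading plaintext. The sample file, every key name other than ssl.resu, and the function names are constructed for illustration.

```python
# Added example: audit an Android shared_prefs XML for values shaped like the
# output of cu.n(): uppercase hex whose length is a whole number of AES blocks.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

BLOCK_HEX = 32  # one 16-byte AES block is 32 hex characters
HEX_RE = re.compile(r"[0-9A-F]+")

# Constructed sample file. Only the key name "ssl.resu" and the first hex value
# appear in the article; their pairing and all other entries are hypothetical.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="ssl.resu">CA189A907D7D90F8DE107B60E8452B311F1C1CB8C9B43DF37FD529B279F34745</string>
    <string name="profile2.secret">CA189A907D7D90F8DE107B60E8452B3100112233445566778899AABBCCDDEEFF</string>
    <string name="server">vpn.example.test</string>
    <boolean name="autoconnect" value="true" />
</map>
"""

def looks_like_block_ciphertext(value):
    """True if value is non-empty uppercase hex covering whole AES blocks."""
    return bool(value) and len(value) % BLOCK_HEX == 0 and HEX_RE.fullmatch(value) is not None

def audit_prefs(xml_text):
    """Return (findings, reused) for one shared_prefs document.

    findings: {pref name: number of 16-byte blocks} for ciphertext-shaped values.
    reused:   first blocks shared by several entries -> sorted pref names. With a
              fixed key and IV, CBC maps equal leading plaintext to equal
              leading ciphertext, so repeats point to static parameters.
    """
    findings, by_first_block = {}, defaultdict(list)
    for node in ET.fromstring(xml_text).iter("string"):
        value = (node.text or "").strip()
        if looks_like_block_ciphertext(value):
            name = node.get("name")
            findings[name] = len(value) // BLOCK_HEX
            by_first_block[value[:BLOCK_HEX]].append(name)
    reused = {blk: sorted(names) for blk, names in by_first_block.items() if len(names) > 1}
    return findings, reused

if __name__ == "__main__":
    findings, reused = audit_prefs(SAMPLE_PREFS)
    for name, blocks in findings.items():
        print(f"{name}: {blocks} block(s) of hex-encoded ciphertext")
    for blk, names in reused.items():
        print(f"first block {blk} repeats in {names}")
```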

Now we need to decrypt this ciphertext using Python, but HOW!!!

Just write some code, bro. What are you losing? Do you have anything to lose?

1- Importing Necessary Modules:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

2- Defining Encryption Parameters:

KEY = b"FoRtInEt!AnDrOiD"
IvParameterSpec = bytes([117, 122, 39, 67, 114, 124, 115, 44, 113, 116, 124, 123, 58, 89, 118, 94])

3- Decrypting the Data:

cipher = AES.new(KEY, AES.MODE_CBC, IvParameterSpec)
cleartext = unpad(cipher.decrypt(bytes.fromhex('CA189A907D7D90F8DE107B60E8452B311F1C1CB8C9B43DF37FD529B279F34745')), 16)

The first line creates the AES cipher object in CBC mode from the key and IV defined above.

The second line decrypts the ciphertext provided as a hexadecimal string ('CA189A907D7D90F8DE107B60E8452B311F1C1CB8C9B43DF37FD529B279F34745').

It first converts the hexadecimal string to bytes using bytes.fromhex().

The decrypt() method of the AES cipher object decrypts the ciphertext.

The unpad() function removes any padding from the decrypted data. The second argument (16) specifies the block size, which is used to determine the padding length.

The resulting plaintext is stored in the cleartext variable.

4- Printing the Decrypted Data:

print(cleartext)

Final Code ya Brooooooooooooooo

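from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Key and IV taken from the decompiled cu class
KEY = b"FoRtInEt!AnDrOiD"
IvParameterSpec = bytes([117, 122, 39, 67, 114, 124, 115, 44, 113, 116, 124, 123, 58, 89, 118, 94])

# AES in CBC mode with the static key and IV, matching cu.n()
cipher = AES.new(KEY, AES.MODE_CBC, IvParameterSpec)
# Hex-decode the stored value, decrypt it, then strip the padding (16-byte blocks)
cleartext = unpad(cipher.decrypt(bytes.fromhex('CA189A907D7D90F8DE107B60E8452B311F1C1CB8C9B43DF37FD529B279F34745')), 16)
print(cleartext)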

We're done, Bebooooo