Sign up, as shown below.
Only 60 Minutes
As of Jan 28, 2020, the free trial period has been reduced to 60 minutes. You can make another account to get another 60 minutes, with a different email address.
Open your email and click the link Geny.io sent you.
Log in. The Genymotion cloud main page appears, as shown below.
Click the "CLICK TO DISPLAY" message to see the Android home screen, as shown below.
https://apkcombo.com/apk-downloader/?q=com.yieldnotion.equitypandit
Click the green "Download APK" bar, as shown below.
Save the file on your local computer.
A progress indicator will appear in the upper left of the device screen. In the image below, the upload is 48% completed.
When the upload is done, the app installs and launches, as shown below.
On your Google Cloud Debian server, in an SSH session, execute these commands:
sudo apt update
sudo apt install android-sdk -y
sudo apt install python3-pip -y
pip3 install gmsaas
Execute this command:
nano ~/.bashrc
Add this line at the end:
export PATH="$PATH:/home/$USER/.local/bin"
Save the file with Ctrl+X, Y, Enter.
Execute this command:
source ~/.bashrc
On your Debian cloud server, execute these commands, replacing the email address with the email address you used to log in to Genymotion Cloud:
gmsaas config set android-sdk-path /usr/lib/android-sdk/
gmsaas auth login sam@mailinator.com
Enter your Genymotion Cloud password when you are prompted to.
As a point of interest, your password is saved locally with only Base64 encoding, as shown below. Base64 is a reversible encoding, not encryption, so this is an outrageously insecure practice.
gmsaas instances list
You see your running instance, as shown below.
On your Debian cloud server, execute these commands:
gmsaas instances list -q | xargs -n1 gmsaas instances adbconnect
adb devices -l
Your device is attached, as shown below.
(Note: the first time I ran the "gmsaas adbconnect" command, it put out several pages of messages. If that happens, don't worry about it.)
adb logcat
A lot of messages scroll by, as shown below.
Press Ctrl+C to stop the scrolling.
adb logcat | grep password
The screen is quiet, waiting for log lines including the string "password", as shown below.
flagme@aol.com
In the Password field, hit several random numbers and letters, as shown below. Click the green Go button.
Flag M110.1: Exposed Password (15 pts extra)
On your Debian cloud server, that account's password appears. It contains the flag, which is covered by a green box in the image below.
Capturing a Screen Image
Capture a WHOLE-DESKTOP image showing the flag. Save the image as "Proj W 200 from YOUR NAME".
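An added example, not part of the original lab: "grep password" matches every line that contains the word, so a developer auditing an app's own logs before release gets noise. This Python script parses the default "adb logcat" line layout and reports only messages that carry a credential-like key together with a value, without echoing the value. The sample lines, tags and key list are constructed for illustration.

```python
import re
import sys

# Default `adb logcat` line layout: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LOGCAT = re.compile(
    r"^\d\d-\d\d [\d:.]+\s+(?P<pid>\d+)\s+(?P<tid>\d+) "
    r"(?P<level>[VDIWEF]) (?P<tag>.*?)\s*: (?P<msg>.*)$"
)
# Credential-like key followed by ':' or '=' and a value (form body, JSON, key=value).
# The key list is an assumption; extend it for the app under review.
SECRET = re.compile(
    r"""(?i)(?<![a-z])(?P<key>pass(?:word|wd)?|pwd|token|secret|api[_-]?key)"""
    r"""["']?\s*[:=]\s*["']?(?P<value>[^\s"'&,}]+)"""
)

# Constructed sample input (not output from the app in this lab).
SAMPLE = """\
--------- beginning of main
01-28 10:15:02.113  2211  2240 D NetDebug: --> POST https://api.example.test/login
01-28 10:15:02.114  2211  2240 D NetDebug: email=user%40example.test&password=Tr0ub4dor
01-28 10:15:02.390  2211  2211 I LoginActivity: login passed: true
01-28 10:15:02.391  1544  1602 W AuthSvc : {"user":"u1","token":"abc.def.ghi"}
01-28 10:15:03.000  2211  2211 D Keyboard: showing password field
""".splitlines()


def find_leaks(lines):
    """Return one finding per credential-like key/value seen in a log message."""
    findings = []
    for line in lines:
        m = LOGCAT.match(line.rstrip("\r\n"))
        if not m:
            continue  # banner lines such as "--------- beginning of main"
        for s in SECRET.finditer(m["msg"]):
            findings.append({
                "pid": int(m["pid"]), "level": m["level"], "tag": m["tag"],
                "key": s["key"].lower(),
                "value_len": len(s["value"]),  # report length only, never the secret
            })
    return findings


if __name__ == "__main__":
    # Usage: adb logcat -d | python3 logscan.py   (falls back to SAMPLE on a terminal)
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for f in find_leaks(source):
        print("{level} pid={pid} tag={tag}: logs '{key}' ({value_len} chars)".format(**f))
```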
https://portswigger.net/burp/communitydownload
Click the "Download for Linux (64-bit)" button, as shown below.
Save the file.
On your Debian server, in an SSH window, execute this command:
sudo bash ./snap/firefox/common/Downloads/burpsuite_community_linux_v2_1_04.sh
Press Enter to accept the default for each question.
On your Linux desktop, right-click and click Applications, Other, "Burp Suite Community Edition", as shown below.
Click "I Accept". Click Next. Click "Start Burp".
Click the Options sub-tab.
In the "Proxy Listeners" section, click 127.0.0.1:8080 and click the Edit button.
In the "Edit proxy listener" box, click the "All interfaces" button.
Click OK. Click Yes.
The "Proxy Listeners" section should now show an Interface of *:8080, as shown below.
Click the "HTTP history" sub-tab.
Scroll down to the "NETWORKING" section.
Point to "VPC network" and click "Firewall rules".
At the top center, click "CREATE FIREWALL RULE".
Enter these values, as shown below:
In the Google Cloud Console, at the top left, click the three-bar "hamburger" icon.
Point to "Compute Engine" and click "VM instances".
Find your Linux server's public IP address, as shown below:
Click the Home Button again and drag it up to see all apps.
Click Settings. Click "Network & internet". Click Wi-Fi.
In the "AndroidWifi" line, click the gear icon.
At the top right, click the pencil icon.
In the AndroidWifi box, click the arrow to expand "Advanced options".
Set the Proxy to Manual. Enter your Debian Cloud Server's IP address and a port of 8080, as shown below.
Click SAVE.
Click the Home Button again and drag it up to see all apps.
Click EquityPandit.
Change the username to
flagme2@aol.com
Click Go.
Flag M110.2: Transmitted Password (10 pts extra)
In Burp, click the second HTTP POST request and click the Response sub-tab to see the flag, which is covered by a green box in the image below.
Capturing a Screen Image
Capture a WHOLE-DESKTOP image showing the flag. Save the image as "Proj M 110 from YOUR NAME".