M 301: Qark (15 pts)

What You Need for This Project

Purpose

To practice using Qark, an Android vulnerability scanner from LinkedIn.

Installing Qark

On Kali, in a Terminal, execute these commands:
git clone https://github.com/linkedin/qark
cd qark
pip install -r requirements.txt
pip install . 
qark --help
You see a Qark help message, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Pulling the GenieMD APK from the Phone

You should already have the GenieMD app installed. If you don't, get it from Google Play, as shown below.

To see the complete package name, on Kali, execute this command:

adb shell pm list packages | grep genie
The reply shows the package name, as shown below. Use that package name in the next command to get the APK path:
adb shell pm path com.geniemd.geniemd.harvard
The reply shows the full path to the APK. Use that path in the next command to pull the APK file:
adb pull /data/app/com.geniemd.geniemd.harvard-A0xnv6wdqwqLoAAgXh3GqA==/base.apk
The file downloads into Kali, as shown below.
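
The three commands above combined into one script, added here as an example and not part of the original lab. It assumes each line of a `pm` reply starts with `package:`; the function names and the sample data are hypothetical. It strips the carriage returns some adb versions append to shell output and pulls every APK when the app is installed as split APKs.

```shell
#!/bin/sh
# Added example, not from the original lab. Function names are hypothetical.

# Constructed sample of a `pm path` reply with CRLF endings and a split APK.
SAMPLE_PM_PATH=$(printf '%s\r\n' \
    'package:/data/app/com.example.app-1/base.apk' \
    'package:/data/app/com.example.app-1/split_config.x86.apk')

# Read a `pm path` reply on stdin and print one clean APK path per line.
# Drops the "package:" prefix and any carriage returns.
parse_pm_path() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Read a `pm list packages` reply on stdin and print the package names
# that contain the fragment given as $1 (case-insensitive).
match_packages() {
    tr -d '\r' | sed -n 's/^package://p' | grep -i -- "$1"
}

# Resolve a name fragment to exactly one package, then pull all of its APKs
# into directory $2 (default: current directory). Needs a connected device.
pull_apk() {
    frag=$1
    dest=${2:-.}
    pkgs=$(adb shell pm list packages | match_packages "$frag" || true)
    count=$(printf '%s\n' "$pkgs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        # Refuse to guess when the fragment is ambiguous or matches nothing.
        echo "expected one package matching '$frag', found $count:" >&2
        printf '%s\n' "$pkgs" >&2
        return 1
    fi
    adb shell pm path "$pkgs" | parse_pm_path | while IFS= read -r apk; do
        # </dev/null keeps adb from consuming the loop's input.
        adb pull "$apk" "$dest/" </dev/null || exit 1
    done
}

# Usage on a connected device:  pull_apk genie
```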

Scanning the APK with Qark

On Kali, execute this command:
qark --apk base.apk
Qark takes about 10 minutes to unpack all the code and scan it, ending with the path to a report file, as shown below.

After the report is generated, move it to a more convenient location and rename it with this command:

mv /usr/local/lib/python2.7/dist-packages/qark/report/report.html genie.html

Viewing the Report

On your Kali desktop, on the left side, click the folder icon.

Navigate to the genie.html file, as shown below, and double-click it.

The report opens in Firefox, as shown below.

Type Ctrl+F and search for cert to find the SSL certificate validation error, as shown below.


M 301: Unsafe implementation (15 pts)

Find the text covered by a green box in the image above. That's the flag.


Sources

Qark
Android Penetration Tools Walkthrough Series: QARK

Posted 1-24-19 by Sam Bowne
Converted to a CTF 2-28-19