Decompile the apk, and run 'strings' on assets/flutter_assets/kernel_blob.bin.<p>Poke around and you'll find code for POSTing JSON-encoded credentials to <a href="http://35.246.158.51:8070/auth/getUrl" rel="nofollow">http://35.246.158.51:8070/auth/getUrl</a>. (Grep for the IP to find it.)<p>So, using the web site name as the seed and the 'client id' as the password, we get:<p>$ curl -X POST -H "Content-Type: application/json" -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' <a href="http://35.246.158.51:8070/auth/getUrl" rel="nofollow">http://35.246.158.51:8070/auth/getUrl</a><p>The response is an HTTP 200 and:
{"AuthURL":"/auth/v2"}<p><a href="http://35.246.158.51:8070/auth/v2" rel="nofollow">http://35.246.158.51:8070/auth/v2</a> is I guess the next step.<p>edit: The /auth/getUrl endpoint responds to any request with the same response, so that may not be the right Seed/Password combination.
In case you didn't want to wait for the slow-typing to load the entire message:<p>"Welcome Agent.<p>A team of field operatives is currently on-site in enemy territory, working to retrieve intel on an imminent terrorist attack.<p>The intel is contained in a safe, the plans for which are available to authorized clients via an app [0].<p>Our client ID is d09ff4ec651c48f89f7f7aa19160bd55<p>Your mission is to retrieve those plans, and allow our team to break into the safe.<p>Good luck!,<p><pre><code> M."
</code></pre>
[0]: <a href="http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk" rel="nofollow">http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk</a>
THIS IS LEGITIMATE.
The Israeli Mossad had a ad today, <a href="https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-independence-day-with-facebook-riddle/" rel="nofollow">https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-i...</a>
with a picture.
The picture has 4 rows of trophies, which should be converted to 4 numbers using binary --> decimal.
Those four numbers are 35, 246, 158, 51.<p>As an ip address, 35.246.158.51 leads to the site OP posted.
The French cyber security community has a similar challenge every year: <a href="https://www.sstic.org/2019/challenge/" rel="nofollow">https://www.sstic.org/2019/challenge/</a> (in French).<p>The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.
Searching for "iWalk-v2" on google gives following book as the first result:<p><a href="https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=PA397&dq=%22iwalk-v2%22&source=bl&ots=oxE7LdoK2w&sig=ACfU3U1h4H0eUFMV2u3zk9VbR_kDiVw_vA&hl=sr&sa=X&ved=2ahUKEwilp4qM94_iAhXIb1AKHXS1CWsQ6AEwBnoECAkQAQ#v=onepage&q=%22iwalk-v2%22&f=false" rel="nofollow">https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=P...</a><p>on page 397 there is entry in index:
iWalk, v2 71
on the same page there are interesting terms like
islamic terrorism, jihad via internet, judism...
also page number 71 which stands next to iWalk term is interesting coincidence since this riddle is celebrating 71 years of Israel independence...
This site loads the jQuery library in order to...<p>1. Access $("#text1")[0].innerHTML<p>2. $( document ).ready() { typeWriter (); }<p><i>facepalm</i>
Oh, come on. You have to have an old phone lying around to factory reset for shits and giggles. Not like they'd burn good zero days on a publicity stunt.<p>Remember, this thing'll be getting picked apart by everybody considering the source.<p>Unless you're afraid of getting black bagged that i...<SIGNAL LOST>
First Challenge Solution:
Mossad 2019 Challenge Start: <a href="https://r-u-ready-4.it/" rel="nofollow">https://r-u-ready-4.it/</a> Every line in the image is binary 8-bit number that will give you an ip address : 35.246.158.51<p>Challenge-1 :Link <a href="http://3d375032374147a7865753e4bbc92682.xyz" rel="nofollow">http://3d375032374147a7865753e4bbc92682.xyz</a> / <a href="http://35.246.158.51" rel="nofollow">http://35.246.158.51</a><p>Download app.apk from <a href="http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk" rel="nofollow">http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk</a> Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c You will user it as "Seeder" property in the app //////////////////////////////////////////////////////////////////////////////////////////////// using WireShark (or any other packet snipper) we can see that the login button does this:<p>POST /auth/v2 HTTP/1.1si user-agent: iWalk-v2 content-type: application/json; charset=utf-8 accept-encoding: gzip content-length: 29 host: 35.246.158.51:8070 {"Seed":"admin","Password":"admin "}HTTP/1.1 200 OK Content-Type: application/json Date: Wed, 08 May 2019 21:49:05 GMT Content-Length: 47<p>{"IsValid":false,"LockURL":"","Time":149646302} ///////////////////////////////////////////////////////<p>Using <a href="http://www.javadecompilers.com/" rel="nofollow">http://www.javadecompilers.com/</a>, i Decompiled the apk, and got a lock at the Manifest < <xml version="1.0" encoding="utf-8" ....... <activity android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize" android:hardwareAccelerated="true" android:launchMode="singleTop" android:name="com.iwalk.locksmither.MainActivity" .... .....<p>The line "look for us on github.com" got my attention, so i looked for iwalk.locksmither in github and found "iwalk-locksmithers" linke: <a href="https://github.com/iwalk-locksmithers-app" rel="nofollow">https://github.com/iwalk-locksmithers-app</a> the server source code was there. In the code, there are a few comments that can help<p><a href="https://github.com/iwalk-locksmithers-app/server/blob/master/main.go" rel="nofollow">https://github.com/iwalk-locksmithers-app/server/blob/master...</a> link 70 points us to the auth-1 weeknes.<p>the part of "for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) { if lock.Password[currentIndex] != loginData.Password[currentIndex] { break } //OG: securing against bruteforce attempts... ;-) time.Sleep(30 * time.Millisecond) currentIndex++ }"<p>the securing aginst bruteforce (tyring all combinations) is the weeknes. The idea behind for hacking the password is to try only one char at first. if we get a 30ms dealy, it means we got the 1st char right, so then we can check the next one, so we will try 2 chars (the 1st we know, the second we will guess) if we will get 60 ms +- dealy then we got th 2nd char and we will try the third one, and again and again, until we will get the password.<p>To solve it, it wrote a simple c# code that does in a loop http push to the server every time we try to add a new char to the password, and if we got a dealy that is +- 30ms more then the last try, we add that char our final password the uri is <a href="http://35.246.158.51:8070/auth/v1_1" rel="nofollow">http://35.246.158.51:8070/auth/v1_1</a> and user agent is ed9ae2c0-9b15-4556-a393-23d500675d4b (as writen in the server) I did some avg calcs of the dealys The password length is 32 with hexa char (didnt know that until i guessed the password) we can know that the password is correct when we get back "IsValid":true" *Time we get is in nano Seconds and not ms<p>After I enterd the pasword and cliend id, i got a link for a token and a linke for challenge 2<p><a href="http://759d8eba52184f538c8a4525680cfb33.xyz/" rel="nofollow">http://759d8eba52184f538c8a4525680cfb33.xyz/</a><p>Challenge-2 <a href="http://759d8eba52184f538c8a4525680cfb33.xyz/" rel="nofollow">http://759d8eba52184f538c8a4525680cfb33.xyz/</a>