Vault42

Apr 08, 2026

Summary

Vault42 was an Android APK reverse-engineering challenge. Static APK analysis exposed hardcoded secrets, exported activity behavior, and native-check literals, resulting in four recovered flags.

Evidence

  • The APK contained classes3.dex, classes4.dex, lib/armeabi-v7a/libnative-lib.so, and res/layout/activity_vault.xml.
  • apktool exposed obfuscated_secret=Q0RDXnVcS19GXg==.
  • Smali logic decoded that secret using Base64 and XOR 0x2a, producing init_vault.
  • jadx confirmed the Java logic and embedded flag strings.
  • Native JNI disassembly showed the expected master key bytes for SuperSecretB10N1c.
  • AdminActivity was exported in the manifest.

Steps

  1. Identify and inspect the APK.
       file "app-debug (1).apk"
       strings "app-debug (1).apk" | rg -i "flag|ctf|saguenay|vault|secret|token|password|key|pin"
       unzip -l "app-debug (1).apk"
  2. Decode resources and smali.
       apktool d -f "app-debug (1).apk" -o apktool_out
       rg "Flag\s*[0-9]|UQAC\{|obfuscated_secret|AdminActivity|VaultActivity" apktool_out
  3. Decode the resource secret used by the app.
       import base64

       blob = base64.b64decode("Q0RDXnVcS19GXg==")
       print(bytes(b ^ 0x2a for b in blob).decode())

     Output:

       init_vault
  4. Confirm decompiled Java output.
       jadx -d jadx_out "app-debug (1).apk"
       rg "UQAC|obfuscated_secret|checkMasterKeyNative" jadx_out
  5. Inspect the native check for the master key.
       readelf -Ws apktool_out/lib/armeabi-v7a/libnative-lib.so
       readelf -p .rodata apktool_out/lib/armeabi-v7a/libnative-lib.so

     The JNI literal reconstructed to:

       SuperSecretB10N1c

Flags

UQAC{h4rdc0d3d_s3cr3t_1s_b4d}
UQAC{3xp0rt3d_4ct1v1t13s_l34k}
UQAC{fr1d4_h00k1ng_m4st3r}
UQAC{n4t1v3_c0d3_r3v3rs3_r0b0t}

Notes

The challenge demonstrates several mobile security anti-patterns: hardcoded secrets, an exported privileged activity, Java-visible flag strings, and native-check theater that still exposes the expected value statically.