# Photo Drive

## Challenge Description

Who doesn't love reverse engineering Android APKs! I'm kidding, not everyone does :D

But, you will have to get your hands dirty for this one as the only way to reach the flag is to break the APK open.

Do your RE and you will find your way!

## Solution

Download the APK and reverse it with apktool:

```
apktool d photodrive.apk
```

I manually enumerated the application and found this comment:

<figure><img src="/files/pEJnMlWhjIIeNiFigRai" alt=""><figcaption></figcaption></figure>

Viewing the GitHub repo [commits](https://github.com/Xhyperi0nX/photodrive-app/commits/master), I found one that says [add security fixes](https://github.com/Xhyperi0nX/photodrive-app/commit/7ffe6c6bc406467e51b48875a672fb095c7bfa01), which removes the misconfigured server.

Performing further enumeration on the GitHub repo shows a branch with a commit, [remove misconfigured server](https://github.com/Xhyperi0nX/photodrive-app/commit/7459cd03e5b2e881a30614ad91a7fdb99e724933), which contains an S3 bucket link.

<figure><img src="/files/LnqxlFPMwaTgp1wwipsJ" alt=""><figcaption></figcaption></figure>

Using the AWS CLI, I was able to list the files and download them.

<figure><img src="/files/Nql3Zw1zSLu1fKIDF4LH" alt=""><figcaption></figcaption></figure>

However, I received an access denied error when downloading account.txt. As I had done a similar challenge in Flaws.cloud before, I imported my own key with `aws configure` and was able to download the account.txt file.

You can refer to the level 2 writeup in this [Flaws.cloud walkthrough](https://executeatwill.com/2022/01/17/Flaws.Cloud-Walkthrough/) for more details.

<figure><img src="/files/ck3pzVPBTK8Cwn7f6stZ" alt=""><figcaption></figcaption></figure>
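The behaviour described above (files listable without credentials, account.txt readable once any AWS key is configured) is what an S3 ACL grant to the global `AuthenticatedUsers` group produces, as in Flaws.cloud level 2. The following audit is an added example, not part of the original writeup or the challenge: it checks ACL JSON in the shape returned by `aws s3api get-bucket-acl` / `get-object-acl`, and the sample ACLs, owner ID and helper names are constructed assumptions.

```python
import json

# Predefined S3 grantee groups; a grant to either reaches beyond your own account.
RISKY_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}

def acl(*extra):
    """Build constructed ACL JSON: owner grant plus (group name, permission) pairs."""
    grants = [OWNER] + [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/" + group},
         "Permission": perm}
        for group, perm in extra]
    return json.dumps({"Owner": {"ID": "constructed-owner-id"}, "Grants": grants})

# Constructed samples (assumed, not taken from the challenge bucket).
SAMPLE_ACLS = {
    "bucket": acl(("AllUsers", "READ")),                 # anonymous listing
    "account.txt": acl(("AuthenticatedUsers", "READ")),  # any configured key can read
    "hardened-object": acl(),                            # owner only
}

def risky_grants(acl_json):
    """Return sorted (audience, permission) pairs for grants to global groups."""
    findings = set()
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        audience = RISKY_GROUPS.get(grantee.get("URI"))
        if audience:
            findings.add((audience, grant.get("Permission")))
    return sorted(findings)

def audit(acls):
    """Map resource name -> risky grants, omitting resources with none."""
    return {name: found for name, doc in acls.items() if (found := risky_grants(doc))}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_ACLS).items():
        for audience, perm in found:
            print(f"{name}: {perm} granted to {audience}")
```

Bucket policies can expose objects as well, so a clean ACL result alone does not show that a bucket is private.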

The account.txt file contains a set of credentials for AWS.

```
Access key ID: AKIAYX67JAH5N5WJIXRC
Secret access key: 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
```

Log in with the set of credentials using `aws configure` and get more information using the [`get-caller-identity`](https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html) command.

<figure><img src="/files/VQMtvOJaObjCuKi5uAI5" alt=""><figcaption></figcaption></figure>

The username is a base64-encoded value, and upon decoding it I retrieved the flag.

<figure><img src="/files/s02CErVfpDBhSm3Iw8To" alt=""><figcaption></figcaption></figure>

Flag: `flag-{GaW6NW8vzwIhh8qU643AV3ohh4gwDByw}`

