This is the second challenge from the Mobile section of DSO-NUS CTF 2021. The challenge requires us to find a user's password using OSINT.


What?? A secret activity? I wonder how many apps have these..

We are given an apk.



First, I decompiled the apk using this website to get the Java source code.

Then by analyzing the source code we can find

Observe that the logic is just checking the password against a hard-coded SHA-256 hash.


I need to find a password for f3917p such that its SHA-256 hash equals 1f413f06cb30df064361e85d11c5da61e06db232e57f5b44cd3d33ab4a92e08e.

I tried reversing the SHA-256 hash but found nothing.

The next thing I tried was to google the username xYzKiRiToxYz. Sadly, it still didn't give any interesting result.

Finally, I did a username search with

[*] Checking username xYzKiRiToxYz on:
[+] Chess:
[+] GitLab:
[+] ICQ:
[+] NameMC ( skins):
[+] ProductHunt:
[+] Roblox:
[+] Spotify:
[+] Steamid:
[+] Twitter:
[+] Xbox Gamertag:

Interestingly, there's a GitLab account associated with the username.

Going into the GitLab account, I found a repo that has the source code for this apk. Although the password had been removed in the latest version, the password keeping_secrets_is_hard can still be found in the previous commit.
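This is exactly why deleting a committed secret in a later commit does not scrub it: the history still carries the removed line. As an added example (not code from the writeup or from the challenge repo), the following Python parser walks `git log -p` output and reports quoted secret literals on both added and removed lines; the log text, commit ids and file path below are constructed to mirror the situation above.

```python
import re

# Constructed `git log -p` output (not the real challenge repo): the newest
# commit deletes the hard-coded password, the older commit introduced it.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>

    remove hardcoded password

diff --git a/app/src/main/java/Secret.java b/app/src/main/java/Secret.java
--- a/app/src/main/java/Secret.java
+++ b/app/src/main/java/Secret.java
@@ -3,4 +3,4 @@
-        String password = "keeping_secrets_is_hard";
+        String password = BuildConfig.SECRET;
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    add login check

diff --git a/app/src/main/java/Secret.java b/app/src/main/java/Secret.java
--- /dev/null
+++ b/app/src/main/java/Secret.java
@@ -0,0 +1,6 @@
+        String password = "keeping_secrets_is_hard";
+        String expected = "1f413f06cb30df064361e85d11c5da61e06db232e57f5b44cd3d33ab4a92e08e";
"""

# Quoted literal assigned to a secret-looking variable name (case-insensitive).
SECRET_RE = re.compile(r'(password|secret|token|api_key)\s*=\s*"([^"]+)"', re.I)


def find_secrets_in_history(log_text):
    """Return (commit, path, sign, value) for every secret literal on an added
    ('+') or removed ('-') line anywhere in the history, newest commit first."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]          # file the following hunks belong to
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            m = SECRET_RE.search(line)
            if m:
                findings.append((commit, path, line[0], m.group(2)))
    return findings


def removed_but_recoverable(findings):
    """Values that a later commit removed: gone from the tree, still in history."""
    return {value for _, _, sign, value in findings if sign == "-"}
```

Pipe `git log -p --all` through this in a real repository; anything returned by `removed_but_recoverable` has to be rotated, because deleting the line only hid it from the checkout.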

Lastly, I generated the pre-hash flag with the following code.

We get K33p1nG_sEcr3t5_15_h@rD. Hashing it with SHA-256 gives the flag.


import java.security.MessageDigest;

class Sol {

    public static void main(String[] args) {
        String username = "xYzKiRiToxYz";   // account the OSINT search started from
        String password = "keeping_secrets_is_hard";
        String ans = "1f413f06cb30df064361e85d11c5da61e06db232e57f5b44cd3d33ab4a92e08e";

        // Replicate the apk's check: hex(SHA-256(password)) must equal the hard-coded hash
        try {
            MessageDigest instance = MessageDigest.getInstance("SHA-256");
            byte[] digest = instance.digest(password.getBytes());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            String str = sb.toString();
            System.out.println("password hash matches: " + str.equals(ans));
        } catch (Exception unused) {
            // SHA-256 is available on every JVM, so this is never reached
        }

        // Apply the apk's XOR mask to the password to obtain the pre-hash flag
        char[] charArray = password.toCharArray();
        try {
            charArray[0] = (char) (charArray[0] ^ ' ');
            charArray[1] = (char) (charArray[1] ^ 'V');
            charArray[2] = (char) (charArray[2] ^ 'V');
            charArray[4] = (char) (charArray[4] ^ 'X');
            charArray[6] = (char) (charArray[6] ^ ' ');
            charArray[9] = (char) (charArray[9] ^ ' ');
            charArray[12] = (char) (charArray[12] ^ 'V');
            charArray[14] = (char) (charArray[14] ^ 'F');
            charArray[16] = (char) (charArray[16] ^ 'X');
            charArray[17] = (char) (charArray[17] ^ 'F');
            charArray[20] = (char) (charArray[20] ^ '!');
            charArray[22] = (char) (charArray[22] ^ ' ');
        } catch (Exception unused2) {
            // only reachable if the password were shorter than 23 characters
        }
        String str2 = new String(charArray);
        System.out.println(str2);   // pre-hash flag: K33p1nG_sEcr3t5_15_h@rD
    }
}


Flag: DSO-NUS{108e77465a2acf4f78008bcf6bc1f782ad470f1a5dcac91dd56906a5ae02c8da}