CTF challenge is impenetrable
Hey everyone,
I'm currently working on a CTF challenge from SecDojo and I'm a bit stuck.
The setup is:
- I have access to one machine
- There are 4 additional machines to pivot into
- Each machine contains 2 flags
- SSH access is not available (requires a key I don't have)
- The only exposed service I can use is HTTP
I was also provided with an APK file, which I assume is part of the challenge, but I'm not very experienced with analyzing Android apps.
What I’ve tried so far:
- Basic enumeration over HTTP
- Looking for common endpoints (admin, login, etc.)
What I’m struggling with:
- How to use the APK effectively in this scenario
- How to pivot from the initial machine to the others using only HTTP
- Whether I should focus more on reverse engineering the APK or web exploitation
Any hints or guidance would be really appreciated (no full solutions please 🙏)
Thanks!
#Help