u/myassin75f

CTF challenge is impenetrable

Hey everyone,

I'm currently working on a CTF challenge from SecDojo and I'm a bit stuck.

The setup is:

- I have access to one machine

- There are 4 additional machines to pivot into

- Each machine contains 2 flags

- SSH access is not available (requires a key I don't have)

- The only exposed service I can use is HTTP

I was also provided with an APK file, which I assume is part of the challenge, but I'm not very experienced with analyzing Android apps.

What I’ve tried so far:

- Basic enumeration over HTTP

- Looking for common endpoints (admin, login, etc.)

What I’m struggling with:

- How to use the APK effectively in this scenario

- How to pivot from the initial machine to the others using only HTTP

- Whether I should focus more on reverse engineering the APK or web exploitation

Any hints or guidance would be really appreciated (no full solutions please 🙏)

Thanks!

#Help

reddit.com
u/myassin75f — 7 days ago