M8: Menards Plaintext Password Storage (15 pts)

What You Need for This Project

Windows Users

Use the Nox emulator for this project. Don't use BlueStacks, unless you've rooted it first.

Summary

The Menards Android app stores the user's password locally without encryption.

Responsible Disclosure

I notified the developer of the Android flaws in 2017 but the app was not fixed.

Start VMware

Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.

Installing the App

Install the app shown below from the Google Play store.

Registering an Account

On your Android device launch the app and click CREATE ACCOUNT.

Register an account with the password

YOURNAME-PASSWORD

as shown below. Replace "YOURNAME" with a version of your name that doesn't contain any spaces.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:

adb connect 172.16.123.154
adb devices -l

You should see your Genymotion device in the "List of devices attached", as shown below.

Exploring the Android File System

On Kali, in a Terminal, execute this command:

adb shell

You get a root shell on the Android device, as shown below.

On Kali, in the Terminal, execute these commands:

cd /data/data
cd com.menards.mobile
cd shared_prefs
ls

You see the files the app saved, including one named User_Information.xml, as shown below.

On Kali, in the Terminal, execute this command:

cat User_Information.xml

You see the password, containing your name, as shown below.

Find the text covered by a green box in the image above. Enter it into the form below to record your success.
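
From the developer's or auditor's side, the same check can be automated over preference files pulled from a test device. The script below is an added example, not part of the original lab or the Menards app; the sample XML, its key names, and the key-name pattern are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in Android's SharedPreferences XML layout; the key names
# and values are invented, not taken from the Menards app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">yourname@example.com</string>
    <string name="password">YOURNAME-PASSWORD</string>
    <string name="auth_token">constructed-session-token</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
    <set name="recent_stores"><string>3011</string></set>
</map>
"""

# Key names that suggest a credential (assumed heuristic; extend per app).
SECRET_KEY = re.compile(r"pass(word|wd|phrase|code)|pwd|secret|token|api_?key", re.I)


def redact(value):
    """Keep two leading characters and the length so reports hold no secrets."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def audit_shared_prefs(xml_text):
    """Return (key, type, redacted_value) for each credential-like entry."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root is <%s>" % root.tag)
    findings = []
    for entry in root:
        name = entry.get("name", "")
        if not SECRET_KEY.search(name):
            continue
        # <string> keeps its value as element text; other types use value="...".
        value = entry.text if entry.tag == "string" else entry.get("value")
        if not value:
            continue  # key exists but nothing is stored under it
        findings.append((name, entry.tag, redact(value)))
    return findings


if __name__ == "__main__":
    for key, kind, shown in audit_shared_prefs(SAMPLE_PREFS):
        print("plaintext %s entry %r: %s" % (kind, key, shown))
```

Any finding means a readable secret is sitting in shared_prefs, which is the condition this project demonstrates.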


M4: Recording Your Success (15 pts)

Use the form below to record your success.

Posted 1-14-19 by Sam Bowne
Dash removed from password 1-23-19
Changed slightly to work on Windows also 2-13-19
Converted to a CTF 2-28-19