testert1ng
diff --git a/‎README.md
+14-12 b/‎README.md
+14-12
diff --git a/‎h1_thermostat/README.md
+14 b/‎h1_thermostat/README.md
+14
diff --git a/‎h1_thermostat/flag0/README.md
+15 b/‎h1_thermostat/flag0/README.md
+15
diff --git a/‎h1_thermostat/flag0/imgs/flag.jpg
19.5 KB b/‎h1_thermostat/flag0/imgs/flag.jpg
19.5 KB
diff --git a/‎h1_thermostat/flag0/imgs/proxy.jpg
29.7 KB b/‎h1_thermostat/flag0/imgs/proxy.jpg
29.7 KB
diff --git a/‎h1_thermostat/flag1/README.md
+47 b/‎h1_thermostat/flag1/README.md
+47
diff --git a/‎h1_thermostat/flag1/imgs/app.jpg
10.8 KB b/‎h1_thermostat/flag1/imgs/app.jpg
10.8 KB
diff --git a/‎h1_thermostat/flag1/imgs/flag.jpg
41.3 KB b/‎h1_thermostat/flag1/imgs/flag.jpg
41.3 KB
diff --git a/‎h1_thermostat/flag1/imgs/src.jpg
25.1 KB b/‎h1_thermostat/flag1/imgs/src.jpg
25.1 KB
@@ -6,17 +6,18 @@
 
 ## 0x01 CTF
 
-| Difficulty (Points) |	Name                                       | Skills | Completion |
-| ------------------- | ------------------------------------------ | ------ | ---------- |
-| Trivial (1 / flag)  | [A little something to get you started][2] | Web    | 1 / 1      |
-| Easy (2 / flag)     | [Micro-CMS v1][3]                          | Web    | 4 / 4      |
-| Moderate (3 / flag) | [Micro-CMS v2][5]                          | Web    | 3 / 3      |
-| Moderate (6 / flag) | [Photo Gallery][10]                        | Web    | 3 / 3      |
-| Moderate (5 / flag) | [Cody's First Blog][8]                     | Web    | 3 / 3      |
-| Easy (4 / flag)     | [Postbook][6]                              | Web    | 7 / 7      |
-| Moderate (5 / flag) | [Ticketastic: Live Instance][9]            | Web    | 2 / 2      |
-| Easy (3 / flag)     | [Petshop Pro][7]                           | Web    | 3 / 3      |
-| Moderate (5 / flag) | [TempImage][4]                             | Web    | 2 / 2      |
+| Difficulty (Points) |	Name                                       | Skills  | Completion |
+| ------------------- | ------------------------------------------ | ------- | ---------- |
+| Trivial (1 / flag)  | [A little something to get you started][2] | Web     | 1 / 1      |
+| Easy (2 / flag)     | [Micro-CMS v1][3]                          | Web     | 4 / 4      |
+| Moderate (3 / flag) | [Micro-CMS v2][5]                          | Web     | 3 / 3      |
+| Moderate (6 / flag) | [Photo Gallery][10]                        | Web     | 3 / 3      |
+| Moderate (5 / flag) | [Cody's First Blog][8]                     | Web     | 3 / 3      |
+| Easy (4 / flag)     | [Postbook][6]                              | Web     | 7 / 7      |
+| Moderate (5 / flag) | [Ticketastic: Live Instance][9]            | Web     | 2 / 2      |
+| Easy (3 / flag)     | [Petshop Pro][7]                           | Web     | 3 / 3      |
+| Moderate (5 / flag) | [TempImage][4]                             | Web     | 2 / 2      |
+| Easy (2 / flag)     | [H1 Thermostat][11]                        | Android | 2 / 2      |
 
 [1]: https://ctf.hacker101.com/ctf
 [2]: ./a_little_something_to_get_you_started
@@ -27,4 +28,5 @@
 [7]: ./petshop_pro
 [8]: ./codys_first_blog
 [9]: ./ticketastic_live_instance
-[10]: ./photo_gallery
+[10]: ./photo_gallery
+[11]: ./h1_thermostat
@@ -0,0 +1,14 @@
+# H1 Thermostat
+
+## [Flag0](./flag0) -- Found
+
+- Communication is key
+- Have you looked at what the app is sending to the server?
+
+## [Flag1](./flag1) -- Found
+
+- Doesn't the MAC seem interesting?
+- Access to the source code would help
+- Check out the [Android Quickstart][1] video from Hacker101
+
+[1]: https://www.hacker101.com/sessions/android_quickstart
@@ -0,0 +1,15 @@
+# H1 Thermostat - FLAG0
+
+## 0x00 Configure Proxy
+
+Set Android Emulator use the Burp proxy. 
+
+![](./imgs/proxy.jpg)
+
+## 0x01 Install APK
+
+Just drug apk to install it into Android Emulator. And start the app.
+
+Here comes the first FLAG in the POST request.
+
+![](./imgs/flag.jpg)
@@ -0,0 +1,47 @@
+# H1 Thermostat - FLAG1
+
+## 0x00 Params
+
+There are different messages sending through. We can decode them with [base64][1].
+
+| encoded                                          | readable                             |
+| ------------------------------------------------ | ------------------------------------ |
+| eyJjbWQiOiJnZXRUZW1wIn0                          | {"cmd":"getTemp"}                    |
+| eyJ0ZW1wZXJhdHVyZSI6IDc3LCAic3VjY2VzcyI6IHRydWV9 | {"temperature": 77, "success": true} |
+| eyJjbWQiOiJzZXRUZW1wIiwidGVtcCI6Nzd9             | {"cmd":"setTemp","temp":77}          |
+| eyJjbWQiOiJzZXRUZW1wIiwidGVtcCI6NzB9             | {"cmd":"setTemp","temp":70}          |
+| eyJzdWNjZXNzIjogdHJ1ZX0=                         | {"success": true}                    |
+
+As the app shows current temperature is 73 and target 70.
+
+![](./imgs/app.jpg)
+
+Tried to manually change the temperature by encode 
+
+```javascript
+//eyJjbWQiOiJzZXRUZW1wIiwidGVtcCI6NzN9
+base64({"cmd":"setTemp","temp":73})
+```
+
+But got an error as following
+
+```json
+//eyJzdWNjZXNzIjogZmFsc2UsICJlcnJvciI6ICJNQUMgZmFpbHVyZSJ9
+{"success": false, "error": "MAC failure"}
+```
+
+## 0x01 Check Source
+
+Something wrong with that MAC. Need go back to check the source for some help.
+
+![](./imgs/src.jpg)
+
+```
+classes.dex -> com -> hacker101 -> level11 -> PlayloadRequest
+```
+
+Both flags can be found here.
+
+![](./imgs/flag.jpg)
+
+[1]: https://www.base64decode.org/