Description
Where do droids log things? Run droids0.apk in an emulator, press the button, and check the Android system log for the flag.
Setup
Download the APK file.
Install Android Studio and configure an Android Virtual Device (AVD) emulator.
wget <url>/droids0.apkSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Install and run the APK in an Android emulatorObservationI noticed the challenge description said to 'check the Android system log,' which indicated the flag is not displayed on screen but instead written via a log call accessible through adb logcat.Install the APK using ADB, launch it in the emulator, and press the Flag button. The flag is written to the Android system log (logcat) rather than displayed on screen. Watch logcat while pressing the button.bashadb install droids0.apkbash# Launch the emulator and open the app, then:bashadb logcat | grep picoCTFExpected output
D/PICO_FLAG( 1234): picoCTF{a.moose.once.bit.my.sister}What didn't work first
Tried: Run 'strings droids0.apk | grep picoCTF' to extract the flag without an emulator
strings on the APK itself returns nothing useful because the flag is assembled and emitted at runtime via Log.d(), not stored as a literal string in the binary. The flag only exists as logcat output after the button is pressed, so static extraction tools will come up empty.
Tried: Use 'adb logcat -s PICO_FLAG' expecting to filter by tag name
The -s flag filters by tag, which works, but only if you know the exact tag name in advance. Using 'grep picoCTF' on the raw stream is more reliable when the tag is unknown; guessing a wrong tag (e.g. 'picoCTF' or 'FLAG') silently produces no output and appears as if the flag was never logged.
Learn more
Android's logcat is the system logging output. Apps write to it using
Log.d(tag, message),Log.i(),Log.e(), etc. Log messages are invisible to normal users but fully visible over ADB to developers (and attackers). In this challenge, instead of displaying the flag on screen, the app writes it to the log.adb logcat | grep picoCTFfilters the continuous log stream for lines containing the flag prefix. Alternatively, Android Studio's Logcat window provides a GUI filter. You can also useadb logcat -s PICO_FLAGto show only log entries with the 'PICO_FLAG' tag.Step 2
Read the flag from logcatObservationI noticed the logcat stream produced a line tagged PICO_FLAG after pressing the button, which confirmed the flag value was fully assembled at runtime and just needed to be copied from that output.The flag appears in the logcat stream when the button is pressed. Copy the full picoCTF{...} string from the output.Learn more
This challenge demonstrates a common Android security mistake: logging sensitive data. In production apps, log statements should be removed or disabled in release builds because logcat is accessible to any process with the READ_LOGS permission and to anyone with adb access.
To verify this statically:
jadx droids0.apk -d droids0_java/then look at MainActivity to see theLog.d()call that outputs the flag to logcat.
Flag
Reveal flag
picoCTF{a.moose.once.bit.my.sister}
The flag is logged to Android logcat when the button is pressed - run in an emulator and watch adb logcat output.