This is the third part of the InjuredAndroid security challenge series by b3nac. In the second post we learned how a misconfigured AWS bucket and Firebase database can lead to unintended information leaks in the app, and we also looked at an interesting Unicode bug that let us bypass a check in the application.
In this post I'm going to show you how to solve the last three challenges. Without further ado, let's get into it.
Challenge 11:
To finish this challenge you need some knowledge of how deep links work. So what is a deep link? It is just an ordinary URL, but instead of navigating to a website with the http:// or https:// prefix, it uses the app's own URL scheme to take the user directly to specific content or a resource inside the app.
This is one of the examples of a deep link in Android (taken from the official Android developer website):
<activity
    android:name="com.example.android.GizmosActivity"
    android:label="@string/title_gizmos" >
    <intent-filter android:label="@string/filter_view_http_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "http://www.example.com/gizmos" -->
        <data android:scheme="http"
              android:host="www.example.com"
              android:pathPrefix="/gizmos" />
        <!-- note that the leading "/" is required for pathPrefix -->
    </intent-filter>
    <intent-filter android:label="@string/filter_view_example_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "example://gizmos" -->
        <data android:scheme="example"
              android:host="gizmos" />
    </intent-filter>
</activity>
A deep link is declared inside an intent-filter tag: the developer specifies the scheme of the link with the android:scheme attribute and the host with the android:host attribute. As the example shows, it is up to you which name or prefix you use for your app's deep link.
If we look into the AndroidManifest.xml file, we can see the deep-link specification of the challenge 11 activity:
So in order to invoke this activity component of the app, we need to pass a URI with the prefix "flag11://". We can send the URI with an adb command, as in the figure below.
But in order to finish this challenge we need to input the flag. Looking at the source code, we can get the flag with logcat, since the flag is written to the debug log.
We got the 11th flag :)
11th flag => HIIMASTRING
The second way to get the flag, according to the walkthrough, is through the binary called "menu": it says that if we run it, it will show the flag.
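Listing which activities a manifest exposes through deep links, and whether they are reachable from a browser or only from other apps and adb, is the first check a reviewer makes before testing. The following Python script is an added example, not part of the original post or of the InjuredAndroid project. It parses a constructed manifest that contains the Gizmos activity from above plus two made-up activities (LinkActivity with a flag11 scheme, and a non-exported ProtectedActivity) and reports, per activity, the deep-link URIs it accepts, whether the filter is BROWSABLE, and whether the activity is exported explicitly or only implicitly through its intent filter.

```python
# Added example (not the InjuredAndroid project's code): list every activity in
# an AndroidManifest.xml together with its deep-link URIs and exposure.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample manifest: the Gizmos activity from the Android docs plus two
# made-up activities (LinkActivity, ProtectedActivity) to show the other cases.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android">
  <application>
    <activity android:name="com.example.android.GizmosActivity"
              android:label="@string/title_gizmos">
      <intent-filter android:label="@string/filter_view_http_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="http" android:host="www.example.com"
              android:pathPrefix="/gizmos" />
      </intent-filter>
      <intent-filter android:label="@string/filter_view_example_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="example" android:host="gizmos" />
      </intent-filter>
    </activity>
    <activity android:name="com.example.android.LinkActivity"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="flag11" />
      </intent-filter>
    </activity>
    <activity android:name="com.example.android.ProtectedActivity"
              android:exported="false" />
  </application>
</manifest>
"""

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def filter_uris(intent_filter):
    """Expand the <data> elements of one filter into scheme://host/path URIs.

    All <data> elements inside one <intent-filter> contribute to the same
    filter, so every declared scheme is combined with every declared host.
    """
    data = intent_filter.findall("data")
    schemes = [s for s in (_attr(d, "scheme") for d in data) if s]
    hosts = [h for h in (_attr(d, "host") for d in data) if h] or [""]
    paths = [p for p in (_attr(d, "pathPrefix") or _attr(d, "path")
                         for d in data) if p] or [""]
    return [s + "://" + h + p for s in schemes for h in hosts for p in paths]

def audit_manifest(manifest_xml):
    """Return one record per activity: name, exported status, deep links.

    exported is True/False when declared. An activity with an intent filter but
    no android:exported attribute is reported as "implicit": exported by default
    before Android 12, and a build error from API 31 on.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        filters = activity.findall("intent-filter")
        declared = _attr(activity, "exported")
        if declared is not None:
            exported = declared.lower() == "true"
        else:
            exported = "implicit" if filters else False
        links = []
        for f in filters:
            browsable = any(_attr(c, "name") == BROWSABLE
                            for c in f.findall("category"))
            links += [{"uri": u, "browsable": browsable} for u in filter_uris(f)]
        findings.append({"name": _attr(activity, "name"),
                         "exported": exported, "deep_links": links})
    return findings

def browsable_entry_points(findings):
    """Deep links a web page can open: BROWSABLE filters on activities that are
    not explicitly exported=false."""
    return sorted(link["uri"] for a in findings if a["exported"] is not False
                  for link in a["deep_links"] if link["browsable"])

if __name__ == "__main__":
    findings = audit_manifest(SAMPLE_MANIFEST)
    for a in findings:
        print(a["name"], "exported=%s" % a["exported"],
              [link["uri"] for link in a["deep_links"]])
    print("browser-reachable:", browsable_entry_points(findings))
```

Run it against a decoded manifest (for example the one apktool produces) instead of SAMPLE_MANIFEST to get the same report for a real APK; an activity that shows up as "implicit" with a BROWSABLE filter is one that any web page on the device can start.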
Challenge 12:
In order to finish this challenge you need to craft your own exploit using Android Studio.
Looking at the MainActivity class, which is responsible for launching the class that hosts challenge 12, we can see that you need to go through another exported activity to reach our target FlagTwelveProtectedActivity class, since it is not exported.
From the information above it is pretty clear that we need to use the ExportedProtectedIntent activity.
Looking at the source code, we need to pass a Parcelable inside the intent under the extra key "access_protected_component". This extra is then used to invoke the protected activity component.
Parcelable is basically Android's counterpart of Java's Serializable, so if you want to pass a Kotlin or Java object you can use this mechanism.
Once we pass the right intent, it turns out that we need one more extra in the intent, called "totally_secure", and it needs to contain an https:// URL to pass this level.
So how do we do this?
Pretty simple! First, create an intent object that targets the FlagTwelveProtectedActivity class and set the "totally_secure" extra on it. Then create a second intent that carries the previously crafted intent to ExportedProtectedIntent, as in the figure above.
Run the code and you pass this level (no flag!).
Challenge 13:
The last challenge involves a little bit of reverse engineering and an RCE exploit.
Looking at the manifest file, we can see that the activity again has to be invoked through a deep link, but this time you also need to specify the host, so it looks like this: "flag13://rce".
Looking at the source code above, when the class is launched it first calls the copyAssets() function, and as you can see we need to pass three parameters, binary, param and combined, along with the deep link. To pass this level we need to supply the combined parameter with the right input.
The binary and param parameters are used to invoke a Runtime function that lets us execute a program, but only from inside the files directory of the application's internal storage.
Let's take a look at the copyAssets() function first.
As the name implies, it copies the contents of the assets folder, and the destination is the same location from which the program given by the binary and param parameters is executed: the "files" directory.
Looking at the application, there is only one file, named "narnia", inside the assets folder, and it turns out to be a Go executable.
Let's try to reverse engineer it using Ghidra. If you have never reverse engineered a Go binary you will feel overwhelmed by the result, but all you need to do is focus on the main.main function, since it is the equivalent of main() in C.
When you look at the first few lines of the code there is a string comparison:
Let's decode the hex string, remembering that it is stored little-endian: we need to reverse the byte order to make it readable.
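Reversing the byte order by hand gets error-prone once the compared string spans several machine words, so here is the decode as a small Python helper. This is an added example, not the author's code; the constants it decodes ("example_secret", split into 8-, 4- and 2-byte words the way a decompiler shows a word-by-word comparison) are constructed for illustration and are not the value from the narnia binary.

```python
# Added example (not the author's code): rebuild the string behind the
# immediate constants a decompiler shows in a string comparison.

def decode_hex_literal(literal):
    """'0x5f656c706d617865' as shown by the decompiler -> 'example_'.

    The constant is a little-endian load, so its lowest-order byte is the first
    character; reversing the byte order gives the readable string.
    """
    digits = literal[2:] if literal.lower().startswith("0x") else literal
    if len(digits) % 2:
        digits = "0" + digits            # tolerate a dropped leading zero
    raw = bytes.fromhex(digits)[::-1]    # reverse the byte order
    return raw.rstrip(b"\x00").decode("ascii")

def decode_comparison(constants):
    """constants: [(value, width_in_bytes), ...] in the order the code compares
    them, e.g. an 8-byte word, then a 4-byte word, then a 2-byte word for a
    14-character string. Returns the concatenated string (cut at a NUL)."""
    raw = b"".join(value.to_bytes(width, "little") for value, width in constants)
    return raw.split(b"\x00", 1)[0].decode("ascii")

# Constructed sample: the 14-byte string "example_secret" as a word-by-word
# comparison would load it (8 + 4 + 2 bytes). Not the value from narnia.
SAMPLE_CONSTANTS = [(0x5f656c706d617865, 8), (0x72636573, 4), (0x7465, 2)]

if __name__ == "__main__":
    print(decode_hex_literal("0x5f656c706d617865"))
    print(decode_comparison(SAMPLE_CONSTANTS))
```

The width matters: a 2-byte tail shown as a 64-bit constant would carry six leading zero bytes, which is why decode_hex_literal strips trailing NULs after the reversal.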
OK, let's try passing this string as the parameter; the result shows several options that we can use.
From the looks of it, it is pretty clear that we need to use testOne, testTwo and testThree together.
Combining these three outputs we get "Treasure_Planet", and I think this is the secret string that we need to supply in the combined parameter.
From all of this information, let's create the exploit.
Supplying parameters in a deep link works the same way as in a normal http:// URL, and once I run the exploit I pass the challenge. Cool!
13th flag => Treasure_Planet
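The challenge 13 handler takes its binary, param and combined values from the deep link's query string and is supposed to run only programs inside the app's files directory. As an added example (not the challenge's code) of how a defender would parse such a link and actually enforce that restriction, the Python below splits a flag13://rce URI the way an http:// URL is split, canonicalises the requested path against the files directory, and additionally allowlists the exact binary. The files directory path and the allowed binary name "helper" are assumptions made for the sample.

```python
# Added example (not InjuredAndroid's code): parse a flag13://rce style deep
# link and apply the checks a defender puts in front of a "run a binary from
# the files directory" handler.
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumption: the app's internal storage; a real app reads it from getFilesDir().
FILES_DIR = "/data/data/com.example.app/files"
# Assumption: the only helper the app legitimately executes (name is constructed).
ALLOWED_BINARIES = {"helper"}

def parse_deep_link(uri, scheme="flag13", host="rce"):
    """Return the query parameters as a dict, or None when scheme or host differ.

    Parameters ride in the query string exactly as they would on an http:// URL.
    """
    parts = urlsplit(uri)
    if parts.scheme != scheme or parts.netloc != host:
        return None
    return {key: values[0] for key, values in parse_qs(parts.query).items()}

def resolve_inside(files_dir, name):
    """Canonicalise files_dir/name and refuse anything that escapes files_dir.

    Joining and then checking a string prefix is not enough: '..' segments must
    be collapsed first (normpath), and the comparison must be path-aware
    (commonpath) so that 'files2/x' does not pass as being under 'files'.
    """
    candidate = posixpath.normpath(posixpath.join(files_dir, name))
    if posixpath.commonpath([files_dir, candidate]) != files_dir:
        return None
    return candidate

def validate_exec_request(uri, files_dir=FILES_DIR, allowed=ALLOWED_BINARIES):
    """Return (binary_path, param, combined) for a request that passes every
    check, else None. binary/param/combined are the challenge's parameter names.
    """
    params = parse_deep_link(uri)
    if params is None:
        return None
    path = resolve_inside(files_dir, params.get("binary", ""))
    # Staying inside the directory is necessary but not sufficient: anything a
    # copyAssets()-style routine drops there would otherwise become runnable, so
    # the exact path is allowlisted as well.
    allowed_paths = {posixpath.join(files_dir, n) for n in allowed}
    if path is None or path not in allowed_paths:
        return None
    return path, params.get("param", ""), params.get("combined", "")

if __name__ == "__main__":
    print(validate_exec_request(
        "flag13://rce?binary=helper&param=--list&combined=placeholder"))
    print(validate_exec_request(
        "flag13://rce?binary=../../other/helper&param=--list"))
```

The second call prints None: the '..' segments are collapsed before the containment check, so a name that resolves outside the files directory is rejected before anything is executed.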