Objective Exploiting a Cross-Site Scripting (XSS) vulnerability in Android WebView to achieve Remote Code Execution (RCE) The post board challenge from Mobile Hacking Lab is available here 👉 https://www.mobilehackinglab.com/course/lab-postboard. Inspecting Android Manifest The application has only one activity com.mobilehackinglab.postboard.MainActivity. The relevant snippet from AndroidManifest.xml is provided below. <activity android:name="com.mobilehackinglab.postboard.MainActivity" android:exported="true"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="postboard" android:host="postmessage"/> </intent-filter> </activity> As the activity is exported, it can be launched by other applications installed on the same device....

Recon $ frida-ps -Uai | grep ovaa - Oversecured Vulnerable Android App oversecured.ovaa Exploiting Insecure Logger Service Android Manifest Entries - InsecureLoggerService <uses-permission android:name="android.permission.INTERNET"/> <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <service android:name="oversecured.ovaa.services.InsecureLoggerService"> <intent-filter> <action android:name="oversecured.ovaa.action.DUMP"/> </intent-filter> </service> Source Code - InsecureLoggerService // oversecured.ovaa.services.InsecureLoggerService package oversecured.ovaa.services; import android.app.IntentService; import android.content.Intent; import java.io.BufferedReader; import java.io.BufferedWriter; import java.io.File; import java.io.FileWriter; import java.io.IOException; import java.io.InputStreamReader; /* loaded from: classes.dex */ public class InsecureLoggerService extends IntentService { private static final String ACTION_DUMP = "oversecured....

Intro Classic ROP challange. File Info $ file vuln vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, BuildID[sha1]=3aa2bb6a5bf44d90a355da83fa909bbf5d9d90ce, for GNU/Linux 3.2.0, not stripped Statically linked binary. Source code #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFSIZE 16 void vuln() { char buf[16]; printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"); return gets(buf); } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); // Set the gid to the effective gid // this prevents /bin/sh from dropping the privileges gid_t gid = getegid(); setresgid(gid, gid, gid); vuln(); } Running Executable $ ....

Intro Do you think you can bypass the protection and get the flag? It looks like Dr. Oswal added a stack canary to this program to protect against buffer overflows. We are given compiled binary, its source and the host and port where challenge is hosted. saturn.picoctf.net 63181 #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h>#include <wchar.h>#include <locale.h> #define BUFSIZE 64 #define FLAGSIZE 64 #define CANARY_SIZE 4 void win() { char buf[FLAGSIZE]; FILE *f = fopen("flag....

Intro Overflow the buffer and change the return address to the flag function. We are given the compiled binary, the application source code along with the hostname and port to connect to. #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFFSIZE 64 #define FLAGSIZE 64 void flag() { char buf[FLAGSIZE]; FILE *f = fopen("flag.txt","r"); if (f == NULL) { printf("%s %s", "Please create 'flag.txt' in this directory with your", "own debugging flag....

Investigation When connecting to challenge server on the given hostname and port, it is an echo server which echoes back the user input in alternate case. $ nc mercury.picoctf.net 37289 WeLcOmE To mY EcHo sErVeR! test TeSt ^C We are given following files: $ ls -lR .: total 20 drwxr-xr-x 2 kali kali 4096 Nov 9 00:32 libc -rw-r--r-- 1 kali kali 95 Mar 15 2021 Makefile -rw-r--r-- 1 kali kali 8560 Mar 15 2021 vuln ....

Introduction This is walkthrough for Ropasaurusrex challenge from PlaidCTF 2013. Repo for binary: https://github.com/adamdoupe/ctf-training/tree/master/ropasaurusrex Docker: docker run -p 127.0.0.1:31337:31337 -it adamdoupe/ropasaurusrex Crashing the Program: Enable Core Dumps: $ ulimit -c unlimited Sending large string: $ python -c "print ('A'*300)" | ./ropasaurusrex zsh: done python -c "print ('A'*300)" | zsh: segmentation fault (core dumped) ./ropasaurusrex Inspecting core dump: $ gdb ./ropasaurusrex -q core Reading symbols from ./ropasaurusrex... (No debugging symbols found in ....

Introduction This is walkthrough for level2 of ROP Primer from vulnhub. Running the Application level0@rop:/home/level2$ ls -l total 588 -rw-r----- 1 root root 27 Jan 20 2015 flag -rwsr-xr-x 1 root root 595252 Jan 20 2015 level2 level0@rop:/home/level2$ level0@rop:/home/level2$ ./level2 level0@rop:/home/level2$ ./level2 AAAAAAAAAA [+] ROP tutorial level2 [+] Bet you can't ROP me this time around, AAAAAAAAAA! level0@rop:/home/level2$ Application accepts command line arguments. Crashing the Application Enable core dump - ulimit -c unlimited...

Introduction This is walkthrough for level1 of ROP Primer from vulnhub. Exploit Development Running the Application level0@rop:/home/level1$ ./level1 [!] error bind()ing! [+] retrying bind() [!] error bind()ing! ^C This means that a service is already listening on the port. Inspecting netstat to look for listening ports. level0@rop:~$ su root Password: root@rop:/home/level0# netstat -antp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0....