Mobile Hacking Lab - Secure Notes Lab Solution

Objective Retrieve a PIN code from a secured content provider in an Android application. Secure Notes Lab 👉: https://www.mobilehackinglab.com/course/lab-secure-notes Secure Note Application The Secure Note application asks for a PIN. Submitting an invalid PIN results in the message [ERROR: Incorrect PIN]. Source Code Analysis Android Manifest Analysing the AndroidManifest.xml, we can see that the application exports a content provider and the MainActivity. <provider android:name="com.mobilehackinglab.securenotes.SecretDataProvider" android:enabled="true" android:exported="true" android:authorities="com.mobilehackinglab.securenotes.secretprovider"/> <activity android:name="com....

December 22, 2023 · 4 min · Rizal

Mobile Hacking Lab - Post Board Lab Solution

Objective Exploiting a Cross-Site Scripting (XSS) vulnerability in Android WebView to achieve Remote Code Execution (RCE) The post board challenge from Mobile Hacking Lab is available here 👉 https://www.mobilehackinglab.com/course/lab-postboard. Inspecting Android Manifest The application has only one activity, com.mobilehackinglab.postboard.MainActivity. The relevant snippet from AndroidManifest.xml is provided below. <activity android:name="com.mobilehackinglab.postboard.MainActivity" android:exported="true"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="postboard" android:host="postmessage"/> </intent-filter> </activity> As the activity is exported, it can be launched by other applications installed on the same device....

December 20, 2023 · 6 min · Rizal

Oversecured OVAA - Vulnerabilities and Exploits

Recon $ frida-ps -Uai | grep ovaa - Oversecured Vulnerable Android App oversecured.ovaa Exploiting Insecure Logger Service Android Manifest Entries - InsecureLoggerService <uses-permission android:name="android.permission.INTERNET"/> <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <service android:name="oversecured.ovaa.services.InsecureLoggerService"> <intent-filter> <action android:name="oversecured.ovaa.action.DUMP"/> </intent-filter> </service> Source Code - InsecureLoggerService // oversecured.ovaa.services.InsecureLoggerService package oversecured.ovaa.services; import android.app.IntentService; import android.content.Intent; import java.io.BufferedReader; import java.io.BufferedWriter; import java.io.File; import java.io.FileWriter; import java.io.IOException; import java.io.InputStreamReader; /* loaded from: classes.dex */ public class InsecureLoggerService extends IntentService { private static final String ACTION_DUMP = "oversecured....

February 27, 2023 · 26 min · Rizal

PicoCTF - ROPFU

Intro Classic ROP challenge. File Info $ file vuln vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, BuildID[sha1]=3aa2bb6a5bf44d90a355da83fa909bbf5d9d90ce, for GNU/Linux 3.2.0, not stripped Statically linked binary. Source code #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFSIZE 16 void vuln() { char buf[16]; printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"); return gets(buf); } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); // Set the gid to the effective gid // this prevents /bin/sh from dropping the privileges gid_t gid = getegid(); setresgid(gid, gid, gid); vuln(); } Running Executable $ ....

November 12, 2022 · 6 min · Rizal

PicoCTF - Buffer Overflow 3

Intro Do you think you can bypass the protection and get the flag? It looks like Dr. Oswal added a stack canary to this program to protect against buffer overflows. We are given the compiled binary, its source, and the host and port where the challenge is hosted. saturn.picoctf.net 63181 #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h>#include <wchar.h>#include <locale.h> #define BUFSIZE 64 #define FLAGSIZE 64 #define CANARY_SIZE 4 void win() { char buf[FLAGSIZE]; FILE *f = fopen("flag....

November 12, 2022 · 18 min · Rizal

PicoCTF X-Sixty-What

Intro Overflow the buffer and change the return address to the flag function. We are given the compiled binary, the application source code along with the hostname and port to connect to. #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFFSIZE 64 #define FLAGSIZE 64 void flag() { char buf[FLAGSIZE]; FILE *f = fopen("flag.txt","r"); if (f == NULL) { printf("%s %s", "Please create 'flag.txt' in this directory with your", "own debugging flag....

November 10, 2022 · 16 min · Rizal

PicoCTF - Here's A LibC

Investigation Connecting to the challenge server on the given hostname and port reveals an echo server that echoes back the user input in alternating case. $ nc mercury.picoctf.net 37289 WeLcOmE To mY EcHo sErVeR! test TeSt ^C We are given the following files: $ ls -lR .: total 20 drwxr-xr-x 2 kali kali 4096 Nov 9 00:32 libc -rw-r--r-- 1 kali kali 95 Mar 15 2021 Makefile -rw-r--r-- 1 kali kali 8560 Mar 15 2021 vuln ....

November 9, 2022 · 9 min · Rizal

Ropasaurusrex PlaidCTF 2013

Introduction This is a walkthrough for the Ropasaurusrex challenge from PlaidCTF 2013. Repo for binary: https://github.com/adamdoupe/ctf-training/tree/master/ropasaurusrex Docker: docker run -p 127.0.0.1:31337:31337 -it adamdoupe/ropasaurusrex Crashing the Program: Enable Core Dumps: $ ulimit -c unlimited Sending large string: $ python -c "print ('A'*300)" | ./ropasaurusrex zsh: done python -c "print ('A'*300)" | zsh: segmentation fault (core dumped) ./ropasaurusrex Inspecting core dump: $ gdb ./ropasaurusrex -q core Reading symbols from ./ropasaurusrex... (No debugging symbols found in ....

November 7, 2022 · 26 min · Rizal

Rop Primer Level2

Introduction This is a walkthrough for level2 of ROP Primer from vulnhub. Running the Application level0@rop:/home/level2$ ls -l total 588 -rw-r----- 1 root root 27 Jan 20 2015 flag -rwsr-xr-x 1 root root 595252 Jan 20 2015 level2 level0@rop:/home/level2$ level0@rop:/home/level2$ ./level2 level0@rop:/home/level2$ ./level2 AAAAAAAAAA [+] ROP tutorial level2 [+] Bet you can't ROP me this time around, AAAAAAAAAA! level0@rop:/home/level2$ The application accepts command line arguments. Crashing the Application Enable core dump - ulimit -c unlimited...

November 7, 2022 · 17 min · Rizal

Rop Primer Level1

Introduction This is a walkthrough for level1 of ROP Primer from vulnhub. Exploit Development Running the Application level0@rop:/home/level1$ ./level1 [!] error bind()ing! [+] retrying bind() [!] error bind()ing! ^C This means that a service is already listening on the port. Inspecting netstat to look for listening ports. level0@rop:~$ su root Password: root@rop:/home/level0# netstat -antp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0....

November 7, 2022 · 20 min · Rizal