MHL Config Editor

Challenge Description

Welcome to the Config Editor Challenge! In this lab, you’ll dive into a realistic situation involving vulnerabilities in a widely-used third-party library. Your objective is to exploit a library-induced vulnerability to achieve RCE on an Android application.

configeditor.apk

Solution

As usual, I started out by performing static analysis to read the code.

Static Analysis

I started by looking into the AndroidManifest.xml.

    <activity
        android:name="com.mobilehackinglab.configeditor.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="file"/>
            <data android:scheme="http"/>
            <data android:scheme="https"/>
            <data android:mimeType="application/yaml"/>
        </intent-filter>
    </activity>

There’s only one activity and it has an intent filter which accepts a URI parameter. ...

April 9, 2025 · 4 min · 757 words

MHL Note Keeper

Challenge Description

Welcome to the NoteKeeper Application, where users can create and encode short notes. However, lurking within the app is a critical buffer overflow vulnerability. Your mission is to uncover this vulnerability and exploit it to achieve remote code execution.

notekeeper.apk

Solution

I started out by performing static analysis to look into the code.

Static Analysis

I started out by looking into the AndroidManifest.xml.

    <activity
        android:name="com.mobilehackinglab.notekeeper.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>

There’s only one activity at the moment so let’s look into it. ...

April 8, 2025 · 11 min · 2323 words

MHL Document Viewer

Challenge Description

Welcome to the Remote Code Execution (RCE) Challenge! This lab provides a real-world scenario where you’ll explore vulnerabilities in popular software. Your mission is to exploit a path traversal vulnerability combined with dynamic code loading to achieve remote code execution.

documentviewer.apk

Solution

I started out by working on static analysis.

Static Analysis

As usual, I check the AndroidManifest.xml.

    <activity
        android:name="com.mobilehackinglab.documentviewer.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="file"/>
            <data android:scheme="http"/>
            <data android:scheme="https"/>
            <data android:mimeType="application/pdf"/>
        </intent-filter>
    </activity>

There is only one MainActivity activity and it has the intent filter where it accepts some URI parameter. ...

April 7, 2025 · 7 min · 1402 words