MHL Document Viewer

Challenge Description

Welcome to the Remote Code Execution (RCE) Challenge! This lab provides a real-world scenario where you’ll explore vulnerabilities in popular software. Your mission is to exploit a path traversal vulnerability combined with dynamic code loading to achieve remote code execution.

documentviewer.apk

Solution

I started out by working on static analysis.

Static Analysis

As usual, I check the AndroidManifest.xml.

    <activity
        android:name="com.mobilehackinglab.documentviewer.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="file"/>
            <data android:scheme="http"/>
            <data android:scheme="https"/>
            <data android:mimeType="application/pdf"/>
        </intent-filter>
    </activity>

There is only one activity, MainActivity, and it has an intent filter that accepts some URI parameter. ...

April 7, 2025 · 7 min · 1402 words

MHL Post Board

Challenge Description

Welcome to the Android Insecure WebView Challenge! This challenge is designed to delve into the complexities of Android’s WebView component, exploiting a Cross-Site Scripting (XSS) vulnerability to achieve Remote Code Execution (RCE). It’s an immersive opportunity for participants to engage with Android application security, particularly focusing on WebView security issues.

postboard.apk

Solution

As usual, I started by performing static analysis to get some understanding of the application.

Static Analysis

I started out by reading the AndroidManifest.xml code after decompiling using jadx-gui. ...

April 4, 2025 · 6 min · 1206 words

MHL Food Store

Challenge Description

Welcome to the Android App Security Lab: SQL Injection Challenge! Dive into the world of cybersecurity with our hands-on lab. This challenge is centered around a fictitious “Food Store” app, highlighting the critical security flaw of SQL Injection (SQLi) within the app’s framework.

foodstore.apk

Solution

As usual, static analysis to understand first.

Static Analysis

I started out by reading the AndroidManifest.xml code first.

    <activity
        android:name="com.mobilehackinglab.foodstore.Signup"
        android:exported="false"/>
    <activity
        android:name="com.mobilehackinglab.foodstore.MainActivity"
        android:exported="true"/>
    <activity
        android:name="com.mobilehackinglab.foodstore.LoginActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>

There are Signup, MainActivity and LoginActivity activities, but only the Signup activity is not exported. Reading the objective provided, this challenge will be focused on the signup function. ...

April 3, 2025 · 4 min · 770 words