👾
General
  • 👾whomai
  • 🔥Mobile Pentest
    • 😎Android Architecture
    • 🥱Mobile Hacking Lab
      • IOT Connect
      • Strings
      • Guess me
      • Secure notes
      • Post Board
      • Food Store
      • Cycle Scanner
      • Document Viewer
      • Config Editor
  • 😇Web Vulnerabilities
    • 😁OS Command Injection
    • 😍Information disclosure
    • 🥰JWT attacks
    • 😎Access Control List
    • 😝CSRF
    • 😚SSRF
    • 😚API9:2023 Improper Inventory Management
  • 👻Privilege Escalation
    • 😎Linux Privilege Escalation
    • 😢Windows Privilege Escalation
  • HTB Writeups
    • 😚Soccer htb
    • 😃Devil HTB
Powered by GitBook
On this page
  1. Mobile Pentest
  2. Mobile Hacking Lab

Post Board

Hello everyone , In this blog post , I will try to explain my solution steps for Post Board challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

PreviousSecure notesNextFood Store

Last updated 3 months ago

  1. After we install The APK then we open it its a message application with an input field

  2. Let’s Examine the AndroidManifest.xml we found that activity com.mobilehackinglab.postboard.MainActivity , it’s an exported activity

    1. have a data schema with scheme= postboard and android:host= postmessage with a category BROWSABLE

  3. let’s analysis this main activity code :

    1. First thing we find is setupView() that have :

      1. setJavaScriptEnabled(**true**)

      2. path that load the url file:///android_asset/index.html

    2. the second thing is handleIntent()

      1. Verifies if the intent’s URI scheme is postboard and the host is postmessage.

      2. Decodes a Base64-encoded path in the URI, escapes certain characters, and passes it to JavaScript via WebAppInterface.postMarkdownMessage to display it on the home page.

  4. Let’s try to test our input :

    1. First payload is <h1>kero</h1> ⇒ already success

    2. the second payload is <img src=x onerror=alert(1)> ⇒ success

  5. when we analysis the WebAppInterface class we found this Func postCowsayMessage()

    1. it execute the cowsay script located at CowsayUtil.scriptPath

    2. passing the message arg as {"bin/sh", "-c", CowsayUtil.scriptPath + ' ' + message}

      1. it use a shell , then call the message + script path

      2. may be we can call the postCowsayMessage and then pass whoami as a cowsayMessage

      3. then it will be passed to runCowsay and then exec it by :

        1. my payload is <img src=x onerror=WebAppInterface.postCowsayMessage("Kero0x1_is_here;id")> let’s encode it and put it with adb

      adb shell am start -n "com.mobilehackinglab.postboard/.MainActivity" -a "android.intent.action.VIEW" -d "postboard://postmessage/

      PGltZyBzcmM9eCBvbmVycm9yPVdlYkFwcEludGVyZmFjZS5wb3N0Q293c2F5TWVzc2FnZSgiS2VybzB4MV9pc19oZXJlO2lkIik+"

  6. and here we success and already get rce 😉

🔥
🥱
image.png