👾
General
  • 👾whomai
  • 🔥Mobile Pentest
    • 😎Android Architecture
    • 🥱Mobile Hacking Lab
      • IOT Connect
      • Strings
      • Guess me
      • Secure notes
      • Post Board
      • Food Store
      • Cycle Scanner
      • Document Viewer
      • Config Editor
  • 😇Web Vulnerabilities
    • 😁OS Command Injection
    • 😍Information disclosure
    • 🥰JWT attacks
    • 😎Access Control List
    • 😝CSRF
    • 😚SSRF
    • 😚API9:2023 Improper Inventory Management
  • 👻Privilege Escalation
    • 😎Linux Privilege Escalation
    • 😢Windows Privilege Escalation
  • HTB Writeups
    • 😚Soccer htb
    • 😃Devil HTB
Powered by GitBook
On this page
  1. Mobile Pentest
  2. Mobile Hacking Lab

Secure notes

Hello everyone , In this blog post , I will try to explain my solution steps for Secure notes challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

PreviousGuess meNextPost Board

Last updated 3 months ago

  1. Let’s Examine the AndroidMainfest.xml

  2. After That i found 2 Providers ( com.mobilehackinglab.securenotes.secretprovider - androidx.startup.InitializationProvider) and 1 exported Activity (MainActivity )

  3. The MainActivity interact with a content provider, to validate a PIN and retrieve a secret value associated with that PIN.

  4. there is a listener set on a submitPinButton,

    1. when click the code call onCreate$lambda$0 () function ,,

    2. then it , which retrieves the text from pinEditText

    3. then use querySecretProvider to validate the entered pin

  5. Let’s analysis the com.mobilehackinglab.securenotes.SecretDataProvider :

    1. first of all the correct Pin use a key to decrypt the data stored in config.properties file

    2. then let’s keep going in our code

    3. it take a query string

    4. check for if it null , return null

    5. if there is a value then remove the prefix and then extract the int number from it

    6. in the end it invoke the decryptSecret()

    7. if the Cursor return valid , the code look for secret column to query the pin

    8. If a valid cursor is returned and data is available, the code looks for a column named "Secret", expecting this to hold the result of the query.

  6. Let’s back to the config.properties file and try to decrypt it manual

  7. Let’s try to brute force the pinget the decrypted Text

    #!/bin/bash

# Define the content provider URI
CONTENT_URI="content://com.mobilehackinglab.securenotes.secretprovider"

# Loop through all 4-digit PIN combinations (0000 to 9999)
for pin in $(seq -w 0000 9999); do
    echo "Trying PIN: $pin"

    # Use ADB to send the query command to the content provider
    adb shell content query --uri "$CONTENT_URI" --where "pin=$pin"

    # Check the output to see if it indicates a successful attempt
    # Assuming "Secret" is returned upon success, otherwise adjust the condition
    if adb shell content query --uri "$CONTENT_URI" --where "pin=$pin" | grep -q "Secret"; then
        echo "PIN found: $pin"
        break
    fi
done
🔥
🥱
image.png