Android becomes a part and parcel of our life. Without an Android phone, it is impossible to start our day. It is a blessing of modern techn

seen from Argentina
seen from Germany
seen from Australia

seen from United States
seen from China
seen from United States
seen from United States

seen from United States

seen from United States

seen from United States

seen from Italy

seen from United Kingdom
seen from South Korea
seen from China
seen from China
seen from Canada

seen from United States
seen from Germany

seen from United States
seen from Romania
Android becomes a part and parcel of our life. Without an Android phone, it is impossible to start our day. It is a blessing of modern techn

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch • No registration required • HD streaming
Catch
So over the last few weeks I've been working on Catch. With work and the festive period I haven't had a lot of time; I finally got the opportunity to finish it last night. :)
It has a medium rating but I wouldn't say it's due to the initial foothold and privilege escalation being difficult- it's more due to there being a couple of rabbit holes (all of which I fell into for a period!)
Enumeration
As always, a port scan kicks off the process. Unfortunately I can't show the output of the port scan as during the time I switched laptops and I'm too lazy to power my old one on. xD However, the results were roughly as follows:
Port 80: HTTP (Catch Global Systems main page)
Port 3000: Gitea(?)
Port 5000: Lets Chat(?)
Port 8000: Cachet status page system
Port 80 was the first location I checked. You're greeted with what appears to be Catch's main application:
The signup/login functionality isn't present; I did notice the ability to download a file. The file that downloads is an apk.
For those that are unfamiliar with mobile applications, apk is one of the file formats for an Android mobile application which uses XML and Java. Having a little experience with mobile applications, my first thought was to decompile the apk and check for any hidden hardcoded secrets, usually stored in strings.xml.
To decompile the apk, I used apktool.
$ apktool d catchv1.0.apk
This decompiles the apk to near it's original form and places the resulting files in ./catchv1.0/. From here, I viewed ./res/values/strings.xml and found 3 potentially usable tokens for other applications:
$ grep token catchv1.0/res/values/strings.xml <string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string> <string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string> <string name="slack_token">xoxp-23984754863-2348975623103</string>
Foothold
With these in hand, I started with Lets Chat at random. Lets Chat is an open-source chat application utilizing a REST api. With it being open-source, it didn't take long at all to find how to use the discovered token:
As you can see, a password for John is viewable in one of the chat rooms. This grants you access to another one of their applications called Cachet- open-source yet again.
Cachet is the last stop before system access; admittedly this is where I fell rabbit hole 1 as I did spend some time trying to use the gitea_token, more out of curiosity than anything. After spending some time on this, however, I gave up and focused on Cachet.
As it turns out, the version of Cachet in use had two pubicly known vulnerabilities related to interaction with the application's dotenv file. One allowed you to leak values set in dotenv while the other allowed you to add new values to dotenv which could be used to achieve remote command execution. This is done by hosting a redis server, altering the dotenv file to make the application use your hosted redis server as a session driver and finally changing the value of the session key after the initial connection to a payload generated by phpggc. Better detail off this is given here.
I did spend some time playing around with the RCE vulnerability here, more out of interest as I haven't had any experience with Redis prior to this and it took me a while to get RCE working as the video doesn't explicitly show the process step-by-step.
Originally, I was getting the token from the source code in the application, adding this as a key with the phpggc payload as the value and then altering the dotenv file to connect to my Redis Server. As the RCE occurs when the client connects the second time and reads the value from the original session token, this didn't work.
I did eventually get this working, uploaded a PHP web shell and upgraded this to a reverse shell; this ultimately proved to be a waste of time as you end up in a Docker instance with no ability to break out of it!
With a heavy heart, I turned to the second vulnerability and leaked the database password from the dotenv file. This grants us access to the server through SSH as WIll.
Privilege Escalation
Privilege escalation was actually quite easy! Some simple enumeration reveals the presence of world-writeable directory /opt/mdm/apk_bin. In /opt/mdm, there is a Bash file verify.sh.
verify.sh is used to verify the legitimacy of apks uploaded to apk_bin and is executed as part of a cronjob which is executed as root. While references to verify.sh cannot be directly found, there is reference to 'check.sh' in the root directory in running processes (netstat -ano.)
The interesting lines of the script are here:
app_check() { APP_NAME=$(grep -oPm1 "(?<=string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml") echo $APP_NAME ...
The function app_check is taking the app_name from strings.xml and echoing it back with no form of mitigation against command injection. For example, wrapping the variable name with ${} would have prevented this vulnerability being exploitable as this would have specified that only variable expansion was expected- the app name would have been echoed back as a string and not interpreted as a literal Bash command.
I tested this first by simply making the app name 'Catch; touch /opt/mdm/heuheu' and uploading it using python -m SimpleHTTPServer on my end and curl on Catch's end which achieved the expected outcome.
I did this with APK Editor Studio after encountering some errors trying do manually decompile and then recompile with apktool. Note that you also need to create a key for signing the APK as verify.sh uses jarsigner to verify this.
will@catch:/opt/mdm/apk_bin$ ls -al .. total 16 drwxr-x--x+ 3 root root 4096 Jan 6 21:55 . drwxr-xr-x 4 root root 4096 Dec 16 2021 .. drwxrwx--x+ 2 root root 4096 Jan 6 22:03 apk_bin -rw-r--r-- 1 root root 0 Jan 6 21:55 heuheu -rwxr-x--x+ 1 root root 1894 Mar 3 2022 verify.sh
From here, I went old school and just made /etc/passwd fully accessible by everyone before changing root's password to 'mwaha'
Generating the password:
$ openssl passwd mwaha KW56XEY7wxZuU
Where the password is added in /etc/passwd:
root:KW56XEY7wxZuU:...
There you go. ^-^
Android .apk Dosyasından Kaynak Kodlara Erişim
Android .apk Dosyasından Kaynak Kodlara Erişim
Herhangi bir .apk dosyasından kaynak koduna erişebileceğinizi biliyor muydunuz? Marketten indirdiğiniz programların .apk uzantılı dosyalarında veya internetten indirdiğiniz .apk dosyalarında işlem yapabilirsiniz.
Evet yanlış okumadınız. Android uygulamalarınızı java ile yazıyorsanız .jar dosyaları gibi sıkıştırılmış dosyalar ile de muhakkak uğraşmışlığınız olmuştur. Her uygulama compile…
View On WordPress
Introducción a los retos de captura la bandera CTF, como método de entrenamiento ofensivo - Parte 3
Introducción a los retos de captura la bandera CTF, como método de entrenamiento ofensivo - Parte 3 @AgeticBolivia @UnifranzBolivia @u_bolivariana #UNIFRANZ Sede La Paz
Amigos, continuamos con la solución de los retos CTF iniciados en un anterior post.
Nivel 3 Reto: Forense 1
“Un peligroso delincuente esta pasando mensajes ocultos en los pdf que envia su complice en el extranjero. Puedes hacer un análisis, ya casi eres un hacker. ¿Encontraste tu bandera?”
n3 – forense 1 – documentoDescarga Solución
Podríamos analizar el archivo con las…
View On WordPress
Decompile and Modify APKs on the go with APKTool for Android [XDA Spotlight]
Decompile and Modify APKs on the go with APKTool for Android [XDA Spotlight]
APKTool is a powerful piece of software developed by XDA Senior Member ibotpeaches. The tool allows you to reverse engineer APK files, allowing you to decode resource files so you can modify them and then recompile the application. It is extremely difficult to qualify just how important this tool is to the Android community, but a list of some of its more popular use cases should give you a great…
View On WordPress

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch • No registration required • HD streaming
3 - Instalando mais ferramentas
Novo post, "Instalando mais ferramentas" para o Laboratório de penetração Android
Apktool
Apktool é uma das ferramentas mais importantes para o arsenal de um testador de penetração Android.
Usaremos essa ferramenta mais tarde para engenharia reversa de aplicativos do Android e para criar malwares para infecção de apps legítimos.
Baixe a versão mais recente do Apktool no link a seguir (faça o download do Apktool v2.2.2 ou mais recente para evitar alguns problemas que existem em…
View On WordPress
Урок модификации системы android #1 Добавляем имя sim карты в статус бар