Hello all and welcome to the Android Security and Exploitation training series by PentesterAcademy. I'm Aditya. I'm your course instructor for this entire training series. So you can check out the certifications at securitytube-training.com and you can also view the entire course at pentesteracademy.com. Now, in the previous video, we had a look at the access control issues and we were able to invoke the activity containing the API and the key using the intent filter and the activity manager, right. So in this particular example, or this particular issue, which is the access control issues part II, it asks you whether you want to view the TVEETER API credentials, and if you click on register now and click over here, it asks for a pin, right. And it asks you to register at a website and login with that particular pin, right. So the objective is you're able to access the third party app API credentials after you have registered, right. Now, you can register and the vendor gives you a pin, but what you want to do is access the API credentials from outside the app without knowing the pin, and this is quite similar to what we did in the previous video. So let's try this same example. Let's try the same method for this particular example as well.

So this particular one is access control issues part II, and if we look at the AndroidManifest.xml, we have the access control 1 activity and the access control 2 activity, where the intent filter is VIEW_CREDS2 instead of simple VIEW_CREDS. So let's try to use this. So adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS2. And let's see what happens with the application. Let me go to the home screen, then try this out, and now as you see, it brings me to an enter pin screen rather than showing the actual API key. So there is a kind of protection here which you'll need to bypass. So if you look at the source code for this particular exercise, you'll notice that it checks for another parameter which is called check pin or chk_pin. And if it is true, it asks you to register at a particular website and login with that pin, but if the check pin is set to false it tells you the API key and the password. So all we need to do is invoke this intent filter along with an extra parameter. So you can do it with either AM, which we did earlier, adding an extra parameter to it, or you can also use Drozer in this case in order to launch an intent filter as well as pass in an additional argument to it. So you can know more about Drozer in the training videos.

So there, we have discussed in detail what Drozer is, how we start it, how we do a basic exploitation, even scripting, and so on. So you can check out securitytube-training.com in order to check out all those details. So we'll start Drozer and I check out the activity names for this particular package, jakhar.aseem.diva. Now, if you notice, there are three different activities. One is the main activity, and then you have the APICreds activity, which was the previous exercise, and now you have the APICreds2 activity. So what we'll do over here is, we'll start the APICreds2Activity along with an extra check pin boolean set to false. Since in the code, you can check that the check pin variable is actually a boolean, so you can set it to false and launch the APICreds2Activity. So let's do run app.activity.start --component and simply copy this one along with the package name, which is jakhar.aseem.diva, and pass in extra data which is check pin. So extra boolean check pin set to false. And let's see if this works or not. Before this, let me just go back, create the application, then launch this. Let's delete this, didn't work. So let's see where we went wrong when I'm... activity start. So, sorry about the short interruption. So the chk_pin that we asked, still trying. There is a string located inside the strings.xml.

And if you look at the source code which is at this github URL, you can go inside the app and navigate to source, main, resources, then values, and here you'll find the strings.xml. And if you open the strings.xml and simply scroll down, say maybe, okay, so here it is. So if you look over here, there's a string with a tag of chk_pin and the actual string is check_pin, so check_pin is what we need to use inside our statement. So let's try to launch the activity. So app.activity.start --component jakhar.aseem.diva, which is the package name, and then the activity name is APICreds2Activity, passing in an extra boolean of check_pin false. And if you look over here, we have the API key as well as the user name and password. So this is how you use Drozer in order to start an activity along with passing extra variables to it. So that's all for this video. If you have any feedback or queries, reach out to me at adi@attify.com. And if you want to check out the complete course videos, you can go to securitytube-training.com or you can get a subscription at pentesteracademy.com. See you in the next video.