CTF challenge oauthbreaker. Level:Moderate, Name:Oauthbreaker Flags:2. This challenge provides an android application named oauth.apk.
oauth.apk ->
This app has 2 activities. First activity is MainActivity with authenticate button. On clicking this button a url will open in new web browser with option "Authorize Mobile Application". Opening the link available in web browser redirects to the second activity which is BrowserActivity. BrowserActivity is to load url using webview.
Application flow:
OAuth mobile application(MainActivity) -> Web browser -> OAuth mobile application(BrowserActivity)
URLs at each stage: Authenticate button in MainActivity opens the link: http://35.227.24.107/XXXXXXXXXX/oauth?redirect_url=oauth://final/login&response_type=token&scope=all. Opening the link "Authorize Mobile Application" present in web browser redirects to BrowserActivity in oauth app. This BrowserActivity loads a predefined URL: http://35.227.24.107/5aae3e828a/authed.
Classes in oauth application:
MainActivity.java
BrowserActivity.java
WebAppInterface.java
There is some issue with WebAppInterface java code. At line number 575, variable m is used which was not declared.
for (i = 0; i < arrayOfInt.length; i = m)
Might be this error is intentional!!! Looking at the for loop closly m is used to set the next iteration value in for loop, and the value of m is being set as i+1 inside the for loop. Hence it is obvious that the value of i should be incremented by 1 in for loop increment. Replacing the value of m with i in above line will fix the issue.
for (i = 0; i < arrayOfInt.length; i++)
Flag_1:
Let us first understand the URL opened in web browser i.e.,
http://35.227.24.107/XXXXXXXXXX/oauth?redirect_url=oauth://final/login&response_type=token&scope=all.
This url is to open the webpage oauth and the parameters required for it are redirect_url. URI provided in redirect_url parameter will be loaded in browser. Can we change this parameter value? Tried changing the parameter value to google.com. URL will become
http://35.227.24.107/XXXXXXXXXX/oauth?redirect_url=google.com. Loaded this url in web browser. Inspecting the webpage returned will provide the flag.
Flag_2:
Observed the MainActivity with a hope that will get some clue. MainActivity is loading a simple layout which has a single button and OnClick Listener implemented for this button. There is nothing suspicious in MainActivity. Coming to BrowserActivity. BrowserActivity is also very simple activity for loading a layout with webview. However there is this below line in browser activity which has some signficance. webView.addJavascriptInterface(new WebAppInterface(getApplicationContext()), "iface"); From the andriod documentation (https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)) addJavascriptInterface injects the supplied Java object into this WebView. also the statment : "only public methods that are annotated with JavascriptInterface can be accessed from JavaScript". Looking in WebAppInterface java file there is a method with annotation @JavascriptInterface. The method is getFlagPath()...!!! Will this method provide us the path to flag??? Let us call this method in BrowserActivity. From the same documentation page, we can see webview.loadUrl method can be used to call the public methods from javascript. In BrowserActivity I have added below lines to call the getFlagPath() method:
//webView.loadUrl(str1); //Remove the existing loadUrl method. webView.loadUrl("javascript:alert(iface.getFlagPath())");
Lets us try to print the value returned in getFlagPath() method by adding below lines in WebAppInterface.java file at line no: 683(befor the return command).
Log.d("WebAppInterface", "String is " + stringBuilder.toString());
With all the above changes completed, run the application. Now when the BrowserActivity starts in application, below lines will be present in logcat of andriod studio.
D/WebAppInterface: String is 48ce217fea4529a070a9d3e3c87db512b1596d413e580f7b2e1eab65f3948ab8.html
This must be the file containing the flag. Let us construct the url to access this webpage
http://35.227.24.107/XXXXXXXXXX/48ce217fea4529a070a9d3e3c87db512b1596d413e580f7b2e1eab65f3948ab8.html
Opening this page in browser will display the flag.
oauth.apk ->
This app has 2 activities. First activity is MainActivity with authenticate button. On clicking this button a url will open in new web browser with option "Authorize Mobile Application". Opening the link available in web browser redirects to the second activity which is BrowserActivity. BrowserActivity is to load url using webview.
Application flow:
OAuth mobile application(MainActivity) -> Web browser -> OAuth mobile application(BrowserActivity)
URLs at each stage: Authenticate button in MainActivity opens the link: http://35.227.24.107/XXXXXXXXXX/oauth?redirect_url=oauth://final/login&response_type=token&scope=all. Opening the link "Authorize Mobile Application" present in web browser redirects to BrowserActivity in oauth app. This BrowserActivity loads a predefined URL: http://35.227.24.107/5aae3e828a/authed.
Classes in oauth application:
MainActivity.java
BrowserActivity.java
WebAppInterface.java
There is some issue with WebAppInterface java code. At line number 575, variable m is used which was not declared.
for (i = 0; i < arrayOfInt.length; i = m)
Might be this error is intentional!!! Looking at the for loop closly m is used to set the next iteration value in for loop, and the value of m is being set as i+1 inside the for loop. Hence it is obvious that the value of i should be incremented by 1 in for loop increment. Replacing the value of m with i in above line will fix the issue.
for (i = 0; i < arrayOfInt.length; i++)
Flag_1:
Let us first understand the URL opened in web browser i.e.,
http://35.227.24.107/XXXXXXXXXX/oauth?redirect_url=oauth://final/login&response_type=token&scope=all.
This url is to open the webpage oauth and the parameters required for it are redirect_url. URI provided in redirect_url parameter will be loaded in browser. Can we change this parameter value? Tried changing the parameter value to google.com. URL will become
http://35.227.24.107/XXXXXXXXXX/oauth?redirect_url=google.com. Loaded this url in web browser. Inspecting the webpage returned will provide the flag.
Flag_2:
Observed the MainActivity with a hope that will get some clue. MainActivity is loading a simple layout which has a single button and OnClick Listener implemented for this button. There is nothing suspicious in MainActivity. Coming to BrowserActivity. BrowserActivity is also very simple activity for loading a layout with webview. However there is this below line in browser activity which has some signficance. webView.addJavascriptInterface(new WebAppInterface(getApplicationContext()), "iface"); From the andriod documentation (https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)) addJavascriptInterface injects the supplied Java object into this WebView. also the statment : "only public methods that are annotated with JavascriptInterface can be accessed from JavaScript". Looking in WebAppInterface java file there is a method with annotation @JavascriptInterface. The method is getFlagPath()...!!! Will this method provide us the path to flag??? Let us call this method in BrowserActivity. From the same documentation page, we can see webview.loadUrl method can be used to call the public methods from javascript. In BrowserActivity I have added below lines to call the getFlagPath() method:
//webView.loadUrl(str1); //Remove the existing loadUrl method. webView.loadUrl("javascript:alert(iface.getFlagPath())");
Lets us try to print the value returned in getFlagPath() method by adding below lines in WebAppInterface.java file at line no: 683(befor the return command).
Log.d("WebAppInterface", "String is " + stringBuilder.toString());
With all the above changes completed, run the application. Now when the BrowserActivity starts in application, below lines will be present in logcat of andriod studio.
D/WebAppInterface: String is 48ce217fea4529a070a9d3e3c87db512b1596d413e580f7b2e1eab65f3948ab8.html
This must be the file containing the flag. Let us construct the url to access this webpage
http://35.227.24.107/XXXXXXXXXX/48ce217fea4529a070a9d3e3c87db512b1596d413e580f7b2e1eab65f3948ab8.html
Opening this page in browser will display the flag.


Comments