b3nac / injuredandroid

A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.

License: Apache License 2.0

Java 11.02% Kotlin 51.32% Groovy 0.56% Objective-C 1.29% Ruby 5.96% Shell 0.34% Dart 26.85% Go 0.56% CMake 1.14% C++ 0.95%
android android-studio security-testing android-security webview bug-bounty pentesting flutter flutter-security flutter-xss

injuredandroid's Introduction

InjuredAndroid - CTF

A vulnerable Android application with ctf examples based on bug bounty findings, exploitation concepts, and pure creativity.

Now available on Google Play! https://play.google.com/store/apps/details?id=b3nac.injuredandroid


Setup for a physical device

  1. Download the latest release injuredandroid.apk from the releases or Google Play.

  2. Enable USB debugging on your Android test phone.

  3. Connect your phone and your PC with a USB cable.

  4. If installing from releases, install via adb: adb install InjuredAndroid.apk. Note: You need to use the absolute path to the .apk file or be in the same directory.

Setup for an Android Emulator using Android Studio

  1. Use adb to pull the apk off of your device or install after downloading the latest release apk.

  2. Start the emulator from Android Studio (I recommend downloading an emulator with Google APIs so root adb can be enabled).

  3. Drag and drop the .apk file on the emulator and InjuredAndroid.apk will install.


Build from source

  1. git clone https://github.com/B3nac/InjuredAndroid.git

  2. Create local.properties for the flutter_module

Example for Windows:

sdk.dir=C:\\Users\\B3nac\\AppData\\Local\\Android\\Sdk
flutter.sdk=C:\\Users\\YourUsername\\PathTo\\flutter

Example for Linux:

sdk.dir=/home/username/Android/Sdk
flutter.sdk=/home/username/flutter

  3. Set the Flutter path in Android Studio

File -> Settings -> Languages & Frameworks -> Flutter

  4. Enable Dart Support in Android Studio

  5. Run flutter pub get to import the flutter dependencies

  6. Download the Android NDK that is required for the Assembly flag.

  7. Now you should be able to compile the latest release of InjuredAndroid!


Tips and CTF Overview

Decompiling the Android app is highly recommended.

  • XSSTEST is just for fun and to raise awareness on how WebViews can be made vulnerable to XSS.

  • The login flags just need the flag submitted.

  • The flags without a submit that demonstrate concepts will automatically register in the "Flags Overview" Activity.

  • The exclamatory buttons on the bottom right will give users up to three tips for each flag.

Good luck and have fun! :D


Spoilers

Looking at the source code of the applications in the InjuredAndroid directory, InjuredAndroid-FlagWalkthroughs.md file, or binary source code in the Binaries directory will spoil some if not all of the ctf challenges.

injuredandroid's Issues

Question about Flag8

Hey, this works but I noticed that in the walkthrough you have:

[injuredandroid]
aws_access_key_id = lookinstrings.xmlnotputtingitheresoawsdoesn'talert
aws_secret_access_key = lookinstrings.xmlnotputtingitheresoawsdoesn'talert

So I wanted to ask what do you mean by aws doesn't alert? Is there some service that reports if aws tokens were found in the open? What happens in the case of alert?

Typo on Flag 5

Flag button reads:

FLAG FIVE - EXPORTED BROADCAST RECIEVER

Should read

FLAG FIVE - EXPORTED BROADCAST RECEIVER

Flutter module missing x86_64 library

Even though Flutter supports x86_64 on Android since ~2019, the APK is missing the respective native library and as such, the Activity crashes with a dlopen error on such an architecture (e.g. while running on an emulator).

Flag - 8 Not solvable

aws s3 ls s3://injuredandroid --profile injuredandroid

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Issue in FLAG 9 submission

I was able to find the json path and it returns [nine!_flag] but that doesn't work in the app.

Is this the correct flag or am I on the wrong path?

Error while installing

Hi B3nac
I am getting the following error while installing the apk
adb install InjuredAndroid.apk
Performing Streamed Install
adb: failed to install InjuredAndroid.apk: Failure [INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION: Failed to parse /data/app/vmdl1870249613.tmp/base.apk: AndroidManifest.xml]

I am using AVD Android 8.1 x86

thanks
siLLyDaddy

Flag 7 being completed with 8

I was working through the ctf and got stuck on flag 7 so moved on to flag 8 and noticed that completing that flag also marks flag 7 as completed.

Failed to install; Error while parsing

I wanted to try out your app. Unfortunately, an error occurred while I tried to install the app via adb.
The Phone I use is a Samsung Galaxy S6.

MD5Hash of the apk: c0791ea520cdf0b1879deec50ed267fe InjuredAndroid.apk

Error Message:
Failed to install InjuredAndroid.apk: Failure [INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION: Failed to parse /data/app/vmdl959478977.tmp/base.apk: AndroidManifest.xml]

Flag 12 - java.lang.SecurityException: Permission Denial

When I launch b3nac.injuredandroid.ExportedProtectedIntent while holding another Intent inside in order for it to launch b3nac.injuredandroid.FlagTwelveProtectedActivity I keep getting:

java.lang.SecurityException: Permission Denial: starting Intent { cmp=b3nac.injuredandroid/.FlagTwelveProtectedActivity (has extras) } from ProcessRecord{391b647 22147:com.example.tcmintentlauncher/u0a228} (pid=22147, uid=10228) not exported from uid 10227

This is the code I used in my POC app's onCreate() method:

Intent intent = new Intent();
intent.setClassName("b3nac.injuredandroid", "b3nac.injuredandroid.FlagTwelveProtectedActivity");
intent.putExtra("totally_secure", "https://something.com");

Intent launchIntent = new Intent();
launchIntent.setClassName("b3nac.injuredandroid", "b3nac.injuredandroid.ExportedProtectedIntent");
launchIntent.putExtra("access_protected_component", intent);
startActivity(intent);

I also tried using the setComponent function instead of setClassName. Same result.
Using flag11:// produced the same result as well.

I tried this on a rooted physical device (Android 8.0) and on an emulator as root (Android 9.0).
Unless I add exported="true" to FlagTwelveProtectedActivity in AndroidManifest.xml and then repack the app, this activity will not launch...

Am I missing something?
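
Added example, not InjuredAndroid's code and not part of the issue above: the SecurityException quoted in the issue is the OS refusing a start request from another uid for a non-exported activity. An exported activity that forwards a caller-supplied Intent issues the start under the app's own uid, where that check no longer applies, so the forwarder has to validate the nested Intent itself. The class names HardenedForwardingActivity and com.example.app.PublicDetailsActivity are hypothetical; only the extra key comes from the issue.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Collections;
import java.util.Set;

/** Hypothetical exported forwarder with validation (illustration only). */
public class HardenedForwardingActivity extends Activity {

    // Extra key as it appears in the issue above.
    private static final String EXTRA_NESTED = "access_protected_component";

    // Constructed allowlist: the only screen this forwarder is meant to open.
    private static final Set<String> ALLOWED_TARGETS =
            Collections.singleton("com.example.app.PublicDetailsActivity");

    // URI grant flags a caller could set to borrow this app's provider access.
    private static final int GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra(EXTRA_NESTED);
        if (nested != null && prepareForForwarding(nested)) {
            startActivity(nested);
        }
        finish(); // never leave the forwarder on screen
    }

    /** Returns true only when the nested Intent resolves to an allowlisted target. */
    private boolean prepareForForwarding(Intent nested) {
        ComponentName target = nested.resolveActivity(getPackageManager());
        if (target == null) return false;                                   // nothing to launch
        if (!getPackageName().equals(target.getPackageName())) return false; // other app
        if (!ALLOWED_TARGETS.contains(target.getClassName())) return false;  // not allowlisted
        nested.setComponent(target);                        // pin what was checked
        nested.setFlags(nested.getFlags() & ~GRANT_FLAGS);  // drop caller-supplied grants
        return true;
    }
}
```

With a check like this in place, a nested Intent naming a non-exported activity is dropped instead of being started with the app's own identity.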

Level 8 - error with AWS

I'm trying to retrieve data from s3 but when I run:
aws s3 ls
I receive this:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Am I missing something or is this level broken?
