The development team of Ebank is confident in their security measures, but rumors suggest that some users have been accessing hidden features they shouldn't have access to.
The Ebank app has a login page and hidden premium features.
Solving the challenge involved two main steps: recovering valid login credentials, then reaching PremiumActivity.
Decompiled the APK using jadx to examine the source code.
Found that LoginActivity uses VALID_USERNAME and VALID_PASSWORD constants.
These constants are retrieved from string resources:
VALID_USERNAME = R.string.debug
VALID_PASSWORD = R.string.access
Located strings.xml in the decompiled resources:
debug = "YWRtaW4=" (Base64 encoded)
access = "UEBzc3cwcmQxMjMh" (Base64 encoded)
Decoding:
The app uses simple Base64 decoding via the decodeBase64() method.
Decoded credentials:
admin
P@ssw0rd123!
After logging in, users are redirected to HomeActivity.
No visible UI element to access PremiumActivity.
Examined LoginActivity.java and found the redirectToNextActivity() method:
private final void redirectToNextActivity() {
    Intent intent;
    String redirectClass = getIntent().getStringExtra("redirect");
    if (redirectClass != null) {
        try {
            intent = new Intent(this, Class.forName(redirectClass));
        } catch (ClassNotFoundException e) {
            intent = new Intent(this, (Class<?>) HomeActivity.class);
        }
    } else {
        intent = new Intent(this, (Class<?>) HomeActivity.class);
    }
    startActivity(intent);
    finish();
}
Vulnerability:
The method reads the redirect Intent extra without validation.
It passes that value to Class.forName() to dynamically load any class name provided.
This lets a caller reach PremiumActivity.
Launch LoginActivity with a redirect extra pointing to PremiumActivity:
adb shell am start -n com.sehno.ebank/.LoginActivity --es "redirect" "com.sehno.ebank.PremiumActivity"
Log in with the credentials:
admin
P@ssw0rd123!
After login, the app redirects to PremiumActivity instead of HomeActivity.
The flag is displayed in PremiumActivity:
flag{Int3nt_Red!rectI0n_pWNed}
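One way to close the redirect issue in redirectToNextActivity(), as an added example that is not the app's own code: resolve the redirect extra through a fixed allowlist of short keys instead of handing it to Class.forName(). The RedirectPolicy class, the keys "home" and "statements", and StatementsActivity are assumptions made for illustration; the package and the other activity names come from the write-up.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Added example: allowlist lookup that replaces the Class.forName() call.
public final class RedirectPolicy {
    static final String DEFAULT_TARGET = "com.sehno.ebank.HomeActivity";

    // Destinations that are meant to be reachable right after login.
    // "statements" / StatementsActivity are hypothetical placeholders.
    private static final Map<String, String> ALLOWED;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("home", DEFAULT_TARGET);
        m.put("statements", "com.sehno.ebank.StatementsActivity");
        ALLOWED = Collections.unmodifiableMap(m);
    }

    /** Returns the class name to start for a caller-supplied "redirect" extra. */
    static String resolve(String redirectExtra) {
        if (redirectExtra == null) {
            return DEFAULT_TARGET;
        }
        // Exact-match lookup on a short key. The caller never supplies a class
        // name, so nothing outside the allowlist can be started.
        String target = ALLOWED.get(redirectExtra);
        return target != null ? target : DEFAULT_TARGET;
    }

    // In LoginActivity the resolved name would be used like this (assumed wiring):
    //   String extra = getIntent().getStringExtra("redirect");
    //   Intent intent = new Intent().setClassName(this, RedirectPolicy.resolve(extra));

    public static void main(String[] args) {
        // Constructed inputs, including the value from the adb command above.
        String[] samples = {
            null, "home", "statements", "HOME",
            "com.sehno.ebank.PremiumActivity", "com.sehno.ebank.HomeActivity"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

Any value that is not an exact allowlist key, including a fully qualified class name, falls back to HomeActivity.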