DIVA - Access Control Issues - Part 2


Now we move on to the next challenge, the second part of Access Control Issues. It offers two options: either register and receive a PIN that unlocks the Tveeter API credentials, or, if you already have the PIN, enter it to view the credentials. The objective is to access the API credentials without registering.
Before we proceed, let's have a quick look at the source code.
If you solved the previous challenge, you will remember that an intent filter should not be treated as a protection mechanism: an activity that declares one is exported and can be launched by anyone on the device.
So let's open an adb shell and launch the activity directly:

adb shell am start jakhar.aseem.diva/.APICreds2Activity
The activity opens, but it still asks for a PIN, so we need to find a way to bypass that check.
Let’s have a look at APICreds2Activity.class to understand the application in more detail
After analysing both source files, we can see that viewing the credentials requires a PIN, but whether the PIN is checked at all is decided by a boolean extra named check_pin that the activity reads from the incoming intent. If that extra is false, no further verification happens and the activity lands directly on the API credentials. Let's try supplying the extra ourselves (a boolean extra must be passed with the --ez flag, otherwise am does not parse it as an extra):

adb shell am start -n jakhar.aseem.diva/.APICreds2Activity --ez check_pin false
And it works like a charm: this time no PIN is requested and we land directly on the credentials view.
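To make the root cause concrete, here is an added example (not DIVA's own source; the class names, the check_pin extra and the PinStore helper are assumptions chosen to mirror the post): the vulnerable pattern, where an exported activity lets the caller decide whether a PIN is required, next to a hardened version that is not exported and verifies the PIN itself on every launch.

```java
// Added illustration, not DIVA's own source. Class names, the "check_pin"
// extra and PinStore are assumptions chosen to mirror the post.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

class CredsActivityBase extends Activity {
    void showPinPrompt() { /* inflate PIN entry layout */ }
    void showCredentials() { /* inflate credentials layout */ }
}

// Vulnerable pattern: the activity has an intent filter (exported by default
// before Android 12) and lets the caller decide whether a PIN is required,
// so `am start --ez check_pin false` or any third-party app skips the prompt.
class VulnerableCredsActivity extends CredsActivityBase {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent i = getIntent();
        boolean checkPin = i.getBooleanExtra("check_pin", true); // caller-controlled
        if (checkPin) showPinPrompt();
        else showCredentials(); // reached with no verification at all
    }
}

// Hardened pattern: the manifest declares
//   <activity android:name=".SafeCredsActivity" android:exported="false" />
// with no intent filter, and the PIN is verified inside the activity on every
// launch, so no extra can influence the decision.
class SafeCredsActivity extends CredsActivityBase {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        showPinPrompt(); // extras are ignored: a valid PIN is the only path
    }
    void onPinSubmitted(String pin) { // wired to the prompt's submit button
        if (PinStore.verify(pin)) showCredentials(); else finish();
    }
}

// Assumed helper: constant-time comparison of SHA-256(entered PIN) against a
// hash stored at registration (real code should use a salted, slow KDF).
class PinStore {
    static byte[] storedHash; // populated by the registration step (assumed)
    static boolean verify(String pin) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256")
                    .digest(pin.getBytes(StandardCharsets.UTF_8));
            return storedHash != null && MessageDigest.isEqual(h, storedHash);
        } catch (java.security.NoSuchAlgorithmException e) { return false; }
    }
}
```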

~ tavşanı sever
