M 302: AndroBugs (10 pts)

What You Need for This Project

Purpose

To practice using AndroBugs, a really fast Android vulnerability scanner.

Installing Python 2

This tool requires Python 2, which is not included in modern versions of Linux, like Debian 12.

To install it, execute this command:

sudo nano /etc/apt/sources.list.d/bullseye.list
Enter your password.

Paste in this text:

deb http://deb.debian.org/debian bullseye main
deb http://deb.debian.org/debian bullseye-updates main
deb http://security.debian.org bullseye-security main
Save the file with Ctrl+X, Y, Enter.

Then execute these commands:

sudo apt update
sudo apt install python2

Installing AndroBugs

On Linux, in a Terminal, execute these commands, to install AndroBugs and scan the GenieMD APK file.
git clone https://github.com/AndroBugs/AndroBugs_Framework.git
cd AndroBugs_Framework
wget https://samsclass.info/128/proj/genie.apk
python2 androbugs.py -f genie.apk
The scanner starts, as shown below.

Within a minute, the scan finishes. It prints out a long report filename. Carefully copy the whole report name, which is highlighted in the image below.

Viewing the Report

On Linux, in a Terminal, execute this command, replacing filename with the correct filename on your system:
nano /root/AndroBugs_Framework/Reports/com.geniemd.geniemd.harvard_c4d93e3104dcc873a7875a3825db0326a6e65cf3de83d6c01cddf9d8749bb38ae133cf3296139203aa1452778dce24d08ba143e1be1031f58caee094febbca80.txt

[Critical] <Command> Runtime Command Checking

This is the first vulnerability found, and it's pretty scary.

These functions use Java to construct Android shell commands, which frequently leads to command injection flaws.

M 302: SSL Validation Flaws (10 pts)

Scroll down to find the SSL validation error we exploited in a previous project. This scanner provides a lot of information about flaw, as shown below.

Find the text covered by a green box in the image below. That's the flag.


Converted to a CTF 2-28-19
Updated for generic Linux 9-26-22
Python 2 installtion steps added 2-14-24