Manager From Hackthebox
2022-4-2 18:11:36 Author: infosecwriteups.com(查看原文) 阅读量:26 收藏

Part Of Intro to Android Exploitation

Hello Amazing Hackers, I am Hac and Today we will be doing Manger from Hackthebox it’s an easy android challenge in which you have to have to exploit the android app to get the flag . And it’s also a good time to learn more of android Hacking .

It was a easy challenge if u know basic web hacking but the hardest part is to setup a proper lab . So think this write-up as setting up proper environment, I know there is a lot of cool stuff like SSL pinning and more but this write-up is made for people who are new to android Exploitation.

To do this challenge we need to install GENYMOTION (it’s an android emulator ) and make sure you have virtual box installed .

Once you have successfully installed genymotion you need to create one account , So go ahead and do that . After that we will be installing Android 7.1 (it works for me ) .

Open Genymotion then click on + sign

After That Click on Android API > Then choose 7.1-API 25 > Then Choose Google Nexus 9 > Then choose Next . (Wait for Few minute or a sec and it will be done )

Now We need to setup the proxy so that we can intercept the request which our android device is sending . So open up your Burp Suite then go to Proxy > options .

After That Under Proxy listener Click on Add > add your port number (4444) > All interface > OK

Our Burp suite is Ready to rock and roll!!!!! . But wait a minute , We have to configure our proxy for android device (I forgot to take screenshot sorry ,but i have screen-recording ) .

Now We need to send our challenge file from our machine to the android app

IT’s Time to Rock and Roll . Let’s do a quick check that we are able to intercept request and …………..

I tried login with creds like admin:admin , admin:password but no Luck , But we can create user so let’s do that.

Now let’s login to our user account

We can try changing the username to admin ??

And ……….. boom it worked we are admin now (I was think about playing with different parameter but it was super easy lol )

I Hope you liked this and you learned something new . If you have any question the feel free to dm on twitter


文章来源: https://infosecwriteups.com/manager-from-hackthebox-b93aecbd46dd?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh