DIVA application walkthrough

Challenge 1:- Insecure Logging

Step 1: Get pid of the application/process.

Command “nox_adb shell” or “adb shell” depending upon the adb you are using in your laptop.

Step 2: Once you get the PID of the application for which you want to capture the logs, run logcat command.

Command “nox_adb logcat — pid=<process id>” or “adb logcat — pid= <process id>”

Once you enter logcat command, logs of the associated process will start appearing on the command prompt.

Step 3: Enter any number and hit check out to see the same number being logged on the command prompt.

Challenge 2:- HARDCODING ISSUE PART 1

Step 1: Run JADX tool or JD-Gui tool.

Step 2: Open the DIVA apk file using the file>open option in the JADX or JD-Gui Tool.

Step 3: Search the complete code of the apk using different keywords like “secret”, “key”, “pass”, “password” etc,

Using the above search you will observe that the hardcoded activity class has the vendor key, which you can use to complete this challenge.

Challenge 3:-INSECURE DATA STORAGE -PART 1

Step 1: Go to Insecure data storage -part 1, enter username, password and save.

Step 2: Run adb shell to take shell of the android device to check where these credentials are being saved.

Step 3: go the the directory /data/dat using the command “cd /data/data” as all the directories created by the installed applications are saved in /data/data.

Step 4: Go to the directory of the app that you are testing, in this case it is “jakhar.aseem.diva”, which is actually the package name of the application which you can get from the AndroidManifest.xml file of the decompiled application.

Step 5: This directory will have all the files of the application, now we have to check all the files and directories and the files within those directories to get the saved credential. In the Insecure data Storage Part-1 challenge the credentials are saved in the “shared_prefs” folder in an xml file which can be seen below.

Step 6: Read the “jakhar.aseem.diva_preferences.xml” file using the cat command as shown below.

Challenge 4:-INSECURE DATA STORAGE -PART 2

Step 1: Go to Insecure data storage -part 2, enter username, password and save.

Step 2: Run JADX tool or JD-Gui tool.

Step 3: Open the DIVA apk file using the file>open option in the JADX or JD-Gui Tool.

Step 4: Now we need to check what’s happening in the backend code, how the credentials are being saved. For this we need to go to the same class of the challenge i.e., InsecureDataStorage2Activity and read to the code to understand the logic.

Step 5: From the above code we can deduce that credentials are being saved in the database ids2.

Step 6: Take shell of the android device, and browse to the /data/data/<your app directory> and there you will observe the database directory. This Database directory will have several databases including the ids2.

Step 7: Now we have to extract the data from the ids2 database, for which we will use sqlite3 tool, command can be seen from the below screenshot.

Step 8: List the tables using the .table command and the use the SQL query to extract the data from the ids2 database.

Challenge 5:-INSECURE DATA STORAGE -PART 3

Step 1: Go to Insecure data storage -part 3, enter username, password and save.

Step 2: Run JADX tool or JD-Gui tool.

Step 3: Open the DIVA apk file using the file>open option in the JADX or JD-Gui Tool.

Step 4: Now we need to check what’s happening in the backend code, how the credentials are being saved. For this we need to go to the same class of the challenge i.e., InsecureDataStorage3Activity and read to the code to understand the logic.

Step 5: Now from the above code we can understand there is a new file being created by the name uinfoXXXXXtmp.

Step 6: Take shell of the android device, and browse to the /data/data/<your app directory> and there you will observe, there is a file created with uinfoXXXXtmp.

Step 7: Read the file using the cat command as shown below.

Challenge 6:-INSECURE DATA STORAGE -PART 4

Step 1: Go to Insecure data storage -part 4, enter username, password and save.

Step 2: Run JADX tool or JD-Gui tool.

Step 3: Open the DIVA apk file using the file>open option in the JADX or JD-Gui Tool.

Step 4: Now we need to check what’s happening in the backend code, how the credentials are being saved. For this we need to go to the same class of the challenge i.e., InsecureDataStorage4Activity and read to the code to understand the logic.

Step 5: Now from the above code we can understand that there is a file being created by the name .uinfo.txt” in the sdcard directory as the directory select is using the getabsolutepath command for saving the file.

Step 6: Take shell of the android device, and browse to the /sdcard directory.

Step 7: List the files using ls command.

*Now the trick lies here, as we don’t see any “.uinfo.txt” file saved in the sdcard directory, we need to check for the hidden files here using the “ls -lah” command.

Challenge 7:- INPUT VALIDATION ISSUE PART -1

Step 1: As from the hint above let’s enter admin in the search bar and hit search to see what’s the output.

Now our challenge is to get the data of all the users with malicious payload.

Step 2: Check for input validation vulnerability.

As from the above screen shot we can observe that the application is allowing the special character and checking for the user from the database.

If the user is not present we get an error, if the user is present we get the credentials.

However, from the above observation we can deduce that the app is not at all filtering any special character.

Step 3: Since we know that for extracting data from database we use SQL injection vulnerability by sending SQL query, let’s try SQL injection here.

Challenge 8:- INPUT VALIDATION ISSUE PART -2

Step 1: Since the functionality suggests that we need to enter a url and it will get loaded, let’s try that.

Step 2: Now, the challenge is to access sensitive information apart from url.

Step 3: For testing purpose we created a text file by name “DIVA-sens-info.txt” which contains sensitive secret key “SECRETKEY_1234” .

Step 4: Now the challenge tells us to read the sensitive information from the device, for that we will use file:///<path to your file in android device>” command.

From the above screenshot we can observe that the app can read device files.

Similarly you can read any files including the credentials saved in the preferences xml file.

Challenge 9:- ACCESS CONTROL ISSUE- PART 1

Step 1: Check what is happening by clicking on the “View API CREDENTIALS” Button.

Now, The challenge is to get this key but not by using this button, instead by exploiting the components such as activities, services, content providers etc.

Step 2: We need to get what activity is being called when we hit the button, for that we will do logcat using adb logcat” command and see the activity that is being called upon clicking the above button.

As we got the activity name. Now let’s try to access it from adb activity manager directly, for that we will use “adb shell am start -n jakhar.aseem.diva/.APICredsActivity”, but first close the Diva application from your anroid device to check activity will actually be able to be run directly using the above adb command.

Challenge 10:- ACCESS CONTROL ISSUE- PART 2

Now, once you click on the “View Tveeter API Credentials” button, you will be prompted to the next page where it will ask for the PIN.

The challenge is to get the API credentials without knowing the pin.

Step 1 : First Let’s check the activity being called using the logcat command when you click on those buttons.

Activity name is “jakhar.aseem.diva/.APICreds2Activity”

But even if we try to invoke the activity using the old am(activity manager) command from adb it doesn’t work, check the screenshot below.

So what happened here is that there is another security measure implemented which is not allowing us to get the api credentials.

Step 2: Let’s check what’s the security measure that’s implemented from the source code using the jadx tool.

From the below screenshot we can observe what’s happening in the backend is that the code is taking another parameter chk_pin and checking if bcheck value is false then give the password else give a message that “Register youself at http://payatu.com…..”

Now what we need to do is just send and extra parameter “chk_pin” with value false while invoking the activity “jakhar.aseem.diva/.APICreds2Activity”.

Well that didn’t work too but why is that?

Here’s the catch that we need to understand, the chk_pin is the variable name that is being used in the classes of the source code but it is not actual parameter.

Step 3: Get the actual parameter associated with this variable chk_pin.

In order to get the value of this chk_pin we have to inspect the strings.XML file which is located in application decompiled folder /res/values/string.xml

Now we know the value is “check_pin” not the “chk_pin”.

Step 4: Start the activity using the activity manager of adb and send an extra parameter check_pin with value as false and check the diva app.

adb shell am start -n jakhar.aseem.diva/.APICreds2Activity -a jakhar.aseem.diva.action.VIEW_CREDS2 — ez check_pin false

Challenge 11:- ACCESS CONTROL ISSUE- PART 3

Objective of this challenge is to get the notes from outside the app without knowing the pin.

Step 1: Create a pin.

Step 2: Click on go to private notes to check what activity is invoked when we give the pin for getting the notes.

Well no luck with the logcat to get the activity name. we might want to try something new now.

Step 3: Go back to basics again look at the source code using the jadx tool.

Cool, So we read the code again, if userpin is equal to the pin then go inside the block and get the notes, and for getting the notes there is something being queries that is “CONTENT_URI” within the “NotesProvider” class, which is some content uri that we need.

Step 4: Now, lets double click on the “CONTENT_URI” to get the URI .

Now we know know the content URI We want to query to get the Notes.

Step 5: Let’s just hit the URI and get the notes.

But how ??

We can use the below adb command.

adb shell content query — uri content://<URI>

Voila, We got the notes without the pin.

Challenge 12:- HARDCODING ISSUE PART 2

Step 1: Well, since it the hard coding challenge that means we need to go back to the apk source code and dig deep into it, and for reading the code we will be using the same old JADX tool.

After analyzing the code above, we can understand that the activity is creating another class with the name of “DivaJni”, let’s have a look at that, by double clicking on the name DivaJni.

After analyzing the code above we could understand that there is a native library with the same name divajni, if you unzip the APK you will see the lib folder, which contains all the libraries inside it, let’s have a look

Let’s open any of the library and analyze it.

Well, I tried reading the .so file using less and more command in windows, didn’t work.

Tried to open the .so files in notepad and sublime, well no luck there too, then I understood that I might need another tool which can read the .so files.

But, since I am lazy I didn’t install any tools in my windows machine, instead I started my kali vm to read the file using the strings tool of unix.

Try the codes, 1 by 1 and the highlighted one worked for me.

Challenge 13:- INPUT VALIDATION ISSUE PART -3

Objective of this challenge is to crash the app using the Input validation issue.

Well this was simple, just send a long string and the app gets crashed.

Anyway, you might wanna know why did this happened?

Well, This happened due to non restricted input length of the launch code, leading to a memory corruption vulnerability.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store