Reverse Engineering is the process of disassembling an application to understand how it works internally. The methods and tricks employed depend on the target, so the reverse engineering approach may differ from one application to another.
One of the activities commonly performed in Reverse Engineering is Decompilation. Decompilation is the process of recovering the source code from a compiled application.
One of many tools that can be used for decompiling an application is JADX. JADX is an open-source decompiler for Android applications (APK and DEX files). By using JADX, we can analyze and comprehend the source code structure of an Android application.
Releases · skylot/jadx (github.com): https://github.com/skylot/jadx/releases
I won't go into further detail about JADX here; let's start the reverse engineering process. The application of choice is Androgoat.
The vulnerability we will tackle through reverse engineering is the "Unprotected Android Package". In short, if there are elements in the application that cannot be opened or clicked, this technique potentially allows us to reach them without clicking anything in the UI.
Tools needed:
- Jadx-gui
- ADB
Steps to reproduce:
Open Jadx-gui
Choose the application you want to decompile (Androgoat)
We have to analyze first: where is our issue, which feature is involved, and what pop-ups are present? On closer inspection, our issue is related to the Input Validations feature. More specifically, the function that cannot be clicked is called OS CMD Injection.
To save time, use the search button rather than going through the classes one by one.
You can type anything into the search field, but a more specific term gives better results.
There is a function with the same name as the issue we are looking for. Let’s analyze it!
Let's confirm that this function is the one we want to reach by looking at the AndroidManifest.xml file that JADX has decompiled.
After a closer look, this is indeed the function we're looking for. The next step is to proceed with the ADB tools.
- Make sure the device is listed by 'adb devices' (i.e. it is connected)
- Launch 'adb shell' and run the command as follows. In our case:
am start -n owasp.sat.agoat/.InputValidationsOSCMDInjectionMain2Activity
As a result, we have successfully accessed/penetrated the OS CMD Injection feature.
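The manifest check in the steps above is what decides whether 'am start -n' will work at all: from an adb shell, only components the application exports can be started, and Android treats a component as exported when it carries android:exported="true" or, on older target SDKs, when it declares an intent-filter without an explicit exported attribute. The script below is an added example (it is not part of the original post or of the AndroGoat or JADX projects) that parses a decompiled AndroidManifest.xml and lists every exported component, in the pkg/.Activity form used by 'am start -n', together with the reason it counts as exported and any android:permission guarding it. The embedded manifest is constructed for the example; only the package name owasp.sat.agoat and the InputValidationsOSCMDInjectionMain2Activity component come from the walkthrough, the other components are made-up for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest in the shape JADX produces. The package name and
# the OS CMD Injection activity come from the walkthrough; the other three
# components are made-up examples for contrast.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="owasp.sat.agoat">
    <application android:label="AndroGoat">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".InputValidationsOSCMDInjectionMain2Activity"
            android:exported="true"/>
        <activity android:name=".HiddenInternalActivity"
            android:exported="false"/>
        <activity android:name=".AdminActivity"
            android:exported="true"
            android:permission="owasp.sat.agoat.permission.ADMIN"/>
    </application>
</manifest>
"""


def qualify(pkg, name):
    """Expand a component name to the 'pkg/.Name' form used by 'am start -n'.
    Relative names ('.Foo' or 'Foo') are prefixed with the package;
    fully qualified names ('com.x.Foo') are kept as written."""
    if name.startswith("."):
        return f"{pkg}/{name}"
    if "." not in name:
        return f"{pkg}/.{name}"
    return f"{pkg}/{name}"


def is_exported(component):
    """Apply Android's rule: an explicit android:exported wins; otherwise a
    component is exported only if it declares at least one intent-filter
    (the pre-API-31 default, where the attribute was optional)."""
    exported = component.get(f"{{{ANDROID_NS}}}exported")
    if exported is not None:
        return exported.lower() == "true", "explicit android:exported"
    has_filter = component.find("intent-filter") is not None
    reason = ("implicit (intent-filter present)" if has_filter
              else "implicit (no intent-filter)")
    return has_filter, reason


def find_exported_components(manifest_xml):
    """Return a list of dicts describing every exported component, in
    document order, with the permission (if any) that protects it."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    app = root.find("application")
    findings = []
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(f"{{{ANDROID_NS}}}name")
            exported, reason = is_exported(comp)
            if not exported:
                continue  # not reachable from another app or adb shell
            findings.append({
                "type": tag,
                "component": qualify(pkg, name),
                "reason": reason,
                "permission": comp.get(f"{{{ANDROID_NS}}}permission"),
            })
    return findings


if __name__ == "__main__":
    # Point this at the AndroidManifest.xml JADX wrote out to review a real app.
    for f in find_exported_components(SAMPLE_MANIFEST):
        guard = f["permission"] or "none"
        print(f"{f['type']:<9} {f['component']}  [{f['reason']}; permission: {guard}]")
```

Run it against the manifest that JADX writes to its output folder and every line it prints is a component that is reachable without touching the UI; the fix on the developer side is android:exported="false" for anything that is not meant to be an entry point, or an android:permission on the ones that are. The MainActivity line shows why an absent attribute is not the same as "not exported", and the AdminActivity line shows that "exported" does not automatically mean "unprotected".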