hacking, mobile

It’s Finally Here!!! Intro To Android Security VM v2

In my previous post I described how I started working on v2 of Intro TO Android Security VM.

To view that post, click HERE.

Anyway, I can finally say… I AM DONE WITH THE VM!

What’s different between version 1.1.2 to version 2. Well… keep reading

In version 2 I added more dynamic analysis tools such as MARA, PIDCat, QARK. In the pentesting section, I added Metasploit. I also added MobSF (a one stop shop with dynamic scanning for android applications) in a docker container. In version 1.1.2 I tried to upgrade my python version to 3.7.5 and broke my Linux build (could not update the distro).

After speaking with Anant (owner/creator of @AndroidTamer) we decided to put MobSF into a docker container to keep it contained and not break our build.

I also created the virtual machine from a vagrant machine, as I realized with version 1, I severely underestimated the storage I needed to include all the programs I wanted. I also included insecure android apps to test in the Documents folder.

Interested in learning more – download/use the virtual machine at the following location:

SourceForge –> IntroAndroidSecurity download | SourceForge.net, click on External Link

Finally, make sure to read the README.md file as most issues can be solved in that file!

Hope everyone enjoy the virtual machine. If you have any questions or want to see an application added – let me know!

hacking, mobile

Get Excited! Version 2 of IntroToAndroidHacking Virtual Machine Is On The Way!

As the title suggests, I am working on the second version of the virtual machine I created in 2019.

I put myself out there and decided to create a training on Mobile Security and Bug Bounties – something I wanted to learn and am still interested in.

I noticed there was a virtual machine titled – Android Tamer, score! Well… not really. At the time, Android Tamer was SUPER out of date. Speaking with the creator, Anant Shrivastava about my dilemma needing a virtual machine for my training. Anant told me that it would be easier to create my own virtual machine as opposed to fixing the current version of Android Tamer.

Creating my own virtual machine? I’ve never done that before. Challenge accepted!

Anant, was SUPER helpful with all of my questions and guided me on creating the virtual machine. In about a month the first version was created. Yay!

After the training, I asked for feedback and decided I needed to revamp the virtual machine to make it more accessible/user friendly.

I added and updated out of date software in the virtual machine.

Then I noticed – I was running out of memory when trying to do my upgrades.

I realized at that moment, I totally underestimated the size of the virtual machine.

So, at this time I am revamping the virtual machine and starting with a barebone version of Ubuntu 18.04 (this is the OS the first version was built on) from Vagrant. Again, Anant gave me this advice when creating the first version. I didn’t go down that path as I never heard of Vagrant.

Speaking of Vagrant – shameless plug – I created a course through Cybrary on Intro to Vagrant. The course can be found here.

I started on the quest to version 2 yesterday (Sunday February 7, 2021), and I must say it was trying, yet fun.

Once I created the vagrantfile and started the vagrant box I realized I was dealing with the command prompt. I knew this wasn’t going to work and I needed to add a user interface. Looking on the internet, I found the lightdm and tried installing it. Once I rebooted my virtual machine, I encountered the error “could not log into session.” The login did not work.

Putting my research hat, I found the following link on how to remediate the no session login. Hmm, the ligthdm is using an older version of the unity framework that needs to be removed.

Rebooting the machine – it was a…

Somewhat success.

I had a user interface, but I didn’t like it. See tweets below

I wanted the user interface to have the same feel as the 18.04 Bionic Beaver operating system.

Doing even more research I found that 18.04 Bionic Beaver is using the MATE desktop.

Back to Google I go. I found a great site on how to install MATE onto a Linux operating system.

Somewhat score? The user interface is getting close, but not there.

Going back to the site above, I noticed that I installed the wrong version of the MATE desktop. I installed just the MATE desktop without the bells and whistles.

Looking at the bottom for the Ubuntu section it states – “

Alternatively you may choose to install Ubuntu MATE Remix.

Ubuntu MATE is a more comprehensive option that offers a slightly tweaked
layout, configuration, and themes to integrate into Ubuntu in a more seamless
fashion. This will install the complete MATE Desktop Environment as well as
LightDM and numerous other applications to provide a full and well rounded
desktop.

Once I installed the Remixed version – I finally found success!

Now that I have the interface I wanted – it’s time to add the tools and insecure apps.

Yes, that’s what set my virtual machine apart – I have insecure android apps installed in the virtual machine for students to learn mobile and android hacking as well as the common programs needed to perform mobile and android hacking.

Now, the fun part… Adding the software. I’ve added Metasploit, Burp and Zap proxies, etc.

I can’t wait to show the final product!

I hope everyone likes it…

hacking, owasp, web application security

The BodgeIT Store Series #7, Change your Passwords via a GET Request – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #7 in the BodgeIt Store series.

To view the blog post #6 click HERE.

Today’s topic is we’re going to change our password via a GET request.

Let’s get started.

We were able to log into the application without supplying a password – click HERE to read it.

Logging into the application as user1@thebodgeitstore.com’ OR ‘1’=’1

We get the following:

burp_login_user1_successful

Clicking on the user1@thebodgeitstore.com link we see:

bodgeit_GET_1

Let’s view the page source of the webpage:

bodgeit_GET_2

We see that the update password is looking for a POST, but we need to send it as a GET. How are we going to solve this?

Let’s do a right click on one of the text boxes and select “inspect element”.

From there we see:

bodgeit_GET_3

Double clicking on the form method we’re going to change the method from POST to GET.

bodgeit_GET_4

Going back to the password page, we can select the password to anything. I am going to use “hello”, and press “Submit”

bodgeit_GET_5

bodgeit_GET_6

We we’re able to change our password, through a GET request.

Let’s see if our solution was accepted.

bodgeit_GET_7

Our solution was accepted (as the challenge is now green)!

hacking, owasp, web application security

The BodgeIT Store Series #6, Access Someone Else’s Basket – #bodgeit #infosec #pentest #appsec #webapp

Happy Hacking!

Today’s post is #6 in the BodgeIt Store series.

To view post #5 in the BodgeIt Store series click HERE.

The topic for today is to access someone else’s basket.

First, let’s go to the admin page, and notice the different basket ids:

bodgeit_new_admin

We see that for each user – there’s a corresponding basket id.

Let’s go to the Your Basket page. Going there we see the following:
bodgeit_new_your_basket

Let’s open Burp and see if our traffic will reveal anything to us.

After opening Burp, and clicking on the “Update Basket” button we see:

bodgeit_basketid_initial

Hmm.. we see there’s a cookie value of b_id. Could this possibly be basket id?

Let’s try changing the value from 8 to 0 (which is the admin basket).

bodgeit_basketid_admin_not_working

bodgeit_basketid_admin_not_working_basket

OK… we see that the basket has been updated and we received a system error. This let’s me know that admin basket didn’t work too good.

Let’s go back and try another basket id of 1 which is the user1 account.

bodgeit_basketid_initial

bodgeit_basketid_changed_value

bodgeit_basketid_final

OK, changing the basket from 8 to 1 (user1 account) we see that our basket has been updated to show the user1 basket.

Let’s go back to the scoring page and see if we have successfully solved the challenge.

bodgeit_scoring_8

We solved the challenge successfully!