M 302: AndroBugs (10 pts) M 302：AndroBugs（10分）

What You Need for This Project你需要什么这个项目

A Kali virtual machine一个Kali虚拟机
You should have that already set up from previous projects您应该已经从之前的项目中设置了该项目

Purpose目的

To practice using AndroBugs, a really fast Android vulnerability scanner.使用AndroBugs练习，这是一款非常快速的Android漏洞扫描程序。

Installing AndroBugs安装AndroBugs

On Kali, in a Terminal, execute these commands, to install AndroBugs and scan the GenieMD APK file.在Kali上，在终端中，执行这些命令，安装AndroBugs并扫描GenieMD APK文件。

git clone https://github.com/AndroBugs/AndroBugs_Framework.git git clone https://github.com/AndroBugs/AndroBugs_Framework.git
cd AndroBugs_Framework cd AndroBugs_Framework
wget https://samsclass.info/128/proj/genie.apk wget https://samsclass.info/128/proj/genie.apk
python androbugs.py -f genie.apk python androbugs.py -f genie.apk

The scanner starts, as shown below.扫描仪启动，如下所示。

Within a minute, the scan finishes.在一分钟内，扫描结束。 It prints out a long report filename.它打印出一个长报告文件名。 Carefully copy the whole report name, which is highlighted in the image below.仔细复制整个报告名称，如下图所示。

Viewing the Report查看报告

On Kali, in a Terminal, execute this command, replacing filename with the correct filename on your system:在Kali上，在终端中，执行此命令，用您系统上正确的文件名替换filename：

nano /root/AndroBugs_Framework/Reports/com.geniemd.geniemd.harvard_c4d93e3104dcc873a7875a3825db0326a6e65cf3de83d6c01cddf9d8749bb38ae133cf3296139203aa1452778dce24d08ba143e1be1031f58caee094febbca80.txt nano /root/AndroBugs_Framework/Reports/com.geniemd.geniemd.harvard_c4d93e3104dcc873a7875a3825db0326a6e65cf3de83d6c01cddf9d8749bb38ae133cf3296139203aa1452778dce24d08ba143e1be1031f58caee094febbca80.txt

[Critical] <Command> Runtime Command Checking [Critical] <命令>运行时命令检查

This is the first vulnerability found, and it's pretty scary.这是第一个发现的漏洞，而且非常可怕。

These functions use Java to construct Android shell commands, which frequently leads to command injection flaws.这些函数使用Java来构造Android shell命令，这经常导致命令注入缺陷。

SSL Validation Flaws SSL验证缺陷

Scroll down to find the SSL validation error we exploited in a previous project.向下滚动以查找我们在之前项目中使用的SSL验证错误。 This scanner provides a lot of information about flaw, as shown below.该扫描仪提供了大量有关缺陷的信息，如下所示。

M 302: Recording Your Success (10 pts) M 302：记录你的成功（10分）

Find the text covered by a green box in the image above.找到上图中绿框所覆盖的文字。 That's the flag.那是旗帜。

Converted to a CTF 2-28-19转换为CTF 2-28-19