1
00:00:00,000 --> 00:00:00,870
Instructor: Hi.

2
00:00:00,870 --> 00:00:01,703
Within this lecture,

3
00:00:01,703 --> 00:00:05,340
we're going to see another flaw, another mistake

4
00:00:05,340 --> 00:00:09,420
in the implementation and it will let us do a login

5
00:00:09,420 --> 00:00:12,540
with an administrator account one more time.

6
00:00:12,540 --> 00:00:16,230
So in order to do that, I'm gonna uninstall this APK.

7
00:00:16,230 --> 00:00:17,370
Okay?

8
00:00:17,370 --> 00:00:20,400
And I'm going to delete this,

9
00:00:20,400 --> 00:00:24,240
and I'm going to open my Apktool,

10
00:00:24,240 --> 00:00:27,570
I mean, Apktool decompiled folder.

11
00:00:27,570 --> 00:00:30,300
If you come into the resources folder,

12
00:00:30,300 --> 00:00:32,310
you will find the values.

13
00:00:32,310 --> 00:00:35,550
So this is one of the things that I actually look at

14
00:00:35,550 --> 00:00:38,580
when I do some real penetration tests.

15
00:00:38,580 --> 00:00:42,180
And because you have these values,

16
00:00:42,180 --> 00:00:45,090
or strings.xml over here.

17
00:00:45,090 --> 00:00:45,923
Right?

18
00:00:45,923 --> 00:00:48,570
So in the strings.xml,

19
00:00:48,570 --> 00:00:51,720
a developer can actually define some strings

20
00:00:51,720 --> 00:00:55,200
to use in the application,

21
00:00:55,200 --> 00:00:57,630
but they sometimes store values

22
00:00:57,630 --> 00:01:02,222
like passwords or user names or any kind of hashes

23
00:01:02,222 --> 00:01:06,300
that may lead us to any funny thing,

24
00:01:06,300 --> 00:01:09,480
any funny implementation in the process.

25
00:01:09,480 --> 00:01:13,290
So make sure you check the strings.xml

26
00:01:13,290 --> 00:01:17,130
when you actually do a penetration test.

27
00:01:17,130 --> 00:01:20,460
So that's exactly what I'm going to do over here.
28
00:01:20,460 --> 00:01:24,030
So another thing, maybe you can look for,

29
00:01:24,030 --> 00:01:27,150
the network configuration and other stuff,

30
00:01:27,150 --> 00:01:28,620
like we have seen before,

31
00:01:28,620 --> 00:01:32,220
but make sure you check the strings.xml, definitely.

32
00:01:32,220 --> 00:01:34,800
So I'm gonna come over here,

33
00:01:34,800 --> 00:01:38,280
and if you scroll down a little bit, let me just zoom in.

34
00:01:38,280 --> 00:01:40,950
I cannot seem to find it very...

35
00:01:40,950 --> 00:01:42,150
In a proper way.

36
00:01:42,150 --> 00:01:44,670
Okay, so let me zoom in.

37
00:01:44,670 --> 00:01:45,750
So here you go.

38
00:01:45,750 --> 00:01:47,550
Now, it's much better.

39
00:01:47,550 --> 00:01:48,960
If you come over here,

40
00:01:48,960 --> 00:01:51,600
you can see the activity names.

41
00:01:51,600 --> 00:01:55,380
But there is a value called is_admin.

42
00:01:55,380 --> 00:01:56,790
And as you can see,

43
00:01:56,790 --> 00:02:01,020
this is hard-coded over here and it has the value of No.

44
00:02:01,020 --> 00:02:03,600
So this is very suspicious, right?

45
00:02:03,600 --> 00:02:06,030
So maybe, rather than No,

46
00:02:06,030 --> 00:02:07,410
we can just say, "Yes."

47
00:02:07,410 --> 00:02:09,390
And see what happens.

48
00:02:09,390 --> 00:02:14,390
So definitely, developers try to hard-code over here,

49
00:02:15,990 --> 00:02:19,680
like the privilege of the user.

50
00:02:19,680 --> 00:02:22,770
And if we change it, we can manipulate the app.

51
00:02:22,770 --> 00:02:23,850
Let's see.

52
00:02:23,850 --> 00:02:27,450
So I'm gonna exit out of this ADB shell,

53
00:02:27,450 --> 00:02:32,450
and I will just run the Apktool with B like building,

54
00:02:32,700 --> 00:02:35,790
and it will build a new APK for me.

55
00:02:35,790 --> 00:02:38,910
'Cause we have manipulated the file, right?
56
00:02:38,910 --> 00:02:43,350
So as you can see, Apktool can be very helpful in this case.

57
00:02:43,350 --> 00:02:48,350
So let's wait until our new APK is created.

58
00:02:48,870 --> 00:02:49,740
Okay?

59
00:02:49,740 --> 00:02:52,350
And then we're gonna install it and then we're gonna use it.

60
00:02:52,350 --> 00:02:55,770
So let me come over here to Distribution,

61
00:02:55,770 --> 00:02:57,990
and just use this one.

62
00:02:57,990 --> 00:03:00,650
So I'm gonna copy this to my desktop,

63
00:03:00,650 --> 00:03:04,530
and let me minimize this and open my Genymotion.

64
00:03:04,530 --> 00:03:05,970
And here you go.

65
00:03:05,970 --> 00:03:07,590
Oh yeah, it gives me an error,

66
00:03:07,590 --> 00:03:09,570
because we haven't signed it yet.

67
00:03:09,570 --> 00:03:11,310
So we are gonna have to sign it

68
00:03:11,310 --> 00:03:15,060
by using the same old commands that we use generally.

69
00:03:15,060 --> 00:03:19,110
So I'm gonna just hit Upper Arrow over here

70
00:03:19,110 --> 00:03:21,090
to find the Jarsigner.

71
00:03:21,090 --> 00:03:22,950
So I'm gonna sign this.

72
00:03:22,950 --> 00:03:25,590
I remember we have created this key store file,

73
00:03:25,590 --> 00:03:27,600
so I know the password and stuff.

74
00:03:27,600 --> 00:03:30,600
So now it's signed and here you go.

75
00:03:30,600 --> 00:03:34,260
Now, it's uploaded to my Genymotion.

76
00:03:34,260 --> 00:03:38,220
So as you can see we have a Create User button.

77
00:03:38,220 --> 00:03:40,380
We didn't have that, right?

78
00:03:40,380 --> 00:03:42,300
We haven't seen it before.

79
00:03:42,300 --> 00:03:45,300
Since now we are an administrator,

80
00:03:45,300 --> 00:03:48,120
we can create actual users.

81
00:03:48,120 --> 00:03:52,560
And in real life, it should give us much more privilege

82
00:03:52,560 --> 00:03:53,700
on this app.
83
00:03:53,700 --> 00:03:57,030
Even though we see the Create User button right now,

84
00:03:57,030 --> 00:03:59,820
I believe it doesn't do much.

85
00:03:59,820 --> 00:04:03,397
So when I just hit on it, it will say,

86
00:04:03,397 --> 00:04:05,910
"Yeah, this is still in progress."

87
00:04:05,910 --> 00:04:10,620
But if you can make something like this happen in real life,

88
00:04:10,620 --> 00:04:12,450
of course, you're gonna discover

89
00:04:12,450 --> 00:04:14,520
a lot more administrator privileges.

90
00:04:14,520 --> 00:04:15,900
Like you can create users,

91
00:04:15,900 --> 00:04:18,854
you can manipulate the process and stuff.

92
00:04:18,854 --> 00:04:21,930
So it's a very dangerous thing

93
00:04:21,930 --> 00:04:25,290
to have an administrator control,

94
00:04:25,290 --> 00:04:29,370
or administrator condition to be stored

95
00:04:29,370 --> 00:04:32,490
in the strings.xml file.

96
00:04:32,490 --> 00:04:33,900
So this is it.

97
00:04:33,900 --> 00:04:37,623
We're gonna stop here and continue within the next lecture.