It was one of my favorite findings so far. After complete exploitation I was able to control the mobile app. So let's see the complete process.
It was on a pentest project. When I was listing all the acquisitions, domains and everything related to that organization, I found a mobile app. So, as I always do, I downloaded the APK of that app to do static analysis (actually just checking whether Firebase was set up properly or not), but interestingly I found a new domain that had not been found earlier. Hmm, interesting... It was a subdomain like example.examples.com. I went straight into it and saw a login page. What do you usually do when you see a login page? I just entered admin/admin as the username and password. No, no, those were not valid credentials. Then I looked for SQL injection on the username field, and it threw an error. Wow, a database error. Hmm... very interesting.
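The tell-tale sign here was a raw database error coming back from the login form. As an added illustration (not code from the post or from the application it describes), the snippet below puts a string-formatted login query next to a parameterized one over a constructed in-memory SQLite table, and reports what each returns for a normal username, a lone quote, and a classic tautology. The table name follows the post; the column names and the placeholder hash are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the panel's admin_login table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_login (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO admin_login VALUES ('alice', 'bcrypt-hash-placeholder')")
    return conn


def login_vulnerable(conn, username, password_hash):
    # The username is pasted into the SQL text, so a quote in it is parsed as SQL.
    # This is the pattern behind a "database error" surfacing on a login page.
    sql = ("SELECT username FROM admin_login WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    # Placeholders: the driver binds the values separately from the query text,
    # so the username is only ever compared, never executed.
    sql = "SELECT username FROM admin_login WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def classify(login, conn, username, password_hash="wrong"):
    """Run one login attempt and report what the client would observe."""
    try:
        return "granted" if login(conn, username, password_hash) else "denied"
    except sqlite3.Error:
        # A database error reaching the client is exactly the signal the post describes.
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "'", "' OR '1'='1' --"):
        print(repr(name),
              "vulnerable:", classify(login_vulnerable, db, name),
              "parameterized:", classify(login_parameterized, db, name))
```

The parameterized version answers "denied" to both probes and never throws; on top of that, the real fix also includes returning a generic error page rather than the driver's message, so nothing about the backend leaks even when a query does fail.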
There comes our second step: I tried to dump the database using sqlmap. As expected, I was able to gather the database names and table names. There I found two interesting tables, member_login and admin_login. Which would you look at first? I just tried to dump everything in admin_login. Haha, it took a long time to dump everything. The final result was three usernames, emails and hashed passwords. After investigating the password hash, I realized that it was a bcrypt hash.
Went straight into hashcat (it's a tool used to crack hashed passwords with the help of a wordlist). First I ran a test with the top 100 passwords: hmm, not found. Then I tested with rockyou.txt, and that's a lot of words, no? Waiting, waiting... After a while, yes, got it, we had the password. I just wondered, WTF, you know it's an admin password, and how careless they were about security, because the admin password was a very weak, commonly used password. It had been found 86000+ times when I looked it up on haveibeenpwned.
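bcrypt only buys time; once the plaintext sits in a public wordlist the cost factor is irrelevant. The defensive counterpart to the haveibeenpwned lookup in the post is to run that check when an admin password is set, using the k-anonymity range API (only the first five hex characters of the SHA-1 leave the server). The example below is added here and is not code from the post; the breach corpus is a constructed three-entry stand-in so the check runs offline, and `hibp_range_lookup` shows the live call shape for the real endpoint. The 14-character minimum is an assumed policy value.

```python
import hashlib
import urllib.request
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> number of times seen.
# The real service indexes hundreds of millions of leaked passwords.
_BREACHED = {"password": 3_000_000, "admin123": 50_000, "123456": 20_000_000}


def _build_ranges(corpus):
    """Group SHA-1 digests by their first five hex chars, in the same
    'SUFFIX:COUNT' line format the range endpoint returns."""
    ranges = defaultdict(list)
    for password, count in corpus.items():
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


_LOCAL_RANGES = _build_ranges(_BREACHED)


def local_range_lookup(prefix):
    """Offline stand-in for the range endpoint (default for this example)."""
    return _LOCAL_RANGES.get(prefix, "")


def hibp_range_lookup(prefix):
    """Live lookup against api.pwnedpasswords.com; only the 5-char prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=local_range_lookup):
    """How many times this exact password appears in the corpus (0 if never)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_admin_password(password, min_length=14, fetch_range=local_range_lookup):
    """Reject short passwords and anything already present in a breach corpus."""
    if len(password) < min_length:
        return False
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("admin123", "a passphrase nobody has leaked"):
        print(repr(candidate), "seen", breach_count(candidate), "times;",
              "acceptable" if acceptable_admin_password(candidate) else "rejected")
```

Pass `fetch_range=hibp_range_lookup` to run the same check against the live service; the rest of the logic is unchanged, which is the point of keeping the transport separate from the comparison.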
Now we have the email and password. What are you thinking? Go and log in. Yes, logged in successfully. I just added some new posts out there, wondering what would happen; to be frank, I still wasn't sure what I was doing. The next day I downloaded the mobile application and opened it, and BOOM, the HTML script I had injected the day before was there. What?! That's when I realized that domain was the admin panel for this mobile application.
So now I could achieve anything out there: send notifications, create/delete/edit posts, add contact info, give them some offers haha, even perform an application-level DoS attack by adding some HTML script to a post, which would end up crashing the app when it opened.
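The app crashed because post bodies were rendered as raw HTML straight from the admin panel. The server-side mitigation is to treat even admin-authored content as untrusted input: rebuild each post from parsed tokens, keep only a small allowlist of formatting tags with no attributes, drop `<script>`-style elements together with their content, and cap the size. The filter below is an added example, not code from the post or the application; the allowlist, the dropped-element set and the 20 KB cap are assumed policy values.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for post bodies served to the app: a few formatting tags,
# no attributes at all, and a hard size cap so one post cannot wedge the client.
ALLOWED_TAGS = {"p", "b", "i", "br"}
DROP_WITH_CONTENT = {"script", "style", "iframe"}
MAX_POST_BYTES = 20_000


class _AllowlistFilter(HTMLParser):
    """Rebuilds the post from parsed tokens, keeping only allowlisted tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied through

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Entities were decoded on the way in; text is re-escaped on the way out.
            self.out.append(escape(data, quote=False))


def sanitize_post(raw):
    """Return the post body the server is willing to store and hand to the app."""
    if len(raw.encode("utf-8")) > MAX_POST_BYTES:
        raise ValueError("post body exceeds MAX_POST_BYTES")
    parser = _AllowlistFilter()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    sample = '<p onclick="x">Hi <b>there</b></p><script>alert(1)</script>'  # constructed input
    print(sanitize_post(sample))
```

Run the filter at write time in the panel and again at read time in the API that feeds the app, so a post that bypasses one layer (or an old post stored before the filter existed) is still neutralised before a client renders it. Unknown tags disappear but their text survives, which is what authors expect when they paste formatted content.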
Okay, if you find this interesting, share it with those who would be interested in this stuff. ❤