I could get web traffic routed through Burp, but the application would fail to connect and I wouldn’t see any traffic. I could get a system up and running, and get the APK installed. I was never able to get Android Studio’s emulator to completely work. I tried a bunch of emulators / configurations that didn’t work. Getting this all set up was by far the hardest part of this box, and having read all the box reviews, what people really didn’t like about the box. The goal here is to set up an emulator and proxy the application traffic through Burp or watch it in Wireshark to see how it communicates with the RouterSpace host. In this case, it’s a heavily obfuscated mess, 740 lines that look like this (five lines shown):Ĭlick for full size image RouterSpace.apk - Dynamic Background / Failures This post talks about reverse engineering React Native applications, and leads to the assets/ where the JavaScript is. Some Googling around for this will turn up references to React Native, a framework for creating Android and iOS applications in JavaScript. The other, the constructor, just has an invoke-direct call to com/facebook/react/ReactActivity. getMainComponentName is simple enough, returning “RouterSpace”. locals 1 const - string v0, "RouterSpace" return - object v0. method protected getMainComponentName () Ljava / lang / String. line 5 invoke - direct, Lcom / facebook / react / ReactActivity ->() V return - void. source "MainActivity.java" # direct methods. super Lcom / facebook / react / ReactActivity. class public Lcom / routerspace / MainActivity. Typically I would be doing to something like JD-GUI for Java reverse engineering, but I’ll take a quick look at the file, and it’s quite short: So “” seems like a good place to start.smali files are kind of like assembly language, still in text, but much lower level than the Java it’s compiled from. To extract the source, I’ll run apktool d RouterSpace.apk: APKs are archive files, which means that they are really just a zip-like container with a bunch of other files in them. Typically they are written in Java, but also support Kotlin. Unpack APKĪn APK is an Android Package file, to be loaded onto Android mobile devices. The install instructions show a manual download and install, but I’m also able to apt install apktool. To look at the application, I’ll use apktool, from ibotpeaches. Shell as paul RouterSpace.apk - Static Install apktool Nothing interesting here, but good to know that -X flag works. □ Regex Filter │ Suspicious activity detected !!! I can filter out these responses using -X, which will remove anything that matches pattern in the response feroxbuster -u -X 'Suspicious activity detected !!!' The “RequestID” seems to change randomly, which I suspect is why feroxbuster is having a hard time filtering it out. On refresh of the same URL, it’s different: It seems that the length of the response is changing for each request. WLD GET 5l 12w 73c Got 200 for (url length: 96) WLD GET 1l 14w 71c Got 200 for (url length: 32) □ Press to use the Scan Management Menu™ □ Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt The site is for a company the sells some kind of mobile feroxbuster -u The HTTP response is returning an odd X-POWERED-BY header, which I’ll look at in a bit. Neither the SSH nor the HTTP server versions are recognized. Nmap done: 1 IP address (1 host up) scanned in 20.07 seconds =NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)= If you know the service/version, please submit the following fingerprints at : |_http-trane-info: Problem with XML parsing of /evox/aboutĢ services unrecognized despite returning data. |_ SSH-2.0-RouterSpace Packet Filtering V1
0 Comments
Leave a Reply. |