WEBVTT

00:01.360 --> 00:09.640
Now, you do remember the Android manifest XML file, it contains some, well, shall we call them weak

00:09.640 --> 00:10.270
points?

00:11.410 --> 00:17.260
There are exported activities that are shared and accessible with any other app on the device.

00:18.540 --> 00:23.730
We can bypass a login mechanism using this vulnerability, how convenient.

00:24.870 --> 00:25.670
So let's get started.

00:26.730 --> 00:31.020
So make sure that the Android emulator and application server are running.

00:32.670 --> 00:34.230
Open up a new terminal screen.

00:35.360 --> 00:37.790
Change directory to downloads folder.

00:39.800 --> 00:45.380
Run java -jar as your command to open the bytecode viewer.

00:47.140 --> 00:52.690
Add the APK file from the File tab on the top of the menu.

00:54.090 --> 00:56.460
Open it and you might have to wait for a bit.

01:01.770 --> 01:04.350
So let's have a look at the Android manifest file.

01:07.010 --> 01:10.820
So you might want to search for exported activities.

01:12.060 --> 01:15.450
And we can see the shared activities with the other apps on the device.

01:16.660 --> 01:24.340
So we can use the post login activity to bypass the login mechanism, it's indicated that the activity

01:24.340 --> 01:27.790
is displayed after it posts a login.

01:28.990 --> 01:32.890
So using ADB, I can call this exported activity.

01:34.910 --> 01:38.960
Open up a new tab on the terminal screen and switch the user to root.

01:40.410 --> 01:43.290
So let's check the connection of the Android virtual device.

01:44.290 --> 01:45.490
Yep, it's on the list.

01:46.530 --> 01:50.370
So we can run adb shell and start -n.

01:51.760 --> 01:55.690
And give the full path name of the post login activity.

01:59.670 --> 02:06.120
am calls the activity manager and performs various system actions, we'll use it to start an activity.

02:07.750 --> 02:09.010
OK, so enter.

02:12.610 --> 02:14.680
Now, let's check the application.

02:15.920 --> 02:18.280
So look at that, we logged in with our credentials.

02:19.750 --> 02:26.140
So this brings us to the post login activity that should only be available after logging in successfully.

02:27.530 --> 02:32.240
Demonstrating that the login can indeed be bypassed entirely.
