mzfr
diff --git a/‎Android/Activities.md
+82 b/‎Android/Activities.md
+82
diff --git a/‎Android/Android.md
+64 b/‎Android/Android.md
+64
diff --git a/‎Android/Broadcast_Receivers.md
+10 b/‎Android/Broadcast_Receivers.md
+10
diff --git a/‎Android/Commands.md
+20 b/‎Android/Commands.md
+20
diff --git a/‎Android/Content_Providers.md
+18 b/‎Android/Content_Providers.md
+18
diff --git a/‎Android/Intents.md
+24 b/‎Android/Intents.md
+24
diff --git a/‎Android/Permissions.md
+32 b/‎Android/Permissions.md
+32
diff --git a/‎Android/Services.md
+10 b/‎Android/Services.md
+10
diff --git a/‎Home.md
+35 b/‎Home.md
+35
diff --git a/‎Learning-Vim.md
+42 b/‎Learning-Vim.md
+42
diff --git a/‎Self-Hosting.md
+6 b/‎Self-Hosting.md
+6
@@ -0,0 +1,82 @@
+Activities are basically the GUI screen that we seen in an android app.
+
+- `run [app.activity.info](http://app.activity.info)-a <package-name>`
+    - Don't use the `-u` flag. It's for activity which are not exported.
+    - Non-exported activities might also give you something juicy but usually, it requires root permissions.
+- start activity is always exported because an application has to be started when someone clicks on the ICON.
+    - It have intent filter for the launcher.
+- If you want to invoke an activity:
+    - `run app.activity.start --component <package-name> <activity-name>`
+
+In addition to provoking any exported activity with drozer, also read the source code and see what is being done with `onCreate()`  method. Because every time activity is called there is an onCreate() method called. So maybe see what they do it with the data(if they accept any) or are there any `if/else` condition that is placed.
+
+Also check if the activity sends any result back. This is done by `setResult()` . So see if there any call to that function and try to find out what's being sent back to the caller.
+
+These are better know as `fragments` . They are just small UI task that kind of help the activities. 
+
+**NOTE**: It's possible to try to provoke the `unexported` activities, because they might give you something. Like say if there is a `SETTING ACTIVITY` which shows you the setting of the application etc. Now that is only to be displayed once the user is logged in but it might be possible to provoke them with having a user to do login.
+
+
+## Tricks
+
+If any activity allows loading any URL in `webView` then try to read the JS file.
+
+On  server host the following code:
+
+```jsx
+<html>
+    <head>
+        <title>Test</title>
+    </head>
+    <body>
+        <img src='http://<server-url>/img.png' onerror=alert(1)>
+    </body>
+</html>
+```
+
+And then try to run the activity if alert(1) is loaded it's possible that you might see something good as well.
+
+To test if it's possible to read the internal files try the following:
+
+1) Make a file name `xss.html`  with the following code:
+
+```jsx
+<html>
+    <head>
+        <title>Test</title>
+    </head>
+    <body>
+        <h1>Test</h1>
+        <script src="http://<url>/xss.js"></script>
+    </body>
+</html>
+```
+
+2) In `xss.js` try with the following code:
+
+```jsx
+Object.getOwnPropertyNames(window).forEach(function(v, x) { document.writeln(v); });
+```
+
+It should give you loads of functions, scroll to the bottom and see if you have anything like `apkInterface` if yes then you can try the following command:
+
+```jsx
+Object.getOwnPropertyNames(window.apkInterface).forEach(function(v, x) { document.writeln(v); });
+```
+
+And if this gives some output then try running:
+
+```jsx
+document.write(apkInterface.getApkPushParams());
+```
+
+This might give you payload that contains access token or any kind of cookies.
+
+Another way of checking is that see if 
+
+- `settings.setJavaScriptEnabled(true);`
+- DOM setting is enabled or not, it would look similar to line as javascriptEnabled.
+- Also check for `webSettings().setAllowFileAccess(true);`  if it's false then you won't be able to read the files.
+
+
+* Always look for permissions
@@ -0,0 +1,64 @@
+I will try to make them in such a way that I can also share it with others as well. Hope this will be helpful for me as well as other people.
+
+### General
+
+These are my android notes that I am going to keep while I progress and see what all I can do.
+
+- All the applications are stored on `/data/app` directory.
+- All the system applications are stored on `/system/app/`
+    - We don't have to touch this unless we are going behind the android OS
+- Some application gets installed in `/data/app-private`
+    - This is done my PM(package manager) using `FORWARD_LOCK` enabled
+    - No external app or anyone else can access that.
+    - Obviously if you have rooted device you can access those.
+
+**zygotes**: This is the process that listen for new application requests in Android OS
+
+
+* To get all the URLs from the apk
+    -  `strings <apk> | grep -ProI "[\"'\`](https?://|/)[\w\.-/]+[\"'\`]"`
+
+**Some general things**
+
+- In *AndroidManifest.xml* we can see `<application>` tag they define layout and stuff but it have some spicy stuff as well
+    - `<android:allowBackup>` : Define whether the backup of application data is allowed or not.
+        - `run app.package.backup -f <package-name>`
+        - So it's possible for the developer to define `Backupagent`  which can be used to do various task related to backup.
+        - we can make the backup using `adb backup <package-name>` , an activity will be launched. Leave the Key field black and back it up
+        - `dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar`
+            - here `backup.ab` is placed in the $(pwd)
+        - extract the tar and see if the databases etc is also being shared.
+
+    - Check if the app is debuggable:
+        - `run app.pacage.debuggable`
+        - If this is the case a shit load of information would be leaking.
+        - Use `adb jdwp` to see what all application are running in debuggable mode.
+        
+
+## API keys
+
+In 'strings.xml` you will find lot of APIs. It's possible to use some in wrong manners.
+
+* Google Maps API key:
+    - https://maps.googleapis.com/maps/api/staticmap?center=40.714728,-73.998672&zoom=12&size=2500x2000&maptype=roadmap&key=
+    - Post the key and see it works.
+    - Impact is not big but still an issue since an attacker can cause an increase in the cost.
+
+## APK Signing
+
+* **Generates X.509**
+
+```jsx
+keytool -genkey -v -keystore mykey.keystore -alias alias_name -keyalg RSA
+-keysize 2048 -validity 10000
+```
+
+* **For Signing**
+
+```jsx
+jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore
+mykey.keystore application.apk alias_name
+```
+
+There are lot of bugs that have been discovered related to signing process. But those bugs are in the way android OS verifies the application and not in the application it self.%
+
@@ -0,0 +1,10 @@
+They are responsible for providing you all the notifications that you get. Also sometimes they pass around bits and pieces of information to other/multiple applications.
+
+- `run [app.broadcast.info](http://app.broadcast.info) -a <package-name>`
+- Broadcasts are sent via `sendBroadcast()` and what will be done on that broadcast will be determined by `onReceive()` method.
+- There are broadcasts receivers that gets registered at runtime so drozer will not report them and you'll have to find them manually.
+    - `registerReceiver()` - This is the method name.
+- It's possible that a activity have a intent filter. Now if we pass the intent via a broadcast it's possible that activity might get provoked.
+    - Only happens when it's set to `exported=True` or you have root permission(N/A)
+- We can also try to sniff the broadcasts.
+    - `run app.broadcast.sniff -a <action/intent>`
@@ -0,0 +1,20 @@
+So these are just collections of command that might be helpful.
+
+### adb
+
+- To find the package
+    - `adb shell pm list packages | grep <package-name>`
+    - If you have frida server running you can run `frida-ps -U | grep <name>`
+
+### drozer
+
+These commands are to be run on drozer console which open by running: `drozer console connect`
+
+- Package info: `run [app.package.info](http://app.package.info) -a <package-name>`
+- To open **AndroidManifest.xml:** `run app.package.manifest <package-name>`
+    - It's better to open this file in your editor to be able to read through it properly 😃
+- To see how many activity, broadcast, service or content provider are exported run:
+    - `run app.package.attacksurface <package-name>`
+- See clipboard content
+    - `module install clipboard`
+    - `run post.capture.clipboard`
@@ -0,0 +1,18 @@
+These are the third party application which can access the data from the application or provide it with some sensitive data. Ex: Like an app providing login via Facebook would have an activity that provokes the facebook login and stuff. After that facebook SDK would handle everything and once validated it will give the main application all the data required.
+
+The main issue with content provider activity is that they do not mention `android:exported=false` explicitly. If on any Content providers exported is set to true or is not mentioned at all then it could be vulnerable. It's sometime possible that they are exported but if that is the case then check that they are given certain permission. If they are exported and have `null` permission then that could be a big issue.
+
+- `run app.provider.finduri <paackage-name>`
+    - This will give you all the URLs that are accessible.
+    - Then you can run: `run app.provider.query <URL>` to see what data it returns.
+    - If this could be done then using `app.provider.insert` we can insert new data information.
+- With drozer you can also try to detect for SQL injection
+    - `run scanner.provider.injection -a <URI>/<pacckage-name>`
+- Also you can test whether the content provider allows the retrieval of files.
+    - `run [app.provider.read](http://app.provider.read) <content-provider-URL> /system/etc/hosts`
+    - file `/system/etc/hosts` is always present and word readable.
+        - It's like checking LFI by including `/etc/passwd`
+            - The vulnerability here is that if you can include a system file then you can read file from databases etc.
+- It's possible that pattern problems exists. If a content provider uses `path` in `path-permission` that means only that path is protected. So say `path=/Keys` was used that mean only that path is protected and it's possible that we can access the `/Keys/` path.
+    - Try to see whether the developer have used full path or not.
+    - Think like in linux systems when people use just the binary name and doesn't give full path we exploit that by making binary of that name and adding in `/tmp/` and then adding that path to the $PATH
@@ -0,0 +1,24 @@
+Basically a data object that tells what task is to be performed.
+
+```jsx
+<activity android:name="ActivityName">
+    <intent-filter>
+	<action android:name="android.intent.action.View">
+	<android:scheme="http">
+    </intent-filter>
+</activity>
+```
+
+This is a simple activity telling about the `action` and the type of URL it accepts. The scheme of that URL can be `http`.
+
+*There are Explicit intent as well - They are sort of one that opens the URL in the android browser. Think of like when you click on some article link in twitter app and it opens, In-app Browser.*
+
+```jsx
+**run app.activity.start —action <activity-name> —data-uri <URL> —component <component> <package-name>**
+```
+
+This is the command that can be used to interact with acitivites using drozer.
+
+**NOTE**: Always make sure to check out the code of that Activity to see what it is doing with the URL and see if it can be exploited.
+
+- Review the source code that handles the exported intents
@@ -0,0 +1,32 @@
+So every app asks for permission and each permission is defined in the *AndroidManifest.xml*
+
+Ex: If an app is asking for `Read SMS` then it would be defined something like: `android.permission.READ_SMS`
+
+We can use **drozer** command to see such kind of permissions:
+
+```jsx
+run app.package.info -a <package-name>
+```
+
+Also we can search application which is requesting particular permission:
+
+```jsx
+run app.package.list -p android.permission.READ_SMS
+```
+
+Example:
+
+```jsx
+<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
+    <uses-permission android:name="android.permission.INTERNET"/>
+    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
+    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="18"/>
+    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="18"/>
+    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
+    <uses-permission android:name="android.permission.WAKE_LOCK"/>
+```
+
+This is from on android application.
+
+- If `android:exported` is not defined then the version of SDK or the version of Android will determine whether it's `true` or `false`
+- Any component using `intent-filter` is exported by default.
@@ -0,0 +1,10 @@
+Runs code inside the application.
+
+- These are implemented on `onStartCommand()` , this method accepts the intent
+    - This could be vulnerable but again it depends on the code like what it is doing actually inside the code. How the intents are handled.
+    - `run app.service.start` to start the service and see what's up.
+- There is something called `Bound Service` - this help application connect with each other
+    - There are ways to implement this but mostly it done by what's know as `Messenger Implementation`
+        - Check out `handleMessage()` functions:
+            - That will tell you what kinds of message are expected and how the application executes other functions.
+- `run [app.service.info](http://app.service.info) -a <package-name>`
@@ -0,0 +1,35 @@
+These are just some of my old notes I made about random stuff that I learned. These are from 2018-2019, at that time I use to just write stuff down in markdown and push it to the repo. Now I've shifted to using [obsidian](https://obsidian.md/) and sync those note to a private repository(I push lot of secret stuff by mistake so had to make it private 😅).
+
+## Index
+
+* Capture the flag(CTF)
+	+ [Commonly Used Tools](tools)
+	+ [Web](web)
+	+ [Cryptography](Cryptography)
+	+ [Forensics](forensics)
+* Making a boot2root VM
+	+ [Important rules](rules)
+	+ [General things](Make-boot2root-VM)
+	+ [Setting Systemd services](services)
+	+ [Setting fail2ban](fail2ban)
+* BugBounty notes for **Android**
+	+ [General](Android)
+	+ [Adb/drozer commands](Commands)
+	+ [Intents](Intents)
+	+ [Permissions](Permissions)
+	+ [Activities](Activities)
+	+ [Broadcast Receivers](Broadcast_Receivers)
+	+ [Content Providers](Content_Providers)
+	+ [Services](Services)
+* BugBounty notes for **WEB**
+	+ [Authentication](Authentication)
+	+ [CORS](CORS)
+	+ [General Web](General)
+	+ [HTTP Parameter poisoning](HTTP-Parameter-poisoning)
+	+ [IDOR](IDOR)
+	+ [graphql](graphql)
+* [Starting with (n)vim](Learning-Vim)
+* [Bluetooth](bluetooth)(nothing big)
+* [Hacking boot2root/ OSCP notes](boot2root)
+
+
@@ -0,0 +1,42 @@
+I have just started using Vim for writing small scripts while doing CTFs so this will have things that I am learning with time.
+
+* duplicate a line: `:t.`
+* Copy paste are simple:
+    - `Shift+CTRL+C` - copy
+    - `Shift+CTRL+V` - paste
+* quit
+    - `:qa!`
+
+* visual mode:
+    - `v` to get into visual mode - this is just for characters
+    - `V` - this is for line mode
+    - `Ctrl+v` - Visual block mode
+    - Use arrow keys to select the text.
+        - Shift+$ - to completely select the word.
+    - Y - yank(copy)
+    - d - delete
+    - p - paste
+    - u - undo
+
+* :s/,/\r/g
+    - Break on comma
+
+* :set number
+    - Show line number
+
+## To Select and comment multiple lines
+
+* Select the first caracter of your block
+
+* press Ctrl+V ( this is rectangular visual selection mode)
+
+* type `j` for each line more you want to be commented
+
+* type `Shift-i` (like I for "insert at start")
+
+* type // (or # or " or ...)
+
+* You will see the modification appearing only on the first line
+
+* IMPORTANT LAST STEP: type Esc key, and there you see the added character appear on all lines
+
@@ -0,0 +1,6 @@
+* Tried cloudron - Not worth it
+    - I used the digitalocean marketplace to deploy it - https://marketplace.digitalocean.com/apps/cloudron
+    - The main thing is pricing, if I'm going to pay for the server then paying for the clouron sounds a bit odd. 
+    - Cloudron runs everything inside a docker, which is good. But it runs too many services by default due to which the memory usage is bit high most of the time.
+    - This way might be good for the people who doesn't want to do lot of technical stuff by themself and would like to just use the GUI to setup everything in few minutes.
+