<summary><strong>Learn AWS hacking from zero to hero with</strong><ahref="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
**Parts of this tutorial were extracted from the [Drozer documentation pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf).**
Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases).
```bash
pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity
```
Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk).
Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so:
| **Help MODULE** | Shows help of the selected module |
| **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run. |
| **shell** | Start an interactive Linux shell on the device, in the context of the Agent. |
| **clean** | Remove temporary files stored by drozer on the Android device. |
| **load** | Load a file containing drozer commands and execute them in sequence. |
| **module** | Find and install additional drozer modules from the Internet. |
| **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. |
| **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. |
| **shell** | Start an interactive Linux shell on the device, in the context of the Agent |
| **run MODULE** | Execute a drozer module |
| **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` |
| **payload** | The exploits need a payload. `drozer payload list` |
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.\
Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details.
After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`** function as it will be handling the messages received.
In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission.
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
<summary><strong>Learn AWS hacking from zero to hero with</strong><ahref="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
